SB.9.004 Review of Permissions

Periodically, a list of all users in the system is generated along with their associated permissions and reviewed. Where an authorisation matrix is available, all access rights must be in accordance with it. A documented procedure is available for how the review is performed. Actions taken based on the review are recorded and stored for 2 years. If authorisations are granted based on role, the authorisations within the roles are part of the review as well.

SB.9.001 Authentication through organisational identity

End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data. The organisation has a defined relationship with individuals that have been given access, either directly or through contractual agreements with third parties. Only production environments can be linked to the production IdP.

SB.8.010 Secure behavior

The organisation has a coherent awareness program that identifies the information-security knowledge the various stakeholders must have and the ways to measure the current level of that knowledge, and that includes the planning and organisation of interventions to maintain and increase the knowledge to the desired levels.

SB.7.005 Screen lock

When a workstation is left unattended, the session/screen is locked automatically after a maximum of 15 minutes and the user is prompted for re-authentication.

SB.7.002 Anti-Malware protection

Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware, spam).

SB.4.001 Incident response procedure

The organisation has processes for IT incidents in place. IT incidents are evaluated to determine whether they are potential security incidents. (Potential) security incidents are treated according to a documented and standardised procedure. This procedure differentiates based on the risk involved and includes appropriate escalation, risk treatment steps, evaluation of the relationship to other reports/alarms, and root-cause analysis. Security incidents are evaluated (either aggregated or individually, based on severity) and appropriate measures are taken to prevent future occurrences of the incidents. Information on security incidents is handled on a need-to-know basis. Security incidents involving Personally Identifiable Information (PII) are also considered a...

SB.3.003 Technical email security

IT components send emails to end-users using an email address ending in a top-level domain for which the organisation is legally responsible. Mailservers take measures to prevent the reception and transmission of spam and malicious mails. Mails should be revocable on managed servers and supported endpoints. Links in emails should be validated to not be malicious. Mailserver reputation is monitored. Thresholds are determined and actions are taken to improve the reputation if it falls below thresholds.

SB.2.001 Backup procedure

For every system a documented backup procedure is available with values for the RPO (Recovery Point Objective, the maximum tolerable amount of data that can be lost) and RTO (Recovery Time Objective, the maximum tolerable downtime of the system). The RPO and RTO are communicated to users of the system. The backup procedure identifies the appropriate type(s) of storage media used for backups, frequency, redundancy, storage location, storage conditions and frequency of restore testing. How data on endpoints is backed up is included in the backup procedure. Backups are tested periodically to verify that they can be restored. The results of these...

SB.1.016 Supplier Security Management

Before engaging in an agreement with a supplier of an IT service, an information security risk assessment is performed. Contractual agreements regarding information security are made with suppliers of IT services. Suppliers report on their compliance with these agreements and deliver evidence of compliance when prompted. This compliance is actively monitored by the organisation and documented. Non-compliances are treated as potential security incidents. Which suppliers the organisation has, what services they provide and the status of the contracts with each supplier are documented.

SB.1.008 Patch management

Available patches and/or security fixes are installed in compliance with set and approved policies (including those for operating systems, databases and installed applications) and recommendations of CERT and/or suppliers.