Medium
SB.14.002 Testing Data
No production information is exposed or reused in environments other than acceptance testing. This includes production data (not even in pseudonymised form), API keys, credentials and production server hostnames.
SB.14.001 DTAP
At a minimum there are distinct environments for acceptance and production. Where development activities take place, at least one separate development environment exists. The environments are clearly distinguishable (for example through a different colour scheme). Privileged access to the production infrastructure is completely separated from privileged access to the other environments. Authentication to non-production environments does not take place through the production IdP. The acceptance environment must represent the production environment as closely as possible, with the exception of not being publicly available. Before going into production, every change must be tested in the acceptance environment.
SB.13.004 Service Accounts
Service accounts are only used where necessary for system authentication (not associated with a natural person) or for system-to-system authentication. The purpose of each service account is documented. Each unique application-to-service link has its own service account. Service accounts are never used to perform actions as natural persons. Service accounts are configured according to Least Privilege and, where passwords are used, have stronger password complexity requirements than regular accounts. Where possible, passwordless authentication is used for service accounts. Regular user accounts may only be used to automate tasks for the individual user, not for generic processes. Changes to service accounts are...
SB.13.003 Privileged Access
Privileged access covers all user access that exposes more functionality than regular users have, on any layer of the IT service infrastructure. Authorisations for privileged access follow Least Privilege (just-enough admin). Privileged access is just-in-time: it is only used when needed, and regular user actions are not performed with the privileged account. Privileged access is demonstrably limited to authorised personnel, and an authorisation matrix is available for this access.
Templates and references: Template-Autorisatiematrix (download)
SB.13.002 Access to admin interfaces
Administrative interfaces (other than application-level ones) are only accessible from an internal zone designated for administrative tasks. Access to this zone is secured via jump servers, which are used exclusively for privileged actions.
SB.12.001 Access to technical areas
Access to physical areas housing IT equipment or sensitive data must be logged and checked at least monthly for deviating situations. Procedures for working in secure areas are in place and adherence to them is monitored. The procedures include at a minimum rules regarding:
- how, when and by whom access can be obtained
- how work is supervised or checked
- the prohibition on making recordings in secure areas
- how guests and contractors can perform their work activities
- consumption of food
- emergency protocols and how any out-of-the-ordinary situation can be reported
SB.11.006 Firewall Rule Management
The network firewall protects hosts on the network against potentially insecure network flows. The firewall is one part of a layered defence. Firewall rules deny by default all traffic that is not explicitly allowed. Rules that allow traffic necessary for functionality follow the architectural design. All firewall rules are documented with a textual explanation of their purpose and a revision date, and are revised on or before that date. Access to the firewall itself is appropriately protected, and the firewall has a safe configuration by default: filtering all traffic and not...
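The three checkable requirements above (deny-by-default policy, a documented purpose per rule, a revision date that has not passed) can be verified mechanically. The script below is an added example, not part of the baseline or any tool it references. It assumes an nftables-style ruleset and a documentation convention of our own choosing: every rule carries a comment of the form `purpose=<text> review=YYYY-MM-DD`. The sample ruleset is constructed for the example and deliberately contains one rule past its revision date, one without a date, one without any documentation, and one chain whose default policy is accept.

```python
import re
from datetime import date

# Constructed sample ruleset (example data, not from the page). Assumed
# convention: each rule's comment reads "purpose=<text> review=YYYY-MM-DD".
SAMPLE_RULESET = """\
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept comment "purpose=loopback review=2030-01-01"
    ct state established,related accept comment "purpose=return traffic review=2030-01-01"
    tcp dport 22 ip saddr 10.0.9.0/24 accept comment "purpose=ssh from admin zone review=2024-01-01"
    tcp dport 443 accept comment "purpose=public https"
    udp dport 161 accept
  }
  chain forward {
    type filter hook forward priority 0; policy accept;
  }
}
"""

CHAIN_RE = re.compile(r"^chain\s+(\w+)\s*\{")
POLICY_RE = re.compile(r"\bpolicy\s+(\w+)\s*;")
COMMENT_RE = re.compile(r'comment\s+"([^"]*)"')
PURPOSE_RE = re.compile(r"purpose=(.+?)(?:\s+review=|$)")
REVIEW_RE = re.compile(r"review=(\d{4}-\d{2}-\d{2})")
VERDICTS = ("accept", "drop", "reject")


def review_ruleset(text, today):
    """Return (chain, rule, issue) findings for a ruleset as of `today`."""
    findings = []
    chain = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHAIN_RE.match(line)
        if m:
            chain = m.group(1)
            continue
        m = POLICY_RE.search(line)
        if m:
            # Deny-by-default: the chain policy itself must be drop.
            if m.group(1) != "drop":
                findings.append((chain, line, "default policy is %s, expected drop" % m.group(1)))
            continue
        if not any(re.search(r"\b%s\b" % v, line) for v in VERDICTS):
            continue  # table header, braces, or other non-rule line
        comment = COMMENT_RE.search(line)
        body = comment.group(1) if comment else ""
        if not PURPOSE_RE.search(body):
            findings.append((chain, line, "missing purpose"))
        review = REVIEW_RE.search(body)
        if not review:
            findings.append((chain, line, "missing review date"))
        elif date.fromisoformat(review.group(1)) < today:
            findings.append((chain, line, "review overdue since %s" % review.group(1)))
    return findings


def run_sample(as_of="2025-01-01"):
    """Review the constructed sample ruleset as of an ISO date string."""
    return review_ruleset(SAMPLE_RULESET, date.fromisoformat(as_of))


if __name__ == "__main__":
    for chain, rule, issue in run_sample():
        print("[%s] %s\n    %s" % (chain, issue, rule))
```

Run as-is it reports five findings against the sample: the SSH rule is overdue, the HTTPS rule has no revision date, the SNMP rule is undocumented on both counts, and the forward chain accepts by default. Running it with a `today` before the SSH rule's revision date drops the overdue finding, which is the same check you would schedule ahead of each revision date.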
SB.11.004 Network Segmentation and zoning
Networks are segmented when they serve different business purposes or have differing risk levels, as determined by the classification of the assets in the segment. Each network segment is separated by a (virtual) firewall. Best practices for network naming security are followed. Managed systems belong to one organisationally managed security domain.
SB.11.001 Network Access Control
Network Access Control (NAC) determines the level of access users are given to the internal network. Unidentified users are placed on the guest network. The authentication system is tied to the hardware asset inventory so that only authorised devices can connect to the network. Authenticated users with managed devices may be admitted to the internal network after a client program has verified the device's OS security update level and anti-malware status. Filters are in place against spoofed addresses.
SB.10.009 Password Monitoring
Organisational credentials are monitored for appearance in (publicised) data breaches. If there are indications that passwords have been compromised, or a risk that the credentials of individuals are compromised, the passwords are forcibly changed and the users informed.