Medium

Endpoints have appropriate protections to prevent attacks on memory.

Regular end-users do not have privileged access to endpoints continuously, including but not limited to the ability to modify organisationally managed system settings, changes to environment variables, directly modify the registry, modify files in system directories or install programs. Only users that have a demonstrable need for a local privileged account to perform their work activities can have access to a local privileged account. This access adheres to the privileged access controls, including just-in-time and just-enough admin. These privileges are registered together with the reason why and the approver.

The rules regarding the processing of data are made explicit and clear, including whether remote work is allowed, under what circumstances and the use of Bring-Your-Own-Device and how data storage should be handled (including paper media, USB devices, retention of the data in mail clients, how data can be exchanged with other parties, etc…)

Certificates for Transport Level Security (TLS) are registered with at least: for what service it was issued, what the owning group is including contact information, expiration date and technical details of certificate. There is a process for requesting and revoking official certificates. Requesting and approving certificate requests are separate roles. The organisation selects approved certificate providers. Self-signed certificates are never allowed. If there is any indication that a system may be compromised, current certificates are revoked, new private keys generated and replacement certificates requested based on the new private key. Clients check whether certificates have been revoked as part of...

Data at rest is always stored encrypted. The organisation is responsible for the key management of the chosen encryption solution, either directly, contractually or through policies.

After incidents, the organisation communicates openly and truthfully to affected parties/subjects, without creating additional security risks to the organisation itself. After (potential) major incidents, the evaluation and lessons learnt will be shared within the industry to improve cyber resilience of the entire sector.

Communication coming from outside the organisation needs to be clearly distinguishable from internal communication with warnings that the originating party is from outside the organisation. This includes electronic messages received in email programs.

The organisation must know what software is used on managed devices, including a Software “Bill-of-Materials” (BOM) of libraries and components.

Description Planned changes are evaluated for potential security impact. The classification of all processes and systems involved in the change is reviewed and adjusted where necessary. In projects, sufficient resources including time, manpower and budget are allocated to perform a security assessment and ensure compliance with the information security policy

Description Organisations actively and passively detect assets that may not be registered in the CMDB, both within the network and outside. Discrepancies in CMDB and detected assets are resolved.