Organisation

The organization has a (contracted) CSIRT. The CSIRT is fully mandated to respond to active threats to limit the impact of potential security incidents.

A business contuinity plan (BCP) exists for potential disaster scenario’s that could affect the critical processes. The business contuinity plan is reviewed at least annually. The business continuity plan is tested periodically.

The organisation has processes for IT incidents in place. IT incidents are evaluated if they are potential security incidents. (Potential) Security incidents are treated according to a documented and standardised procedure. This procedure differentiates based on the risk involved and includes appropriate escalation, risk treatment steps, evaluating the relationship to other reports/alarms and root-cause analysis. Security Incidents are evaluated (either aggregated or individually, based on the severity) and appropriate measures are taken to prevent future occurances of the incidents. Information on security incidents is handled on a need-to-know basis. Security incidents involving Personally Identifiable Information (PII) are also considered a...

Automatic forwarding of email to external addresses is denied-by-default.

Description Domain names reserved for organisational purposes cannot be released shortly after the domain name is no longer needed. A list of domain names that can never be released needs to be kept. Domain names not on this list need to remain reserved with a placeholder message that the domain is no longer in use by the organisation for 3 years before they can be released and used by other parties.

Description Planned changes are evaluated for potential security impact. The classification of all processes and systems involved in the change is reviewed and adjusted where necessary. In projects, sufficient resources including time, manpower and budget are allocated to perform a security assessment and ensure compliance with the information security policy

Description Organisations actively and passively detect assets that may not be registered in the CMDB, both within the network and outside. Discrepancies in CMDB and detected assets are resolved.

Organisations maintain an accurate and up-to-date registry of organisational hardware and software assets in a Configuration Management Database (CMDB).

The Information Systems and Processes are identified and registered. Each System and Process has an owner within the organisation. The owner is responsible for compliance with the organisational information security policy. Ownership falls to a single person and not to an organisational unit. Systems and Processes are classified according to the organisational classification policy to determine the appropriate level of protection. The classification is reviewed and updated periodically. The owner is responsible for the classification.

End users are actively informed on the organisational policies regarding acceptable use of assets. Organisationally offered IT assets and services must be used for professional purposes, the usage of free/private alternatives is not allowed. Templates & References Example AUP (NL): GebruiksreglementDownload