v2.0 (Q1 2024)

Applications that communicate to end-users do so from an organisational domain and organisational email account.

Before go-live of new IT services, and after major updates and changes, a penetration test of the information security needs to be performed by a trusted security party. For externally performed pentests, organisational security staff assesses the management summaries of a recent pentest results and the follow-up to findings.The management summary contains at least which party performed the test, when the test was performed, what the scope of the test was, the number of vulnerabilities that were found and their associated risks. The re-test results are also inspected.

The (web-)application is subject to automated vulnerability scanning at least once per quarter. Scanning occurs authenticated as much as possible.

Network connected IT systems are subjected to automatic vulnerability scanning at least once per month. Scanning occurs authenticated where possible.

The organization has a published Coordinated Vulnerability Disclosure Policy to encourage security researchers and individuals to ethically find and report vulnerabilities.

A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what action resolution was taken and the current status of the vulnerability. Vulnerabilities can be ‘resolved’, ’mitigated’ or ‘accepted’. If the vulnerability is ‘mitigated’, a new risk estimation needs to be done for the mitigating measures in place. After resolution, resolved vulnerabilities need to remain registered for 1 year. The organisation shall establish maximum resolution time of vulnerabilities based on the associated risk. There is monitoring on the timely resolution of vulnerabilities.

IT services run in their own virtual environments, vulnerabilities in one service cannot give access to other services. This includes no multiple websites on the same webserver unless they share the same Security Capability Level and purpose, the same applies to databases between different services.

Services run under their own account with minimal necessary privileges . Only necessary services run on production servers, and are only accessible to necessary interfaces using Host-based Firewalls. All services are maintained and kept up-to-date. For each running service on servers, hardening guides are followed and deviations from hardening guides due to business requirements are documented.Local Firewall rules limit service traffic to ports filtered as restrictive as possible.

Default Passwords on any piece of hardware or software are changed before deployment.

Applications and services are configured to not display information that is unnecessary. Functionality is designed and configured to prevent enumeration of information.