SB.6.004 Administrator Data Access

Only data owners have access to their data. Administrators and suppliers can only access the data through a break-glass procedure that involves business sign-off and consultation with the organisation.

SB.6.003 Remote Wipe of Organizational Data

It is possible for organisational data to be deleted from devices remotely by a device management system, either when the device actively makes a connection or after a set interval without any connection. Encrypted data whose keys have been made unrecoverable also complies with this standard.

SB.6.001 Authorized data distribution

The process owner explicitly authorises distribution of confidential information to any recipient, internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed yearly. The authorisation includes which data can be shared, which persons/systems are authorised and under what conditions. Data can only be moved to hardcopy with the express permission of the data owner. Information security policy and controls apply equally to hardcopy data.

SB.5.003 Certificate Management Registration

Certificates for Transport Layer Security (TLS) are registered with at least: the service for which the certificate was issued, the owning group including contact information, the expiration date and the technical details of the certificate. There is a process for requesting and revoking official certificates. Requesting and approving certificate requests are separate roles. The organisation selects approved certificate providers. Self-signed certificates are never allowed. If there is any indication that a system may be compromised, current certificates are revoked, new private keys are generated and replacement certificates are requested based on the new private key. Clients check whether certificates have been revoked as part of...

SB.5.001 Encrypted data storage

Data at rest is always stored encrypted. The organisation is responsible for the key management of the chosen encryption solution, either directly, contractually or through policies.

SB.4.007 Communicating about incidents

After incidents, the organisation communicates openly and truthfully to affected parties/subjects, without creating additional security risks to the organisation itself. After (potential) major incidents, the evaluation and lessons learnt will be shared within the industry to improve cyber resilience of the entire sector.

SB.4.004 CSIRT

The organization has a (contracted) CSIRT. The CSIRT is fully mandated to respond to active threats to limit the impact of potential security incidents.

SB.4.003 Business continuity management

A business continuity plan (BCP) exists for potential disaster scenarios that could affect the critical processes. The business continuity plan is reviewed at least annually. The business continuity plan is tested periodically.

SB.4.002 Disaster Recovery Plan

A disaster recovery plan (DRP) exists for potential disaster scenarios that could affect the IT systems. The disaster recovery plan is reviewed at least annually. The disaster recovery plan is tested periodically.

SB.4.001 Incident response procedure

The organisation has processes for IT incidents in place. IT incidents are evaluated to determine whether they are potential security incidents. (Potential) security incidents are treated according to a documented and standardised procedure. This procedure differentiates based on the risk involved and includes appropriate escalation, risk treatment steps, evaluation of the relationship to other reports/alarms and root-cause analysis. Security incidents are evaluated (either aggregated or individually, based on severity) and appropriate measures are taken to prevent future occurrences of the incidents. Information on security incidents is handled on a need-to-know basis. Security incidents involving Personally Identifiable Information (PII) are also considered a...
