Controls

The export function is currently being improved. For the most recent version of the baseline, see the wiki: https://wiki.surfnet.nl/x/KwCjBw

Asset Management | Low / Low / Low | Organisation | v2.0 (Q1 2024)

Description: End users are actively informed of the organisational policies regarding acceptable use of assets. Organisationally offered IT assets and services must be used for professional purposes; the use of free/private alternatives is not allowed.
Specification: At a minimum, an acceptable use policy is formulated and communicated that covers the expected behaviour of end users regarding the information, systems, applications, infrastructure and hardware made available to them, and that specifies what users can expect from the IT department(s) in terms of monitoring and enforcement of rules. Secure Terms of Use cover at least: what is allowed; what is not allowed; reporting security issues; sanctions; network performance...

Asset Management | Low / Low / Low | Organisation | v2.0 (Q1 2024)

Description: The information systems and processes are identified and registered. Each system and process has an owner within the organisation. The owner is responsible for compliance with the organisational information security policy. Ownership falls to a single person, not to an organisational unit. Systems and processes are classified according to the organisational classification policy to determine the appropriate level of protection. The classification is reviewed and updated periodically; the owner is responsible for the classification.
Specification: A yearly review of the classification is recommended. Organisations should employ a wide definition of systems to ensure appropriate protection of assets important to...

Asset Management | Low / Low / Low | Organisation | v2.0 (Q1 2024)

Description: Organisations maintain an accurate and up-to-date registry of organisational hardware and software assets in a Configuration Management Database (CMDB).
Specification: Organisationally owned assets are registered with their relevant attributes, lifecycle status, an asset owner and a classification of the information asset. At a minimum the following hardware and software assets used in the processing of information are registered:
- portable and fixed processing units
- network equipment
- user accounts
- operating systems
- packaging and administration software
- business applications (including licences to SaaS applications)
- certificates and keys
- suppliers
- physical locations relevant to the IT services (including data centres)

Asset Management | Low / Low / Low | System Owner | v2.0 (Q1 2024)

Description: The assets making up a system that are under control of the organisation are registered and tracked in the CMDB. System owners periodically check that the information in the CMDB regarding their systems is accurate and up to date. System owners maintain any documentation needed to deliver, describe, support and maintain the systems.
Specification: System owners need to make sure that the information in the CMDB is accurate and up to date. Documentation includes servers, services, ports, protocols, interactions/dependencies between components (also on the same server), installed software versions, zoning information and the physical location of assets (where relevant). Also include logical...

Asset Management | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: Organisations actively and passively detect assets that may not be registered in the CMDB, both within the network and outside it. Discrepancies between the CMDB and the detected assets are resolved.
Specification: Active scanning of network devices needs to take place. Passive detection can take place through DNS or DHCP logs, for example. Organisations may use other means to detect assets outside the network, for example through registrations of domain names using organisational email addresses or by detecting the use of organisational logos.

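The passive side of this control, as an added example that is not part of the baseline or of any SURF tooling: DHCP lease acknowledgements and DNS query-log client addresses are parsed, merged per device, and reconciled against a CMDB extract. The CMDB rows, the dhcpd and BIND log lines, the host names and addresses are all constructed for the example; a host name found in a DHCP lease is used as an identifier, a DNS line only proves that a client address is alive. Output from an active scan (e.g. a list of responding addresses and MACs) can be fed into the same reconcile step.

```python
import re
from typing import Dict, List, Optional

# Constructed CMDB extract for hypothetical hosts (not data from the baseline page).
CMDB: List[Dict[str, str]] = [
    {"hostname": "srv-web-01", "mac": "00:11:22:33:44:01", "ip": "10.0.1.10"},
    {"hostname": "lab-pc-01", "mac": "aa:bb:cc:dd:ee:01", "ip": "10.0.1.23"},
    {"hostname": "old-nas-02", "mac": "00:11:22:33:44:99", "ip": "10.0.1.99"},
]

# Constructed ISC dhcpd syslog lines (passive source 1).
DHCP_LOG = """\
Mar  3 09:12:01 dhcp1 dhcpd: DHCPACK on 10.0.1.23 to aa:bb:cc:dd:ee:01 (lab-pc-01) via eth0
Mar  3 09:13:44 dhcp1 dhcpd: DHCPACK on 10.0.1.77 to de:ad:be:ef:00:07 (printer-07) via eth0
Mar  3 09:14:02 dhcp1 dhcpd: DHCPDISCOVER from 02:42:ac:11:00:02 via eth0
"""

# Constructed BIND query-log lines (passive source 2); only the client address is used.
DNS_LOG = """\
03-Mar-2024 09:15:10.123 queries: info: client @0x7f0a 10.0.1.77#5353 (printer-07.corp.example): query: printer-07.corp.example IN A + (10.0.0.1)
03-Mar-2024 09:15:12.456 queries: info: client @0x7f0a 10.0.1.55#41000 (updates.vendor.example): query: updates.vendor.example IN A + (10.0.0.1)
03-Mar-2024 09:15:20.789 queries: info: client @0x7f0a 10.0.1.10#53001 (updates.vendor.example): query: updates.vendor.example IN A + (10.0.0.1)
"""

DHCPACK_RE = re.compile(r"DHCPACK on (?P<ip>[\d.]+) to (?P<mac>[0-9a-f:]{17})(?: \((?P<host>[^)]+)\))?")
DHCPDISC_RE = re.compile(r"DHCPDISCOVER from (?P<mac>[0-9a-f:]{17})")
DNS_CLIENT_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[\d.]+)#\d+")


def observe(dhcp_log: str, dns_log: str) -> Dict[str, dict]:
    """Collect identifiers per device from passive sources; key is the IP, or the MAC when no IP is known yet."""
    seen: Dict[str, dict] = {}

    def add(key: str, source: str, **ids: Optional[str]) -> None:
        rec = seen.setdefault(key, {"ip": None, "mac": None, "hostname": None, "sources": set()})
        for field, value in ids.items():
            if value:
                rec[field] = value.lower()
        rec["sources"].add(source)

    for line in dhcp_log.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            add(m["ip"], "dhcp", ip=m["ip"], mac=m["mac"], hostname=m["host"])
            continue
        m = DHCPDISC_RE.search(line)
        if m:  # a client asking for a lease is already evidence of a device on the wire
            add(m["mac"], "dhcp", mac=m["mac"])
    for line in dns_log.splitlines():
        m = DNS_CLIENT_RE.search(line)
        if m:
            add(m["ip"], "dns", ip=m["ip"])
    return seen


def reconcile(cmdb: List[Dict[str, str]], seen: Dict[str, dict]) -> Dict[str, list]:
    """Split observations into registered/unregistered and list CMDB entries that were never observed."""
    known: Dict[str, str] = {}  # any identifier -> CMDB hostname
    for entry in cmdb:
        for field in ("ip", "mac", "hostname"):
            known[entry[field].lower()] = entry["hostname"]
    unregistered, matched = [], set()
    for rec in seen.values():
        hits = {known[rec[f]] for f in ("ip", "mac", "hostname") if rec[f] and rec[f] in known}
        if hits:
            matched |= hits
        else:
            unregistered.append(rec)
    not_observed = [e["hostname"] for e in cmdb if e["hostname"] not in matched]
    return {"unregistered": unregistered, "not_observed": not_observed}


if __name__ == "__main__":
    result = reconcile(CMDB, observe(DHCP_LOG, DNS_LOG))
    for rec in result["unregistered"]:
        print("not in CMDB:", rec["ip"] or rec["mac"], rec["hostname"] or "", sorted(rec["sources"]))
    print("in CMDB but never seen:", result["not_observed"])
```

Both result lists are discrepancies in the sense of the control: an unregistered device needs an owner and a CMDB entry (or removal from the network), and a CMDB entry that is never seen is either decommissioned hardware that was not retired in the CMDB or a device that has moved outside the monitored segments.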
Asset Management | Low / Low / Low | System Owner | v2.0 (Q1 2024)

Description: Available patches and/or security fixes are installed in compliance with set and approved policies (including those for operating systems, databases and installed applications) and the recommendations of the CERT and/or suppliers.
Specification: Only supported services can be used; end-of-life or end-of-support software is not allowed. All software is tested and installed according to a documented and defined patch cycle. Patching takes place in accordance with the change management process. Unpatched systems are treated in accordance with the vulnerability management process. Use CVSS scores to define the criticality of the required patch. Patches including critical security updates are installed as...

Asset Management | High / High / High | System Owner | v2.0 (Q1 2024)

Description: Emergency changes requiring immediate implementation are properly handled to ensure minimal impact on systems and IT applications. The emergency change is registered, evaluated and tested after implementation, and approved by responsible management.
Specification: The emergency change management procedure is formalised, documented, authorised, communicated and executed in a standardised manner.

Asset Management | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: Planned changes are evaluated for potential security impact. The classification of all processes and systems involved in the change is reviewed and adjusted where necessary. In projects, sufficient resources (time, staff and budget) are allocated to perform a security assessment and to ensure compliance with the information security policy.
Specification: Changes are registered and subjected to an impact analysis; the change process includes formal approval from a change board.

Asset Management | High / High / High | Organisation | v2.0 (Q1 2024)

Description: Domain names reserved for organisational purposes cannot be released shortly after the domain name is no longer needed. A list of domain names that can never be released needs to be kept. Domain names not on this list need to remain reserved, with a placeholder message that the domain is no longer in use by the organisation, for 3 years before they can be released and used by other parties.
Specification: There is a list of all domain names used by the organisation. Every domain is managed by the organisation and follows the organisation's security policy.

Asset Management | Medium / Medium / Medium | System Owner | v2.0 (Q1 2024)

Description: The organisation must know what software is used on managed devices, including a Software Bill of Materials (SBOM) of libraries and components.
Specification: Use automated scripts and tooling to identify the installed software and maintain up-to-date documentation.

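One way to produce and keep such an inventory with a script, added here as an example and not part of the baseline: the installed Python distributions of a host are written as components of a CycloneDX 1.4 JSON document (the SBOM format the example assumes; SPDX would work the same way), and two inventories are diffed so that the documentation can be updated from what actually changed. The package names and versions in the usage at the bottom are constructed; run against a real host the component list comes from `importlib.metadata`.

```python
import json
import re
import uuid
from datetime import datetime, timezone
from importlib import metadata
from typing import Dict, Iterable, List, Tuple


def normalise(name: str) -> str:
    """PEP 503 name normalisation, which the pkg:pypi purl type also uses."""
    return re.sub(r"[-_.]+", "-", name).lower()


def python_components(dists: Iterable[Tuple[str, str]]) -> List[dict]:
    """Turn (name, version) pairs into CycloneDX library components with a purl as stable identifier."""
    comps = []
    for name, version in sorted(dists, key=lambda d: normalise(d[0])):
        purl = f"pkg:pypi/{normalise(name)}@{version}"
        comps.append({"type": "library", "bom-ref": purl, "name": normalise(name), "version": version, "purl": purl})
    return comps


def installed_distributions() -> List[Tuple[str, str]]:
    """What is actually installed in the interpreter running this script."""
    return [(d.metadata["Name"], d.version) for d in metadata.distributions() if d.metadata["Name"]]


def build_sbom(components: List[dict], host: str) -> dict:
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.4",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "device", "name": host},  # the managed device the inventory belongs to
        },
        "components": components,
    }


def diff_sboms(old: dict, new: dict) -> Dict[str, list]:
    """Added, removed and version-changed components between two inventories of the same host."""
    def index(bom: dict) -> Dict[str, str]:
        return {c["name"]: c["version"] for c in bom["components"]}
    a, b = index(old), index(new)
    return {
        "added": sorted(n for n in b if n not in a),
        "removed": sorted(n for n in a if n not in b),
        "changed": sorted(f"{n}: {a[n]} -> {b[n]}" for n in a if n in b and a[n] != b[n]),
    }


if __name__ == "__main__":
    # Constructed inventories of a hypothetical host "lab-pc-01" taken a week apart.
    last_week = build_sbom(python_components([("Requests", "2.31.0"), ("urllib3", "2.0.7"), ("PyYAML", "6.0")]), "lab-pc-01")
    today = build_sbom(python_components([("requests", "2.32.0"), ("urllib3", "2.0.7"), ("cryptography", "42.0.5")]), "lab-pc-01")
    print(json.dumps(diff_sboms(last_week, today), indent=2))
    print(len(build_sbom(python_components(installed_distributions()), "this-host")["components"]), "components on this host")
```

The purl is what ties the inventory to vulnerability data later: a scanner can match `pkg:pypi/requests@2.31.0` against advisories without guessing at name spellings, which is the point of normalising the names before they are written.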
Asset Management | Low / Low / Low | System Owner | v2.0 (Q1 2024)

Description: Before entering into an agreement with a supplier of an IT service, an information security risk assessment is performed. Contractual agreements regarding information security are made with suppliers of IT services. Suppliers report on their compliance with these agreements and deliver evidence of compliance when asked. This compliance is actively monitored by the organisation and documented. Non-compliance is treated as a potential security incident. Which suppliers the organisation has, what services they provide and the status of the contracts with each supplier are documented.
Specification: The contractual agreements with the supplier contain, at a minimum, the following: clauses necessary to comply with...

Backup & Restore | Low / Low / nvt | System Owner | v2.0 (Q1 2024)

Description: For every system a documented backup procedure is available with values for the RPO (Recovery Point Objective: the maximum tolerable amount of data that can be lost) and the RTO (Recovery Time Objective: the maximum downtime of the system). The RPO and RTO are communicated to the users of the system. The backup procedure identifies the appropriate type(s) of storage media used for backups, frequency, redundancy, storage location, storage conditions and frequency of restore testing. How data on endpoints is backed up is included in the backup procedure. Backups are tested periodically to verify that they can be restored. The results of these...

Backup & Restore | Medium / nvt / nvt | System Owner | v2.0 (Q1 2024)

Description: Data centres used in the processing of information take appropriate measures to guarantee continued uptime.
Specification: Appropriate measures for data centre uptime follow the Uptime Institute tier classification (https://uptimeinstitute.com/tiers). Security level Medium: a Tier II or higher data centre; High: a Tier III or higher data centre. External data centres have appropriate certifications to guarantee appropriate risk management practices, uptime and quality. Appropriate certifications include those of the Uptime Institute (uptime), ISO 9001 (quality) and ISO 27001 (information security).

Backup & Restore | High / High / nvt | System Owner | v2.0 (Q1 2024)

Description: All critical backup media, documentation and other IT resources needed for IT recovery, as well as the business continuity plans, are stored offsite. The content of backup storage is determined in collaboration between business process owners and IT personnel. Management at the offsite storage facility acts on the basis of the data classification policy and the enterprise's media storage practices. IT management ensures that offsite arrangements are periodically assessed, at least annually, for content, environmental protection and security. Compatibility of hardware and software for restoring archived data is ensured, and archived data is periodically tested and refreshed.
Specification: Data critical to the operation...

Communications Security | Low / Low / nvt | System Owner | v2.0 (Q1 2024)

Description: All data in transit is transferred over encrypted connections, using the encrypted versions of protocols or encapsulation of plaintext protocols in encrypted connections.
Specification: For TLS-based protocols, including but not limited to HTTPS, use the latest version of the NCSC publication 'ICT-beveiligingsrichtlijnen voor Transport Layer Security (TLS)'. For other encrypted protocols, make the same choices in enabling and disabling key exchange, hashing and bulk encryption algorithms to obtain the same level of confidentiality, integrity and peer authentication.

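What "the same choices" look like in a client that an IT component makes outbound TLS connections with, as an added example that is not from the baseline or the NCSC guideline: a Python `ssl` context restricted to TLS 1.2 and higher, forward-secret AEAD suites, certificate and host-name verification, and a small audit function that reports which of the suites a context (or a server's advertised list) would offer fall outside that policy. The deny-list fragments and the cipher string are the example's own illustration; the authoritative algorithm selection is the NCSC document named above.

```python
import ssl
from typing import Dict, List

# Illustrative deny-list of cipher-suite name fragments (OpenSSL naming); consult the NCSC TLS guideline for the real table.
FORBIDDEN_FRAGMENTS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "PSK", "ADH", "AECDH", "CBC")


def cipher_violations(names: List[str]) -> List[str]:
    """Return the suites a hardened policy should not offer: weak primitives, no forward secrecy, or CBC/HMAC-SHA1."""
    bad = []
    for name in names:
        upper = name.upper()
        weak_primitive = any(frag in upper for frag in FORBIDDEN_FRAGMENTS)
        no_forward_secrecy = not upper.startswith(("ECDHE", "DHE", "TLS_"))  # TLS_* are the TLS 1.3 suites
        cbc_sha1 = upper.endswith("-SHA")  # OpenSSL names of the TLS 1.2 CBC/HMAC-SHA1 suites end in "-SHA"
        if weak_primitive or no_forward_secrecy or cbc_sha1:
            bad.append(name)
    return bad


def hardened_client_context() -> ssl.SSLContext:
    """TLS 1.2+ only, AEAD suites with (EC)DHE key exchange, certificate and host-name verification on."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname, system trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # TLS 1.2 suites: ECDHE key exchange with AES-GCM or ChaCha20-Poly1305 only; TLS 1.3 suites are set by the library.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!PSK:!MD5:!RC4:!3DES")
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS-level compression leaks plaintext length (CRIME)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Summarise what a context would actually negotiate, so the policy can be checked rather than assumed."""
    names = [c["name"] for c in ctx.get_ciphers()]
    return {
        "min_version": ctx.minimum_version.name,
        "verify": ctx.check_hostname and ctx.verify_mode == ssl.CERT_REQUIRED,
        "offered": len(names),
        "weak_ciphers": cipher_violations(names),
    }


if __name__ == "__main__":
    print(audit_context(hardened_client_context()))
    # The same check applied to a constructed list of suites a legacy server might advertise:
    legacy = ["ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384", "ECDHE-RSA-DES-CBC3-SHA", "AES128-SHA"]
    print("would not be allowed:", cipher_violations(legacy))
```

`create_default_context()` is the starting point because it is the only constructor that turns certificate and host-name verification on; `SSLContext()` built by hand starts with `CERT_NONE`, which is the usual cause of "encrypted but not authenticated" connections between IT components.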
Communications Security | Low / Low / nvt | Organisation | v2.0 (Q1 2024)

Description: Automatic forwarding of email to external addresses is denied by default.
Specification: Information does not automatically leave the organisation. If an individual has a legitimate organisational need to be reachable after the end of the formal relationship with the organisation, the individual can request an out-of-office reply to be set that includes new contact details. Other domains belonging to the organisation are not considered external. Forwarding to external domains can only occur under control of the organisation, with appropriate organisational, contractual and technical measures to ensure that the information remains under the organisation's control.

Communications Security | Low / Low / Low | System Owner | v2.0 (Q1 2024)

Description: IT components send emails to end users from an email address in a domain for which the organisation is legally responsible. Mail servers take measures to prevent the reception and transmission of spam and malicious mail. Mail should be revocable on managed servers and supported endpoints. Links in emails should be validated as not malicious. Mail server reputation is monitored; thresholds are defined and action is taken to improve the reputation if it falls below them.
Specification: DKIM, STARTTLS and DMARC are implemented according to the relevant standards: https://www.forumstandaardisatie.nl/open-standaarden/verplicht?domein=125&trefwoord=180. Organisations closely guard the SPF records of their top-level domain. For system emails use...

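A check that the SPF and DMARC side of this specification is actually in place, added as an example and not taken from the baseline or from Forum Standaardisatie: the published TXT records of a domain are parsed and the weaknesses a practitioner looks for first are reported (a missing or `+all` SPF record, more than the ten DNS lookups RFC 7208 permits, a DMARC policy of `none`, no aggregate reporting address, partial `pct`). The domain names and records are constructed; in use, the records come from a DNS lookup of the domain and of `_dmarc.<domain>`. DKIM is not covered because it needs the selector names the mail systems use, and STARTTLS is a property of the SMTP session rather than of DNS.

```python
import re
from typing import Dict, List

# Constructed TXT records for a hypothetical institution; not real DNS data.
RECORDS: Dict[str, List[str]] = {
    "uni.example": ["v=spf1 include:_spf.mailprovider.example ip4:192.0.2.0/24 ~all"],
    "_dmarc.uni.example": ["v=DMARC1; p=none; rua=mailto:dmarc@uni.example"],
    "legacy.uni.example": ["v=spf1 ip4:198.51.100.5 +all"],
    "_dmarc.legacy.uni.example": [],
}

ALL_RE = re.compile(r"([+\-~?])?all")
# Mechanisms and modifiers that cost a DNS lookup under RFC 7208 section 4.6.4.
LOOKUP_RE = re.compile(r"^(include:|exists:|redirect=|a$|a[:/]|mx$|mx[:/]|ptr)")


def spf_findings(txts: List[str]) -> List[str]:
    spf = [t for t in txts if t.lower().startswith("v=spf1")]
    if not spf:
        return ["no SPF record: any host may claim to send for this domain"]
    if len(spf) > 1:
        return ["multiple SPF records: receivers treat this as permerror"]
    qualifier, lookups, out = None, 0, []
    for term in spf[0].split()[1:]:
        t = term.lower()
        if ALL_RE.fullmatch(t):
            qualifier = t[:-3] or "+"  # a bare 'all' means '+all'
        elif LOOKUP_RE.match(t):
            lookups += 1
    if qualifier in (None, "+"):
        out.append("SPF 'all' is missing or '+all': SPF provides no protection")
    elif qualifier == "?":
        out.append("SPF '?all': neutral result, treated like no SPF by most receivers")
    elif qualifier == "~":
        out.append("SPF '~all': softfail only; use '-all' once all senders are listed")
    if lookups > 10:
        out.append(f"SPF needs {lookups} DNS lookups; RFC 7208 allows 10 (permerror above that)")
    return out


def dmarc_findings(txts: List[str]) -> List[str]:
    """Checks the record at the exact name; for a subdomain without one, receivers fall back to the organisational domain."""
    recs = [t for t in txts if t.upper().startswith("V=DMARC1")]
    if not recs:
        return ["no DMARC record: SPF/DKIM failures are neither enforced nor reported"]
    tags: Dict[str, str] = {}
    for part in recs[0].split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    out = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        out.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        out.append("DMARC policy tag 'p' missing or invalid")
    if "rua" not in tags:
        out.append("DMARC has no rua: no aggregate reports, so abuse of the domain stays invisible")
    if tags.get("pct", "100") != "100":
        out.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    return out


def audit(domain: str, records: Dict[str, List[str]]) -> Dict[str, List[str]]:
    return {
        "spf": spf_findings(records.get(domain, [])),
        "dmarc": dmarc_findings(records.get("_dmarc." + domain, [])),
    }


if __name__ == "__main__":
    for d in ("uni.example", "legacy.uni.example"):
        print(d, audit(d, RECORDS))
```

The `legacy.uni.example` case is the one the "closely guard" sentence is about: a forgotten subdomain with `+all` lets anyone send mail that passes SPF for a name under the organisation's domain, and without a DMARC record of its own the subdomain is only as protected as the organisational domain's `sp` tag makes it.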
Communications Security | Medium / Medium / Medium | System Owner | v2.0 (Q1 2024)

Description: Communication coming from outside the organisation needs to be clearly distinguishable from internal communication, with warnings that the originating party is outside the organisation. This includes electronic messages received in email clients.
Specification: Implement warnings in email regarding communications from outside the organisation, to alert people to:
- communications originating from outside their own organisation
- communication from people the individual does not usually correspond with
- emails with indicators of potential attacks, such as originating from look-alike domains

Crisis & Incident Response | Low / Low / Low | Organisation | v2.0 (Q1 2024)

Description: The organisation has processes for IT incidents in place. IT incidents are evaluated to determine whether they are potential security incidents. (Potential) security incidents are treated according to a documented and standardised procedure. This procedure differentiates based on the risk involved and includes appropriate escalation, risk treatment steps, evaluation of the relationship to other reports/alarms, and root-cause analysis. Security incidents are evaluated (either aggregated or individually, based on severity) and appropriate measures are taken to prevent future occurrences. Information on security incidents is handled on a need-to-know basis. Security incidents involving Personally Identifiable Information (PII) are also considered...

Crisis & Incident Response | High / High / High | System Owner | v2.0 (Q1 2024)

Description: A disaster recovery plan (DRP) exists for potential disaster scenarios that could affect the IT systems. The DRP is reviewed at least annually and tested periodically.
Specification: The DRP needs to differentiate the steps to restore the IT systems' functionality within the RTO as needed (this can include using alternate IT systems of other organisations, or having a warm/hot site). The DRP outlines the steps to reach a more sustainable resolution of the crisis after initial recovery has occurred. Testing of the DRP can be done through tabletop exercises, simulations, parallel tests or full interruption. It...

Crisis & Incident Response | High / High / High | Organisation | v2.0 (Q1 2024)

Description: A business continuity plan (BCP) exists for potential disaster scenarios that could affect the critical processes. The BCP is reviewed at least annually and tested periodically.
Specification: The BCP needs to differentiate the steps to restore minimal business functions for all critical processes (this can include using the processes or systems of other organisations to continue primary processes). Testing of the BCP can be done through tabletop exercises, simulations or a full test. It is recommended to test the BCP at least once every 2 years.

Crisis & Incident Response | High / High / High | Organisation | v2.0 (Q1 2024)

Description: The organisation has a (contracted) CSIRT. The CSIRT is fully mandated to respond to active threats to limit the impact of potential security incidents.
Specification: The CSIRT has an average maturity of 2 or higher on each of the O, H, T and P categories of the SIM3 maturity model for CSIRTs (see: https://www.trusted-introducer.org/SIM3-Reference-Model.pdf). Contact information of the CSIRT is published in the RFC 2350 format. The CSIRT maturity is reviewed annually. CSIRT members of SURF member organisations have at a minimum followed an incident response course.

Crisis & Incident Response | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: After incidents, the organisation communicates openly and truthfully to affected parties/subjects, without creating additional security risks for the organisation itself. After (potential) major incidents, the evaluation and lessons learned are shared within the sector to improve the cyber resilience of the entire sector.
Specification: Communication towards (potential) victims of a data breach includes at a minimum (to the extent that disclosing this information does not pose an active risk to security): the details of the incident, the suspected causes, the steps taken to mitigate risks, what will be done in the future to prevent further incidents and what...

Cryptography | Medium / Medium / nvt | System Owner | v2.0 (Q1 2024)

Description: Data at rest is always stored encrypted. The organisation is responsible for the key management of the chosen encryption solution, either directly, contractually or through policies.
Specification: Encryption can take place at the application, database, file system or whole-disk level. The latter, full disk encryption, is the preferred method of encrypting data at rest. Based on the classification of the data, determine the requirements for data encryption. Endpoints should support Intel AES-NI, UEFI and GPT. Decryption keys may only persist on endpoints in the TPM (Trusted Platform Module). Data on unmanaged devices must be stored encrypted. It is...

Cryptography | Medium / Medium / Medium | System Owner | v2.0 (Q1 2024)

Description: Certificates for Transport Layer Security (TLS) are registered with at least: the service for which the certificate was issued, the owning group including contact information, the expiration date and the technical details of the certificate. There is a process for requesting and revoking official certificates. Requesting and approving certificate requests are separate roles. The organisation selects approved certificate providers. Self-signed certificates are never allowed. If there is any indication that a system may be compromised, current certificates are revoked, new private keys are generated and replacement certificates are requested based on the new private keys. Clients check whether certificates have been revoked as part...

Data Protection | High / nvt / nvt | Process Owner | v2.0 (Q1 2024)

Description: The process owner explicitly authorises distribution of confidential information to any recipient, internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed yearly. The authorisation includes which data can be shared, which persons/systems are authorised and under what conditions. Data can only be moved to hard copy with the express permission of the data owner. Information security policy and controls apply equally to hard-copy data.
Specification: Internal data processing agreements are recommended to specify which data is transferred and the obligations of the receiving party with regard to handling and securing the data....

Data Protection | Medium / nvt / nvt | System Owner | v2.0 (Q1 2024)

Description: It is possible for organisational data to be deleted from devices remotely by a device management system, either when the device actively makes a connection or after an interval without any connection. Encrypted data for which the keys are made unrecoverable complies with this standard.
Specification: Deletion of data follows the NIST Guidelines for Media Sanitization for the level 'Clear' or higher: https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final. Example: https://www.umsystem.edu/ums/is/infosec/data-disposal. The period after which data is wiped when a device has not made a connection should be set taking into account common use cases, such as employees who regularly spend longer periods without a connection. Employees should be made...

Data Protection | High / High / High | System Owner | v2.0 (Q1 2024)

Description: Only data owners have access to their data. Administrators and suppliers can only access the data through a break-glass procedure that involves business sign-off and consultation with the organisation.
Specification: Apply RBAC (role-based access control). The administrators group is removed from personal data storage and replaced by a group of break-glass accounts.

Data Protection | High / nvt / nvt | System Owner | v2.0 (Q1 2024)

Description: There are measures to prevent users from downloading entire datasets. Additionally, or if these measures cannot be implemented, alerting and monitoring for users downloading large amounts of information from the service is in place.
Specification: Apply anomaly detection for data in motion: spikes in network usage/bandwidth.

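The detection side of this control run over sample data, as an added example that is not part of the baseline: per-user daily download volumes from the service's access log are compared with that user's own 14-day baseline using a median/MAD z-score (a previous spike does not inflate the baseline the way mean and standard deviation would), and independently against a fraction of the dataset size, which catches a first-day bulk export that has no baseline at all. The user names, the history, the log lines, the dataset size and the thresholds are all constructed for the example.

```python
import re
import statistics
from typing import Dict, List

MIB = 1024 * 1024
DATASET_MIB = 12_000          # size of the protected dataset (assumed for the example)
Z_THRESHOLD = 6.0             # robust z-score above which a day counts as a spike
MIN_ALERT_MIB = 500           # ignore spikes that stay below this absolute volume
DATASET_FRACTION = 0.5        # alert when one user pulls more than half the dataset in a day

# Constructed per-user daily totals (MiB) for the previous 14 days, as a nightly aggregation job would keep them.
HISTORY_MIB: Dict[str, List[float]] = {
    "alice": [42, 55, 48, 51, 39, 60, 44, 47, 52, 58, 41, 49, 53, 46],
    "bob": [110, 125, 118, 130, 102, 121, 115, 128, 119, 124, 108, 131, 117, 122],
    "mallory": [31, 44, 38, 50, 35, 47, 40, 33, 46, 39, 42, 36, 49, 41],
}

# Constructed access-log lines of the data service for the current day.
TODAY_LOG = """\
2024-03-15T08:02:11Z user=alice path=/datasets/survey/q1.csv bytes=31457280
2024-03-15T09:15:40Z user=alice path=/datasets/survey/q2.csv bytes=23068672
2024-03-15T09:20:03Z user=bob path=/datasets/lab/results.parquet bytes=131072000
2024-03-15T01:10:00Z user=mallory path=/datasets/export/part-0001.zip bytes=5242880000
2024-03-15T01:41:22Z user=mallory path=/datasets/export/part-0002.zip bytes=5033164800
"""
LINE_RE = re.compile(r"user=(?P<user>\S+) .*bytes=(?P<bytes>\d+)")


def daily_totals(log: str) -> Dict[str, float]:
    """Sum the bytes served per user and convert to MiB."""
    totals: Dict[str, float] = {}
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            totals[m["user"]] = totals.get(m["user"], 0.0) + int(m["bytes"]) / MIB
    return totals


def robust_z(history: List[float], today: float) -> float:
    """z-score based on median and median absolute deviation (1.4826 scales MAD to a standard deviation)."""
    med = statistics.median(history)
    mad = statistics.median(abs(x - med) for x in history)
    if mad == 0:  # flat history: any increase is a spike, a decrease is not
        return float("inf") if today > med else 0.0
    return (today - med) / (1.4826 * mad)


def detect(history: Dict[str, List[float]], today_log: str) -> List[dict]:
    """Return one alert per user whose volume today is anomalous against their baseline or the dataset size."""
    alerts = []
    for user, today in daily_totals(today_log).items():
        past = history.get(user, [])
        med = statistics.median(past) if past else 0.0
        z = robust_z(past, today) if past else float("inf")  # first-ever activity has no baseline to hide behind
        reasons = []
        if z > Z_THRESHOLD and today >= MIN_ALERT_MIB:
            reasons.append(f"{today:.0f} MiB today vs median {med:.0f} MiB (z={z:.1f})")
        if today > DATASET_FRACTION * DATASET_MIB:
            reasons.append(f"{today:.0f} MiB exceeds {DATASET_FRACTION:.0%} of the {DATASET_MIB} MiB dataset")
        if reasons:
            alerts.append({"user": user, "today_mib": round(today, 1), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(HISTORY_MIB, TODAY_LOG):
        print(alert["user"], alert["today_mib"], "MiB:", "; ".join(alert["reasons"]))
```

The two rules cover each other's blind spot: the z-score misses a user who has always downloaded a lot, the dataset-fraction rule misses a slow exfiltration that never exceeds half the dataset in one day, and the absolute floor keeps a user going from 1 MiB to 30 MiB out of the alert queue.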
Data Protection | High / High / High | Organisation | v2.0 (Q1 2024)

Description: Printing services are appropriately protected: printers are kept separate from the public internet; printing requires authentication; no repeat printing of stored jobs; documents are stored encrypted and for as short a time as possible; print jobs only start after the user authenticates at the printer.
Specification: Use a separate network for printing services. Activate the policy: purge the print queue after 24 hours.

Data Protection | Low / nvt / nvt | System Owner | v2.0 (Q1 2024)

Description: After the retention period, or when the data medium is decommissioned, lost or repurposed, organisational data is deleted. End users receive sufficient warning before data is deleted.
Specification: Deletion of data takes place according to the NIST Guidelines for Media Sanitization (https://csrc.nist.gov/publications/detail/sp/800-88/rev-1/final), depending on the sensitivity of the data: Low/Medium: level Clear or higher; High: level Purge or higher. Purging of sensitive data media is done by a trusted supplier. Certificates of destruction must be available for the destruction of highly sensitive data. Destruction of the encryption keys is considered equivalent to purging the data.

Data Protection | Medium / Medium / Medium | Process Owner | v2.0 (Q1 2024)

Description: The rules regarding the processing of data are made explicit and clear, including whether remote work is allowed and under what circumstances, the use of Bring Your Own Device, and how data storage should be handled (including paper media, USB devices, retention of data in mail clients, how data can be exchanged with other parties, etc.).
Specification: Working in public areas is only allowed with privacy screens; use of public Wi-Fi is only allowed over a VPN connection. Process owners determine whether Bring Your Own Device is allowed and which rules apply.

Data Protection | Low / Low / nvt | Process Owner | v2.0 (Q1 2024)

Description: How long data is retained and available is identified and recorded, and adheres to the minimum legal or business requirements. After this period, data is deleted and unrecoverable. This includes sensitive data on hard copy, which needs to be properly shredded and destroyed.
Specification: In the education sector, a few documents specify minimum requirements: for universities (universiteiten), the 'Selectielijst Universiteiten en Universitair Medische Centra'; for universities of applied sciences (hogescholen), the 'Selectielijst hogescholen'; within MBO, the selection list 'Documentair Structuur Plan MBO Raad'.

Endpoint Security | High / High / High | Organisation | v2.0 (Q1 2024)

Description: Unless necessary for executing job responsibilities, by default user endpoints do not allow the execution of scripts and executables. If the function necessitates this access, it is documented and approved by the supervisor.
Specification: Office macros and PowerShell are disabled by default.

Endpoint Security | Low / Low / Low | Organisation | v2.0 (Q1 2024)

Description: Regular end users do not have continuous privileged access to endpoints, including but not limited to the ability to modify organisationally managed system settings, change environment variables, directly modify the registry, modify files in system directories or install programs. Only users with a demonstrable need for a local privileged account to perform their work can have access to one. This access adheres to the privileged access controls, including just-in-time and just-enough administration. These privileges are registered together with the reason and the approver.
Specification: Protection against malware should be present on managed endpoints...

Endpoint Security | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: Regular end users do not have continuous privileged access to endpoints, including but not limited to the ability to modify organisationally managed system settings, change environment variables, directly modify the registry, modify files in system directories or install programs. Only users with a demonstrable need for a local privileged account to perform their work can have access to one. This access adheres to the privileged access controls, including just-in-time and just-enough administration. These privileges are registered together with the reason and the approver.
Specification: Privileged settings and features cannot be controlled using a...

Endpoint Security | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: Endpoints have appropriate protections against attacks on memory.
Specification: The endpoint OS needs to have Address Space Layout Randomization (ASLR) enabled. The endpoint OS needs to use executable-space protection, preferably through the hardware NX bit. DEP is enabled on Windows.

Endpoint Security | Low / Low / Low | Organisation | v2.0 (Q1 2024)

Description: When a workstation is left unattended, the session/screen is locked automatically after at most 15 minutes and the user is prompted to re-authenticate.
Specification: Centrally managed via AD (Group) Policy.

Endpoint Security | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: Shared-workspace endpoints are physically protected against tampering with or removal of the hardware.
Specification: Public and/or shared workspaces are periodically re-imaged and do not have auto-logon. Browsers on public workspaces delete all cookies and session information when the browser is closed. Possible measures:
- hardening (no unnecessary services are running)
- no network access (internet access only, for browsing and email, or via VPN with authentication)
- possibly blocking USB ports
- up-to-date anti-malware

Human Resource Security | Medium / Medium / Medium | System Owner | v2.0 (Q1 2024)

Description: Manuals and operating procedures that detail how to work with information systems and services in a secure manner are available and communicated to end users. Understanding of the operating procedures is verified and adherence to them is monitored. Appropriate measures are taken when operating procedures are not followed.
Specification: These manuals explain step by step how the user should operate the system safely. Use screenshots where possible.

Human Resource Security | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: Before commencement of processing activities, all individuals working with data and systems have been identified using a nationally issued identity document or through a trusted federated identity provider.
Specification: Trusted identity providers include Studielink, iDIN, DigiD and providers that identify at eIDAS level of assurance 'Substantial' or 'High'.

Human Resource Security | High / High / High | Process Owner | v2.0 (Q1 2024)

Description: Before commencement of processing activities, background checks are performed for all individuals working with sensitive data and systems to determine integrity and suitability for the tasks and to ensure secure behaviour. Screening is repeated periodically and a procedure is in place to deal with situations where screening identifies security risks.
Specification: Background checks depend on the risk associated with the authorisations, but include at a minimum: checking of references and a 'verklaring omtrent gedrag' (VOG, certificate of conduct). Screening is repeated at least every 10 years.

Human Resource Security | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: Non-contracted visitors in sensitive areas are always accompanied by organisational staff.
Specification: A procedure exists for employees of contracted partners to commence activities on site in sensitive areas, including server rooms. This procedure requires that contractors are announced beforehand, identified, and clearly recognisable while performing work.

Human Resource Security | Medium / Medium / Medium | Organisation | v2.0 (Q1 2024)

Description: The organisation has a policy for disciplinary action and inappropriate handling of information. Police reports are filed when wilful breaking of the law or actions with criminal intent are ascertained with regard to data handling. A record of this is placed in the personnel file. The case is immediately presented to a committee consisting of representatives of the organisational unit, the CISO and HR, which determines the disciplinary action.
Specification: Upon noting deviations from the information security policy or inappropriate handling of data, an informal warning is initially given by the supervisor. If a second case...

Human Resource Security | Medium / Medium / Medium | Process Owner | v2.0 (Q1 2024)

Description: When working with sensitive information, individuals are required to agree to and sign a non-disclosure agreement (NDA). At a minimum, the NDA specifies how the individual should handle the sensitive information and how long restrictions apply after the work with the information has ceased. The NDA also specifies the consequences for the individual of breaching the agreement.
Specification: An NDA is available for the processing of sensitive data.

Human Resource Security | High / High / nvt | Process Owner | v2.0 (Q1 2024)

Description: Teams plan to have sufficient capacity to execute important tasks, also during holidays. Team capacity is monitored, and structural understaffing is flagged and addressed. There are procedures for continuing important processes in case of unplanned absence of team members. Individuals in teams who are the only ones capable of performing specific tasks need to be identified as single points of failure. Team leaders are responsible for identifying these individuals and transferring this knowledge to other employees and procedures. If this knowledge is non-transferable, more capable staff or a retainer with a supplier that can...

Human Resource Security | Low / Low / Low | Organisation | v2.0 (Q1 2024)

Description: The organisation has a coherent awareness programme that identifies the information security knowledge the various stakeholders must have, the ways to measure the current level of knowledge, and the planning and organisation of interventions to maintain and increase the knowledge to the desired levels.
Specification: Awareness programmes cover: appropriate handling of information, how to detect and respond to potential incidents, secure working practices, and information security policies. Simulated attacks, such as phishing emails, can be used to measure awareness and at the same time as an intervention to improve knowledge. Training is given at least once during onboarding...

Identity & Access Management
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data. The organisation has a defined relationship with individuals that have been given access, either directly or through contractual agreements with third parties. Only production environments can be linked to the production IdP. Specification Federated identities are used for all employees for authenticating to the system. The use of local accounts is only permitted: if neccessary for external users, following any relevant other controls including password complexity and multi-factor requirements for break-glass or separate privileged accounts For end-user access to applications Single-Sign...

Read more
Identity & Access Management
Low
Low
n/a
Organisation
v2.0 (Q1 2024)

Description After a period of 45 days of inactivity, or at the end date of the formal relation with the organisation for which the account was provided, accounts are automatically blocked. After 90 days the account is deleted or stripped of all authorisations. Unblocking accounts follows the same approval process for requesting access as Joiner/Mover situations.
Specification Account details can persist in logging if required by organisational retention periods. Deletion of accounts should not lead to a deletion of logs that need to be retained or items that were assigned. In such cases, overwriting the identifier with a random ID...

Read more
Identity & Access Management
Medium
Medium
Medium
System Owner
v2.0 (Q1 2024)

Description System owners define how user management takes place, including who is authorised to request changes to which user roles and how this can be requested/managed. System owners determine the access control models used for which types of users.
Specification System owners may decide to use Discretionary Access Controls (DAC) for most end-users, as is customary in environments such as Office365 where end-users determine who has access to what. It is recommended to only allow Role-Based Access Controls (RBAC) for more sensitive access. User authorisations are then based on the role a user has.

Read more
Identity & Access Management
Low
Low
Low
Process Owner
v2.0 (Q1 2024)

Description Periodically, a list of all users in the system is generated along with associated permissions and reviewed. If it is available, all access rights must be in accordance with the authorisation matrix. A documented procedure is available for how the review is performed. Actions taken based on the review are recorded and stored for 2 years. If the authorisations are given based on role, the authorisations within the roles are part of the review as well.
Specification The frequency of user reviews depends on the classification of the process involved and the number of mutations. The frequency needs to...

Read more
Identity & Access Management
Low
Low
Low
Organisation
v2.0 (Q1 2024)

Description Systems that allow setting passwords enforce that passwords satisfy minimum complexity requirements. Rate-limiting is enforced for failed password entries. During password creation, an indicator of password complexity is reported to the user. Easily guessable passwords are prohibited. If initial passwords or reset passwords are assigned by the system or by operators, they are changed by the user upon first login. Passwords to personal accounts are only chosen by the account owner. One-time passwords are exempt. Every account has a traceable owner that is responsible for password maintenance on the account.
Specification Alternative authentication mechanisms stronger than passwords should be encouraged....

Read more
Identity & Access Management
Low
Low
Low
Organisation
v2.0 (Q1 2024)

Description PIN codes are a subset of passwords that usually have limited complexity. Usage of PIN codes in place of passwords is only permitted in a one-to-one relation to physical access (to either hardware or locations). A PIN code is hardware specific, and where possible also user specific. Biometrics can be used in place of a PIN code if processed on-device and offered as an optional usability feature, meaning a PIN code must still be set. Biometric authentication is also subject to rate limiting, and needs to adhere to the guidelines set in NIST Special Publication 800-63 section 5.2.3:...

Read more
Identity & Access Management
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description Passwords are not visible during entry by default (only when requested by the user as a usability feature). Passwords are not visible in any other way (including to administrators) and are not stored in a way that can be reversed. If passwords/secrets are stored, they must be stored in an appropriate password vault service.
Specification Passwords need to be hashed and salted (ideally using a unique salt per user) according to https://www.nist.gov/publications/secure-hash-standard or a superseding standard.

Read more
Identity & Access Management
Medium
Medium
Medium
System Owner
v2.0 (Q1 2024)

Description Users must use a second factor to authenticate before accessing sensitive data or functionality. Users are allowed to mark devices as trusted, not requiring MFA on that specific device for a maximum period of 30 days for access, if the device meets all requirements for a second factor (such as being personal and meeting all hardware requirements). Users can mark a maximum of 5 devices as trusted. Authenticated users can access an overview of devices they have marked as trusted and are able to remove the trusted status of a device. Only ‘what you know’ and ‘what you have’...

Read more
Identity & Access Management
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description After a period of inactivity in an application, the user session should be locked and require re-authentication. Activity in another application from the same identity provider may be considered continued activity.
Specification Depending on the security level of the IT system, the maximum duration of the session is as follows: Low: 30 days; Medium: 1 day; High: 8 hours.

Read more
Identity & Access Management
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description Once issued, a digital account/identifier is connected uniquely with a natural person. Once issued, (old) accounts and unique account information are never (re)assigned to other natural persons. After individuals have left the organisation, their digital & legal identities are kept for a predefined period of time, based on business and legal requirements.
Specification Digital access can always be traced to a unique individual.

Read more
Identity & Access Management
Low
Low
Low
Process Owner
v2.0 (Q1 2024)

Description Individuals receive only the minimum number of authorisations required for their role and purpose in the processing activities. Authorisations are only given for the period the activities take place. Preferably these are given based on a role and not attached to individuals.
Specification IST/SOLL control is performed and approved by the process owner.

Read more
Identity & Access Management
Low
Low
Low
Process Owner
v2.0 (Q1 2024)

Description Process owners approve users getting authorisations to the data in the process. The requests of individuals that want access to information assets, or authorisations to do so, are logged and retained for at least 1 year. The record includes the requester and the approval (or rejection) of the appropriate data owner. Revocation requests, end of employment notifications and changes are recorded and retained for at least 1 year. After role changes or upon termination of contractual or formal relations between the organisation and the individual, access to data that is no longer part of their role is revoked at first opportunity....

Read more
High
High
High
Identity & Access Management
Process Owner
v2.0 (Q1 2024)

Description Process owners are responsible for an authorisation matrix listing who has what access to data and functionality in relevant systems, in what capacity. The authorisation matrix includes roles, the authorisations in roles, individuals and which roles the individuals are allowed to have. Optionally, job functions can be used to identify which roles belong to those functions. If there are conflicts between certain authorisations that cannot be given simultaneously, the authorisation matrix identifies which combinations of authorisations are not allowed.
Specification The authorisation matrix is immediately updated after changes are requested and approved, so it should remain up-to-date. IST/SOLL control...

Read more
Logging & Monitoring
Medium
Medium
Medium
System Owner
v2.0 (Q1 2024)

Description Creation of new accounts with privileged authorisations, mutations in user groups through which privileged authorisations can be obtained, and changes in passwords for non-personal privileged accounts are approved. Potential abuse cases for the (attempted) use of privileged authorisations are defined and monitoring is implemented for these cases. False positive situations are approved by the System Owner before being allowed.
Specification An audit trail on privileged accounts is available. Approval is stored in a durable manner and kept for at least one year.

Read more
Logging & Monitoring
Medium
Medium
Medium
Organisation
v2.0 (Q1 2024)

Description At least every month, for all current accounts, the number of lock-outs, current account status, account end-date and account-deletion date (if relevant) are reported.
Specification An account monitoring report is available. The CISO and Operational Security teams receive these reports.

Read more
High
High
High
Logging & Monitoring
Organisation
v2.0 (Q1 2024)

Description Protections are in place to detect and prevent unauthorised user activity based on context and behaviour.
Specification The Risky Logins report is frequently monitored and checked.

Read more
Logging & Monitoring
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description Events potentially relevant to the security of systems are logged in a central logging system (different from the originating system) with timestamps synchronised to official timeservers in UTC. Logs are protected from modification. Logs are reviewed periodically.
Specification Logs contain at least: a timestamp, the user ID, the originating system of the log, the activity performed, and changes in configurations. Logging data retention is 6 months for security incident handling. Logging retention for the purpose of normal operational activities is 2 months maximum. NTP or NT5DS is used to synchronize computer clocks to a central timeserver slaved to a GPS receiver...

Read more
High
High
High
Logging & Monitoring
System Owner
v2.0 (Q1 2024)

Description Applications log access (attempts) to sensitive data. Applications log mutations of system configurations and sensitive data. Storing the original values is recommended but not required.
Specification Mutation and data access logs adhere to all logging rules as defined in IS.5.002.

Read more
Logging & Monitoring
Low
Low
Low
Organisation
v2.0 (Q1 2024)

Description Authentication attempts are logged, including the originating IP and the attempted user. Passwords are not logged. Access to the network is logged.
Specification A central policy enabling the AD Security audit log is in place. Network authentication logs (802.1X, wifi access logging, ClearPass logging). IP address usage logging (monitoring of ARP for IPv4, NDP for IPv6). Network address to network port logging. Wireless network location logging.

Read more
High
High
High
Logging & Monitoring
Organisation
v2.0 (Q1 2024)

Description Event data is aggregated from multiple sources. Accepted organisational risks are monitored through defined abuse cases. Personnel security and awareness is monitored and periodically tested.
Specification Tooling is available to monitor risks and compliance with regulations.

Read more
Logging & Monitoring
Medium
Medium
Medium
Organisation
v2.0 (Q1 2024)

Description There is security monitoring on organisational credentials appearing in (publicised) data breaches. If there are indications of compromise of passwords, or risks that the credentials of individuals are compromised, passwords will be forcibly changed and the users informed.
Specification Services such as "Have I Been Pwned" can be used to monitor for the appearance of organisational accounts in breaches. Losing a device on which ongoing sessions may be active should also qualify as cause for password rotation.

Read more
High
High
High
Logging & Monitoring
Organisation
v2.0 (Q1 2024)

Description A baseline for normal network and application packet traffic is established around critical IT services. Network Intrusion Prevention Systems are used to dynamically detect deviations from the baseline and block traffic until it has been established that the traffic does not pose unwanted risks.
Specification IDS/IPS logs are monitored and checked.

Read more
Medium
Medium
Medium
Network Security
Organisation
v2.0 (Q1 2024)

Description Network Access Control is used to determine the level of access users are given to the internal network. Unidentified users get access to the guest network. The authentication system shall be tied to the hardware asset inventory data to ensure only authorised devices can connect to the network. Authenticated users with managed devices can be allowed on the internal network pending verification by a client program of the device OS security update level and anti-malware status. Filters are in place against spoofed addresses.
Specification Utilise port-level access control, following the IEEE 802.1X standard.

Read more
Low
Low
Low
Network Security
Organisation
v2.0 (Q1 2024)

Description Identify known malicious domains, IPs or other content and block access to these sources from the organisational network, systems and managed devices. Enable Domain Name System (DNS) query logging to detect hostname lookups for known malicious domains.
Specification There is a process by which malicious sources are frequently monitored, checked and blocked.

Read more
Low
Low
Low
Network Security
Organisation
v2.0 (Q1 2024)

Description Networking maintains a list of approved hardware components and their required configurations. Networking hardware components are not accessible to unauthorised individuals.
Specification Switches do not operate in promiscuous mode. TACACS+ is preferred over RADIUS as a means of authentication. SNMPv3 community strings and passwords are managed as part of privileged access management and are thus rotated when there have been changes in the roles or employment status of anyone with access to them. The use of SNMPv2 is prohibited. Anti-spoofing protection is in place, such as IP Source Guard (Cisco), Port Security, DHCP snooping and Dynamic ARP Inspection.

Read more
Medium
Medium
Medium
Network Security
Organisation
v2.0 (Q1 2024)

Description Networks are segmented if they serve different business purposes or have differing risk levels, determined by the classification of the assets in the same segment. Each network segment is separated by a (virtual) firewall. Best practices for Network Naming Security are followed. Managed systems belong to one organisationally managed security domain.
Specification DNS servers only allow zone transfers between authorised internal DNS servers. DNSSEC is implemented for DNS zones owned by the organisation.

Read more
Low
Low
Low
Network Security
Organisation
v2.0 (Q1 2024)

Description The DMZ (demilitarized zone) is the network location for public-facing services. Only systems in the DMZ can accept communications initiated from outside the network. The DMZ is separated from the outside world and the internal network with firewalls. Only the public-facing component of a service can be in the DMZ; data processing and storage must be in separate parts of the network according to the data classification. Systems within the DMZ treat other DMZ systems as non-trusted. Inside services verify that requests from DMZ hosts have the right source and authorisation.
Specification Use a stateful firewall between the...

Read more
Medium
Medium
Medium
Network Security
Organisation
v2.0 (Q1 2024)

Description The network firewall is set up to protect hosts on the network against network flows that are potentially insecure. The firewall is one part of a layered defence. The firewall rules are set to deny all traffic that is not explicitly allowed by default. Rules that allow traffic necessary for functionality follow the architectural design. All firewall rules are documented with a textual explanation of their purpose and a revision date. Firewall rules are revised on or before their revision dates. Access to the firewall itself should be appropriately protected, and the firewall has a safe configuration by default: filtering all traffic and...

Read more
High
Network Security
n/a
n/a
Organisation
v2.0 (Q1 2024)

Description The network of IT services must be hardened against Distributed Denial of Service (DDoS) attacks. Services are configured to avoid participating in DDoS attacks. There is a documented procedure in the event of high network load (in the case of DDoS attacks, for example). A procedure is in place to throttle traffic from non-critical sources, to ensure continued minimal essential functioning of the service.
Specification The (D)DoS protection of a preferred supplier is used. No open DNS resolvers or NTP amplification. Blocking of broadcast requests to internal IP addresses originating outside of the network. Routers with Access Control Lists. Configure BPDU...

Read more
Medium
Medium
Medium
Physical & Environmental Security
System Owner
v2.0 (Q1 2024)

Description Access to physical areas housing IT equipment or sensitive data must be logged and checked at least monthly for deviating situations. Procedures for working in secure areas are in place and adherence to them is monitored. The procedures include at a minimum rules regarding: how and when access can be obtained and by whom; how work should be supervised or checked; that no recordings can be made in secure areas; how guests and contractors can perform their work activities; rules regarding consumption of food; and emergency protocols and how any out-of-the-ordinary situations can be reported.
Specification Access to technical areas is limited to authorised...

Read more
High
n/a
n/a
Physical & Environmental Security
System Owner
v2.0 (Q1 2024)

Description Emergency power to IT equipment is available, or a hot-site connected to a separate power source is available.
Specification Dual power supplies (A+B feed). N+1 redundancy: the system will work with 1 power supply missing. Emergency power or the hot-site connection is tested once per 6 months.

Read more
Low
Low
Low
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description A distinction must be made between security levels within the IT landscape when considering secret authentication information for privileged access, where a logical distinction is made at least between user endpoints, network access-layer, network core, server-administrator and domain-administrator levels.
Specification There is a security architecture which describes the segments, and this architecture is implemented.

Read more
Medium
Medium
Medium
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description Administrative interfaces (other than application-level) are only accessible from an internal zone designated for administrative tasks. Access to this zone is secured via jump servers. These jump servers are used exclusively for privileged actions.
Specification There is a security architecture which describes the segments, and this architecture is implemented.

Read more
Medium
Medium
Medium
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description Privileged Access involves all user access that exposes more functionality than regular users have on any layer of the IT service infrastructure. Authorisations for privileged access are required to follow Least Privilege (just-enough admin). Privileged Access is just-in-time, meaning it is only used when needed and regular user actions are not performed using the privileged account. Privileged access is demonstrably limited to authorised personnel, and an authorisation matrix is available for this access.
Specification Authorisation is based on separation of duties and least privilege. Applications must apply separation of duties. Roles are defined based on tasks, responsibilities and privileges....

Read more
Medium
Medium
Medium
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description Service accounts are only used when necessary for system authentication (no association with natural persons) or system-to-system authentication. The purpose of a service account is always documented. Each unique application-to-service link should have a unique service account. Service accounts are never used to perform actions as natural persons. Service accounts are configured according to Least Privilege and, where used, have stronger password complexity requirements than regular accounts. Where possible, passwordless authentication is used for service accounts. Regular user accounts can only be used to automate tasks for the individual user and not for generic processes. Changes to service accounts...

Read more
High
High
High
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description Accounts for privileged users are separate from regular user accounts. If a user needs privileged functionality, a second (privileged) account will be created to keep the privileged and non-privileged activities separated. Privileged account usage is just-in-time, meaning accounts are only provided when needed and the access is revoked after the tasks are completed. Logging in with privileged accounts on public-facing services is prohibited; only local services (with non-internet-routable IPs) may be configured to accept direct logins with privileged accounts. There are additional protections to change or reset MFA access methods for Privileged Access, that involve validating the identity...

Read more
High
High
High
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description Privileged Access to IT services is orchestrated through a Privileged Access Management (PAM) system. Actions taken using privileged accounts are logged or recorded. These actions are reviewed (either sample-based or systematically). Credentials to privileged accounts are not exposed to end users. When passwords are used instead of cryptographic keys or passwordless authentication, passwords are rotated automatically (one-time-use passwords) at the end of the session.
Specification Reports on usage of privileged accounts are available and frequently checked for deviations.

Read more
High
High
High
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description There is a procedure to use Privileged Access Management in unpredicted and/or emergency situations, when access to privileged accounts is required in unanticipated events (privileged or non-privileged). Passwords are rotated after use of the break-glass procedure. The CISO and Process Owners are informed of any use of the break-glass procedure.
Specification Make use of a four-eyes procedure and sealed bags.

Read more
Low
Low
Low
Privileged Access Management
System Owner
v2.0 (Q1 2024)

Description Authentication for access using privileged accounts includes Multi-Factor Authentication. This can include Multi-Factor Authentication to get access to a network and subsequent strong cryptographic asymmetric keys for authentication. Devices cannot be marked as ‘trusted’ for Multi-Factor for privileged access. MFA tokens used as factors are user-specific and measures are in place to safeguard that these tokens remain strictly personal.
Specification Authenticators must validate to Authenticator Assurance Level 3, according to NIST Special Publication 800-63 section 4.2: https://pages.nist.gov/800-63-3/sp800-63-3.html#sec4

Read more
Medium
Medium
Medium
Secure Development
System Owner
v2.0 (Q1 2024)

Description At a minimum there are distinct environments for acceptance and production. Where development activities take place, at least one separate environment for development exists. The environments are clearly distinguishable (for example through a different colour scheme). Privileged Access to the production infrastructure is completely separated from privileged access to the other environments. Authentication to non-production environments does not take place through the production IdP. The acceptance environment must represent the production environment as closely as possible, with the exception of not being publicly available. Before going into production, any change must always be tested in the acceptance environment.
Specification...

Read more
Medium
Medium
n/a
Secure Development
System Owner
v2.0 (Q1 2024)

Description No production information is exposed or reused in environments other than for acceptance testing. This includes production data (not even pseudonymised), API keys, credentials and production server hostnames.
Specification On sufficiently large datasets, removing names and randomly scrambling records can be a way to generate realistic testing data, maintaining a realistic distribution of values and edge cases, without being able to point at which data belongs to which individual.

Read more
High
n/a
n/a
Secure Development
System Owner
v2.0 (Q1 2024)

Description Major changes and/or migrations that could have potential impact on the availability of the IT service have a rollback procedure and a step-by-step plan for the change documented beforehand and approved by the relevant change boards. This rollback procedure can be requested.

Read more
Medium
Medium
Medium
Secure Development
System Owner
v2.0 (Q1 2024)

Description Appropriate secrets management is applied to confidential information needed to develop and deliver the service. No hardcoded credentials or configuration values are present in source code, only in separate configuration files with appropriate security protections. No sensitive information can be found in versioning information and older releases in version management systems. Configuration is stored in environment variables or in versioned scripts that generate the configuration based on user input.
Specification Apply appropriate configuration hardening using CIS recommendations where available. Place files with sensitive information outside public access. Apply strict permissions on sensitive files.

Read more
Low
Low
Low
Secure Development
System Owner
v2.0 (Q1 2024)

Description All variable information that gets sent by a client is filtered and sanitised before being processed in the application. The same applies to user-selected output that is presented back to users. This avoids any unintentional side-effect of processed data.
Specification Any input and output will adhere to the concept of ‘do not trust user in/output’. Normalisation, validation, and limitation should be applied during input and output. Any data entered by the user or processed as a result of earlier entry should be handled in such a way that it can’t cause any side-effects in the application. In web application programming this...

Read more
Low
Low
Low
Secure Development
System Owner
v2.0 (Q1 2024)

Description Web applications have taken all appropriate measures to protect against the OWASP Top 10 Web Application vulnerabilities: https://owasp.org/www-project-top-ten/
Specification Follow all relevant instructions for web application hardening to protect against the top web-application threats. The following page can be used to check specific hardening best practices: https://cheatsheetseries.owasp.org/index.html

Read more
Medium
Medium
Medium
Secure Development
System Owner
v2.0 (Q1 2024)

Description Mobile applications use certificate pinning to prevent MitM attacks on apps, including over open WiFi. Mobile applications have protections for the binaries that users can download. Mobile apps preferably store information encrypted and containerised. Sensitive information must be stored server-side unless specifically needed for the functioning of the application.

Read more
High
n/a
n/a
Secure Development
System Owner
v2.0 (Q1 2024)

Description The application has taken application-level steps to prevent Denial of Service attacks, such as caching where possible, rate limiting and designing functionality to be non-blocking. This includes protecting API endpoints against executing requests that could lead to DoS, limiting the data size of upload fields, and protecting against users being locked out through reset functionality.

Read more
Medium
Medium
Medium
Secure Development
System Owner
v2.0 (Q1 2024)

Description The system scans attachments, uploads and links for malware and filters content identified as harmful by these scans.
Specification The malware/anti-virus scanner of a preferred supplier is used. This includes attachments and hyperlinks in emails.

Read more
High
High
High
Secure Development
System Owner
v2.0 (Q1 2024)

Description A documented risk analysis is available for each third-party app used by the application. Third-party apps and libraries are tracked for vulnerabilities and security updates as part of the main app.
Specification The risk analysis is documented and contains at least the following: Are the third-party apps and their code tested for security (before or in scope of pen tests on the entire application)? What are the benefits of the third-party app and what are the potential risks of using it? How are the third-party apps and libraries maintained, updated and patched? Only third-party software that is deemed...

Read more
Medium
Medium
Medium
System Hardening
System Owner
v2.0 (Q1 2024)

Description Document a security configuration baseline for the system based on current best practices from vendors and desired functionality. The baseline must be updated at least annually. Use this baseline for all new and recovered systems.
Specification Baselines are defined, approved by senior management and communicated to IT staff. Implemented baselines are audited and deviations are reported (and approved).

Read more
Medium
Medium
Medium
System Hardening
System Owner
v2.0 (Q1 2024)

Description IT systems have standard configurations that follow recommended hardening guidelines. Before new systems are taken into production, the systems are tested for adherence to the hardening guidelines. The standard images are tested for security vulnerabilities during the regular vulnerability management process and are updated accordingly. Systems are periodically checked against the hardening baseline, preferably automatically.
Specification Hardening or security guidelines by the supplier are followed. If supplier guidelines are absent or insufficient, third-party guidelines should be used. OR: The most recent version of the CIS Benchmarks is taken into account when configuring devices or operating systems. L1 controls are...

Read more
Low
Low
Low
System Hardening
System Owner
v2.0 (Q1 2024)

Description Applications and services are configured to not display information that is unnecessary. Functionality is designed and configured to prevent enumeration of information.
Specification Information that should not be enumerable includes: user names, email addresses, files, versioning information, server configuration and structure, endpoints and so forth. Error messages and headers should be compact and not contain any technical information about the environment (such as stack traces, debugging output, etc). Comments in code should not be accessible by end users. Make sure files are not directly accessible if they are not supposed to be, either by hand or through tools such as...

Read more
Low
Low
Low
System Hardening
System Owner
v2.0 (Q1 2024)

Description Default passwords on any piece of hardware or software are changed before deployment.
Specification Universal and/or default passwords must not be used. For existing systems that have built-in default passwords, these can only be used once and must be changed after the first login.

Read more
Medium
Medium
Medium
System Hardening
System Owner
v2.0 (Q1 2024)

Description Services run under their own account with the minimal necessary privileges. Only necessary services run on production servers, and they are only accessible on necessary interfaces, enforced using host-based firewalls. All services are maintained and kept up-to-date. For each running service on servers, hardening guides are followed and deviations from hardening guides due to business requirements are documented. Local firewall rules limit service traffic to ports, filtered as restrictively as possible.
Specification For non-Windows servers, applications run within a jail/chroot environment. When that is impossible, running Linux applications are secured by SELinux or AppArmor.

Medium
Medium
Medium
System Hardening
System Owner
v2.0 (Q1 2024)

Description IT services run in their own virtual environments, so that vulnerabilities in one service cannot give access to other services. This includes not hosting multiple websites on the same web server unless they share the same Security Capability Level and purpose; the same applies to databases shared between different services. Specification Every newly deployed server has a maximum of one role.

Low
Low
Low
System Owner
v2.0 (Q1 2024)
Vulnerability Management

Description A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what resolution action was taken and the current status of the vulnerability. Vulnerabilities can be ‘resolved’, ‘mitigated’ or ‘accepted’. If the vulnerability is ‘mitigated’, a new risk estimation needs to be done for the mitigating measures in place. After resolution, resolved vulnerabilities need to remain registered for 1 year. The organisation shall establish a maximum resolution time for vulnerabilities based on the associated risk. The timely resolution of vulnerabilities is monitored. Specification Vulnerabilities are...

Medium
Medium
Medium
Organisation
v2.0 (Q1 2024)
Vulnerability Management

Description The organisation has a published Coordinated Vulnerability Disclosure Policy to encourage security researchers and individuals to ethically find and report vulnerabilities. Specification For external suppliers the policy should be in accordance with the guidelines of the Dutch National Cyber Security Centre (NCSC): https://english.ncsc.nl/publications/publications/2019/juni/01/coordinated-vulnerability-disclosure-the-guideline The policy should be easy to find and should also be referenced in security.txt

Medium
Medium
Medium
Organisation
v2.0 (Q1 2024)
Vulnerability Management

Description Network-connected IT systems are subjected to automatic vulnerability scanning at least once per month. Scanning is performed authenticated where possible. Specification Use authenticated scanning. Report findings with ratings such as Low/Medium/High to help prioritise. Use a dedicated account and dedicated systems for performing security checks, so that scanning activity can easily be distinguished in the monitoring.

Medium
Medium
Medium
System Owner
v2.0 (Q1 2024)
Vulnerability Management

Description The (web) application is subject to automated vulnerability scanning at least once per quarter. Scanning is performed authenticated as much as possible. Specification Use authenticated scanning. Report findings with ratings such as Low/Medium/High to help prioritise. Use a dedicated account and dedicated systems for performing security checks, so that scanning activity can easily be distinguished in the monitoring.

High
High
High
System Owner
v2.0 (Q1 2024)
Vulnerability Management

Description Before go-live of new IT services, and after major updates and changes, a penetration test of the information security needs to be performed by a trusted security party. For externally performed pentests, organisational security staff assess the management summaries of recent pentest results and the follow-up to findings. The management summary contains at least which party performed the test, when the test was performed, what the scope of the test was, the number of vulnerabilities that were found and their associated risks. The re-test results are also inspected. Specification A penetration test takes place at a frequency suitable for...

Communications Security
Low
Low
Low
System Owner
v2.0 (Q1 2024)

Description Applications that communicate with end users do so from an organisational domain and an organisational email account. Specification All emails from organisational applications should be clearly recognisable as official by using official mail addresses. Other characteristics, such as colour schemes and logos, are too easily falsified in phishing emails and train users to trust outside sources. Note the rules regarding guarding the top-level domain's SPF records when allowing suppliers to mail on behalf of the organisation: only allow the external party to email from subdomains.
