Low
Review of Permissions
Periodically, a list of all users in the system is generated along with associated permissions and reviewed. If it is available, all access rights must be in accordance with the...
Authentication through organisational identity
End-user authentication for applications takes place through a trusted Identity Provider for anyone with access to organisational data. The organisation has a defined relationship with individuals that have been given...
Secure behavior
The organisation has a coherent awareness program that identifies the knowledge relevant to information security various stakeholders must have, the ways to measure the current level of knowledge, and includes...
Screen lock
When a workstation is left unattended, the session/screen is locked automatically after a maximum of 15 minutes and the user is prompted for re-authentication.
Anti-Malware protection
Preventive, detective and corrective measures are in place (especially up-to-date security patches and virus control) across the organisation to protect information systems and technology from malware (e.g., viruses, worms, spyware,...
Incident response procedure
The organisation has processes for IT incidents in place. IT incidents are evaluated to determine whether they are potential security incidents. (Potential) Security incidents are treated according to a documented and standardised...
Technical email security
IT components send emails to end-users using an email address ending in a top-level domain for which the organisation is legally responsible. Mail servers take measures to prevent the reception and...
Backup procedure
For every system a documented backup procedure is available with values for the RPO (Recovery Point Objective, maximum tolerable amount of data that can be lost) and RTO (Recovery Time...
Supplier Security Management
Before engaging in an agreement with a supplier of an IT-service, an information security risk assessment is performed. Contractual agreements regarding information security are made with suppliers of IT-services. Suppliers...
Patch management
Available patches and/or security fixes are installed in compliance with set and approved policies (including those for operating systems, databases and installed applications) and recommendations of CERT and/or suppliers.