Risk Monitoring

Event data is aggregated from multiple sources. Accepted organisational risks are monitored through defined abuse cases. Personnel security and awareness is monitored and periodically tested.

Mutation and Data Access Logs

Applications log access (attempts) to sensitive data. Applications log mutations of system configurations and sensitive data. Original values are recommended but not necessitated to be stored.

Authorization Matrix

Process owners are responsible for an authorization matrix listing who has what access to data and functionality in relevant systems, in what capacity. The authorisation matrix includes roles, the authorisations...

Team capacity monitoring

Teams plan to have sufficient capacity to execute important tasks, also during holidays. There is monitoring on the capacity of the team and structural understaffing gets flagged and addressed. There...

Background Check

Before commencement of processing activities background checks are performed for all individuals working with sensitive data and systems to determine integrity and suitability for the tasks and ensure secure behaviour....

Scripts and Executables

Unless necessary for executing job responsibilities, by default user endpoints do not allow the execution of scripts and executables. If the function necessitates this access, it will be documented and...

Printing Data-Leakage Prevention

Printing services are appropriately protected: Printers are kept separate from the public internet. Printing requires authentication before printing. No repeating printing statements. Documents are stored encrypted and for as short...

Administrator Data Access

Only data owners have access to their data. Administrators and suppliers can only access the data through a break-glass procedure that involves business sign-off and consultation with the organisation.


The organization has a (contracted) CSIRT. The CSIRT is fully mandated to respond to active threats to limit the impact of potential security incidents.