High
Background Check
Before commencement of processing activities background checks are performed for all individuals working with sensitive data and systems to determine integrity and suitability for the tasks and ensure secure behaviour....
Scripts and Executables
Unless necessary for executing job responsibilities, by default user endpoints do not allow the execution of scripts and executables. If the function necessitates this access, it will be documented and...
Printing Data-Leakage Prevention
Printing services are appropriately protected: Printers are kept separate from the public internet. Printing requires authentication before printing. No repeating printing statements. Documents are stored encrypted and for as short...
Data Exfiltration Detection and Prevention
There are measures to prevent users from downloading entire datasets. Additionally, or if these measures cannot be implemented, alerting and monitoring for users downloading large amounts of information from the...
Administrator Data Access
Only data owners have access to their data. Administrators and suppliers can only access the data through a break-glass procedure that involves business sign-off and consultation with the organisation.
Authorized data distribution
The proces owner authorises distribution of confidential information explicitly to any recipient, internal or external to the organisation. For all non-incidental data transfers, the authorisation is documented and reviewed yearly....
CSIRT
The organization has a (contracted) CSIRT. The CSIRT is fully mandated to respond to active threats to limit the impact of potential security incidents.
Business continuity management
A business contuinity plan (BCP) exists for potential disaster scenario’s that could affect the critical processes. The business contuinity plan is reviewed at least annually. The business continuity plan is...
Disaster Recovery Plan
A disaster recovery plan (DRP) exists for potential disaster scenarios that could affect the IT systems. The disaster recovery plan is reviewed at least annually. The disaster recovery plan is...
Domain reservations
Description Domain names reserved for organisational purposes cannot be released shortly after the domain name is no longer needed. A list of domain names that can never be released needs...