Low

Organisational mails

Applications that communicate with end-users do so from an organisational domain and an organisational email account.

Vulnerability Registration and Resolution

A system owner is responsible for maintaining a list of known vulnerabilities in the system, including the associated risk, when each vulnerability was reported, what action was taken to resolve it and...

Unintended Information Disclosure

Applications and services are configured to not display information that is unnecessary. Functionality is designed and configured to prevent enumeration of information.

Web Application Security

Web applications have taken all appropriate measures to protect against the OWASP Top 10 web application vulnerabilities: https://owasp.org/www-project-top-ten/

Input and Output Filtering

All variable information sent by a client is filtered and sanitised before being processed by the application. The same applies to user-selected output that is presented back to...

MFA for Privileged Access

Authentication for access using privileged accounts includes Multi-Factor Authentication. This can include Multi-Factor Authentication to gain access to a network, followed by authentication with strong asymmetric cryptographic keys. Devices cannot...

Segmenting authentication domains

A distinction must be made between security levels within the IT landscape when handling secret authentication information for privileged access, with a logical separation made at least between user endpoints,...

DMZ

The DMZ (demilitarized zone) is the network location for public-facing services. Only systems in the DMZ can accept communications initiated from outside the network. The DMZ is separated from the...

Networking Hardware

The networking team maintains a list of approved hardware components and their required configurations. Networking hardware components are not accessible to unauthorised individuals.