Medium
Local privileged accounts
Regular end-users do not have standing privileged access to endpoints, including but not limited to the ability to modify organisationally managed system settings, change environment variables, directly modify the...
Data handling procedure
The rules regarding the processing of data are made explicit and clear, including whether remote work is allowed and under what circumstances, whether Bring-Your-Own-Device is permitted, and how data storage...
Remote Wipe of Organizational Data
It is possible for organisational data to be deleted from devices remotely by a device management system, either when the device actively connects or on a fixed interval, without...
Certificate Management Registration
Certificates for Transport Layer Security (TLS) are registered with at least: the service for which each certificate was issued, the owning group including contact information, the expiration date, and technical details...
Communicating about incidents
After incidents, the organisation communicates openly and truthfully to affected parties/subjects, without creating additional security risks to the organisation itself. After (potential) major incidents, the evaluation and lessons learnt will...
Warnings on external communication
Communication coming from outside the organisation needs to be clearly distinguishable from internal communication with warnings that the originating party is from outside the organisation. This includes electronic messages received...
Datacenter uptime
Data centres used in the processing of information take appropriate measures to guarantee continued uptime.
Software Bill-of-Materials
The organisation must know what software is used on managed devices, including a Software “Bill-of-Materials” (BOM) of libraries and components.
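Knowing which managed devices carry a given library or component is the practical use of a per-device SBOM. The following added example (not part of the original page or any referenced product) indexes constructed CycloneDX-shaped SBOMs by package URL (purl) and answers "which devices run this component below the fixed version". The device names, component versions and the `DEVICE_SBOMS` dictionary are made-up sample data.

```python
"""Query a per-device SBOM inventory for a vulnerable component version.

Added example, not the page's own tooling. SBOMs are constructed inline in
CycloneDX JSON shape (bomFormat / components / purl); devices and versions
are sample data, not real inventory.
"""
import json
from urllib.parse import unquote

# Constructed sample: two managed devices, each with a (truncated) CycloneDX SBOM.
DEVICE_SBOMS = {
    "laptop-0017": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "requests", "version": "2.25.1",
             "purl": "pkg:pypi/requests@2.25.1"},
            {"type": "library", "name": "lodash", "version": "4.17.20",
             "purl": "pkg:npm/lodash@4.17.20"},
        ],
    }),
    "server-db-02": json.dumps({
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "components": [
            {"type": "library", "name": "lodash", "version": "4.17.21",
             "purl": "pkg:npm/lodash@4.17.21"},
            {"type": "library", "name": "openssl", "version": "3.0.2",
             "purl": "pkg:generic/openssl@3.0.2"},
        ],
    }),
}


def parse_purl(purl):
    """Return (type, namespace/name, version) from a package URL.

    Handles 'pkg:type/[namespace/]name@version[?qualifiers][#subpath]';
    qualifiers and subpath are dropped, percent-encoding is decoded.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    rest = purl[4:].split("#", 1)[0].split("?", 1)[0]
    ptype, _, name_ver = rest.partition("/")
    name, _, version = name_ver.rpartition("@")
    if not name:  # no '@' present: the whole remainder is the name
        name, version = name_ver, ""
    return ptype, unquote(name), unquote(version)


def version_tuple(v):
    """Numeric-aware sort key so that 4.17.9 < 4.17.21 (string compare gets this wrong)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_index(device_sboms):
    """Map (purl type, name) -> list of (device, version) across all SBOMs."""
    index = {}
    for device, raw in device_sboms.items():
        bom = json.loads(raw)
        if bom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{device}: unsupported SBOM format")
        for comp in bom.get("components", []):
            purl = comp.get("purl")
            if not purl:
                continue  # a component without a purl cannot be matched reliably
            ptype, name, version = parse_purl(purl)
            index.setdefault((ptype, name), []).append(
                (device, version or comp.get("version", "")))
    return index


def devices_below(index, ptype, name, fixed_version):
    """Devices carrying ptype/name at a version older than fixed_version."""
    fixed = version_tuple(fixed_version)
    return sorted(dev for dev, ver in index.get((ptype, name), [])
                  if version_tuple(ver) < fixed)


if __name__ == "__main__":
    idx = build_index(DEVICE_SBOMS)
    print(devices_below(idx, "npm", "lodash", "4.17.21"))
```

The index is keyed on the purl type and name rather than the free-text `name` field, because the same library name can exist in several ecosystems (npm and PyPI both have packages called `requests`-style names) and only the purl disambiguates them.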
Security in projects and changes
Planned changes are evaluated for potential security impact. The classification of all processes and systems involved in the change is reviewed and adjusted where necessary. In projects, sufficient resources...
Detection of assets
Organisations actively and passively detect assets that may not be registered in the CMDB, both within the network and outside it. Discrepancies between the CMDB and the detected assets are resolved.
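The reconciliation step is where most of the value sits: a passive source (here, DHCP lease records) and an active source (here, `nmap -sn` grepable output) are compared against the CMDB and the differences are classified so each can be resolved. The example below is added here and is not the page's or any product's code; the CMDB extract, lease lines and scan output are all constructed sample data, and the lease line format is a simplified version of ISC dhcpd's `dhcpd.leases`.

```python
"""Reconcile detected assets against a CMDB extract.

Added example, not the page's own tooling. All inputs are constructed:
a CMDB keyed by MAC address, simplified dhcpd.leases entries (passive
detection) and nmap -sn -oG output (active detection).
"""
import re

# Constructed CMDB extract: MAC -> (hostname, registered IP)
CMDB = {
    "00:11:22:33:44:55": ("ws-0001", "10.0.1.10"),
    "00:11:22:33:44:66": ("ws-0002", "10.0.1.11"),
    "aa:bb:cc:dd:ee:01": ("printer-floor2", "10.0.1.50"),
}

# Constructed passive source, one simplified lease per line
DHCP_LEASES = """\
lease 10.0.1.10 { hardware ethernet 00:11:22:33:44:55; client-hostname "ws-0001"; }
lease 10.0.1.12 { hardware ethernet 00:11:22:33:44:77; client-hostname "unknown-pc"; }
lease 10.0.1.13 { hardware ethernet 00-11-22-33-44-66; }
"""

# Constructed active source: nmap -sn -oG style lines (tabs replaced by spaces)
NMAP_GREPABLE = """\
# Nmap scan initiated (constructed sample)
Host: 10.0.1.10 ()  Status: Up
Host: 10.0.1.12 ()  Status: Up
Host: 10.0.1.13 ()  Status: Up
Host: 10.0.1.99 ()  Status: Up
# Nmap done
"""

LEASE_RE = re.compile(
    r'lease (\S+) \{.*hardware ethernet (\S+);(?:.*client-hostname "([^"]*)")?')
NMAP_UP_RE = re.compile(r"Host: (\S+)\s.*Status: Up")


def norm_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    return mac.lower().replace("-", ":")


def parse_dhcp_leases(text):
    """Return [(ip, mac, hostname)] for each lease line; hostname may be ''."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append((m.group(1), norm_mac(m.group(2)), m.group(3) or ""))
    return leases


def parse_nmap_grepable(text):
    """Return the IPs nmap reported as Up, in file order."""
    return [m.group(1) for m in map(NMAP_UP_RE.match, text.splitlines()) if m]


def reconcile(cmdb, leases, live_ips):
    """Classify discrepancies between the CMDB and what was detected.

    unregistered_macs  : seen passively, absent from the CMDB
    ip_mismatch_macs   : in the CMDB, but leased a different IP than registered
    unknown_live_ips   : responding to the scan, attributable to nothing we know
    cmdb_ips_not_seen  : registered IPs that did not answer (stale record or offline)
    """
    seen_by_mac = {mac: ip for ip, mac, _ in leases}
    live = set(live_ips)
    known_ips = {ip for _, ip in cmdb.values()} | set(seen_by_mac.values())
    return {
        "unregistered_macs": sorted(m for m in seen_by_mac if m not in cmdb),
        "ip_mismatch_macs": sorted(m for m, ip in seen_by_mac.items()
                                   if m in cmdb and cmdb[m][1] != ip),
        "unknown_live_ips": sorted(ip for ip in live if ip not in known_ips),
        "cmdb_ips_not_seen": sorted(ip for _, ip in cmdb.values() if ip not in live),
    }


if __name__ == "__main__":
    result = reconcile(CMDB, parse_dhcp_leases(DHCP_LEASES),
                       parse_nmap_grepable(NMAP_GREPABLE))
    for cls, items in result.items():
        print(f"{cls}: {items}")
```

An IP that answers the scan but matches neither a CMDB record nor a lease (`10.0.1.99` in the sample) is the case the control is most concerned with: it is a device on the network that no inventory source can attribute, so it goes to the top of the resolution queue, ahead of the merely stale records.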