v2.0 (Q1 2024)

Organisational mails

Description: Applications that communicate with end-users do so from an organisational domain and an organisational email account.
Specification: All emails from organisational applications should be clearly recognisable as official by using...

Penetration Testing

Description: Before go-live of new IT services, and after major updates and changes, a penetration test needs to be performed by a trusted security party. For...

Automated Application Vulnerability Scanning

Description: The (web-)application is subject to automated vulnerability scanning at least once per quarter. Scanning is authenticated as much as possible.
Specification: Use authenticated scanning. Report findings with a ratings...

Automated Vulnerability Scanning

Description: Network-connected IT systems are subjected to automated vulnerability scanning at least once per month. Scanning is authenticated where possible.
Specification: Use authenticated scanning. Report findings with a ratings...

Coordinated Vulnerability Disclosure Policy

Description: The organization has a published Coordinated Vulnerability Disclosure Policy to encourage security researchers and individuals to ethically find and report vulnerabilities.
Specification: For external suppliers the policy should be...

Vulnerability Registration and Resolution

Description: A system owner is responsible for maintaining a list of known vulnerabilities on the system, including the associated risk, when the vulnerability was reported, what resolution action was taken...

Server and Application Infrastructure Not Shared

Description: IT services run in their own virtual environments, so that a vulnerability in one service cannot give access to other services. This includes no multiple websites on the same webserver unless they...

Service Hardening

Description: Services run under their own account with the minimal necessary privileges. Only necessary services run on production servers, and they are only reachable on the necessary interfaces, enforced with host-based firewalls. All...
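A practical way to check the first part of this requirement on a Linux host is to audit the systemd unit of each service: does it name a dedicated account, forbid privilege escalation, and give the process a read-only view of the OS? The script below is an added example, not part of this baseline or of any particular product; the two unit texts are constructed, and the set of directives it checks (User=, NoNewPrivileges=, ProtectSystem=, PrivateTmp=, CapabilityBoundingSet=, plus an Exec* line that binds to all interfaces) is this example's choice of a minimum, not a list the baseline prescribes.

```python
"""Audit a systemd service unit for the hardening items above: a dedicated
low-privilege account, no privilege escalation, an OS the service cannot
write to, and a listener that is not exposed on every interface.
Added example; the unit files are constructed, not taken from a real host."""

from typing import Dict, List, Tuple

# Constructed unhardened unit: runs as root, no sandboxing, listens everywhere.
WEAK_UNIT = """\
[Unit]
Description=Example API (constructed, unhardened)

[Service]
ExecStart=/opt/api/bin/server --listen 0.0.0.0:8080
Restart=on-failure
"""

# Constructed hardened unit: own account, sandboxed, bound to loopback only.
HARDENED_UNIT = """\
[Unit]
Description=Example API (constructed, hardened)

[Service]
ExecStart=/opt/api/bin/server --listen 127.0.0.1:8080
User=api
Group=api
NoNewPrivileges=yes
ProtectSystem=strict
ProtectHome=yes
PrivateTmp=yes
CapabilityBoundingSet=
Restart=on-failure
"""

TRUE_VALUES = ("yes", "true", "on", "1")


def parse_unit(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Minimal unit-file parser. Keys may repeat in a unit (several Exec* lines),
    so each section keeps an ordered list of (key, value) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        key, _, value = line.partition("=")
        sections.setdefault(current, []).append((key.strip(), value.strip()))
    return sections


def audit_unit(text: str) -> List[str]:
    """Return a list of findings; an empty list means the unit passes this audit."""
    pairs = parse_unit(text).get("Service", [])
    service = dict(pairs)  # for single-valued keys the last value wins, as in systemd
    findings: List[str] = []

    if service.get("User", "root") == "root":  # no User= means the service runs as root
        findings.append("runs as root: set User= to a dedicated account")
    if service.get("NoNewPrivileges", "no").lower() not in TRUE_VALUES:
        findings.append("NoNewPrivileges= not set: setuid helpers could regain privileges")
    if service.get("ProtectSystem", "no").lower() not in ("strict", "full"):
        findings.append("ProtectSystem= not strict/full: service can write to /usr and /etc")
    if service.get("PrivateTmp", "no").lower() not in TRUE_VALUES:
        findings.append("PrivateTmp= not set: /tmp is shared with other services")
    if "CapabilityBoundingSet" not in service:
        findings.append("CapabilityBoundingSet= not set: process keeps every capability")
    for key, value in pairs:
        if key.startswith("Exec") and ("0.0.0.0" in value or "[::]" in value):
            findings.append(f"{key} binds to all interfaces: bind to the needed one or firewall it")
    return findings


if __name__ == "__main__":
    for name, unit in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_unit(unit) or ["ok"])
```

The interface check only catches a wildcard bind written on the command line; for services that read their listen address from a configuration file, the same question has to be answered from that file or from the running socket table, and the host-based firewall rule for the remaining interfaces is a separate control the audit does not cover.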

Default Passwords changed

Description: Default passwords on any piece of hardware or software are changed before deployment.
Specification: Universal and/or default passwords must not be used. For existing systems that have built-in default...

Unintended Information Disclosure

Description: Applications and services are configured to not display information that is unnecessary. Functionality is designed and configured to prevent enumeration of information.
Specification: Information that should not be enumerable...
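The most common enumeration leak in practice is a login form whose error message, or response time, differs between "this account does not exist" and "wrong password". The following is an added example, not code from this baseline: a leaky handler next to a uniform one that returns the same message for both cases and runs the same password-hash computation against a dummy record so the timing does not differ either. The user table, passwords and PBKDF2 parameters are constructed for the example.

```python
"""Account enumeration through a login endpoint: a leaky handler beside a
uniform one. Added example; the user store and secrets are constructed."""

import hashlib
import hmac
import os
from typing import Dict

ITERATIONS = 100_000  # constructed parameter; pick per your password-hashing policy


def make_record(password: str) -> Dict[str, bytes]:
    """Salted PBKDF2-HMAC-SHA256 record, as a stand-in for a real credential store."""
    salt = os.urandom(16)
    return {"salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)}


# Constructed user store: one real account.
USERS = {"alice": make_record("correct horse battery staple")}

# Dummy record with a random secret: verifying against it costs the same as a real
# verification, so unknown usernames are not faster to reject than known ones.
DUMMY = make_record(os.urandom(16).hex())


def verify(record: Dict[str, bytes], password: str) -> bool:
    """Constant-time comparison of the candidate hash against the stored one."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(candidate, record["hash"])


def login_leaky(username: str, password: str) -> str:
    """Enumerable: the message and the early return reveal whether the account exists."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username"        # no hashing done, fast path: account absent
    if not verify(record, password):
        return "Incorrect password"      # slow path: account present
    return "OK"


def login_uniform(username: str, password: str) -> str:
    """Not enumerable: same message, and the same hashing work, whether or not
    the account exists. The dummy verification result is discarded."""
    record = USERS.get(username)
    password_ok = verify(record if record is not None else DUMMY, password)
    if record is None or not password_ok:
        return "Invalid username or password"
    return "OK"


if __name__ == "__main__":
    for handler in (login_leaky, login_uniform):
        print(handler.__name__,
              handler("nobody", "guess"),
              "|", handler("alice", "guess"),
              "|", handler("alice", "correct horse battery staple"))
```

The same rule applies to registration ("this email is already taken"), password reset ("we sent a link" versus "no such account") and any endpoint whose status code, redirect target or response length depends on whether an identifier exists; a quick check is to request one known-good and one known-absent identifier and diff the full responses, including headers and timing.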