
Trust & Compliance Center

Welcome to the NormNest Trust & Compliance Center. This portal provides transparency into our security, privacy, and compliance practices.


Certifications

Completed Certifications

ISO27001:2022

Valid until May 15, 2027

Supporting Documents

ISO/IEC 27001:2022 certificate (document)

ISO 27001 badge (document)

ISO/IEC 27001:2022 is an international standard for information security. It specifies requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). Its goal is to help organizations protect their information systematically against risks such as data breaches, cyberattacks or unauthorized access.

The 2022 version is an updated edition that places more emphasis on risk management, leadership and continual improvement, and is better aligned with modern threats and technologies.

KMO-Portefeuille (recognized service provider)

Valid until Mar 26, 2030

DV.A251375

The KMO-Portefeuille is a subsidy measure of the Flemish government that financially supports small and medium-sized enterprises (SMEs) in following training and obtaining advice. Organizations recognized as service providers for the KMO-Portefeuille meet specific quality and administrative requirements and may offer services to Flemish enterprises through the platform.

This recognition gives clients not only financial benefits but also confidence in the expertise and reliability of the service provider.

Data Protection Officer

Within our organization, several employees hold a recognized DPO certification. They combine their thorough knowledge of privacy legislation with years of experience in both the private and public sectors. Thanks to this multidisciplinary team, we can offer our clients a reliable and continuously available DPO service, tailored to the specific needs of each organization.

The Data Protection Officer (DPO) certification confirms our in-depth knowledge of the General Data Protection Regulation (AVG/GDPR) and our competence in supporting organizations in safeguarding privacy and data protection standards. This certification underlines our expertise in advising on privacy policy, assessing data processing activities, managing data breaches, and acting as a reliable point of contact for supervisory authorities.

Our certified DPOs combine solid legal knowledge with extensive practical experience across various sectors, both private and public. This allows us to offer a complete, continuously available DPO service that fits the unique privacy needs and compliance challenges of each organization. This expertise strengthens the trust of clients and employees and helps organizations meet their legal obligations effectively.

ISO/IEC 27001 Lead Auditor

Holding the ISO/IEC 27001 Lead Auditor certificate confirms our thorough knowledge of information security standards and our competence to carry out formal audits of an Information Security Management System (ISMS). This certification reflects our expertise in assessing risks, compliance, and the effectiveness of security measures within organizations. As a result, we can support both internal evaluations and preparations for external certification, across a wide range of sectors where information security is of crucial importance.

NIS 2 Directive: Senior Lead Implementor

The NIS 2 Directive: Senior Lead Implementor certificate confirms our in-depth knowledge of the requirements and responsibilities arising from the NIS2 Directive, which is aimed at securing network and information systems within essential and important entities. This certification endorses our expertise in establishing, implementing and optimizing controls in the areas of cybersecurity, risk management, governance and incident response. It enables us to guide organizations in complying with their NIS2 obligations and in building a resilient and compliant digital infrastructure.

Compliance

GDPR

Do you have questions about how we handle your personal data? Would you like to request information, have data corrected or deleted, or exercise your rights as provided for in the applicable legislation (such as the GDPR)?

Feel free to contact us at dpo@cloudcom.eu. We will gladly assist you in line with what the standards and legislation prescribe.
We take all necessary steps to comply correctly with these regulations and to protect your data as well as possible.

The GDPR (General Data Protection Regulation) is European legislation that regulates the privacy and protection of the personal data of citizens within the EU. It has been in force since May 2018 and obliges organizations to handle personal data carefully, to be transparent about its use, and to take appropriate security measures. The GDPR gives individuals more control over their data and imposes strict obligations on companies, with high fines for non-compliance.

Law: Regulation - 2016/679 - EN - GDPR - EUR-Lex - https://eur-lex.europa.eu/legal-content/NL/TXT/?uri=CELEX%3A32016R0679

Information: https://www.gegevensbeschermingsautoriteit.be/professioneel/eerstehulp-avg/toolbox

ISO/IEC 27001

We are certified according to ISO/IEC 27001, the international standard for information security management. This means we have implemented robust measures to safeguard the confidentiality, integrity and availability of data. In this way we guarantee a systematic approach to information security risks.

International standard for information security. It demonstrates that, as an organization, you manage risks and protect your data adequately.

NIS2 (EU)

We comply with the European Union's NIS2 Directive, which sets requirements for the security of network and information systems within essential and important organizations. This underlines our commitment to a secure and resilient digital infrastructure, aligned with European cybersecurity regulation.

European directive that imposes stricter cybersecurity requirements, especially on essential and important sectors. Important for many companies from 2024 onwards.

Cyber Fundamentals (CyFun)

As part of our cybersecurity approach, we follow the Cyber Fundamentals (CyFun) guidelines of the CCB, a framework that defines practical security measures for companies in Belgium. This approach helps us lay a solid foundation for continual improvement and protection against cyber threats.

Flemish/national framework that helps companies bring their cyber resilience to a basic level. It focuses on identify, protect, detect, respond and recover.

Cybersecurity Framework

Our cybersecurity approach is based on the NIST Cybersecurity Framework, which organizes cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, and Recover.

IDENTIFY

BASIC_ID.AM-1.1: An inventory of assets associated with information and information processing facilities within the organization shall be documented, reviewed, and updated when changes occur.

Our organization maintains a comprehensive inventory of all information and information processing assets through our internal platform, my.cloudcom. This platform enables us to document, review, and update asset records efficiently, including fixed and portable computers, mobile devices, network infrastructure, and other connected or standalone components.

The inventory is continuously maintained and updated when changes occur, supported by appropriate approval flows to ensure traceability and accountability. my.cloudcom supports the management of both networked and non-networked assets and functions as a centralized IT asset management tool aligned with best practices and compliance requirements.

IMPORTANT_ID.AM-1.2: The inventory of assets associated with information and information processing facilities shall reflect changes in the organization’s context and include all information necessary for effective accountability.

The organization uses my.cloudcom as its central platform for asset inventory management. This tool is used to maintain an up-to-date list of all information-processing assets, including:

  • Workstations (laptops/desktops)
  • Mobile devices
  • Servers (physical and virtual)
  • Network equipment (firewalls, routers, switches)
  • Peripheral devices (printers, external drives)
  • Where applicable, links to code repositories and databases

The my.cloudcom platform provides visibility into asset ownership, location, hardware details, and assigned users. Asset entries are reviewed and updated regularly by the IT team, and any changes (e.g., reassignment, disposal) are logged through defined internal procedures. Periodic reviews ensure data accuracy, and the platform supports risk assessments, access control planning, and incident response readiness.

BASIC_ID.AM-2.1: An inventory that reflects what software platforms and applications are being used in the organization shall be documented, reviewed, and updated when changes occur.

Our organization maintains an up-to-date inventory of all software platforms and applications in use, including internally hosted solutions and outsourced services (e.g., SaaS), through our platform my.cloudcom. This platform ensures that every entry—whether software program, platform, or database—is properly documented with key attributes such as name, description, version, number of users, and the type of data processed.

Changes to the software inventory are managed through an appropriate approval flow within my.cloudcom, ensuring updates are authorized and traceable.

IMPORTANT_ID.AM-2.3: Individuals who are responsible and who are accountable for administering software platforms and applications within the organization shall be identified.

The organization maintains an internal list of key data systems along with their designated team-level owners. Each system is assigned to a responsible team that oversees its maintenance, access management, and documentation. 

The purpose of this listing is to ensure accountability, support access reviews, and enable appropriate security measures to be implemented across systems handling business or personal data. 
For each system, the following details are tracked or being formalized in Cyberday:

  • The system’s purpose and primary function 
  • Responsible team for management and documentation 
  • Whether the system contains personal or sensitive data 
  • (Linked in other tasks) access roles, data location, authentication methods, and system integrations 

Examples of systems included in this listing: 

  • Microsoft 365 (Collaboration and productivity) 
  • Entra ID (Identity management – contains personal data) 
  • Jira (Internal project and ticket management) 
  • Confluence (Documentation and knowledge sharing) 
  • MyCloudCom (Asset tracking – contains internal and client data) 
  • Atera (Client-facing ticketing – contains client data) 

The listing is currently being formalized in Cyberday based on existing operational knowledge and responsibilities held by the NOC, Projects, Security, and Management teams.

IMPORTANT_ID.AM-2.4: When unauthorized software is detected, it shall be quarantined for possible exception handling, removed, or replaced, and the inventory shall be updated accordingly.

The organization proactively detects and blocks unauthorized or unapproved software using a combination of endpoint protection and application control technologies. These mechanisms help prevent malware, reduce the attack surface, and maintain system integrity across all devices. 

Application Whitelisting and Blocking 
  • The organization uses Heimdal Application Control to enforce a default-deny policy for software execution on endpoints. 
  • Only pre-approved software is allowed to run. 
  • Any execution attempt of unknown or unauthorized applications is automatically blocked and logged. 
  • Application control policies are maintained and reviewed by the Security Team in alignment with business requirements and risk assessments. 

Real-Time Monitoring and Detection
  • SentinelOne provides real-time detection of unknown or potentially unwanted applications (PUAs), even if not explicitly blacklisted. 
  • It flags suspicious executables, scripts, and anomalous behavior. 
  • It can automatically quarantine or kill unauthorized processes and isolate affected devices. 
  • Detected applications or behavior are reviewed by the Security Team through the SentinelOne console. 

Use of Intrusion Detection Functionality
  • The organization does not currently operate a traditional network-based Intrusion Detection System (IDS).
  • However, equivalent functionality is provided at the endpoint level through:
      • Heimdal and SentinelOne behavioral analysis
      • DNS filtering to prevent unauthorized communications
      • Alerting mechanisms for known malicious or unauthorized software behavior

Future IDS or NDR (Network Detection and Response) capabilities may be evaluated as part of the organization’s maturing security roadmap.

BASIC_ID.AM-3.1: Information that the organization stores and uses shall be identified.

Our organization identifies and categorizes all types of information it stores and uses, and this information is documented and maintained within our Information Security Management System (ISMS), which supports our ISO/IEC 27001:2022 implementation.

The ISMS contains a structured list of information types relevant to our business operations, including but not limited to:

  • Customer and supplier data (e.g., names, email addresses, contracts)

  • Financial information (e.g., invoices, banking details)

  • Internal documentation (e.g., procedures, reports)

  • Technical data (e.g., source code, configuration files, system logs)

  • Regulatory and compliance records

  • Proprietary business information and intellectual property

This inventory of information is regularly reviewed and updated as part of our ISMS processes. Furthermore, we map each type of information to associated physical assets, systems, software platforms, and applications—as outlined in our hardware and software inventories (referencing ID.AM-1 and ID.AM-2)—to ensure a clear understanding of where information resides and how it is processed, transmitted, or stored.

IMPORTANT_ID.AM-3.2: All connections within the organization's ICT/OT environment, and to other organization-internal platforms shall be mapped, documented, approved, and updated as appropriate.

List of data sets: The organization has maintained a comprehensive list of data sets contained in the data stores it manages. This documentation helps in managing and securing the data efficiently. 
Data systems used: The documentation includes information on the data systems and other means used to process the data sets. This ensures a clear understanding of where and how the data is being handled and stored. 
Data retention period: While detailed data retention periods are discussed in a separate task, the documentation includes a reference to the retention period relevant to each data set. This helps in managing data lifecycle and compliance with legal and organizational policies. 
Periodic review and updates: The organization has established procedures for the periodic review and updating of the data set list. This ensures that the information remains current and reflective of any changes in data management practices.

IMPORTANT_ID.AM-4.1: The organization shall map, document, authorize and when changes occur, update, all external services and the connections made with them.

Documentation of interfaces and connections: The organization has maintained detailed documentation of the interfaces and connections between different data systems. This documentation includes information on the data transmission methods used in each interface. 
Regular review of interface documentation: The organization has regularly reviewed the interface documentation to ensure that it remains current and accurate. This review process has been conducted on a scheduled basis to preempt potential discrepancies. 
Stakeholder involvement in reviews: The organization has involved key stakeholders in the review process of the interface documentation. This collaboration ensures that all relevant parties are aware of and agree on the changes made, promoting comprehensive understanding and accountability.

BASIC_ID.AM-5.1: The organization’s resources (hardware, devices, data, time, personnel, information, and software) shall be prioritized based on their classification, criticality, and business value.

Our organization has conducted a comprehensive risk assessment as part of our ISMS aligned with ISO/IEC 27001:2022, which includes an evaluation of the criticality, classification, and business value of all organizational resources—such as hardware, devices, data, time, personnel, information, and software.

Through this process, we analyze potential impacts on confidentiality, integrity, and availability for each resource by asking:

  • What would happen if the resource were made public, damaged, or lost?

  • What would be the consequences if the resource’s integrity were compromised?

  • What would the impact be if the resource became unavailable to us or our customers?

Based on this analysis, all resources are prioritized and classified according to their business impact, and appropriate controls and safeguards are implemented in line with their level of criticality. This classification supports our decision-making regarding access control, backup strategy, incident response, and continuity planning.

IMPORTANT_ID.AM-6.1: Information security and cybersecurity roles, responsibilities and authorities within the organization shall be documented, reviewed, authorized, and updated, and aligned with organization-internal roles and external partners.

The most important roles and responsibilities for the organization's information security work are defined directly in the management system.

The theme owner is responsible for processing and implementing all content under that cyber security theme. The theme owner is displayed on the dashboard of the management system.

The task owner is responsible for ensuring that the related task is completed. An individual owner must be assigned to each task in the management system.

The document owner is responsible for completing and maintaining documentation related to the item. Certain guidelines can also be implemented for owners based on this role.

An employee linked to a guideline must read and accept the security guideline directed at him or her and commit to complying with the guideline in his or her own work.

Top management oversees the implementation of the management system and ensures that it achieves the objectives set for it.

IMPORTANT_ID.BE-1.1: The organization’s role in the supply chain shall be identified, documented, and communicated.

Establishment of minimum security requirements: The organization has set minimum security requirements for partner companies that handle confidential information, ensuring that the privacy and integrity of sensitive data are upheld. 
Inclusion of security requirements in supplier agreements: These security requirements have been incorporated into supplier agreements, creating a formal, contractual obligation for partners to adhere to predetermined security standards. 
Requirement differentiation based on criticality: The organization has differentiated security requirements based on the criticality of the information handled by the partner, ensuring that high-risk data receives correspondingly heightened protection. 
Alignment with internal rules and practices: The required security practices and rules for partners have been aligned with those followed within the organization, maintaining consistency in data protection across the board.
Division into low, medium and high-risk suppliers: Taking into account the varying levels of risk associated with different suppliers, the organization has divided suppliers into low, medium and high-risk categories, with corresponding levels of security requirements.

IMPORTANT_ID.BE-5.1: To support cyber resilience and secure the delivery of critical services, the necessary requirements are identified, documented and their implementation tested and approved.

The organization has established clear security arrangements for the deployment and operation of critical network services and equipment. These include network connections, routers, firewalls (e.g., pfSense), and wireless infrastructure (e.g., UniFi). 
Key security arrangements include: 
  • Use of security technologies: All critical services utilize technologies such as strong authentication (admin access control), encrypted communications (e.g., HTTPS, VPN), and firewall protection. 
  • Defined technical parameters: Network devices are configured with strict access rules, port restrictions, and default service deactivation to minimize exposure. 
  • Service-level requirements: Critical equipment is monitored and maintained by the Network Operations Center (NOC), with regular updates and configuration backups in place. 
  • Access and usage criteria: Only authorized personnel have access to manage or configure network equipment. Usage is restricted through VLANs, network segmentation, and role-based access. 
  • Lifecycle management: Any implementation or update of network equipment includes security requirement verification before deployment. 
These arrangements ensure that security is integrated into all stages of planning, deploying, and operating critical network services.

BASIC_ID.GV-1.1: Policies and procedures for information security and cyber security shall be created, documented, reviewed, approved, and updated when changes occur.

Our organization has a comprehensive set of documented policies and procedures in place for information security and cybersecurity, developed in accordance with the ISO/IEC 27001:2022 standard.

These documents clearly define acceptable practices, responsibilities, and expectations regarding the protection of our information assets and systems. They are used to guide daily operations, support investigations in case of security incidents, and ensure a shared understanding across the organization.

As part of our onboarding process for new employees and consultants, we include a dedicated information security onboarding procedure, ensuring all individuals are aware of their responsibilities and our security policies from day one.

All policies and procedures are:

  • Reviewed and approved by management,

  • Updated promptly following organizational or technological changes, and

  • Formally reviewed at least annually as part of our ISMS lifecycle.

Policy updates are communicated clearly to all staff to ensure continued awareness and compliance.

IMPORTANT_ID.GV-1.2: An organization-wide information security and cybersecurity policy shall be established, documented, updated when changes occur, disseminated, and approved by senior management.

Creation of information security policy: The organization's top management has developed and approved an information security policy that acts as a guiding document for its security stance and actions. 
Basis for security objectives: The information security policy provides the foundation for setting the organization's security objectives. This includes a detailed understanding of the organization's risk appetite and regulatory requirements that guide the security objective formulation. 
Commitment to security requirements: The policy shows the organization's commitment to meet all information security requirements. This is achieved by clearly stating adherence to applicable laws, regulations, and industry best practices. 
Continuous improvement commitment: The information security policy reflects the organization's commitment to the continuous improvement of the information security management system. This is communicated through ongoing training, routine audits, and adaptive risk management. 
Policy relevance and appropriateness: The task owner has ensured that the information security policy aligns with the organization's business idea, making it fit for purpose and relevant. 
Organization-wide policy communication: The task owner has executed a comprehensive communication plan, ensuring that the policy is communicated throughout the entire organization. 
Stakeholder policy availability: The organization has ensured that the information security policy is available to stakeholders as required, complying with transparency requisites and fostering trust between the organization and its stakeholders.

BASIC_ID.GV-3.1: Legal and regulatory requirements regarding information/cybersecurity, including privacy obligations, shall be understood and implemented.

Our organization identifies, understands, and implements all relevant legal and regulatory requirements related to information security, cybersecurity, and privacy, in particular those arising from the General Data Protection Regulation (GDPR).

As part of our ISO/IEC 27001:2022-aligned ISMS, we maintain a register of applicable legal and regulatory requirements, which is reviewed regularly to ensure continued compliance. This includes data protection obligations, incident reporting duties, data subject rights, and requirements related to the processing, storage, and transfer of personal data.

Our internal policies, procedures, and technical controls are designed to ensure that privacy and data protection principles—such as data minimization, purpose limitation, integrity, confidentiality, and accountability—are consistently applied across all business operations.

All employees and relevant contractors are made aware of these obligations during onboarding and through ongoing training initiatives.

IMPORTANT_ID.GV-3.2: Legal and regulatory requirements regarding information/cybersecurity, including privacy obligations, shall be managed.

Other requirements that affect the organization's security, including at least legislation and customer requirements, are documented directly in the organization's information security management system.
The task owner ensures that each requirement has an owner and that a review interval is set, according to which owners must review changes to the requirements.
The task owner regularly reviews the listing to ensure it is accurate, up-to-date, and consistent.

BASIC_ID.GV-4.1: As part of the company's overall risk management, a comprehensive strategy to manage information security and cybersecurity risks shall be developed and updated when changes occur.

As part of our ISO/IEC 27001:2022 implementation, our organization has developed a comprehensive strategy for managing information security and cybersecurity risks as an integral component of our overall risk management framework.

This strategy includes:

  • The identification of information security objectives aligned with our business goals,

  • The assessment and treatment of risks to business-critical assets,

  • The allocation of appropriate resources (personnel, technology, budget) to implement and maintain security controls, and

  • A continuous improvement cycle that ensures the strategy is updated when changes occur in our organization or threat landscape.

Our approach ensures that information and cybersecurity risks are managed proactively and in a structured manner, with clear responsibilities and measurable targets.

IMPORTANT_ID.GV-4.2: Information security and cybersecurity risks shall be documented, formally approved, and updated when changes occur.

Risk assessment documentation: The organization has proactively developed and maintained comprehensive documentation to list and assess the likelihood and severity of various cyber security risks. 
Description of the risk: The documentation includes detailed descriptions of each identified cyber security risk. 
Evaluated impact and likelihood: The organization evaluates and documents both the potential impact and the likelihood of each cyber security risk occurring. 
Risk management tasks and treatment options: The organization outlines specific tasks for managing each risk, as well as other potential treatment options to mitigate or address the risks. 
Acceptability of the risk: The documentation includes an assessment of the acceptability of each risk, determining whether the risk level is within acceptable thresholds or requires further action. 
Risk prioritization: The organization has prioritized the identified risks based on their assessed impact and likelihood. 
Review and update: The organization regularly reviews and updates the risk assessment documentation to reflect changes in the threat landscape and organizational context. 
Stakeholder involvement: The organization involves relevant stakeholders in the risk assessment process to ensure comprehensive coverage and shared understanding of risks. 
Ongoing monitoring: The organization commits to ongoing monitoring of cyber security risks to identify new risks and reassess existing risks continuously. 
Decision-making support: The documented risk assessments support informed decision-making within the organization regarding resource allocation and security measures.

BASIC_ID.RA-1.1: Threats and vulnerabilities shall be identified.

Our organization identifies threats and vulnerabilities as part of the security objectives and risk assessment process defined in our ISO/IEC 27001:2022-compliant ISMS.

During regular risk assessments, we evaluate:

  • Vulnerabilities in hardware, software, procedures, and human factors that could expose our assets,

  • Threats that could exploit these vulnerabilities, including both internal and external sources, and

  • The associated risks, based on the likelihood and potential impact of such threats materializing.

This structured process enables us to maintain a clear understanding of our threat landscape and prioritize the implementation of appropriate risk treatment measures to reduce or mitigate risks to acceptable levels.

Identified threats and vulnerabilities are documented, reviewed periodically, and updated in response to changes in technology, operations, or the external environment.

IMPORTANT_ID.RA-1.2: A process shall be established to monitor, identify, and document vulnerabilities of the organisation's business critical systems in a continuous manner.

We identify, assess, and remediate vulnerabilities on endpoints, servers, and network infrastructure using automated tools and structured processes.
Implementation
  • Endpoint vulnerabilities are detected via SentinelOne.
  • Server and infrastructure vulnerabilities are detected via ManageEngine Vulnerability Manager Plus (VAS).
  • High and critical vulnerabilities are prioritized based on CVSS score, exploitability, and asset criticality.
  • Vulnerabilities are tracked and managed in Jira from detection to closure.
  • Patch management is coordinated between the Security Team and the Infrastructure Team.
Monitoring and Review
  • SentinelOne alerts are reviewed daily for critical vulnerabilities.
  • VAS vulnerability scans are reviewed weekly.
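The prioritization rule described above, expressed as a small triage function. This is an added example, not NormNest's own code or tooling: the asset-criticality scale, the scoring weights, the daily/weekly cadence mapping and the sample findings are assumptions constructed for illustration.

```python
"""Triage of scanner findings by CVSS score, exploitability and asset criticality.

Added example (not the organization's own code). High and critical findings are
kept, ordered by an assumed priority score, and tagged with the review cadence
the page describes (SentinelOne endpoint findings daily, VAS scan findings weekly).
"""
from dataclasses import dataclass
from typing import Optional

# Assumed ordinal scale for asset criticality (not taken from the page).
ASSET_CRITICALITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Assumed mapping of detection source to review cadence.
REVIEW_CADENCE = {"sentinelone": "daily", "vas": "weekly"}


@dataclass
class Finding:
    finding_id: str
    source: str               # "SentinelOne" (endpoint) or "VAS" (server/infra)
    asset: str
    asset_criticality: str    # key of ASSET_CRITICALITY
    cvss: Optional[float]     # None when the scanner supplied no score
    exploit_available: bool   # public exploit or known-exploited status


def severity(cvss: Optional[float]) -> str:
    """CVSS v3 qualitative rating; a missing score is reported as 'unscored'."""
    if cvss is None:
        return "unscored"
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    if cvss > 0.0:
        return "low"
    return "none"


def priority_score(f: Finding) -> float:
    """Higher means more urgent. Weights are assumptions: CVSS scaled by asset
    criticality, with a 1.5x uplift when an exploit is available."""
    crit = ASSET_CRITICALITY.get(f.asset_criticality.lower(), 1)
    base = f.cvss if f.cvss is not None else 0.0
    return base * crit * (1.5 if f.exploit_available else 1.0)


def review_cadence(source: str) -> str:
    return REVIEW_CADENCE.get(source.lower(), "unmapped")


def triage(findings):
    """Return the high/critical queue, most urgent first.

    Unscored findings are kept and flagged rather than silently dropped, so a
    scanner that fails to rate a finding cannot hide it from the review.
    """
    queue = []
    for f in findings:
        sev = severity(f.cvss)
        if sev in ("high", "critical", "unscored"):
            queue.append({
                "id": f.finding_id,
                "asset": f.asset,
                "severity": sev,
                "score": round(priority_score(f), 1),
                "cadence": review_cadence(f.source),
                "needs_manual_scoring": sev == "unscored",
            })
    # Stable ordering: descending score, then id for deterministic ties.
    queue.sort(key=lambda r: (-r["score"], r["id"]))
    return queue


# Constructed sample findings (not real scan output).
SAMPLE = [
    Finding("F-1", "SentinelOne", "laptop-42", "medium", 7.5, False),
    Finding("F-2", "VAS", "db-prod-01", "critical", 9.8, True),
    Finding("F-3", "VAS", "web-prod-02", "high", 8.0, True),
    Finding("F-4", "SentinelOne", "laptop-17", "low", 5.3, True),   # medium: outside the queue
    Finding("F-5", "VAS", "dc-01", "critical", None, False),         # scanner gave no score
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```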

IMPORTANT_ID.RA-2.1: A threat and vulnerability awareness program that includes a cross-organization information-sharing capability shall be implemented.

Conducting threat intelligence: The organization actively carries out threat intelligence by collecting information about potential information security threats related to its operations and identifying protection methods. The aim is to enhance awareness of the threat landscape, allowing for better evaluation of its security level and implementation of adequate control measures. 
Multifaceted approach to threat intelligence: When accumulating threat intelligence, the organization takes into account all three levels: strategic threat intelligence (such as information on emerging types of attackers and attacks), tactical threat intelligence (such as information about tools and technologies used in attacks), and operational threat intelligence (details of specific attacks).
Identification and selection of information sources: The organization identifies, verifies, and selects trusted information sources for its threat intelligence activities. The chosen sources further enrich its threat intelligence database, enhancing the reliability and scope of collected information. 
Gathering and processing threat intelligence: The organization systematically gathers threat intelligence and processes it for analysis. This includes translation, formatting, and compression of data to enable efficient and comprehensive threat analysis.

BASIC_ID.RA-5.1: The organization shall conduct risk assessments in which risk is determined by threats, vulnerabilities and impact on business processes and assets.

Our organization conducts formal risk assessments in accordance with our ISO/IEC 27001:2022-aligned ISMS, where risk is determined based on the relationship between threats, vulnerabilities, and their potential impact on business processes and assets.

We systematically:

  • Identify threats that could exploit known or potential vulnerabilities,

  • Assess the potential impact of these risks on the confidentiality, integrity, and availability (CIA) of our information assets,

  • Evaluate how these risks could affect critical business processes, and

  • Document, review, and update risk scenarios as part of our regular risk management cycle or when significant changes occur.

The results of these assessments guide our risk treatment planning and ensure that appropriate safeguards are in place to protect our organization’s operations and assets.

IMPORTANT_ID.RA-5.2: The organization shall conduct and document risk assessments in which risk is determined by threats, vulnerabilities, impact on business processes and assets, and the likelihood of their occurrence.

Risk assessment documentation: The organization has proactively developed and maintained comprehensive documentation to list and assess the likelihood and severity of various cyber security risks.  
Description of the risk: The documentation includes detailed descriptions of each identified cyber security risk.  
Evaluated impact and likelihood: The organization evaluates and documents both the potential impact and the likelihood of each cyber security risk occurring.  
Risk management tasks and treatment options: The organization outlines specific tasks for managing each risk, as well as other potential treatment options to mitigate or address the risks.  
Acceptability of the risk: The documentation includes an assessment of the acceptability of each risk, determining whether the risk level is within acceptable thresholds or requires further action.  
Risk prioritization: The organization has prioritized the identified risks based on their assessed impact and likelihood.  
Review and update: The organization regularly reviews and updates the risk assessment documentation to reflect changes in the threat landscape and organizational context.  
Stakeholder involvement: The organization involves relevant stakeholders in the risk assessment process to ensure comprehensive coverage and shared understanding of risks.  
Ongoing monitoring: The organization commits to ongoing monitoring of cyber security risks to identify new risks and reassess existing risks continuously.  
Decision-making support: The documented risk assessments support informed decision-making within the organization regarding resource allocation and security measures. 
Risk assessment and treatment procedures: The organization has defined comprehensive procedures for assessing and treating cyber security risks. 
Risk identification methods: The organization has established systematic methods for identifying potential cyber security risks. This may include techniques such as threat modeling, vulnerability assessments, and incident analysis. 
Methods for risk analysis: The organization has implemented methods for analyzing identified risks, which might include qualitative and quantitative analysis techniques to understand the potential impact and likelihood of each risk. 
Criteria for risk evaluation: The organization has defined specific criteria for evaluating risks based on their impact and likelihood. This helps in categorizing the severity of risks and determining the appropriate response. 
Risk prioritization, treatment options, and defining control tasks: The organization prioritizes risks according to their evaluated impact and likelihood. It then outlines various treatment options and defines specific control tasks to manage or mitigate these risks. 
Risk acceptance criteria: The organization has set clear criteria for determining which risks are acceptable and can be tolerated, and which require additional controls or mitigation measures. 
Process implementation cycle, resourcing, and responsibilities: The organization has articulated the full cycle of the risk management process, including the allocation of resources and definition of responsibilities. This ensures that all aspects of risk management are appropriately addressed.

IMPORTANT_ID.RA-6.1: A comprehensive strategy shall be developed and implemented to manage risks to the organization’s critical systems, that includes the identification and prioritization of risk responses.

Risk assessment documentation: The organization has proactively developed and maintained comprehensive documentation to list and assess the likelihood and severity of various cyber security risks.  
Description of the risk: The documentation includes detailed descriptions of each identified cyber security risk.  
Evaluated impact and likelihood: The organization evaluates and documents both the potential impact and the likelihood of each cyber security risk occurring.  
Risk management tasks and treatment options: The organization outlines specific tasks for managing each risk, as well as other potential treatment options to mitigate or address the risks.  
Acceptability of the risk: The documentation includes an assessment of the acceptability of each risk, determining whether the risk level is within acceptable thresholds or requires further action.  
Risk prioritization: The organization has prioritized the identified risks based on their assessed impact and likelihood.  
Review and update: The organization regularly reviews and updates the risk assessment documentation to reflect changes in the threat landscape and organizational context.  
Stakeholder involvement: The organization involves relevant stakeholders in the risk assessment process to ensure comprehensive coverage and shared understanding of risks.  
Ongoing monitoring: The organization commits to ongoing monitoring of cyber security risks to identify new risks and reassess existing risks continuously.  
Decision-making support: The documented risk assessments support informed decision-making within the organization regarding resource allocation and security measures. 
Risk assessment and treatment procedures: The organization has defined comprehensive procedures for assessing and treating cyber security risks. 
Risk identification methods: The organization has established systematic methods for identifying potential cyber security risks. This may include techniques such as threat modeling, vulnerability assessments, and incident analysis. 
Methods for risk analysis: The organization has implemented methods for analyzing identified risks, which might include qualitative and quantitative analysis techniques to understand the potential impact and likelihood of each risk. 
Criteria for risk evaluation: The organization has defined specific criteria for evaluating risks based on their impact and likelihood. This helps in categorizing the severity of risks and determining the appropriate response. 
Risk prioritization, treatment options, and defining control tasks: The organization prioritizes risks according to their evaluated impact and likelihood. It then outlines various treatment options and defines specific control tasks to manage or mitigate these risks. 
Risk acceptance criteria: The organization has set clear criteria for determining which risks are acceptable and can be tolerated, and which require additional controls or mitigation measures. 
Process implementation cycle, resourcing, and responsibilities: The organization has articulated the full cycle of the risk management process, including the allocation of resources and definition of responsibilities. This ensures that all aspects of risk management are appropriately addressed.

IMPORTANT_ID.RM-2.1: The organization shall clearly determine its risk appetite.

Acceptable risk level determination: The organization has defined procedures to determine an acceptable level for risks, calculated based on the likelihood, impact, and control of those risks. 
Likelihood assessment: The organization has assessed the likelihood of each identified risk occurring. This involves evaluating conditions and factors that could contribute to the realization of the risk. 
Impact assessment: The organization has evaluated the potential impact of each risk on the organization’s operations, assets, reputation, and other critical areas. 
Control assessment: The organization has analyzed the effectiveness of existing or planned controls to mitigate or manage the identified risks. 
Risk matrix: The organization has utilized a risk matrix or similar tool to visualize and categorize risks, facilitating the comparison of different risks and their respective levels. 
Review and approval: The risk levels and acceptability thresholds have been reviewed and approved by relevant stakeholders, including management and the board, to ensure alignment with organizational objectives.

IMPORTANT_ID.RM-3.1: The organization’s role in critical infrastructure and its sector shall determine the organization’s risk appetite.

Risk assessment documentation: The organization has proactively developed and maintained comprehensive documentation to list and assess the likelihood and severity of various cyber security risks.  
Description of the risk: The documentation includes detailed descriptions of each identified cyber security risk.  
Evaluated impact and likelihood: The organization evaluates and documents both the potential impact and the likelihood of each cyber security risk occurring.  
Risk management tasks and treatment options: The organization outlines specific tasks for managing each risk, as well as other potential treatment options to mitigate or address the risks.  
Acceptability of the risk: The documentation includes an assessment of the acceptability of each risk, determining whether the risk level is within acceptable thresholds or requires further action.  
Risk prioritization: The organization has prioritized the identified risks based on their assessed impact and likelihood.  
Review and update: The organization regularly reviews and updates the risk assessment documentation to reflect changes in the threat landscape and organizational context.  
Stakeholder involvement: The organization involves relevant stakeholders in the risk assessment process to ensure comprehensive coverage and shared understanding of risks.  
Ongoing monitoring: The organization commits to ongoing monitoring of cyber security risks to identify new risks and reassess existing risks continuously.  
Decision-making support: The documented risk assessments support informed decision-making within the organization regarding resource allocation and security measures. 
Risk assessment and treatment procedures: The organization has defined comprehensive procedures for assessing and treating cyber security risks. 
Risk identification methods: The organization has established systematic methods for identifying potential cyber security risks. This may include techniques such as threat modeling, vulnerability assessments, and incident analysis. 
Methods for risk analysis: The organization has implemented methods for analyzing identified risks, which might include qualitative and quantitative analysis techniques to understand the potential impact and likelihood of each risk. 
Criteria for risk evaluation: The organization has defined specific criteria for evaluating risks based on their impact and likelihood. This helps in categorizing the severity of risks and determining the appropriate response. 
Risk prioritization, treatment options, and defining control tasks: The organization prioritizes risks according to their evaluated impact and likelihood. It then outlines various treatment options and defines specific control tasks to manage or mitigate these risks. 
Risk acceptance criteria: The organization has set clear criteria for determining which risks are acceptable and can be tolerated, and which require additional controls or mitigation measures. 
Process implementation cycle, resourcing, and responsibilities: The organization has articulated the full cycle of the risk management process, including the allocation of resources and definition of responsibilities. This ensures that all aspects of risk management are appropriately addressed.

IMPORTANT_ID.SC-2.1: The organization shall conduct cyber supply chain risk assessments at least annually or when a change to the organization’s critical systems, operational environment, or supply chain occurs. These assessments shall be documented, and the results disseminated to relevant stakeholders including those responsible for ICT/OT systems.

Categorization of partners: The organization has categorized partners according to their responsibilities, specifically those that are system vendors and personal data processors, and has maintained a separate list for these.
Regular updates of partner lists: The organization has consistently updated the list after every change: when a new partner is integrated, when an obsolete partnership ends, or when a partner's data handling roles are altered.
Detailed partner profiles: The organization has built comprehensive profiles for each partner, outlining the specific confidential information they have access to, the reason for their access, and the extent of their data processing role. 
Access controls for partner lists: The organization has implemented strict access controls on who can view or edit the partner lists, limiting the chance of unauthorized modifications. 
Implementation of data processing roles: The organization has clearly defined data processing roles for system vendors and personal data processors, including what data they can access, how they should handle it, and how they should process it under the set guidelines. 
Enforcement of data protection contracts: The organization has enforced the signing of data protection contracts with all listed partners, ensuring they comprehend and comply with data handling and privacy regulations. 
Periodic review of partner roles: The organization has established checklist-based procedures for periodic reviews of partner roles and access privileges, to ensure that they remain in line with the organization's data protection standards and actual operational requirements.
Usage of secure systems for partner interaction: The organization has designed secure platforms for partners which allow them to interact with the confidential data they need. This ensures that data access and processing by partners is consistently secure and traceable.

IMPORTANT_ID.SC-3.1: Based on the results of the cyber supply chain risk assessment, a contractual framework for suppliers and external partners shall be established to address sharing of sensitive information and distributed and interconnected ICT/OT products and services.

Creation of supplier agreements: The organization has created supplier agreements to clarify and ensure mutual understanding of security obligations. 
Inclusion of data relevant clauses: The organization has included clauses specific to the data handled by the supplier and the staff given access, with possible data classification details. 
Definition of acceptable data use: The organization has laid out rules on what constitutes acceptable use of the data supplied to partners.
Outline of confidentiality requirements: The supplier agreement has clearly defined the confidentiality requirements for staff working in data processing. 
Clarification of regulatory responsibilities: Definite responsibilities of the parties involved in meeting regulatory requirements have been clarified to avoid any ambiguity. 
Guidelines for reporting and correcting incidents: The agreement incorporates guidelines on how security incidents should be reported and handled. 
Criteria for the use of subcontractors: Requirements and terms pertaining to the use of subcontractors by the suppliers have been specified. 
Categorization of partners: The organization has categorized partners according to their responsibilities, specifically those that are system vendors and personal data processors, and has maintained a separate list for these.
Regular updates of partner lists: The organization has consistently updated the list after every change: when a new partner is integrated, when an obsolete partnership ends, or when a partner's data handling roles are altered.
Detailed partner profiles: The organization has built comprehensive profiles for each partner, outlining the specific confidential information they have access to, the reason for their access, and the extent of their data processing role. 
Access controls for partner lists: The organization has implemented strict access controls on who can view or edit the partner lists, limiting the chance of unauthorized modifications.
Implementation of data processing roles: The organization has clearly defined data processing roles for system vendors and personal data processors, including what data they can access, how they should handle it, and how they should process it under the set guidelines. 
Enforcement of data protection contracts: The organization has enforced the signing of data protection contracts with all listed partners, ensuring they comprehend and comply with data handling and privacy regulations. 
Periodic review of partner roles: The organization has established checklist-based procedures for periodic reviews of partner roles and access privileges, to ensure that they remain in line with the organization's data protection standards and actual operational requirements.
Usage of secure systems for partner interaction: The organization has designed secure platforms for partners which allow them to interact with the confidential data they need. This ensures that data access and processing by partners is consistently secure and traceable.

IMPORTANT_ID.SC-4.1: The organization shall review assessments of suppliers’ and third-party partner’s compliance with contractual obligations by routinely reviewing audits, test results, and other evaluations.

Partners providing 'High' or 'Critical' data systems are required to have a valid ISO 27001 certification. 
Definition of security assessment: The organization has defined a comprehensive security assessment protocol tailored to evaluate the security posture of partners in the digital services supply chain. 
Regular conduction of assessments: The organization has scheduled and conducted regular security assessments for all partners involved in the supply chain to ensure ongoing compliance with security requirements. 
Compliance verification: The organization has verified the compliance of the partners with the established security policies and standards, ensuring they meet the required security benchmarks. 
Contractual terms fulfillment: The organization has ensured that the partners' compliance with security requirements aligns with the contractual terms, thereby upholding the integrity and security of the provided digital services. 
Defining required certifications or standards: The organization has precisely defined the certifications or standards necessary for their key partners to possess, establishing a benchmark for trust and quality. 
ISO 27001 certification requirement: The organization has required partners to comply with ISO 27001, indicating a robust information security management system in place. 
SOC2 compliance requirement: The organization has asked for SOC2 certification or its equivalent SSAE 16 from partners, verifying general security measures are appropriately implemented. 
Continuous validation of certifications: The organization has made provisions for continuous validation of certifications held by partners to confirm that they remain active and up-to-date. 
Appointment of designated responsible person: The organization has assigned a designated responsible person who actively monitors and ensures that suppliers comply with the security terms of their contracts. 
Execution of service-level monitoring: The designated responsible person monitors the level of service promised by suppliers to verify that their contractual obligations are met.
Regular review of supplier reports: After analysing periodic supplier reports, the responsible person holds follow-up meetings to address any issues or changes.
Audit problem follow-ups: Issues identified during audits have been systematically tracked and managed until resolution. 
Incident management oversight: The responsible person has overseen the supplier's management of security incidents to assess responsiveness, effectiveness, and implementation of improvements if necessary. 
Supplier’s performance rating system: The organization has developed a performance rating system to ensure that service levels are consistently met by the supplier. Through this, the supplier's performance can be objectively assessed and potential deficiencies can be addressed.

IMPORTANT_ID.SC-5.1: The organization shall identify and document key personnel from suppliers and third-party partners to include them as stakeholders in response and recovery planning activities.

Continuity planning for unexpected events: The organization has implemented continuity planning to ensure that operations can continue as quickly and smoothly as possible following an unexpected event, such as a fire, flood, or equipment failure. 
Event description: Each continuity plan specifies the particular event or scenario it addresses, such as fires, floods, equipment failures, or similar disruptions. 
Goal for recovery time: The plan sets a clear target for the recovery time objective (RTO), which defines the maximum acceptable downtime before critical operations must be restored. 
Responsible persons and stakeholders: The plan identifies the responsible persons and relevant stakeholders, including their roles and responsibilities. It also includes detailed contact information for quick and effective communication. 
Planned immediate actions: The continuity plan outlines the immediate actions to be taken in response to the event. These actions are designed to mitigate impact, ensure safety, and stabilize the situation quickly. 
Planned recovery steps: The plan describes the specific steps that need to be taken to recover and restore operations. This includes detailed procedures for assessing damage, prioritizing actions, and resuming critical business functions.

IDENTIFY

Develop an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities.

PROTECT

BASIC_PR.AC-1.1: Identities and credentials for authorized devices and users shall be managed.

Unique passwords: The system enforces the use of unique passwords for each account. Both Keeper and Devolutions Remote Desktop Manager (RDM) prevent password reuse and help ensure account isolation, significantly reducing the risk of credential stuffing or breach propagation.
Recurring password warnings: Both tools prompt users to rotate passwords that have not been updated within a defined time frame. These reminders help reduce the use of stale credentials and align with internal password hygiene policies.
Complex password enforcement: The password managers enforce organization-defined complexity rules, including minimum length, the use of upper/lowercase characters, numbers, and special symbols. Passwords generated via these tools are by default complex and randomized.

Tools in use: 
Keeper: Used for secure storage of individual and shared credentials. Offers zero-knowledge encryption, role-based access control (RBAC), audit logs, and integration with SSO.
Devolutions Remote Desktop Manager (RDM): Primarily used by IT and administrators to manage remote sessions and privileged credentials. Integrates with external vaults and enforces access restrictions based on user roles. Supports MFA and logs all session activity for auditing.
Access control and auditing: Access to password entries is limited based on role and necessity. Both tools provide detailed access logs and modification histories. Periodic reviews of vault permissions are conducted to ensure least privilege.
Backup and recovery: Encrypted backups of vault data are regularly created and stored in secure locations. In the event of a system failure or compromise, restoration procedures are in place, and vault access can be quickly revoked or rotated. 
User onboarding and training: New employees are onboarded with guided training on how to securely use Keeper and RDM. Best practices around password generation, storage, and sharing are reinforced during onboarding and through periodic security awareness sessions. 
Secure password transmission: Passwords are not sent as plain text over the internet. The organization has implemented encryption to protect passwords during transmission, preventing interception by attackers. 
Session duration limits: The system does not allow sessions to continue indefinitely after logging in. Session timeouts are set to ensure users re-authenticate after a period of inactivity, reducing the risk of unauthorized access due to forgotten or unattended sessions. 
Implementation of multi-authentication logon: The organization has mandated that systems containing important information require multi-authentication logon, commonly known as two-factor, multi-factor, or dual-factor authentication. This enhances the security of sensitive systems by adding an additional layer of verification. 
Password and one-time authentication code: As an example, the organization has utilized a method where, after logging in with a password, a one-time authentication code is sent to the user via text message. This ensures that the user is identified by two factors: knowing the password and owning the phone.
Biometric identifiers: The organization has also integrated biometric identifiers such as fingerprints for two-stage authentication. This approach adds a robust level of security by using physical characteristics that are unique to the individual.
Device-based authentication: The organization has considered and, where appropriate, implemented other devices for two-stage authentication. This includes using security tokens, smart cards, or mobile apps designed for authentication purposes. 
Cost and privacy considerations: While implementing these measures, the organization has taken into account the associated costs and privacy implications. This ensures that the benefits of enhanced security are balanced with financial feasibility and the protection of users' privacy. 

Shared accounts will only be accepted if the associated data system does not contain critical or sensitive information. Shared accounts for general administrator purposes are prohibited. Shared accounts can be used in individual data systems that do not have proper user management. 
In these cases, the use of the shared accounts is approved by the task owner and documented in the list of data systems. Credentials are shared with a minimum group of people and only through the password management system. 
Passwords associated with shared accounts are only visible to "super admins" in the password management system. 

Determination of access roles by data system owner: The organization has stipulated that the data system owner is responsible for determining access roles within the system based on the tasks and responsibilities of the users. This ensures that each user has the appropriate access needed to perform their duties effectively and securely. 
Monitoring access rights compliance: The organization has implemented mechanisms to monitor the compliance of the actual access rights with the planned ones. This continuous monitoring ensures that users only have the access they are supposed to have, which helps to maintain a secure data environment. 
Regular reassessment of access rights: The organization has mandated the regular reassessment of access rights to ensure they remain appropriate over time. This periodic review process helps to identify and rectify any discrepancies between the intended access rights and the actual ones. 
Minimizing admin rights: During the review of access rights, the organization has taken care to minimize administrative rights. This reduces the potential for misuse or compromise of powerful accounts, thereby enhancing overall system security. 
Eliminating unnecessary accounts: The organization has implemented protocols to identify and eliminate unnecessary accounts during access rights reviews. This helps to ensure that only active and essential accounts exist, reducing the risk of unauthorized access.

IMPORTANT_PR.AC-1.2: Identities and credentials for authorized devices and users shall be managed, where feasible through automated mechanisms.

Unique passwords: The system enforces the use of unique passwords for each account. Both Keeper and Devolutions Remote Desktop Manager (RDM) prevent password reuse and help ensure account isolation, significantly reducing the risk of credential stuffing or breach propagation.
Recurring password warnings: Both tools prompt users to rotate passwords that have not been updated within a defined time frame. These reminders help reduce the use of stale credentials and align with internal password hygiene policies.
Complex password enforcement: The password managers enforce organization-defined complexity rules, including minimum length, the use of upper/lowercase characters, numbers, and special symbols. Passwords generated via these tools are by default complex and randomized.

Tools in use: 
Keeper: Used for secure storage of individual and shared credentials. Offers zero-knowledge encryption, role-based access control (RBAC), audit logs, and integration with SSO. 
Devolutions Remote Desktop Manager (RDM): Primarily used by IT and administrators to manage remote sessions and privileged credentials. Integrates with external vaults and enforces access restrictions based on user roles. Supports MFA and logs all session activity for auditing. 
Access control and auditing: Access to password entries is limited based on role and necessity. Both tools provide detailed access logs and modification histories. Periodic reviews of vault permissions are conducted to ensure least privilege. 
Backup and recovery: Encrypted backups of vault data are regularly created and stored in secure locations. In the event of a system failure or compromise, restoration procedures are in place, and vault access can be quickly revoked or rotated. 
User onboarding and training: New employees are onboarded with guided training on how to securely use Keeper and RDM. Best practices around password generation, storage, and sharing are reinforced during onboarding and through periodic security awareness sessions. 
Secure password transmission: Passwords are not sent as plain text over the internet. The organization has implemented encryption to protect passwords during transmission, preventing interception by attackers. 
Session duration limits: The system does not allow sessions to continue indefinitely after logging in. Session timeouts are set to ensure users re-authenticate after a period of inactivity, reducing the risk of unauthorized access due to forgotten or unattended sessions. 
Implementation of multi-authentication logon: The organization has mandated that systems containing important information require multi-authentication logon, commonly known as two-factor, multi-factor, or dual-factor authentication. This enhances the security of sensitive systems by adding an additional layer of verification. 
Password and one-time authentication code: As an example, the organization has utilized a method where, after logging in with a password, a one-time authentication code is sent to the user via text message. This ensures that the user is identified by two factors: knowing the password and owning the phone. 
Biometric identifiers: The organization has also integrated biometric identifiers such as fingerprints for two-stage authentication. This approach adds a robust level of security by using physical characteristics that are unique to the individual. 
Device-based authentication: The organization has considered and, where appropriate, implemented other devices for two-stage authentication. This includes using security tokens, smart cards, or mobile apps designed for authentication purposes. 
Cost and privacy considerations: While implementing these measures, the organization has taken into account the associated costs and privacy implications. This ensures that the benefits of enhanced security are balanced with financial feasibility and the protection of users' privacy. 

Shared accounts will only be accepted if the associated data system does not contain critical or sensitive information. Shared accounts for general administrator purposes are prohibited. Shared accounts can be used in individual data systems that do not have proper user management. 
In these cases, the use of the shared accounts is approved by the task owner and documented in the list of data systems. Credentials are shared with a minimum group of people and only through the password management system. 
Passwords associated with shared accounts are only visible to "super admins" in the password management system. 

Determination of access roles by data system owner: The organization has stipulated that the data system owner is responsible for determining access roles within the system based on the tasks and responsibilities of the users. This ensures that each user has the appropriate access needed to perform their duties effectively and securely. 
Monitoring access rights compliance: The organization has implemented mechanisms to monitor the compliance of the actual access rights with the planned ones. This continuous monitoring ensures that users only have the access they are supposed to have, which helps to maintain a secure data environment. 
Regular reassessment of access rights: The organization has mandated the regular reassessment of access rights to ensure they remain appropriate over time. This periodic review process helps to identify and rectify any discrepancies between the intended access rights and the actual ones. 
Minimizing admin rights: During the review of access rights, the organization has taken care to minimize administrative rights. This reduces the potential for misuse or compromise of powerful accounts, thereby enhancing overall system security. 
Eliminating unnecessary accounts: The organization has implemented protocols to identify and eliminate unnecessary accounts during access rights reviews. This helps to ensure that only active and essential accounts exist, reducing the risk of unauthorized access.

BASIC_PR.AC-2.1: Physical access to the facility, servers and network components shall be managed.

To ensure the highest level of security for the real estate property, we implement strategically placed motion detection cameras around the building. These cameras serve as a proactive security measure by detecting and recording any movement within their field of view. Our approach includes the following key actions: 
Strategic Camera Placement 
We conduct a thorough security assessment of the property to identify vulnerable entry points, high-traffic areas, and blind spots. Cameras are positioned at these locations to maximize coverage and minimize potential security gaps. 
Real-Time Monitoring & Alerts 
The motion detection cameras are connected to a centralized monitoring system, which instantly alerts security personnel or property management when movement is detected outside of scheduled activity hours. 
High-Resolution Video & Night Vision 
Our cameras are equipped with high-definition (HD) recording and infrared night vision to ensure clear visibility, even in low-light conditions. This feature enhances security during nighttime hours when properties are more vulnerable to intrusions. 
Automated Recording 
When motion is detected, the system automatically records footage. This ensures that all security events are documented and accessible for future review or evidence if needed. 
Remote Access & Mobile Notifications 
Property owners and security teams can remotely access live camera feeds through a secure mobile app or web portal. This allows for real-time viewing and incident verification from anywhere, providing flexibility and control over security management. 

Camera surveillance at the real estate properties is managed internally. 

When guests visit the premises, the time of their arrival and departure and the person responsible will be recorded in the visitor log. 
Visitors will only be given access to designated facilities and systems and will be instructed on other security requirements and emergency procedures related to the visit, if necessary. 
Guidelines related to visitors are managed directly in Cyberday. The guidelines deal with e.g. visitor identification and visit control. 
Task owner will review comments related to the instructions and add and update the instructions as needed. 
Access to security restricted areas is only possible through an on-call attendant or under the supervision of another technical arrangement that identifies the person and leaves a record.

IMPORTANT_PR.AC-2.2: The management of physical access shall include measures related to access in emergency situations.

To ensure the highest level of security for the real estate property, we implement strategically placed motion detection cameras around the building. These cameras serve as a proactive security measure by detecting and recording any movement within their field of view. Our approach includes the following key actions: 
Strategic Camera Placement 
We conduct a thorough security assessment of the property to identify vulnerable entry points, high-traffic areas, and blind spots. Cameras are positioned at these locations to maximize coverage and minimize potential security gaps. 
Real-Time Monitoring & Alerts 
The motion detection cameras are connected to a centralized monitoring system, which instantly alerts security personnel or property management when movement is detected outside of scheduled activity hours. 
High-Resolution Video & Night Vision 
Our cameras are equipped with high-definition (HD) recording and infrared night vision to ensure clear visibility, even in low-light conditions. This feature enhances security during nighttime hours when properties are more vulnerable to intrusions. 
Automated Recording 
When motion is detected, the system automatically records footage. This ensures that all security events are documented and accessible for future review or evidence if needed. 
Remote Access & Mobile Notifications 
Property owners and security teams can remotely access live camera feeds through a secure mobile app or web portal. This allows for real-time viewing and incident verification from anywhere, providing flexibility and control over security management. 

Camera surveillance at the real estate properties is managed internally. 

When guests visit the premises, the time of their arrival and departure and the person responsible will be recorded in the visitor log. 
Visitors will only be given access to designated facilities and systems and will be instructed on other security requirements and emergency procedures related to the visit, if necessary. 
Guidelines related to visitors are managed directly in Cyberday. The guidelines deal with e.g. visitor identification and visit control. 
Task owner will review comments related to the instructions and add and update the instructions as needed. 
Access to security restricted areas is only possible through an on-call attendant or under the supervision of another technical arrangement that identifies the person and leaves a record.

BASIC_PR.AC-3.1: The organisation's wireless access points shall be secured.

The organization's wireless network is protected using WPA2 or WPA3 encryption to ensure secure data transmission. All wireless access points are managed via the UniFi Controller and are configured with strong, regularly reviewed passphrases. 
A separate guest wireless network is implemented and isolated from the internal network using VLANs and firewall rules configured in pfSense. This prevents guest users from accessing internal systems and resources. 
Administrative access to network equipment (e.g., UniFi Controller, pfSense) is restricted to authorized personnel and secured via HTTPS. 
Wireless network configurations are reviewed periodically, and passphrases are rotated when necessary, such as during employee offboarding or after potential exposure.

BASIC_PR.AC-3.2: The organization's networks when accessed remotely shall be secured, including through multi-factor authentication (MFA).

Implementation of multi-authentication logon: The organization has mandated that systems containing important information require multi-authentication logon, commonly known as two-factor, multi-factor, or dual-factor authentication. This enhances the security of sensitive systems by adding an additional layer of verification. 
Password and one-time authentication code: As an example, the organization has utilized a method where, after logging in with a password, a one-time authentication code is sent to the user via text message. This ensures that the user is identified by two factors: knowing the password and owning the phone. 
Biometric identifiers: The organization has also integrated biometric identifiers such as fingerprints for two-stage authentication. This approach adds a robust level of security by using physical characteristics that are unique to the individual. 
Device-based authentication: The organization has considered and, where appropriate, implemented other devices for two-stage authentication. This includes using security tokens, smart cards, or mobile apps designed for authentication purposes. 
Cost and privacy considerations: While implementing these measures, the organization has taken into account the associated costs and privacy implications. This ensures that the benefits of enhanced security are balanced with financial feasibility and the protection of users' privacy.

IMPORTANT_PR.AC-3.3: Usage restrictions, connection requirements, implementation guidance, and authorizations for remote access to the organization’s critical systems environment shall be identified, documented and implemented.

Creation of remote work policy: The organization has developed a comprehensive remote work policy detailing operating guidelines for remote workers. The policy covers best practices, personal responsibilities, and acceptable use of company resources. 
Establishment of monitoring protocols: The organization has implemented protocols to monitor compliance with the remote work policy. This includes the use of software for tracking activity and regular check-ins to ensure adherence to guidelines. 
Provision of regular staff training: The organization conducts regular training sessions to help staff understand and identify threats related to remote work and use of mobile devices. The training sessions also review the guidelines set for remote work. 
Information security awareness programs: The organization has launched information security awareness programs for its remote workforce. These programs focus on identifying, avoiding, and reporting potential security threats. 
Regular update of guidelines: The organization regularly updates its remote work guidelines based on changing trends in information security, feedback from staff, and the results of monitoring activities. 
Establishment of a predefined trusted network: The organization has established a predefined, trusted network for data processing. This network ensures secure and controlled data traffic. 
Implementation of VPN services: The organization has implemented a specific VPN service to provide encrypted connections and safeguard data processing activities irrespective of the network settings. 
Network security policies: The organization has instituted stringent network security policies which define the acceptable and safe use of networking technologies. This includes guidelines on the use of public Wi-Fi networks and VPN services.

BASIC_PR.AC-4.1: Access permissions for users to the organization’s systems shall be defined and managed.

  1. Define Access Requirements:  Identify the information and systems required for each role or task within the organization. Access should be granted based on job function and operational necessity. 
  2. Assign Role-Based Access Controls (RBAC):  Establish predefined access profiles based on roles, ensuring employees only have permissions relevant to their responsibilities. 
  3. Implement Separation of Duties (SoD):  Ensure that no single individual has control over conflicting tasks (e.g., approval and execution of financial transactions) to prevent fraud and errors. 
  4. Periodic Access Review:  Regularly review and update access rights to ensure they align with current roles and responsibilities. Revoke access for employees who no longer require it. 
  5. Approval Workflow:  Access requests must go through an approval process, involving line managers and security officers before access is granted. 
  6. Logging and Monitoring:  Track and audit access to sensitive information, ensuring that unauthorized access attempts are detected and addressed. 
  7. Revoke Access on Role Changes or Exit:  Immediately revoke or adjust access when an employee changes roles or leaves the organization to prevent unauthorized access. 
This structured approach ensures compliance with security policies while minimizing risks associated with unauthorized access. 

Role-based access control implementation: The organization has implemented role-based access control (RBAC) with predefined access roles for various protected assets. These roles define who can access each asset, ensuring that access is granted based on necessity and security risk. 
Information access requirements: The organization has assessed and defined how much information each user needs access to, ensuring that users have access only to the data necessary for their roles. 
Application access to data: The organization has evaluated and defined whether other applications have access to the data, ensuring that integration points are secure and that only authorized applications can interact with sensitive data. 
Data segregation: The organization has implemented measures to segregate data within the property, ensuring that sensitive data is less exposed and is accessed only by users with appropriate permissions.

Granting Access: Requires a formal request, approval, and use of a separate admin account with MFA. Temporary access expires, and permanent access is reviewed regularly. 
Usage Rules: Admin accounts are strictly for admin tasks, not daily use. Violations are security breaches. 
Monitoring & Review: Logs track activity, and access is reviewed periodically. 
Revocation: Immediate removal if no longer needed, inactive, or misused.

BASIC_PR.AC-4.2: It shall be identified who should have access to the organization's business's critical information and technology and the means to get access.

Granting Access: Requires a formal request, approval, and use of a separate admin account with MFA. Temporary access expires, and permanent access is reviewed regularly. 
Usage Rules: Admin accounts are strictly for admin tasks, not daily use. Violations are security breaches. 
Monitoring & Review: Logs track activity, and access is reviewed periodically. 
Revocation: Immediate removal if no longer needed, inactive, or misused.

BASIC_PR.AC-4.3: Employee access to data and information shall be limited to the systems and specific information they need to do their jobs (the principle of Least Privilege).

Role-based access control implementation: The organization has implemented role-based access control (RBAC) with predefined access roles for various protected assets. These roles define who can access each asset, ensuring that access is granted based on necessity and security risk. 
Information access requirements: The organization has assessed and defined how much information each user needs access to, ensuring that users have access only to the data necessary for their roles. 
Application access to data: The organization has evaluated and defined whether other applications have access to the data, ensuring that integration points are secure and that only authorized applications can interact with sensitive data. 
Data segregation: The organization has implemented measures to segregate data within the property, ensuring that sensitive data is less exposed and is accessed only by users with appropriate permissions.

BASIC_PR.AC-4.4: Nobody shall have administrator privileges for daily tasks.

Granting Access: Requires a formal request, approval, and use of a separate admin account with MFA. Temporary access expires, and permanent access is reviewed regularly. 
Usage Rules: Admin accounts are strictly for admin tasks, not daily use. Violations are security breaches. 
Monitoring & Review: Logs track activity, and access is reviewed periodically. 
Revocation: Immediate removal if no longer needed, inactive, or misused.

IMPORTANT_PR.AC-4.5: Where feasible, automated mechanisms shall be implemented to support the management of user accounts on the organisation's critical systems, including disabling, monitoring, reporting and deleting user accounts.

See Access management and password policy

IMPORTANT_PR.AC-4.6: Separation of duties (SoD) shall be ensured in the management of access rights.

  1. Define Access Requirements:  Identify the information and systems required for each role or task within the organization. Access should be granted based on job function and operational necessity. 
  2. Assign Role-Based Access Controls (RBAC):  Establish predefined access profiles based on roles, ensuring employees only have permissions relevant to their responsibilities. 
  3. Implement Separation of Duties (SoD):  Ensure that no single individual has control over conflicting tasks (e.g., approval and execution of financial transactions) to prevent fraud and errors. 
  4. Periodic Access Review:  Regularly review and update access rights to ensure they align with current roles and responsibilities. Revoke access for employees who no longer require it. 
  5. Approval Workflow:  Access requests must go through an approval process, involving line managers and security officers before access is granted. 
  6. Logging and Monitoring:  Track and audit access to sensitive information, ensuring that unauthorized access attempts are detected and addressed. 
  7. Revoke Access on Role Changes or Exit:  Immediately revoke or adjust access when an employee changes roles or leaves the organization to prevent unauthorized access. 
This structured approach ensures compliance with security policies while minimizing risks associated with unauthorized access. 
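One way to turn steps 2 to 7 of this procedure (listed under BASIC_PR.AC-4.1 and again under IMPORTANT_PR.AC-4.6) into a repeatable access-review check. This is an added example, not the organization's own tooling; the role names, permission strings, the 90-day review period and the sample assignments are all constructed for the example, and the separation-of-duties pair is the page's own (approval versus execution of payments).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Step 2: predefined role profiles. Constructed sample data.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "ap_clerk":   {"invoice.read", "payment.execute"},
    "ap_manager": {"invoice.read", "payment.approve"},
    "hr_staff":   {"personnel.read", "personnel.write"},
    "it_admin":   {"server.admin"},
}
# Step 1: which roles a job function is entitled to (constructed).
JOB_PROFILES: Dict[str, Set[str]] = {
    "accounts_payable": {"ap_clerk"},
    "finance_manager":  {"ap_manager"},
    "hr":               {"hr_staff"},
    "it":               {"it_admin"},
}
# Step 3: conflicting tasks no single person may hold together.
SOD_CONFLICTS = [frozenset({"payment.approve", "payment.execute"})]
# Step 4: review cadence. Assumed value; the page does not fix one.
REVIEW_PERIOD = timedelta(days=90)


@dataclass
class Assignment:
    user: str
    job: str
    roles: Set[str]
    active: bool                 # False once the employee has left
    approved_by: Optional[str]   # step 5: who approved the request, None if unknown
    last_reviewed: date          # step 4: date of the last access review


Finding = Tuple[str, str, str]   # (user, category, detail)


def effective_permissions(roles: Set[str]) -> Set[str]:
    """Union of the permissions granted by all of a user's roles."""
    perms: Set[str] = set()
    for r in roles:
        perms |= ROLE_PERMISSIONS.get(r, set())
    return perms


def sod_violations(roles: Set[str]) -> List[Tuple[str, str]]:
    """Conflicting permission pairs that this role set grants together."""
    perms = effective_permissions(roles)
    return sorted(tuple(sorted(c)) for c in SOD_CONFLICTS if c <= perms)


def review_access(assignments: List[Assignment], today: date) -> List[Finding]:
    """Run the periodic review (steps 4 to 7) over all assignments."""
    findings: List[Finding] = []
    for a in assignments:
        if not a.active:
            # Step 7: leavers must hold no roles at all.
            if a.roles:
                findings.append((a.user, "revoke",
                                 "left the organization but still holds: " + ", ".join(sorted(a.roles))))
            continue
        # Step 7: roles kept from a previous job function are over-provisioning.
        extra = a.roles - JOB_PROFILES.get(a.job, set())
        if extra:
            findings.append((a.user, "over-provisioned",
                             f"roles beyond the '{a.job}' profile: " + ", ".join(sorted(extra))))
        # Step 3: separation of duties.
        for p, q in sod_violations(a.roles):
            findings.append((a.user, "sod", f"holds both {p} and {q}"))
        # Step 5: every grant needs a recorded approval.
        if a.approved_by is None:
            findings.append((a.user, "approval", "no recorded approval"))
        # Step 4: access not reviewed within the period is stale.
        if today - a.last_reviewed > REVIEW_PERIOD:
            findings.append((a.user, "stale", f"last reviewed {a.last_reviewed.isoformat()}"))
    return findings


# Constructed sample: one clean record and three typical review findings.
SAMPLE = [
    Assignment("alice", "accounts_payable", {"ap_clerk"}, True, "mgr.finance", date(2025, 5, 1)),
    # bob moved from clerk to manager but kept the old role: SoD conflict and over-provisioned
    Assignment("bob", "finance_manager", {"ap_clerk", "ap_manager"}, True, "mgr.finance", date(2025, 1, 10)),
    # carol left but her HR role was never removed
    Assignment("carol", "hr", {"hr_staff"}, False, "mgr.hr", date(2025, 3, 1)),
    # dave's admin role has no approval on record
    Assignment("dave", "it", {"it_admin"}, True, None, date(2025, 5, 20)),
]


def sample_findings() -> List[Finding]:
    return review_access(SAMPLE, date(2025, 6, 1))


if __name__ == "__main__":
    for f in sample_findings():
        print(f)
```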

IMPORTANT_PR.AC-4.7: Privileged users shall be managed and monitored.

Granting Access: Requires a formal request, approval, and use of a separate admin account with MFA. Temporary access expires, and permanent access is reviewed regularly. 
Usage Rules: Admin accounts are strictly for admin tasks, not daily use. Violations are security breaches. 
Monitoring & Review: Logs track activity, and access is reviewed periodically. 
Revocation: Immediate removal if no longer needed, inactive, or misused.

BASIC_PR.AC-5.1: Firewalls shall be installed and activated on all the organization's networks.

Firewalls are installed and activated, as documented in the file CloudCom Firewalls 2025.pdf.

BASIC_PR.AC-5.2: Where appropriate, network integrity of the organization's critical systems shall be protected by incorporating network segmentation and segregation.

Network ownership: The organization has defined an owner for its networks who is responsible for planning and documenting the structure of the network. 
Network structure documentation: The owner has meticulously documented the network structure, detailing all components and configurations. 
Separate network areas: The organization has used separate network areas in its design as needed, to enhance security and manageability. 
Domain definition by trust level: The organization has defined network domains based on trust levels, such as public, workstations, and servers, to ensure appropriate access controls. 
Domain definition by organizational units: The organization has established network domains based on organizational units, such as HR and financial management, to segregate sensitive data. 
Physical and logical separation: The organization has implemented separation through physically separate networks or logically separate networks to meet security and operational needs. 
Documentation in Confluence:

IMPORTANT_PR.AC-5.3: Where appropriate, network integrity of the organization's critical systems shall be protected by (1) Identifying, documenting, and controlling connections between system components. (2) Limiting external connections to the organization's critical systems.

The Network Operations Center (NOC) team is responsible for managing all network devices within the organization. This includes: 
  • Setting up and configuring routers, switches, firewalls, and wireless access points 
  • Performing regular maintenance, updates, and patching 
  • Monitoring network performance and identifying potential issues or security events 
  • Controlling access to network devices, ensuring only authorized personnel can make changes 
  • Keeping network device documentation and configurations up to date

Responsibilities are assigned internally within the NOC team, and changes in ownership or responsibilities are communicated via team meetings or internal IT communication channels. Access and configuration activities are tracked using our existing IT tooling.

IMPORTANT_PR.AC-5.4: The organization shall monitor and control connections and communications at the external boundary and at key internal boundaries within the organization's critical systems by implementing boundary protection devices where appropriate.

See Network and communications security Policy in Cyberday

IMPORTANT_PR.AC-6.1: The organization shall implement documented procedures for verifying the identity of individuals before issuing credentials that provide access to organization's systems.

Single access provision: When a person starts an employment relationship, he or she is granted access to all data systems related to his or her role at once. This streamlined process ensures that new employees can perform their duties without delay. 
Role-based access: The organization has implemented a role-based access control system, where access rights are pre-defined based on job roles. This ensures that employees receive only the access necessary for their specific responsibilities. 
Access control policies: The organization has established access control policies to govern the granting of access rights. These policies ensure that new employees are granted access to all relevant data systems in a secure and efficient manner. 
Onboarding coordination: The organization has coordinated the onboarding process to include the immediate granting of access rights to new employees. This involves cooperation between HR, IT, and the specific department to ensure seamless access provisioning. 
Security briefing: Before access is granted, new employees have received a security briefing that covers their responsibilities related to data system access and usage. This includes an overview of security guidelines, acceptable use policies, and reporting procedures. 
Verification of access: The organization has implemented a verification step to confirm that all necessary access rights have been correctly granted. This ensures that new employees can start their work without any access issues.

Review of references: The organization has included a review of references as part of the background check process. This involves contacting references provided by the applicant to verify their professional reputation and reliability. 
Verification of CV accuracy: The organization has procedures in place to verify the accuracy of information provided in the candidate’s CV. This includes confirming previous employment, job titles, and responsibilities to ensure the applicant’s experience matches their claims. 
Verification of educational qualifications: The organization has verified the educational qualifications of applicants. This involves contacting educational institutions to confirm degrees, certifications, and other credentials.

IMPORTANT_PR.AC-7.1: The organization shall perform a documented risk assessment on organization's critical system transactions and authenticate users, devices, and other assets (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks).

Implementation of multi-authentication logon: The organization has mandated that systems containing important information require multi-authentication logon, commonly known as two-factor, multi-factor, or dual-factor authentication. This enhances the security of sensitive systems by adding an additional layer of verification. 
Password and one-time authentication code: As an example, the organization has utilized a method where, after logging in with a password, a one-time authentication code is sent to the user via text message. This ensures that the user is identified by two factors: knowing the password and owning the phone. 
Biometric identifiers: The organization has also integrated biometric identifiers such as fingerprints for two-stage authentication. This approach adds a robust level of security by using physical characteristics that are unique to the individual. 
Device-based authentication: The organization has considered and, where appropriate, implemented other devices for two-stage authentication. This includes using security tokens, smart cards, or mobile apps designed for authentication purposes. 
Cost and privacy considerations: While implementing these measures, the organization has taken into account the associated costs and privacy implications. This ensures that the benefits of enhanced security are balanced with financial feasibility and the protection of users' privacy. 

Predefined authentication methods: The organization has predefined authentication methods that employees should prefer when using data systems. These methods ensure consistency, security, and ease of use across the organization. 
User choice in cloud services: The organization recognizes that when using cloud services, users often have the freedom to decide how they authenticate with the service. However, guidance is provided to ensure secure and consistent authentication practices. 
Centralized authentication account: The organization has implemented the use of centralized authentication accounts, such as Google or Microsoft 365 accounts. This approach helps streamline access management and enhance security. 
Unified access management: By using a single centralized authentication account, the organization has ensured that a large number of access rights can be closed simultaneously when the main user account, which acts as the authentication method, is closed. This simplifies the process of revoking access when an employee leaves the organization or changes roles. 

The organization has defined general guidelines for the acceptable use of data systems and the secure handling of authentication credentials. These guidelines apply to all personnel and support the secure use of company-managed systems and resources. 
Key principles include: 
  • Systems must only be used for work-related purposes and in line with internal security policies 
  • Authentication credentials (e.g. usernames, passwords, MFA tokens) are personal, must not be shared, and must be stored and used securely 
  • Strong passwords and multi-factor authentication (MFA) are required where supported 
  • Credentials are issued during onboarding and revoked during offboarding or when roles change 
For systems classified as High or Critical priority, more specific rules may be defined by the responsible team. These may include: 
  • Enforced MFA or VPN access 
  • Restrictions on administrative use 
  • Monitoring and audit logging requirements 
  • Limiting access based on role or function 
The general guidelines are communicated during onboarding and made available in internal documentation. System-specific rules are managed by the responsible team and updated as needed to reflect the sensitivity or risk profile of the system. 

Secure password transmission: Passwords are not sent as plain text over the internet. The organization has implemented encryption to protect passwords during transmission, preventing interception by attackers. 
Session duration limits: The system does not allow sessions to continue indefinitely after logging in. Session timeouts are set to ensure users re-authenticate after a period of inactivity, reducing the risk of unauthorized access due to forgotten or unattended sessions. 

  • All authentication must use Multi-Factor Authentication (MFA) or higher security measures. 
  • If MFA is not possible, passwords must be autogenerated and securely stored in a password management tool.

BASIC_PR.AT-1.1: Employees shall be trained as appropriate.

Instructions on general guidelines: The organization has provided staff with instructions describing general guidelines of digital security related to their job roles. These guidelines are tailored to ensure that each employee understands the security expectations and practices specific to their responsibilities. 
Role-specific training: The organization has conducted training sessions to maintain the appropriate digital and cyber security skills and knowledge required for each job role. This training ensures that staff are well-equipped to handle security challenges relevant to their positions. 
Skill demonstration through tests: The organization has implemented tests for staff to demonstrate that they have the security skills and knowledge required for their job roles. These assessments help ensure that employees can apply their training effectively in practical scenarios. 
Focus on relevant security aspects: The organization has designed training programs that focus on the most relevant security aspects for each job role. This targeted approach ensures that training is directly applicable and beneficial to employees’ daily tasks. 
Inclusion of security basics: The organization has included basic security training that concerns all employees, regardless of their specific roles. This ensures a uniform understanding of essential security practices across the organization. 
Personal security responsibilities: The organization has emphasized employees' personal security responsibilities, such as safeguarding devices and processed data. This is a core part of the training to instill a sense of accountability among the staff. 
Clarification of security roles: The organization has provided clear information on the organization’s security roles, including who to contact with security problems. This knowledge ensures that staff know where to seek help and report issues promptly. 
Relevant policies and guidelines: The organization has trained staff on policies relevant to everyone, such as security incident reporting, and guidelines like maintaining a clean desk policy. This helps ensure consistency in security practices across the board.

IMPORTANT_PR.AT-2.1: Privileged users shall be qualified before privileges are granted, and these users shall be able to demonstrate the understanding of their roles, responsibilities, and authorities.

Instructions on general guidelines: The organization has provided staff with instructions describing general guidelines of digital security related to their job roles. These guidelines are tailored to ensure that each employee understands the security expectations and practices specific to their responsibilities. 
Role-specific training: The organization has conducted training sessions to maintain the appropriate digital and cyber security skills and knowledge required for each job role. This training ensures that staff are well-equipped to handle security challenges relevant to their positions. 
Skill demonstration through tests: The organization has implemented tests for staff to demonstrate that they have the security skills and knowledge required for their job roles. These assessments help ensure that employees can apply their training effectively in practical scenarios. 
Focus on relevant security aspects: The organization has designed training programs that focus on the most relevant security aspects for each job role. This targeted approach ensures that training is directly applicable and beneficial to employees’ daily tasks. 
Inclusion of security basics: The organization has included basic security training that concerns all employees, regardless of their specific roles. This ensures a uniform understanding of essential security practices across the organization. 
Personal security responsibilities: The organization has emphasized employees' personal security responsibilities, such as safeguarding devices and processed data. This is a core part of the training to instill a sense of accountability among the staff. 
Clarification of security roles: The organization has provided clear information on the organization’s security roles, including who to contact with security problems. This knowledge ensures that staff know where to seek help and report issues promptly. 
Relevant policies and guidelines: The organization has trained staff on policies relevant to everyone, such as security incident reporting, and guidelines like maintaining a clean desk policy. This helps ensure consistency in security practices across the board.

Role-specific security guidelines: The organization has specified security guidelines in connection with each employee's job role. This ensures that the guidance provided is tailored to the specific responsibilities and risks associated with their positions. 
Identification of units and roles: The organization has identified units and roles that require separate and detailed security guidance. This identification process helps in developing guidelines that address the unique security needs of different functions within the organization. 
Unit-specific guidelines: The organization has developed detailed security guidelines for specific units, such as customer service, IT, and HR. These guidelines cater to the distinct security challenges and requirements of each unit. 

The most important roles and responsibilities for the organization's information security work are defined directly in the management system.
The theme owner is responsible for processing and implementing all content under that cyber security theme. The theme owner is displayed on the dashboard of the management system.
The task owner is responsible for ensuring that the related task is completed. An individual owner must be assigned to each task in the management system.
The document owner is responsible for completing and maintaining documentation related to the item. Certain guidelines can also be implemented for owners based on this role.
An employee linked to a guideline must read and accept the security guideline directed at him or her and commit to complying with the guideline in his or her own work. 
Top management oversees the implementation of the management system and ensures that it achieves the objectives set for it. 

1. Define Roles and Responsibilities 
Objective: Establish a clear understanding of key cybersecurity roles and their responsibilities. 
  1. Identify Key Roles:
  • Define roles critical to cybersecurity (e.g., ISMS Manager, Security Analyst, Incident Response Lead).
  • Map roles to the organization's cybersecurity objectives and ISMS scope.
  2. Document Responsibilities:
  • Create role descriptions that include tasks, accountability, and reporting structures.
  • Link responsibilities to specific ISMS requirements and NIS2 compliance tasks.

2. Define Qualifications and Competence 
Objective: Specify the qualifications and competencies required for each role. 
  1. Identify Required Qualifications:
  • Define educational background, certifications (e.g., CISSP, CISM, ISO 27001 Lead Implementer), and technical skills for each role.
  • Include soft skills such as problem-solving, communication, and risk management.
  2. Set Competence Standards:
  • Outline expected levels of expertise (beginner, intermediate, advanced) for tasks like risk assessments, incident response, and ISMS audits.
  3. Document Competence Requirements:
  • Maintain a record of qualifications and required skills in HR or ISMS documentation.

3. Acquire and Maintain Competence 
Objective: Ensure personnel meet and maintain required qualifications and skills. 
  1. Recruitment:
  • Hire personnel with the qualifications and experience needed for cybersecurity roles.
  • Verify credentials and conduct security clearance checks as required.
  2. Training and Development:
  • Develop a training plan to address gaps in competence or knowledge.
  • Offer regular training on new threats, technologies, and compliance requirements.
  • Include certification programs and industry-standard courses.
  3. Training Monitoring:
  • Track employee participation in training programs.
  • Maintain training records as evidence of acquired qualifications.
  4. Supervision:
  • Assign experienced mentors to supervise new or junior cybersecurity staff.
  • Establish regular check-ins to ensure performance aligns with expectations.

4. Demonstrate Qualifications
Objective: Provide evidence of personnel qualifications and competence. 
  1. Maintain Records:
  • Document certifications, training completion, and experience for all key personnel.
  • Use HR systems or ISMS documentation to store and update records.
  2. Internal Audits:
  • Regularly review and verify the accuracy of qualification records.
  • Include competence assessments in ISMS internal audits.
  3. External Validation:
  • Where required, ensure certifications are externally validated or accredited.

5. Regular Review of Staffing and Competence 
Objective: Ensure sufficient and adequate staffing levels at all times. 
  1. Assess Staffing Levels:
  • Regularly evaluate the number of cybersecurity personnel against current and projected needs.
  • Use workload analysis and risk assessments to determine adequacy.
  2. Review Competence:
  • Conduct periodic evaluations of staff competence through performance reviews or practical assessments.
  3. Adjust Staffing and Training:
  • Address deficiencies by hiring additional personnel, increasing training, or reallocating resources.
  4. Owner of the Task:
  • Assign a responsible owner (e.g., ISMS Manager) to oversee staffing and competence adequacy.
  • Ensure reviews occur on a predefined schedule (e.g., quarterly or biannually).

IMPORTANT_PR.AT-1.2: The organization shall incorporate insider threat recognition and reporting into security awareness training.

Phishing guidelines are defined directly in Cyberday and their acceptance is automatically monitored through Teams. The guidelines deal with e.g. secure web behavior, anti-scam, up-to-date web browser, and proper use of work email.  
Training and testing are done through the phished.io platform.

Time: The organization has maintained a log that includes the time of each cyber security training event provided to its staff. This helps in tracking the frequency and scheduling of training sessions. 
Topics and duration: For each training event, the organization has documented the topics covered and the duration of the training. This information provides insights into the depth and breadth of the training content. 
Training method and trainer: The organization has recorded the training method (e.g., online, in-person, workshop) and the trainer's details for each session. This helps in evaluating the training's effectiveness and the credentials of the trainers. 
Staff involved: The organization has logged the staff involved in each training event. This ensures that all employees are receiving necessary cyber security training and helps in identifying who has completed specific training modules. 
Investment evidence: The organization has used the training log to show the specific investments made towards enhancing staff's cyber security expertise. This demonstrates a commitment to continuous improvement and staff development in cyber security.

IMPORTANT_PR.AT-3.1: The organization shall establish and enforce security requirements for business-critical third-party providers and users.

Appointment of designated responsible person: The organization has assigned a designated responsible person who actively monitors and ensures that suppliers comply with the security terms of their contracts. 
Execution of service-level monitoring: The designated responsible person monitors the service level promised by suppliers to confirm that their contractual obligations are met.
Regular review of supplier reports: After analysing periodic supplier reports, the responsible person has held follow-up meetings to address any issues or changes.
Audit problem follow-ups: Issues identified during audits have been systematically tracked and managed until resolution.
Incident management oversight: The responsible person has overseen the supplier's management of security incidents to assess responsiveness, effectiveness, and implementation of improvements if necessary. 
Supplier’s performance rating system: The organization has developed a performance rating system to ensure that service levels are consistently met by the supplier. Through this, the supplier's performance can be objectively assessed and potential deficiencies can be addressed.

IMPORTANT_PR.AT-3.2: Third-party providers shall be required to notify any personnel transfers, termination, or transition involving personnel with physical or logical access to organization's business critical system's components.

Appointment of designated responsible person: The organization has assigned a designated responsible person who actively monitors and ensures that suppliers comply with the security terms of their contracts. 
Execution of service-level monitoring: The designated responsible person monitors the service level promised by suppliers to confirm that their contractual obligations are met.
Regular review of supplier reports: After analysing periodic supplier reports, the responsible person has held follow-up meetings to address any issues or changes.
Audit problem follow-ups: Issues identified during audits have been systematically tracked and managed until resolution.
Incident management oversight: The responsible person has overseen the supplier's management of security incidents to assess responsiveness, effectiveness, and implementation of improvements if necessary. 
Supplier’s performance rating system: The organization has developed a performance rating system to ensure that service levels are consistently met by the supplier. Through this, the supplier's performance can be objectively assessed and potential deficiencies can be addressed.

IMPORTANT_PR.AT-3.3: The organization shall monitor business critical service providers and users for security compliance.

Appointment of designated responsible person: The organization has assigned a designated responsible person who actively monitors and ensures that suppliers comply with the security terms of their contracts. 
Execution of service-level monitoring: The designated responsible person monitors the service level promised by suppliers to confirm that their contractual obligations are met.
Regular review of supplier reports: After analysing periodic supplier reports, the responsible person has held follow-up meetings to address any issues or changes.
Audit problem follow-ups: Issues identified during audits have been systematically tracked and managed until resolution.
Incident management oversight: The responsible person has overseen the supplier's management of security incidents to assess responsiveness, effectiveness, and implementation of improvements if necessary. 
Supplier’s performance rating system: The organization has developed a performance rating system to ensure that service levels are consistently met by the supplier. Through this, the supplier's performance can be objectively assessed and potential deficiencies can be addressed.

IMPORTANT_PR.AT-4.1: Senior executives shall demonstrate the understanding of their roles, responsibilities, and authorities.

Creation of information security policy: The organization's top management has developed and approved an information security policy that acts as a guiding document for its security stance and actions. 
Basis for security objectives: The information security policy provides the foundation for setting the organization's security objectives. This includes a detailed understanding of the organization's risk appetite and regulatory requirements that guide the security objective formulation. 
Commitment to security requirements: The policy shows the organization's commitment to meet all information security requirements. This is achieved by clearly stating adherence to applicable laws, regulations, and industry best practices. 
Continuous improvement commitment: The information security policy reflects the organization's commitment to the continuous improvement of the information security management system. This is communicated through ongoing training, routine audits, and adaptive risk management. 
Policy relevance and appropriateness: The task owner has ensured that the information security policy aligns with the organization's business idea, making it fit for purpose and relevant. 
Organization-wide policy communication: The task owner has executed a comprehensive communication plan, ensuring that the policy is communicated throughout the entire organization. 
Stakeholder policy availability: The organization has ensured that the information security policy is available to stakeholders as required, complying with transparency requisites and fostering trust between the organization and its stakeholders. 

1. Define Cybersecurity Framework and Requirements 
Objective: Establish the foundational frameworks and requirements for the organization’s cybersecurity efforts. 
  1. Identify External and Internal Requirements:
  • Evaluate customer promises, contractual obligations, applicable regulations (e.g., GDPR, NIS2), and industry standards.
  • Identify relevant certificates (e.g., ISO 27001, SOC 2) that align with business objectives.
  2. Document Frameworks:
  • Record chosen frameworks and requirements in the Information Security Management System (ISMS) documentation.
  • Ensure alignment with organizational goals and regulatory obligations.
  3. Review and Approve Frameworks:
  • Management reviews the selected frameworks for adequacy and relevance.
  • Approve and communicate these frameworks across the organization.

2. Resource Allocation for Cybersecurity Management 
Objective: Ensure adequate resources are allocated to manage cybersecurity effectively. 
  1. Conduct Resource Assessment:
  • Identify human, technical, and financial resources required to support cybersecurity initiatives. Include training programs, software tools, and infrastructure upgrades.
  2. Allocate Resources:
  • Top management approves and allocates resources for cybersecurity tasks and projects.
  • Include cybersecurity responsibilities in job roles and ensure skilled personnel are in place.
  3. Monitor Resource Utilization:
  • Periodically review resource usage to ensure alignment with cybersecurity objectives.
  • Adjust resource allocation as necessary to meet evolving security needs.

3. Communicate the Importance of Cybersecurity 
Objective: Build organizational awareness and commitment to cybersecurity. 
  1. Develop a Communication Plan:
  • Outline methods for communicating cybersecurity priorities to all stakeholders. Use channels like town halls, newsletters, internal memos, and training sessions.
  2. Conduct Regular Training and Awareness Programs:
  • Train employees on cybersecurity best practices, including their role in achieving organizational security objectives.
  3. Lead by Example:
  • Top management actively participates in cybersecurity initiatives to demonstrate commitment.

4. Ensure Desired Results Are Achieved 
Objective: Guarantee the effectiveness of cybersecurity efforts and the ISMS. 
  1. Define Measurable Objectives:
  • Establish KPIs (e.g., number of incidents, compliance audit results) to track progress.
  2. Implement Monitoring Mechanisms:
  • Use tools and processes to monitor and report on cybersecurity performance.
  • Conduct regular audits and risk assessments.
  3. Review and Act:
  • Top management reviews performance reports.
  • Initiate corrective actions when objectives are not met.

5. Promote Continuous Improvement 
Objective: Enhance the ISMS and cybersecurity practices over time. 
  1. Conduct Regular Management Reviews:
  • Review the ISMS scope, objectives, and results periodically. Include findings from risk assessments, audits, and incident reports.
  2. Implement Improvement Initiatives:
  • Address identified gaps through updates to policies, technologies, or practices.
  3. Foster a Culture of Innovation:
  • Encourage feedback from employees and stakeholders to improve processes.

6. Define and Document the Scope of the ISMS 
Objective: Establish clear boundaries for the ISMS. 
  1. Identify Scope Parameters:
  • Decide if the ISMS covers all organizational information and activities or specific parts.
  2. Document the Scope:
  • Clearly define and record the ISMS scope in the system documentation. Include justifications for any exclusions.
  3. Communicate the Scope:
  • Ensure stakeholders understand the ISMS scope and its relevance to their roles.

IMPORTANT_PR.AT-5.1: The organization shall ensure that personnel responsible for the physical protection and security of the organization's critical systems and facilities are qualified through training before privileges are granted, and that they understand their responsibilities.

Using and updating mobile devices: The organization has provided security guidelines that cover the proper usage and regular updating of mobile devices. These guidelines inform employees about maintaining device security through software updates and following best practices for safe usage. 
Storing and backing up data: The organization has established guidelines for securely storing and backing up data. Employees are instructed on using secure storage solutions and regular backup procedures to protect data integrity and availability. 
Privacy: The organization has defined privacy guidelines to ensure that employees understand how to handle personal and sensitive information. These guidelines emphasize protecting data privacy in compliance with relevant regulations and best practices. 
Using email: The organization has provided guidelines for the secure use of email. Employees are taught how to recognize phishing attempts, use strong passwords, and follow safe emailing practices to prevent unauthorized access and data breaches. 
Handling of printouts, papers, and files: The organization has set forth guidelines for handling printouts, papers, and files, ensuring they are managed securely. This includes proper disposal methods for sensitive documents and safe storage practices. 
Reporting incidents: The organization has implemented clear guidelines for reporting security incidents. Employees are informed about the procedures to follow and whom to contact in case of a security breach or suspicious activity. 
Scam prevention: The organization has developed guidelines to help employees prevent scams. This includes training on recognizing common scam tactics and adopting preventative measures to minimize risk. 

Consistent operation of the security management system: The organization consistently operates a security management system, ensuring all facets of the system are functioning optimally to maintain the required level of security. 
Routine maintenance: The organization carries out regular maintenance of the security management system. This includes updates, patches, vulnerability checks, and general system health reviews. 
Ongoing development: The organization actively seeks opportunities for continuous development of the security management system. This could involve adoption of new security technologies, integration of advanced threat detection techniques, or improvements in security procedures and protocols. 
Documenting boundaries and scope: The organization has documented the boundaries and scope of the security management system. This clarification helps in better comprehension and effective management of the security domain. 
Comprehensive content records: The organization maintains records of all contents tied to the security management system. These could include policies, procedures, standards, guidelines, risk assessments, and incident reports. 
Clear role definition: The organization has clearly outlined the role of the security management system within the broader organizational context. This helps align security practices with organizational goals and strategies. 
Up-to-date implementation information: Cumulative implementation information related to the security management system is maintained and kept current. This includes records on system upgrades, security incidents, corrective actions, and preventive strategies. 
Documentation of additional descriptive information: The organization keeps a record of any additional descriptive information necessary for understanding and managing the security operations. 

The most important roles and responsibilities for the organization's information security work are defined directly in the management system.
The theme owner is responsible for processing and implementing all content under that cyber security theme. The theme owner is displayed on the dashboard of the management system.
The task owner is responsible for ensuring that the related task is completed. An individual owner must be assigned to each task in the management system.
The document owner is responsible for completing and maintaining documentation related to the item. Certain guidelines can also be implemented for owners based on this role.
An employee linked to a guideline must read and accept the security guideline directed at him or her and commit to complying with the guideline in his or her own work. 
Top management oversees the implementation of the management system and ensures that it achieves the objectives set for it. 

Information security awareness training: The organization has conducted a series of trainings to educate personnel on how they can contribute to the effectiveness of the information security management system. The training also outlines the benefits of improving the level of information security. 
Consequences of non-compliance: The organization has clearly communicated to all employees the potential consequences of non-compliance with the requirements of the information security management system. This helps to ensure a higher level of awareness and encourages compliance. 
Role-based security impact understanding: The organization has taken steps to ensure that personnel understand which roles within the organization have effects on the level of security. Creating this understanding helps each employee comprehend their role in maintaining overall security. 
Top management's role in awareness: Top management in the organization have defined methods to keep personnel continuously aware of security guidelines related to their own job roles. These methods may include regular meetings, briefings, email updates, or online awareness modules.

BASIC_PR.DS-3.1: Assets and media shall be disposed of safely.

Laptops that are no longer needed are collected by the IT department for safe and centralized disposal. Related guidelines for staff will be created if necessary.
When disabling old devices, the hard disks are first wiped electronically, for example using the operating system or separate software. The hard disks are then removed from the device and destroyed separately. The device can then be safely sold, donated or recycled.

Process for Secure Disposal of Removable Media Containing Confidential Information 
1. Purpose 
To ensure the secure disposal of removable media containing confidential information, preventing data recovery through industry-accepted methods. This process outlines the destruction methods for different types of media and the proper disposal procedures. 
2. Scope 
This process applies to all removable storage media, including but not limited to hard disk drives (HDDs), solid-state drives (SSDs), and other IT hardware components. 
3. Secure Disposal Procedure 
3.1 Hard Disk Drives (HDDs) 
  1. Data Wiping: All HDDs undergo a multi-pass zero-filling process to overwrite all stored data, ensuring it is irretrievable.
  • The zero-filling process is performed at least three times to eliminate any residual data.
  • Verification checks are conducted to confirm complete data removal.
  2. Physical Destruction: After the zero-filling process, HDDs are physically destroyed by drilling through the platters to render them unusable.
  3. Final Disposal: The remains of the HDDs are placed in the designated trash bin intended for incineration in a furnace.
3.2 Solid-State Drives (SSDs) 
  1. Physical Destruction: Due to the nature of SSD storage, they are directly destroyed by drilling multiple holes through the memory chips to prevent data recovery. 
  2. Final Disposal: The remains of the SSDs are placed in the designated trash bin intended for incineration in a furnace. 
3.3 Other Hardware Components 
  1. Non-storage IT equipment and peripherals (excluding storage media) are collected for proper recycling. 
  2. Recycling Partner: All recyclable components are handed over to Recupel, ensuring environmentally responsible disposal and compliance with electronic waste regulations. 
4. Labeling and Handling 
  • Media requiring disposal must be clearly marked as “For Secure Disposal.” 
  • Only authorized personnel are permitted to perform the disposal process. 
  • Disposal activities are logged for compliance and audit purposes. 
5. Compliance and Verification 
  • The destruction process ensures that no data remains recoverable, even through forensic means. 
  • Compliance with data protection and security policies is maintained. 
  • Periodic audits are conducted to ensure adherence to disposal procedures. 
6. Responsibilities 
  • IT Security Team: Ensures proper execution of disposal procedures. 
  • Compliance Officer: Verifies that disposal logs are maintained and audits the process. 
  • Authorized Personnel: Conducts media destruction and ensures secure disposal in accordance with this process. 
7. Review and Updates 
  • This process is reviewed annually or as needed to align with evolving security best practices and regulatory requirements. 
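Step 3.1 above calls for a three-pass zero-fill of each HDD, a verification check that no data remains, and a log entry for every disposal (section 4); the same procedure is repeated under IMPORTANT_PR.DS-3.2 below. The following Python script is an added illustration of those three steps and is not part of the organization's own process documentation or tooling. It operates only on the path the operator passes in; the `demo()` function constructs a 3 MiB image file that stands in for a drive, and the function names, the media id `HDD-DEMO-0001` and the operator name are all assumptions made for the example. Physical destruction remains a separate manual step that follows a clean verification.

```python
"""Multi-pass zero-fill with read-back verification and a JSON-lines disposal log.

Added example for the HDD disposal step; not the organization's own tooling.
"""
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB write/read buffer


def _target_size(fh):
    """Size of the open target in bytes. Seeking to the end works for regular
    files and for block devices, where os.path.getsize() would report 0."""
    fh.seek(0, os.SEEK_END)
    size = fh.tell()
    fh.seek(0)
    return size


def zero_fill(path, passes=3):
    """Overwrite every byte of `path` with 0x00, `passes` times (the process
    requires at least three), forcing each pass to storage with fsync."""
    with open(path, "r+b", buffering=0) as fh:
        size = _target_size(fh)
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                remaining -= fh.write(bytes(n))  # bytes(n) is n zero bytes
            os.fsync(fh.fileno())
    return size


def verify_zeroed(path):
    """Read the whole target back. Returns (True, None) when every byte is zero,
    otherwise (False, offset_of_first_nonzero_byte) for the audit record."""
    offset = 0
    with open(path, "rb", buffering=0) as fh:
        while True:
            chunk = fh.read(CHUNK)
            if not chunk:
                return True, None
            if chunk.count(0) != len(chunk):
                first = next(i for i, b in enumerate(chunk) if b)
                return False, offset + first
            offset += len(chunk)


def dispose_media(path, media_id, operator, log_path, passes=3):
    """Wipe, verify, and append one JSON-lines record to the disposal log."""
    size = zero_fill(path, passes)
    ok, bad_offset = verify_zeroed(path)
    record = {
        "timestamp": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "media_id": media_id,      # asset tag of the drive (constructed label in demo)
        "operator": operator,      # authorized person performing the wipe
        "target": path,
        "bytes": size,
        "passes": passes,
        "verified": ok,
        "first_nonzero_offset": bad_offset,
        # Media is released to physical destruction only after a clean verification.
        "next_step": "physical destruction" if ok else "HOLD: re-wipe and investigate",
    }
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def demo():
    """Constructed demonstration: a ~3 MiB image file filled with non-zero bytes
    stands in for a drive. Returns the pre-wipe check, the log record and the
    number of log lines written."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "demo-drive.img")
        log_path = os.path.join(tmp, "disposal.log")
        with open(image, "wb") as fh:
            fh.write(bytes(range(1, 256)) * (3 * 1024 * 1024 // 255 + 1))
        before = verify_zeroed(image)  # expected (False, 0): first byte is 0x01
        record = dispose_media(image, "HDD-DEMO-0001", "demo-operator", log_path)
        with open(log_path, encoding="utf-8") as log:
            lines = log.read().splitlines()
        return before, record, len(lines)


if __name__ == "__main__":
    before, rec, n = demo()
    print("non-zero data present before wipe:", not before[0])
    print(json.dumps(rec, indent=2))
    print("audit records written:", n)
```

The verification reads the entire target back rather than sampling it, which is what makes the log's `verified` field evidence rather than an assumption; a failed read-back leaves the record marked `HOLD` so the drive is not released to the drilling step. Because the size is taken by seeking to the end of the open file, the same functions can be pointed at a block device path on Linux by an authorized operator. SSDs are deliberately not covered, since section 3.2 relies on physical destruction for them rather than overwriting.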

To ensure the highest level of security and compliance with privacy regulations, the use of removable media (such as USB sticks, external hard drives, SD cards, and other portable storage devices) for storing or transferring sensitive and private data is strictly prohibited. 
Why is this restriction in place?
  • Data Protection: Removable media can easily be lost or stolen, leading to potential data breaches. 
  • Compliance Requirements: Regulatory frameworks such as GDPR, NIS2, and ISO 27001 require strict controls over the handling of sensitive data. 
  • Security Risks: These devices are susceptible to malware, unauthorized access, and potential misuse. 
Alternatives for Secure Data Storage and Transfer: 
  • Use company-approved encrypted cloud storage or secure file-sharing platforms. 
  • When necessary, transfer files via secure internal networks or encrypted email attachments. 
  • For exceptional cases, contact IT Security for approved methods of secure data transfer. 
Failure to comply with this policy may result in disciplinary actions and could lead to serious security risks for the organization. If you have any questions or require assistance, please reach out to the IT Security team.

IMPORTANT_PR.DS-3.2: The organization shall enforce accountability for all its business-critical assets throughout the system lifecycle, including removal, transfers, and disposition.

Process for Secure Disposal of Removable Media Containing Confidential Information 
1. Purpose 
To ensure the secure disposal of removable media containing confidential information, preventing data recovery through industry-accepted methods. This process outlines the destruction methods for different types of media and the proper disposal procedures. 
2. Scope 
This process applies to all removable storage media, including but not limited to hard disk drives (HDDs), solid-state drives (SSDs), and other IT hardware components. 
3. Secure Disposal Procedure 
3.1 Hard Disk Drives (HDDs) 
  1. Data Wiping: All HDDs undergo a multi-pass zero-filling process to overwrite all stored data, ensuring it is irretrievable. 
    • The zero-filling process is performed at least three times to eliminate any residual data. 
    • Verification checks are conducted to confirm complete data removal. 
  2. Physical Destruction: After the zero-filling process, HDDs are physically destroyed by drilling through the platters to render them unusable. 
  3. Final Disposal: The remains of the HDDs are placed in the designated trash bin intended for incineration in a furnace. 
3.2 Solid-State Drives (SSDs) 
  1. Physical Destruction: Due to the nature of SSD storage, they are directly destroyed by drilling multiple holes through the memory chips to prevent data recovery. 
  2. Final Disposal: The remains of the SSDs are placed in the designated trash bin intended for incineration in a furnace. 
3.3 Other Hardware Components 
  1. Non-storage IT equipment and peripherals are collected for proper recycling. 
  2. Recycling Partner: All recyclable components are handed over to Recupel, ensuring environmentally responsible disposal and compliance with electronic waste regulations. 
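The wipe-and-verify step in 3.1 can be checked mechanically rather than by inspection. The following is an added example, not NormNest's tooling and not any vendor's: it zero-fills a path and then reads the whole medium back to confirm that no non-zero byte remains, returning a record that can go into the disposal log. The path, pass count and log fields are assumptions; during an actual disposal the path would be the raw block device (for example /dev/sdX, opened as root), while here a disk-image file stands in for the drive.

```python
"""Zero-fill wipe with full read-back verification for HDD sanitisation.

Added example, not NormNest's tooling. `path` may be a disk-image file (used
here for testing) or a raw block device such as /dev/sdX opened as root
during the actual disposal step. Pass count and log fields are assumptions.
"""
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per read/write


def zero_fill(path: str, passes: int = 3) -> int:
    """Overwrite every byte of the medium with zeros `passes` times.

    Returns the size in bytes overwritten on each pass. fsync() forces the
    data out of the page cache so the verification afterwards reads what is
    on the medium, not what is cached in memory.
    """
    zeros = bytes(CHUNK)
    with open(path, "r+b", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)  # works for files and block devices
        for _ in range(passes):
            dev.seek(0)
            remaining = size
            while remaining > 0:
                written = dev.write(zeros[:min(CHUNK, remaining)])
                if not written:
                    raise IOError("short write while wiping %s" % path)
                remaining -= written
            os.fsync(dev.fileno())
    return size


def verify_zeroed(path: str):
    """Read the entire medium; return (clean, offset_of_first_nonzero_byte).

    The whole medium is read deliberately: sampling a few sectors would miss
    a wipe that aborted part-way through.
    """
    with open(path, "rb", buffering=0) as dev:
        offset = 0
        while True:
            chunk = dev.read(CHUNK)
            if not chunk:
                return True, -1
            if chunk.strip(b"\x00"):  # at least one non-zero byte in this chunk
                first = next(i for i, b in enumerate(chunk) if b)
                return False, offset + first
            offset += len(chunk)


def sanitize_hdd(path: str, passes: int = 3) -> dict:
    """Wipe, then verify; the returned dict is the entry for the disposal log."""
    size = zero_fill(path, passes)
    clean, first_bad = verify_zeroed(path)
    return {"device": path, "bytes": size, "passes": passes,
            "verified_clean": clean, "first_nonzero_offset": first_bad}


def make_test_image(size: int) -> str:
    """Constructed stand-in for a drive: a temp file full of random data."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(os.urandom(size))
    return img.name


if __name__ == "__main__":
    image = make_test_image(3 * CHUNK + 12345)
    print("before:", verify_zeroed(image))
    print("log entry:", sanitize_hdd(image, passes=3))
    os.unlink(image)
```

The full read-back is the part that matters: a spot check of a few sectors would not catch a wipe that was interrupted. NIST SP 800-88 treats a single verified overwrite pass as sufficient for modern magnetic drives, so the three passes in 3.1 are conservative rather than required. The same check proves nothing for SSDs, whose controllers remap and over-provision flash cells that a host-side overwrite never reaches, which is why 3.2 destroys them physically instead.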
4. Labeling and Handling 
  • Media requiring disposal must be clearly marked as “For Secure Disposal.” 
  • Only authorized personnel are permitted to perform the disposal process. 
  • Disposal activities are logged for compliance and audit purposes. 
5. Compliance and Verification 
  • The destruction process ensures that no data remains recoverable, even through forensic means. 
  • Compliance with data protection and security policies is maintained. 
  • Periodic audits are conducted to ensure adherence to disposal procedures. 
6. Responsibilities 
  • IT Security Team: Ensures proper execution of disposal procedures. 
  • Compliance Officer: Verifies that disposal logs are maintained and audits the process. 
  • Authorized Personnel: Conducts media destruction and ensures secure disposal in accordance with this process. 
7. Review and Updates 
  • This process is reviewed annually or as needed to align with evolving security best practices and regulatory requirements. 

To ensure the highest level of security and compliance with privacy regulations, the use of removable media (such as USB sticks, external hard drives, SD cards, and other portable storage devices) for storing or transferring sensitive and private data is strictly prohibited. 
Why is this restriction in place?
  • Data Protection: Removable media can easily be lost or stolen, leading to potential data breaches. 
  • Compliance Requirements: Regulatory frameworks such as GDPR, NIS2, and ISO 27001 require strict controls over the handling of sensitive data. 
  • Security Risks: These devices are susceptible to malware, unauthorized access, and potential misuse. 
Alternatives for Secure Data Storage and Transfer: 
  • Use company-approved encrypted cloud storage or secure file-sharing platforms. 
  • When necessary, transfer files via secure internal networks or encrypted email attachments. 
  • For exceptional cases, contact IT Security for approved methods of secure data transfer. 
Failure to comply with this policy may result in disciplinary actions and could lead to serious security risks for the organization. If you have any questions or require assistance, please reach out to the IT Security team.

IMPORTANT_PR.DS-4.1: Capacity planning shall ensure adequate resources for organization's critical system information processing, networking, telecommunications, and data storage.

The organization continuously monitors the capacity and performance of its cloud-based infrastructure using N-able and Veeam. These tools track critical metrics such as storage usage, CPU load, memory consumption, and backup status across all systems. 
While specific threshold values may vary by system, alerts are configured to trigger when resource usage reaches critical levels (e.g., approaching storage limits), enabling proactive intervention before service performance is impacted. 
Monthly reviews are conducted by the IT team to analyze trends in resource consumption and assess potential bottlenecks. These reviews support capacity planning and help ensure that infrastructure scales in line with organizational needs. 
All infrastructure is cloud-based, allowing the organization to dynamically scale resources when needed. This flexibility reduces the risk of resource saturation and contributes to maintaining high system availability. 
While there is currently no formal documented escalation procedure, capacity-related alerts are handled operationally by the IT team as part of their incident response workflow. The organization is exploring the creation of a more formal escalation path as part of its continuous improvement efforts. 
Dependencies on key personnel responsible for monitoring and capacity planning are acknowledged, and informal knowledge sharing helps mitigate continuity risks in case of staff absence.

Utilized Security Systems:
  • N-able Backup
  • Sophos Cloud Optix
  • VMware VirtualCenter
  • Atera RMM
  • Veeam Backup & Replication

IMPORTANT_PR.DS-5.1: The organization shall take appropriate actions resulting in the monitoring of its critical systems at external borders and critical internal points when unauthorized access and activities, including data leakage, is detected.

We identify, assess, and remediate vulnerabilities on endpoints, servers, and network infrastructure using automated tools and structured processes. 
Implementation 
  • Endpoint vulnerabilities are detected via SentinelOne. 
  • Server and infrastructure vulnerabilities are detected via ManageEngine Vulnerability Manager Plus (VAS). 
  • High and critical vulnerabilities are prioritized based on CVSS score, exploitability, and asset criticality. 
  • Vulnerabilities are tracked and managed in Jira from detection to closure. 
  • Patch management is coordinated between the Security Team and Infrastructure Team. 
Monitoring and Review 
  • SentinelOne alerts reviewed daily for critical vulnerabilities. 
  • VAS vulnerability scans reviewed weekly.
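The prioritisation rule above (CVSS score, exploitability, asset criticality) is easy to state and easy to get wrong if CVSS ends up as the only input. The following added example, which is not NormNest's code and not a SentinelOne or Vulnerability Manager Plus feature, scores a set of constructed findings with assumed weights and SLA tiers and orders them for the Jira backlog. The record fields, weights, thresholds, SLA days and the CVE identifiers in the sample are all placeholders.

```python
"""Risk-based ranking of vulnerability findings for the remediation backlog.

Added example, not NormNest's code and not a SentinelOne or Vulnerability
Manager Plus feature. Field names, weights, tier thresholds, SLA days and
the CVE identifiers in the sample are all assumed placeholders.
"""
from dataclasses import dataclass
from typing import List

# Remediation target per tier, in days (assumed, not the organisation's SLAs).
SLA_DAYS = {"P1": 7, "P2": 30, "P3": 90, "P4": 180}

# Business-impact weight per asset criticality (assumed inventory scale).
ASSET_WEIGHT = {"critical": 1.0, "high": 0.8, "medium": 0.5, "low": 0.3}


@dataclass(frozen=True)
class Finding:
    cve: str
    asset: str
    asset_criticality: str    # critical / high / medium / low
    cvss: float               # CVSS v3.x base score, 0.0 to 10.0
    exploited_in_wild: bool   # e.g. listed in CISA's Known Exploited Vulnerabilities
    internet_exposed: bool    # reachable from outside the network


def risk_score(f: Finding) -> float:
    """Severity x business impact, boosted by exploitability and exposure.

    CVSS alone over-ranks a theoretical 9.8 on an isolated lab VM and
    under-ranks a 6.5 that is being exploited on the identity provider.
    The result is deliberately unbounded; only the ordering matters.
    """
    score = f.cvss * ASSET_WEIGHT[f.asset_criticality]
    if f.exploited_in_wild:
        score *= 2.0
    if f.internet_exposed:
        score *= 1.5
    return round(score, 2)


def priority(f: Finding) -> str:
    """Map a finding to an SLA tier.

    A known-exploited vulnerability on a critical or high asset is P1
    regardless of its CVSS score, which is the point of combining the inputs.
    """
    if f.exploited_in_wild and f.asset_criticality in ("critical", "high"):
        return "P1"
    s = risk_score(f)
    if s >= 12.0:
        return "P1"
    if s >= 7.0:
        return "P2"
    if s >= 2.5:
        return "P3"
    return "P4"


def remediation_queue(findings: List[Finding]) -> List[Finding]:
    """Order findings for the backlog: highest risk first, CVE id as tie-break."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.cve))


def backlog_rows(findings: List[Finding]):
    """One row per finding, as it would be pushed to the tracker."""
    return [(f.cve, f.asset, priority(f), risk_score(f), SLA_DAYS[priority(f)])
            for f in remediation_queue(findings)]


# Constructed sample findings; the CVE ids are placeholders, not real entries.
SAMPLE = [
    Finding("CVE-0000-0001", "lab-vm-07", "low", 9.8, False, False),
    Finding("CVE-0000-0002", "idp-01", "critical", 6.5, True, True),
    Finding("CVE-0000-0003", "web-01", "high", 7.5, False, True),
    Finding("CVE-0000-0004", "fileshare-02", "medium", 5.0, False, True),
]

if __name__ == "__main__":
    for row in backlog_rows(SAMPLE):
        print("%-14s %-13s %s  score=%5.2f  fix within %3d days" % row)
```

With these weights the CVSS 9.8 on the isolated lab VM ends up last in the queue and the CVSS 6.5 that is actively exploited on the identity provider ends up first with a seven-day target; the weights and thresholds are starting points to be tuned against the real asset inventory, not a recommendation.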

IMPORTANT_PR.DS-6.1: The organization shall implement software, firmware, and information integrity checks to detect unauthorized changes to its critical system components during storage, transport, start-up and when determined necessary.

The organization follows a structured change management process for all significant changes to data processing services. Significant changes are defined as those that may affect the confidentiality, integrity, or availability of systems, services, or data. 
The process includes the following steps: 
  1. Change Request Initiation – A change is proposed and recorded, including scope, purpose, affected systems, and potential risks. 
  2. Risk Assessment – The change is assessed using Cyberday’s built-in risk assessment process to evaluate its potential impact on information security. 
  3. Approval Process – Changes are reviewed and approved by designated personnel based on risk and scope (e.g., IT lead, security officer, or service owner). 
  4. Implementation & Testing – Approved changes are implemented during planned windows and, where applicable, tested in a staging environment before going live. 
  5. Documentation & Communication – Change details, risk assessments, and decisions are documented and communicated to relevant stakeholders. 
  6. Post-Implementation Review – If required, a review is conducted to ensure the change was successful and didn’t introduce unintended issues. 
The change management process is integrated into daily operations via tools like issue trackers or internal project boards. All changes are logged, reviewed periodically, and linked to risk assessments where applicable. Documentation is managed centrally and updated as changes are implemented. 

The organization ensures that all systems supporting critical business processes are continuously protected through real-time malware monitoring, automated scanning, and defined incident response procedures. These systems are a priority in the organization's overall cybersecurity posture. 

Routine Malware Inspection of Critical Systems 
  • Systems that support critical business operations (e.g., identity systems, communication tools, endpoint devices used for privileged access, backup infrastructure) are prioritized for continuous malware inspection. 
  • SentinelOne, the organization’s active endpoint protection platform, provides real-time monitoring of all running processes, memory operations, and file activities. 
  • Scheduled scans are not required due to SentinelOne’s behavior-based detection engine, which continuously analyzes system behavior for signs of compromise. 

Automated Scanning Systems 
  • All critical endpoints are monitored 24/7 by SentinelOne agents, which automatically detect and respond to: 
    • Fileless malware 
    • Ransomware 
    • Exploit attempts 
    • Known and unknown threats, classified by machine learning 
  • Detected threats are immediately quarantined, and the affected system is isolated from the network when necessary. 
  • Heimdal DNS filtering adds an additional layer of protection by blocking communication to known malicious domains, even before payloads are delivered. 
Once Sophos is fully deployed, it will: 
  • Enhance protection of web-based and content-based threats 
  • Add HTTPS traffic filtering for systems accessing the internet 

Incident Response Procedure 
If malware is detected: 
  1. SentinelOne generates an automated alert and initiates the appropriate remediation action (e.g., kill process, quarantine, rollback). 
  2. The Security Team is notified through the SentinelOne console and email (optional configuration). 
  3. If the threat is confirmed to impact critical systems or data, the incident response plan is triggered, which includes: 
  • Containment (e.g., isolating affected system) 
  • Analysis and triage 
  • Root cause investigation (using log data and EDR forensics) 
  • Recovery and post-incident review 
All incidents are documented in the internal ticketing system or security incident log, and lessons learned may be incorporated into future detection criteria or playbooks.

IMPORTANT_PR.IP-2.1: The system and application development life cycle shall include security considerations.

We track these changes in Atlassian

IMPORTANT_PR.IP-3.1: Changes shall be tested and validated before being implemented into operational systems.

We track these changes in Atlassian 

Configuration documentation: The organization has documented the current configurations of devices, data systems, and networks, ensuring a comprehensive record is maintained. 
Configuration change log: The organization has maintained a log of configuration changes to track all modifications and ensure accountability. 
Owner and contact information: The organization has included property owner and contact point information in the configuration documentation to ensure responsibility and communication channels are clear. 
Date of last configuration change: The organization has documented the date of the last configuration change for all devices, data systems, and networks to maintain an accurate timeline. 
Configuration reviews: The organization has established regular reviews of configuration documentation to ensure it remains accurate and up-to-date.

Our organization defines significant security-related changes as updates or modifications that affect security-critical systems, including access controls, security applications, and infrastructure components. 
We evaluate these changes using a lightweight but structured process: 
  • Identification & Risk Assessment: Significant changes are identified by the IT team. Since adopting Cyberday, each change undergoes a documented risk assessment. For earlier changes, informal assessments were discussed and are now retroactively documented where applicable. 
  • Approval Process: In our small team, approvals are given during IT sync meetings or directly between stakeholders. We record this in Jira tickets or internal documentation using a standard approval comment format. 
  • Impact & Mitigation Documentation: We have introduced a short checklist to record potential impacts and planned mitigation steps. This is now part of our change documentation process. 
  • Post-Implementation Review: After the change, we log whether it was successful and note any issues or lessons learned. This is done via comments on Jira tasks. 
  • Communication: Changes and their potential impacts are communicated to management during regular team meetings. This is logged in ticket comments or meeting summaries.

BASIC_PR.IP-4.1: Backups for organization's business critical data shall be conducted and stored on a system different from the device on which the original data resides

1. Purpose 
This backup policy ensures that all critical data, applications, and systems are securely backed up and can be restored in the event of data loss, disaster, or system failure. The policy outlines the responsibilities, backup frequency, retention periods, storage locations, and security measures in place. 
2. Scope 
This policy applies to all systems, applications, and data under our responsibility, including those hosted in our private cloud and Microsoft 365 environments. 
3. Backup Responsibilities 
Our backup infrastructure consists of the following platforms: 
  • Veeam: Used for backing up servers and M365 in our private cloud. 
  • N-able SaaS: Used for backing up Microsoft 365 services, including emails, SharePoint, Teams, and OneDrive. 
4. Backup Strategy 
  • Criticality Assessment: Each data asset is assessed based on its criticality to determine the backup frequency and retention period. 
  • Backup Frequency: 
    • Microsoft 365 (N-able SaaS) 
      • Emails are backed up four times per day. 
      • Files (SharePoint, Teams, OneDrive) are backed up three times per day. 
    • Private Cloud (Veeam) 
      • Virtual machines, databases, and critical infrastructure components are backed up daily, with incremental backups every hour for mission-critical workloads. 
  • Retention Period: 
    • Microsoft 365 backups: Retained for 90 days. 
    • Veeam backups: Retention policies are defined based on the system's importance, ranging from 90 days to several years for compliance reasons. 
5. Backup Storage and Protection 
  • Backup Locations: 
    • Veeam backups are stored in our private cloud with replication to an off-site location for redundancy. 
    • N-able SaaS backups are stored in a secure cloud-based storage environment. 
  • Security Measures: 
    • Backups are encrypted both in transit and at rest. 
    • Access to backup systems is restricted to authorized personnel only. 
    • Multi-factor authentication (MFA) is enforced for backup management access. 
    • Regular integrity checks and test restores are performed to validate backup reliability. 
6. Backup Retention Policy 
  • Data is retained according to business, legal, and compliance requirements. 
  • Older backups that exceed the retention period are automatically deleted unless required for long-term archival. 
  • Special backup retention may be applied for compliance audits or legal holds. 
7. Backup Restoration 
  • Restorations are conducted based on business needs and priority levels. 
  • Authorized personnel can request restores via the IT service desk. 
  • Critical system recovery tests are performed periodically to ensure backup effectiveness. 
8. Policy Review & Updates 
  • This backup policy is reviewed annually or when significant changes occur in IT infrastructure or business needs. 
  • Updates will be documented and communicated to relevant stakeholders. 
9. Compliance & Enforcement 
  • This policy aligns with regulatory requirements such as GDPR, NIS2, and ISO 27001. 
  • Non-compliance with backup procedures may result in disciplinary action or security remediation measures.

IMPORTANT_PR.IP-4.2: The reliability and integrity of backups shall be verified and tested on regular basis.

Task owner shall ensure that the restoration of backups is tested at regular intervals according to the review interval set for the task. 
Task owner is responsible for creating and directing guidelines for restoring backups to the relevant units.
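Both the "regular integrity checks and test restores" in section 5 of the backup policy above and this control call for establishing that a backup set is still what was written before it is relied on. Veeam and N-able ship their own health checks; the following added example (not NormNest's configuration and not either vendor's code) shows the principle on any directory of backup files: build a SHA-256 manifest authenticated with an HMAC key held outside the backup repository, then verify the set against it before a test restore. The key handling, the file layout and the sample set are assumptions.

```python
"""Backup-set integrity check with an HMAC-authenticated SHA-256 manifest.

Added example; not NormNest's Veeam or N-able configuration and not either
vendor's code. The manifest key is assumed to be held outside the backup
repository (for example in the secrets store the backup operators use), so
someone who can alter backup files cannot simply regenerate the manifest.
"""
import hashlib
import hmac
import json
import os

READ_CHUNK = 1 << 20


def _sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(READ_CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk(backup_dir: str):
    """Yield (relative POSIX-style path, full path) for every file in the set."""
    for root, _, names in os.walk(backup_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            yield os.path.relpath(full, backup_dir).replace(os.sep, "/"), full


def _tag(files: dict, key: bytes) -> str:
    body = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(backup_dir: str, key: bytes) -> dict:
    """Record digest and size of every file; authenticate the record with the key.

    Run once when the backup set has been written and store the result
    (JSON-serialisable) next to, but not inside, the set.
    """
    files = {rel: {"sha256": _sha256_file(full), "size": os.path.getsize(full)}
             for rel, full in _walk(backup_dir)}
    return {"files": files, "hmac": _tag(files, key)}


def verify_backup(backup_dir: str, manifest: dict, key: bytes) -> dict:
    """Compare the set against its manifest before a test restore.

    Result fields: ok, manifest_tampered, modified, missing, unexpected.
    The HMAC is checked first: a manifest that fails it says nothing about
    the files, so no per-file verdict is produced in that case.
    """
    if not hmac.compare_digest(_tag(manifest["files"], key), manifest["hmac"]):
        return {"ok": False, "manifest_tampered": True,
                "modified": [], "missing": [], "unexpected": []}
    present = {rel: full for rel, full in _walk(backup_dir)}
    modified, missing = [], []
    for rel, meta in sorted(manifest["files"].items()):
        if rel not in present:
            missing.append(rel)
        elif (os.path.getsize(present[rel]) != meta["size"]
              or _sha256_file(present[rel]) != meta["sha256"]):
            modified.append(rel)
    unexpected = sorted(set(present) - set(manifest["files"]))
    return {"ok": not (modified or missing or unexpected),
            "manifest_tampered": False, "modified": modified,
            "missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    import tempfile
    # Constructed backup set: one VM image and one config file.
    d = tempfile.mkdtemp()
    os.makedirs(os.path.join(d, "vm"))
    with open(os.path.join(d, "vm", "disk1.img"), "wb") as f:
        f.write(b"A" * 4096)
    with open(os.path.join(d, "config.xml"), "wb") as f:
        f.write(b"<cfg/>")
    key = os.urandom(32)
    manifest = build_manifest(d, key)
    print("fresh set ok:", verify_backup(d, manifest, key)["ok"])
    with open(os.path.join(d, "vm", "disk1.img"), "r+b") as f:
        f.write(b"B")  # silently corrupt one byte of the image
    print("after corruption:", verify_backup(d, manifest, key))
```

A plain hash list would detect bit rot and accidental damage; the HMAC is what makes the check meaningful against an attacker with write access to the repository, and it only does so if the key is not stored alongside the backups. A test restore that starts from a set this check has passed is testing the restore procedure, not chasing a corrupted source.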

IMPORTANT_PR.IP-4.3: A separate alternate storage site for system backups shall be operated and the same security safeguards as the primary storage location shall be employed.

The backup policy documented under BASIC_PR.IP-4.1 above applies. Section 5 (Backup Storage and Protection) covers the replication of Veeam backups to an off-site location and the encryption, access restriction, MFA and integrity-check measures applied to backup storage.

IMPORTANT_PR.IP-5.1: The organization shall define, implement, and enforce policy and procedures regarding emergency and safety systems, fire protection systems, and environment controls for its critical systems.

Task owner plans, monitors, and updates the process by which: 
  • basic services are tested regularly 
  • basic services are equipped with appropriate alarm systems that detect malfunctions 
  • basic services are brought to the premises via several supply lines running on different physical routes 

Whenever computing equipment or other important equipment is installed and located, the following rules shall apply: 
  • Equipment shall be located so that access to work areas is inherently kept to a minimum. 
  • Critical facilities shall be protected, where necessary, by separate additional arrangements, so that the overall level of protection required is kept limited. 
  • Processing of sensitive information shall be carried out in a location that does not allow illicit viewing 
Task owner shall ensure that the equipment is installed and located in accordance with this description only. 

1. Risk Assessment and Equipment Classification 
  • Identify critical equipment that requires surge protection and UPS backup (e.g., servers, network devices, security systems). 
  • Assess the power stability in the environment and determine the need for additional protective measures. 
  • Ensure compliance with applicable standards (e.g., the ISO/IEC 27001 Annex A control on supporting utilities, A.7.11 in the 2022 edition, and IEC 62040 for UPS systems). 
2. Surge Protection Implementation 
  • Install surge protectors at: 
    • Power entry points, to prevent voltage spikes from damaging systems. 
    • Workstations and server racks, to protect individual devices. 
    • Network and communication lines, to shield against transient surges. 
  • Conduct regular inspections and replacements of surge protectors to ensure functionality. 
3. UPS Installation and Configuration 
  • Connect critical equipment to an appropriately sized UPS system to: 
    • Provide temporary power during short outages. 
    • Prevent data loss by allowing a graceful shutdown if power loss is prolonged. 
    • Stabilize power fluctuations and reduce the risk of hardware damage. 
  • Configure UPS monitoring and alerting systems to track power status and battery health. 
4. Regular Testing and Maintenance 
  • Perform tests on surge protectors and UPS systems to ensure reliability. 
  • Monitor battery health and replace aging UPS batteries as needed. 
  • Maintain a log of power incidents, including UPS activations and system shutdowns.

IMPORTANT_PR.IP-6.1: The organization shall ensure that its critical system's data is destroyed according to policy.

Guidelines for securely disposing paper data are defined directly in Cyberday and are automatically monitored through the Teams application. 
Task owner reviews comments related to the guidelines and updates the guidelines as needed. 

Retention periods documented: The organization has documented the retention periods for various data sets, clearly specifying the duration for which each type of data must be retained based on functional and statutory requirements. 
Archiving and destruction methods detailed: The organization has detailed the archiving methods and locations, as well as the approved data destruction methods such as overwriting or cryptographic erasure, ensuring secure disposal of data. 
Evidence preservation requirements discussed: The organization has established the need to preserve evidence of data destruction and has included these requirements in the documentation, ensuring a transparent and accountable process. 
Supplier contracts updated: The organization has updated supplier contracts to include specific data destruction requirements and the need for evidence when third parties are involved in the destruction process. 
Data owner responsibilities defined: The organization has defined the responsibilities of data owners in the archiving or destruction process, making them accountable for ensuring that data is either archived or destroyed securely and punctually at the end of the retention period. 

Retention times for data sets are documented in organization's information security management system. The owners of the associated data stores are responsible for completing the documentation and are instructed by the task owner if necessary. 
Task owner regularly reviews the listing as a whole and assesses the legality and consistency of retention times.

The Process for Secure Disposal of Removable Media Containing Confidential Information documented under IMPORTANT_PR.DS-3.2 above applies: HDDs are zero-filled, verified and physically destroyed, SSDs are physically destroyed, the remains go to incineration, and every disposal is logged and audited.

IMPORTANT_PR.IP-7.1: The organization shall incorporate improvements derived from the monitoring, measurements, assessments, and lessons learned into protection process updates (continuous improvement).

Continuous improvement initiatives: The organization has embarked on a path of continuous improvement of its information security management system. Besides audits and clear non-conformities, this draws on other inputs such as employee feedback, risk reviews, and benchmarking against industry standards. 
Documenting improvements: The task owner has taken on the responsibility of documenting any improvements made to the management system. This provides a written record of the changes that can be used for future references and audits. 
Task division and delegation: The documented improvements have been divided into specific tasks and assigned to respective teams or individuals for execution. This helps ensure efficient implementation of the improvements. 
Task execution monitoring: The task owner monitors the execution of these tasks to ensure they are completed as planned and on schedule. 
Periodic review of the ISMS: The organization ensures that the information security management system is regularly reviewed to identify new opportunities for improvement. This review is conducted with the involvement of top management to ensure full commitment and support. 

Regular incident analysis: The organization regularly analyzes incidents as a whole, examining their type, number, and cost. This analysis aims to identify recurrent and significant incidents that require further action. 
Creation or expansion of management tasks: The organization has created new management tasks or expanded current ones based on the identification of recurrent incidents requiring a response. This ensures that appropriate management oversight is in place. 
Refining of security guidelines: The organization has refined or extended security guidelines in areas where recurrent incidents have been identified. This improves the framework for handling similar incidents in the future. 
Development of case examples: The organization has developed case examples of incidents, which are used to train staff to respond to or avoid similar incidents. This educational approach helps reduce the likelihood and impact of future incidents. 
Identifying recurrent incidents: The organization has identified recurrent incidents requiring further response and has taken steps to mitigate or prevent these. This proactive stance helps in reducing the frequency and severity of security incidents.

IMPORTANT_PR.IP-8.1: The organization shall collaborate and share information about its critical system's related security incidents and mitigation measures with designated partners.

Informing original reporter and involved personnel: The organization has defined procedures to ensure that the original reporter and other personnel involved in the incident are informed of the outcome of the incident management. This communication ensures transparency and closure for all parties involved. 
Documentation of linked personnel: The organization has provided an optional field on the incident documentation template to document linked personnel. This allows easy tracking and ensures all relevant parties are informed appropriately. 
Outcome communication: The organization has communicated the results of the incident management process to the original reporter and any other personnel involved. This includes details of the incident resolution and any follow-up actions taken. 
Confirmation of receipt: The organization has implemented a system to confirm receipt of incident outcome information by the original reporter and involved personnel. This ensures that the communicated information has been acknowledged and understood. 
Feedback collection: The organization has established a feedback mechanism to collect input from the original reporter and involved personnel regarding the incident management process. This feedback helps improve future incident handling procedures. 

Establishment of threat intelligence sharing networks: The organization has established networks for sharing threat intelligence information with other organizations. This exchange improves the organization's understanding of the threat landscape and helps others too.

IMPORTANT_PR.IP-8.2: Communication of effectiveness of protection technologies shall be shared with appropriate parties.

Informing original reporter and involved personnel: The organization has defined procedures to ensure that the original reporter and other personnel involved in the incident are informed of the outcome of the incident management. This communication ensures transparency and closure for all parties involved. 
Documentation of linked personnel: The organization has provided an optional field on the incident documentation template to document linked personnel. This allows easy tracking and ensures all relevant parties are informed appropriately. 
Outcome communication: The organization has communicated the results of the incident management process to the original reporter and any other personnel involved. This includes details of the incident resolution and any follow-up actions taken. 
Confirmation of receipt: The organization has implemented a system to confirm receipt of incident outcome information by the original reporter and involved personnel. This ensures that the communicated information has been acknowledged and understood. 
Feedback collection: The organization has established a feedback mechanism to collect input from the original reporter and involved personnel regarding the incident management process. This feedback helps improve future incident handling procedures. 

Establishment of threat intelligence sharing networks: The organization has established networks for sharing threat intelligence information with other organizations. This exchange improves the organization's understanding of the threat landscape and benefits the other participating organizations as well.

IMPORTANT_PR.IP-9.1: Incident response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) shall be established, maintained, approved, and tested to determine the effectiveness of the plans, and the readiness to execute the plans.

Continuity planning for unexpected events: The organization has implemented continuity planning to ensure that operations can continue as quickly and smoothly as possible following an unexpected event, such as a fire, flood, or equipment failure. 
Event description: Each continuity plan specifies the particular event or scenario it addresses, such as fires, floods, equipment failures, or similar disruptions. 
Goal for recovery time: The plan sets a clear target for the recovery time objective (RTO), which defines the maximum acceptable downtime before critical operations must be restored. 
Responsible persons and stakeholders: The plan identifies the responsible persons and relevant stakeholders, including their roles and responsibilities. It also includes detailed contact information for quick and effective communication. 
Planned immediate actions: The continuity plan outlines the immediate actions to be taken in response to the event. These actions are designed to mitigate impact, ensure safety, and stabilize the situation quickly. 
Planned recovery steps: The plan describes the specific steps that need to be taken to recover and restore operations. This includes detailed procedures for assessing damage, prioritizing actions, and resuming critical business functions. 

Regular testing and review of continuity plans: The organization conducts regular and at least annual tests and reviews of its information security continuity plans to ensure they remain valid and effective under adverse conditions. 
Stakeholder involvement: Stakeholders critical to each continuity plan are involved in the testing process, ensuring that those who play key roles in the plans are familiar with their duties and can execute the plans effectively when needed. 
Documentation of tests: Each test and review is thoroughly documented, including the test scenario, participants, outcomes, and any identified weaknesses or points for improvement.

BASIC_PR.IP-11.1: Personnel having access to the organization’s most critical information or technology shall be verified.

Review of recommendations: The organization has included a review of recommendations as part of the background check process. This involves contacting references provided by the applicant to verify their professional reputation and reliability. 
Verification of CV accuracy: The organization has procedures in place to verify the accuracy of information provided in the candidate’s CV. This includes confirming previous employment, job titles, and responsibilities to ensure the applicant’s experience matches their claims. 
Verification of educational qualifications: The organization has verified the educational qualifications of applicants. This involves contacting educational institutions to confirm degrees, certifications, and other credentials.

IMPORTANT_PR.IP-11.2: Develop and maintain a human resource information/cyber security process that is applicable when recruiting, during employment and at termination of employment.

Responsibilities and rights in employment contracts: The organization has included specified responsibilities of the employee and the organization for cybersecurity in the employment contracts. These contractual obligations ensure clear understanding and compliance with security policies. 
Legal responsibilities and rights: The employment contracts have outlined the employee's legal responsibilities and rights, such as those related to copyright or data protection law. This includes compliance with relevant legal frameworks and regulations. 
Following instructions: The contracts have specified the employee's responsibility for following instructions related to the use of hardware and data, and the classification of information. Employees are required to adhere to organizational policies and procedures to maintain data integrity and security. 
Processing external information: The contracts have detailed the employee's or temporary employee's responsibility for processing information received from other companies or parties. This ensures that data is handled according to organizational standards and legal requirements. 
Violation measures: The contracts have highlighted the measures to be taken if the employee or temporary worker violates the organization's security requirements. This includes potential disciplinary actions, up to and including termination of employment. 

Hardware recovery: The organization has defined procedures for coordinating the recovery of hardware at the time of termination of employment. This ensures that all company-owned devices are returned promptly and securely. 
Removal of access rights: The organization has established a process for the immediate removal of access rights upon termination of employment. This includes revoking access to all data systems, networks, and applications to ensure security. 
Restoration of information assets: The organization has outlined procedures for restoring other information assets when an employee leaves. This involves transferring or archiving relevant data and ensuring that all information is securely handled. 
Inventory check: The organization has conducted an inventory check to verify the return of all hardware and information assets. This step ensures that no company property is outstanding. 
Exit checklist: The organization has implemented an exit checklist to coordinate all tasks related to the termination of employment, including hardware recovery, access rights removal, and information asset restoration. This checklist helps ensure that all steps are completed systematically and nothing is overlooked. 
Communication with relevant departments: The organization has coordinated with relevant departments such as IT, HR, and the departing employee's immediate team to ensure smooth and secure termination procedures.

IMPORTANT_PR.IP-12.1: The organization shall establish and maintain a documented process that allows continuous review of vulnerabilities and strategies to mitigate them.

We identify, assess, and remediate vulnerabilities on endpoints, servers, and network infrastructure using automated tools and structured processes. 
Implementation 
  • Endpoint vulnerabilities are detected via SentinelOne. 
  • Server and infrastructure vulnerabilities are detected via ManageEngine Vulnerability Manager Plus (VAS). 
  • High and critical vulnerabilities are prioritized based on CVSS score, exploitability, and asset criticality. 
  • Vulnerabilities are tracked and managed in Jira from detection to closure. 
  • Patch management is coordinated between the Security Team and Infrastructure Team. 
Monitoring and Review 
  • SentinelOne alerts are reviewed daily for critical vulnerabilities. 
  • VAS vulnerability scans are reviewed weekly. 

Regular vulnerability scanning: The organization routinely carries out vulnerability scans across various systems, including computers, workstations, networks, and applications. This practice enables the early detection and mitigation of potential vulnerabilities. 
Accounting for configuration errors and outdated practices: The organization is aware that vulnerabilities can arise not just from software errors, but also from configuration mistakes and outdated practices, such as the use of obsolete encryption algorithms. Measures are in place to avoid such pitfalls and stay updated with best practices.

Utilized security systems:
  • Veeam Backup & Replication 
  • Microsoft Azure Active Directory 
  • XDR 
  • Microsoft Authenticator 
  • Microsoft Defender for Endpoint 
  • Microsoft Defender for Cloud Apps 
  • Devolution RDM 
  • Microsoft Defender for Office 365 (MDO) 
  • Microsoft BitLocker 
  • Heimdal 
  • FileVault 

Quick-response team setup: The organization has determined the composition of a quick-response team that is primed to respond to identified vulnerabilities. This team is made up of individuals with the requisite skills and expertise to promptly and effectively tackle such issues. 
Reporting process for located vulnerabilities: Upon locating a vulnerability, the concerned individual is tasked with promptly informing the entire team through an agreed-upon channel. This ensures that all team members are promptly aware and can begin coordinated response efforts. 
Determining vulnerability severity: The team assesses the severity of the vulnerability (low, medium, high) based on pre-defined criteria. This categorization aids in prioritizing response actions and allocating resources effectively. 
Deciding response approach: Based on the assessed severity, the team decides whether to handle the vulnerability as a security breach (necessitating more urgent attention) or under general change management. This decision informs the timeline and intensity of the response efforts. 
Choosing individuals for vulnerability management: The organization selects the necessary individuals to continue addressing the vulnerability, considering roles, skills, and availability. The selected individuals then collaborate to rectify the vulnerability and reinstate secure operations. 
Addressing high-risk data system vulnerabilities: Vulnerabilities related to high-risk data systems are always considered of high severity. The organization prioritizes addressing these vulnerabilities first, given their potential impact on data security and system functionality. 

Regular monitoring of vulnerability management process: The organization continuously monitors its technical vulnerability management process. This involves checking for timely detection, accurate categorization, effective mitigation, and proper documentation of vulnerabilities. 
Evaluation of vulnerability management process: The organization evaluates the effectiveness and efficiency of the vulnerability management process on a regular basis. This evaluation includes metrics such as time to detect, time to mitigate, and the rate of recurring vulnerabilities.
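The triage and evaluation steps above, as an added example that is not part of NormNest's documentation or tooling: severity from CVSS score, exploitability and asset criticality, high-risk data systems always rated high, high severity routed to the security incident process and the rest to change management, plus the time-to-detect, time-to-mitigate and recurrence metrics. The weighting, thresholds, field names and sample findings are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Severity(Enum):
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass
class Finding:
    finding_id: str            # tracker key (constructed stand-in for a Jira issue)
    asset: str
    cvss: float                # CVSS base score, 0.0 - 10.0
    exploit_available: bool    # public exploit or active exploitation known
    asset_criticality: int     # 1 (low) .. 3 (high), from the asset inventory
    high_risk_data_system: bool = False   # asset processes high-risk data
    source: str = "VAS"        # "SentinelOne" (endpoints) or "VAS" (servers/infra)


def effective_score(f):
    """Combine CVSS with exploitability and asset criticality (assumed weights)."""
    score = f.cvss
    if f.exploit_available:
        score += 1.0                          # a known exploit raises urgency
    score += 0.5 * (f.asset_criticality - 1)  # more critical asset, higher score
    return min(score, 10.0)


def assess_severity(f):
    """Low / medium / high; a finding on a high-risk data system is always high."""
    if f.high_risk_data_system:
        return Severity.HIGH
    s = effective_score(f)
    if s >= 8.0:
        return Severity.HIGH
    if s >= 4.0:
        return Severity.MEDIUM
    return Severity.LOW


def choose_route(sev):
    """High severity is handled as a security breach, the rest as a change."""
    return "security incident" if sev is Severity.HIGH else "change management"


def review_interval(source):
    """Review cadence from the page: SentinelOne alerts daily, VAS scans weekly."""
    return timedelta(days=1) if source == "SentinelOne" else timedelta(days=7)


def triage(findings):
    """Order findings for the quick-response team: high-risk data systems first,
    then by severity, then by effective score."""
    keyed = []
    for f in findings:
        sev = assess_severity(f)
        row = {"id": f.finding_id, "asset": f.asset, "severity": sev.name.lower(),
               "route": choose_route(sev), "review_every": review_interval(f.source)}
        keyed.append(((f.high_risk_data_system, sev.value, effective_score(f)), row))
    keyed.sort(key=lambda kr: kr[0], reverse=True)
    return [row for _, row in keyed]


def process_metrics(records):
    """Evaluation metrics named on the page: mean time to detect, mean time to
    mitigate and recurrence rate. `records` are (vuln_id, asset, published,
    detected, mitigated) datetime tuples, a simplified stand-in for a tracker export."""
    n = len(records)
    ttd = sum((det - pub for _, _, pub, det, _ in records), timedelta())
    ttm = sum((mit - det for _, _, _, det, mit in records), timedelta())
    seen, recurring = set(), 0
    for vuln, asset, *_ in sorted(records, key=lambda r: r[3]):
        if (vuln, asset) in seen:
            recurring += 1             # same weakness reappeared on the same asset
        seen.add((vuln, asset))
    return {"mean_ttd": ttd / n, "mean_ttm": ttm / n, "recurrence_rate": recurring / n}


# Constructed sample findings and closed records, not real scan output.
SAMPLE_FINDINGS = [
    Finding("F-1", "web-01", 9.1, True, 3),
    Finding("F-2", "hr-db-01", 5.5, False, 2, high_risk_data_system=True),
    Finding("F-3", "laptop-07", 6.5, True, 1, source="SentinelOne"),
    Finding("F-4", "test-vm-02", 3.0, False, 1),
]
SAMPLE_RECORDS = [
    ("VULN-A", "web-01", datetime(2025, 1, 1), datetime(2025, 1, 2), datetime(2025, 1, 4)),
    ("VULN-B", "db-01", datetime(2025, 1, 5), datetime(2025, 1, 5), datetime(2025, 1, 8)),
    ("VULN-A", "web-01", datetime(2025, 1, 1), datetime(2025, 1, 20), datetime(2025, 1, 21)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
    print(process_metrics(SAMPLE_RECORDS))
```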

BASIC_PR.MA-1.1: Patches and security updates for Operating Systems and critical system components shall be installed.

Implementation of software update management process: The organization has an established process to manage software updates. This process ensures the timely installation of the latest approved patches and application updates on all approved software. 
Retention of earlier software versions: The organization retains earlier versions of software as a precautionary measure. These versions can be used for recovery in case of an update causing unexpected issues. 

Utilized Security Systems:
  • Microsoft Azure Active Directory 
  • Microsoft Entra

IMPORTANT_PR.MA-1.2: The organization shall plan, perform and document preventive maintenance and repairs on its critical system components according to approved processes and tools.

The task owner ensures that guidelines are provided to all persons ordering maintenance. The guidelines describe the responsibilities of the person ordering the maintenance, which include, for example, ensuring that: 
  • Repairs and maintenance are only executed by qualified personnel. 
  • Confidential information is removed from the equipment before maintenance is performed, where necessary. 
  • Equipment is inspected after maintenance and before redeployment to ensure that devices have not been tampered with and are no longer malfunctioning.

IMPORTANT_PR.MA-1.3: The organization shall enforce approval requirements, control, and monitoring of maintenance tools for use on its critical systems.

1. Scheduled Maintenance Cycle 
  • Every Sunday, the on-call system engineer performs routine maintenance on the equipment. 
  • Maintenance tasks include preventive actions, remedial actions, and defect checks. 
2. Logging Maintenance Activities 
  • The system engineer records maintenance activities in a Maintenance Log, including: 
    • Suspected and actual defects identified during the inspection. 
    • Preventive actions taken to avoid future failures. 
    • Remedial actions applied to resolve existing defects. 
    • Post-maintenance equipment check results to confirm proper functionality. 
  • If an issue is critical, an immediate incident report is created and escalated. 
3. Review and Approval 
  • The completed maintenance log is reviewed by the IT operations manager or a designated authority. 
  • Any recurring defects or trends are analyzed for long-term improvements. 
4. Escalation for Major Issues 
  • If a significant defect is found that affects system reliability or security, it is: 
    • Escalated to senior engineers for further diagnosis. 
    • Documented in an incident management system for tracking.

IMPORTANT_PR.MA-1.4: The organization shall verify security controls following hardware maintenance or repairs, and take action as appropriate.

1. Scheduled Maintenance Cycle 
  • Every Sunday, the on-call system engineer performs routine maintenance on the equipment. 
  • Maintenance tasks include preventive actions, remedial actions, and defect checks. 
2. Logging Maintenance Activities 
  • The system engineer records maintenance activities in a Maintenance Log, including: 
    • Suspected and actual defects identified during the inspection. 
    • Preventive actions taken to avoid future failures. 
    • Remedial actions applied to resolve existing defects. 
    • Post-maintenance equipment check results to confirm proper functionality. 
  • If an issue is critical, an immediate incident report is created and escalated. 
3. Review and Approval 
  • The completed maintenance log is reviewed by the IT operations manager or a designated authority. 
  • Any recurring defects or trends are analyzed for long-term improvements. 
4. Escalation for Major Issues 
  • If a significant defect is found that affects system reliability or security, it is: 
    • Escalated to senior engineers for further diagnosis. 
    • Documented in an incident management system for tracking.

BASIC_PR.PT-1.1: Logs shall be maintained, documented, and reviewed.

Documentation of responsible systems: In connection with the data system list, the organization has documented the systems for which it is responsible for implementing logging.
Documentation of logged data: For these identified systems, the organization has documented which data is saved on the log. 
Documentation of retention period for log data: The organization has indicated how long log data is retained. The documented retention period complies with both internal policy needs and applicable regulatory requirements.

IMPORTANT_PR.PT-1.2: The organization shall ensure that the log records include an authoritative time source or internal clock time stamp that are compared and synchronized to an authoritative time source.

Use of Network Time Protocol (NTP): The organization has adopted the Network Time Protocol (NTP) as the standard for time synchronization between its critical systems. This protocol is globally recognized and keeps the internal clocks of the systems accurate and synchronized with a reliable external time source. 
Automated synchronization: The organization has implemented automated time synchronization for all critical systems. This ensures that all clocks agree within the tolerances defined by business needs.

IMPORTANT_PR.PT-2.1: The usage restriction of portable storage devices shall be ensured through an appropriate documented policy and supporting safeguards.

By default, the use of removable media in the organization is permitted only with the express permission of the task owner. The task owner creates guidelines for staff that remind them of this principle. 
Removable media includes, for example, flash memory, SD cards, removable storage drives, USB sticks and DVDs. 

To ensure the highest level of security and compliance with privacy regulations, the use of removable media (such as USB sticks, external hard drives, SD cards, and other portable storage devices) for storing or transferring sensitive and private data is strictly prohibited. 
Why is this restriction in place? 
  • Data Protection: Removable media can easily be lost or stolen, leading to potential data breaches. 
  • Compliance Requirements: Regulatory frameworks such as GDPR, NIS2, and ISO 27001 require strict controls over the handling of sensitive data. 
  • Security Risks: These devices are susceptible to malware, unauthorized access, and potential misuse. 
Alternatives for Secure Data Storage and Transfer: 
  • Use company-approved encrypted cloud storage or secure file-sharing platforms. 
  • When necessary, transfer files via secure internal networks or encrypted email attachments. 
  • For exceptional cases, contact IT Security for approved methods of secure data transfer. 
Failure to comply with this policy may result in disciplinary actions and could lead to serious security risks for the organization. If you have any questions or require assistance, please reach out to the IT Security team.

IMPORTANT_PR.PT-2.2: The organisation should technically prohibit the connection of removable media unless strictly necessary; in other instances, the execution of autoruns from such media should be disabled.

To ensure the highest level of security and compliance with privacy regulations, the use of removable media (such as USB sticks, external hard drives, SD cards, and other portable storage devices) for storing or transferring sensitive and private data is strictly prohibited. 
Why is this restriction in place? 
  • Data Protection: Removable media can easily be lost or stolen, leading to potential data breaches. 
  • Compliance Requirements: Regulatory frameworks such as GDPR, NIS2, and ISO 27001 require strict controls over the handling of sensitive data. 
  • Security Risks: These devices are susceptible to malware, unauthorized access, and potential misuse. 
Alternatives for Secure Data Storage and Transfer: 
  • Use company-approved encrypted cloud storage or secure file-sharing platforms. 
  • When necessary, transfer files via secure internal networks or encrypted email attachments. 
  • For exceptional cases, contact IT Security for approved methods of secure data transfer. 
Failure to comply with this policy may result in disciplinary actions and could lead to serious security risks for the organization. If you have any questions or require assistance, please reach out to the IT Security team.

IMPORTANT_PR.PT-3.1: The organization shall configure the business critical systems to provide only essential capabilities.

The organization proactively detects and blocks unauthorized or unapproved software using a combination of endpoint protection and application control technologies. These mechanisms help prevent malware, reduce the attack surface, and maintain system integrity across all devices. 
Application Whitelisting and Blocking 
  • The organization uses Heimdal Application Control to enforce a default-deny policy for software execution on endpoints. 
  • Only pre-approved software is allowed to run. 
  • Any execution attempt of unknown or unauthorized applications is automatically blocked and logged. 
  • Application control policies are maintained and reviewed by the Security Team in alignment with business requirements and risk assessments. 
Real-Time Monitoring and Detection 
  • SentinelOne provides real-time detection of unknown or potentially unwanted applications (PUAs), even if not explicitly blacklisted. 
  • It flags suspicious executables, scripts, and anomalous behavior. 
  • It can automatically quarantine or kill unauthorized processes and isolate affected devices. 
  • Detected applications or behavior are reviewed by the Security Team through the SentinelOne console. 
Use of Intrusion Detection Functionality 
  • The organization does not currently operate a traditional network-based Intrusion Detection System (IDS). 
  • However, equivalent functionality is provided at the endpoint level through: 
    • Heimdal and SentinelOne behavioral analysis 
    • DNS filtering to prevent unauthorized communications 
    • Alerting mechanisms for known malicious or unauthorized software behavior 
Future IDS or NDR (Network Detection and Response) capabilities may be evaluated as part of the organization’s maturing security roadmap. 

Utilized security systems:
  • Microsoft Authenticator 
  • Heimdal 
  • SentinelOne Singularity 
  • Sophos Intercept X: Next-Gen Endpoint

BASIC_PR.PT-4.1: Web and e-mail filters shall be installed and used.

  1. The organization has deployed SentinelOne as the primary malware protection platform. 
  2. SentinelOne is an enterprise-grade EDR (Endpoint Detection and Response) solution that provides real-time protection, behavioral detection, and autonomous response. 
  3. Sophos is being onboarded to further strengthen endpoint security, web filtering, and malware detection across the environment. 
All endpoint protection tools are selected based on: 
  • Coverage across Windows/macOS environments 
  • Real-time detection capabilities 
  • Centralized policy management and alerting 
  • Integration potential with other security platforms 
Deployment and Coverage 
  • SentinelOne is installed on all corporate laptops and workstations. 
  • Deployment is managed centrally by the Security Team and monitored via the SentinelOne console. 
  • Sophos is being rolled out in phases and will be fully integrated upon completion of testing and policy configuration. 
Ongoing Software Updates 
  • Signature databases and behavioral detection rules in SentinelOne are updated automatically. 
  • Software agents are centrally managed and monitored for update compliance. 
  • Sophos endpoint agents will follow the same approach once live, receiving real-time updates from the Sophos Central platform. 
File, Email, and Download Scanning 
  • SentinelOne performs real-time scanning of: 
    • Files written to disk 
    • Scripts executed on the system 
    • Payloads dropped by applications or browser sessions 
  • Microsoft Defender for Office 365 (via Entra ecosystem) provides cloud-based scanning of: 
    • Email attachments 
    • Embedded links 
    • Downloaded files in Microsoft 365 services 
  • Sophos is expected to introduce additional web-layer scanning and inspection of HTTPS traffic (once deployed). 
Web Threat Prevention 
  • The organization currently uses Heimdal DNS Security to block known malicious domains before users can connect to them. 
  • SentinelOne detects and blocks access to known Command & Control domains or payload delivery sites based on threat intelligence. 
  • Sophos will extend protection with URL classification, web content filtering, and file reputation scoring once fully implemented. 
Routine Scanning and Monitoring 
  • SentinelOne performs continuous behavioral monitoring rather than scheduled signature-based scans. 
  • Any detected threats trigger automated responses, including isolation, remediation, and alerting. 
  • Routine scanning of removable media is managed through endpoint policy enforcement. 
Employee Awareness 
  • The organization includes malware awareness as part of onboarding and periodic security training. 
  • Employees are instructed to: 
    • Avoid downloading software from unverified sources 
    • Report suspicious attachments or files 
    • Notify IT Security in case of unusual system behavior 
Training reinforces the shared responsibility model for device security and encourages prompt incident reporting. 

The organization uses pfSense as its primary firewall and traffic monitoring system. This platform is responsible for filtering inbound and outbound traffic and monitoring for potential anomalies. 
The Network Operations Center (NOC) team is responsible for the configuration and lifecycle management of pfSense. Their duties include: 
  • Managing firewall rules and NAT configurations 
  • Updating and maintaining pfSense software and packages 
  • Reviewing and applying changes based on operational or security needs 
  • Documenting configuration changes and retaining version history as part of internal change management 
  • Ensuring that only authorized personnel have administrative access to pfSense 
System settings and configurations are reviewed periodically, and after significant changes or security events. Reviews and changes are tracked via internal IT tools. 

Utilized security systems 
  • Microsoft Azure Active Directory 
  • XDR 
  • Microsoft Defender for Endpoint 
  • Microsoft Authenticator 
  • Microsoft Defender for Cloud Apps 
  • AdminDroid 
  • Microsoft Defender for Office 365 (MDO) 
  • Heimdal 
  • SentinelOne Singularity
  • Tailscale
  • pfSense

PROTECT

Develop and implement appropriate safeguards to ensure delivery of critical infrastructure services.

DETECT

IMPORTANT_DE.AE-2.1: The organization shall review and analyze detected events to understand attack targets and methods.

Incident confirmation and recording: The organization has confirmed reported incidents or determined them unnecessary to record. This step ensures that only relevant incidents are documented for further action. 
Documentation of type and cause: The organization has documented the type and cause of each confirmed incident, providing a clear understanding of what occurred and why. 
Risk documentation: The organization has documented the risks associated with each incident. This includes identifying and recording potential impacts on operations and security. 
Risk re-evaluation and treatment: The organization has re-evaluated the risks following each incident and treated them if necessary. This process ensures that any new or increased risks are appropriately managed. 
Risk mitigation measures: The organization has documented risk mitigation measures or decisions to accept the risks following each incident. This ensures a clear record of how risks are managed. 
Identification of informed parties: The organization has identified individuals or groups who need to be informed of the results of the incident treatment, including external stakeholders. This ensures that all relevant parties are kept updated. 
Post-incident analysis: The organization has determined the need for a post-incident analysis. This step helps in understanding the incident's impact and preventing future occurrences. 

The organization uses a combination of automated filtering, targeted alerting, and platform-specific audit tools to extract and highlight security-relevant events from system logs. While a full SIEM integration is not currently in place, several systems provide log analysis capabilities that support threat detection, auditing, and incident response. 
Filtering Relevant Log Information 
Most of the systems in use (e.g., Microsoft 365, Entra ID, SentinelOne, Heimdal) provide built-in filtering mechanisms to surface relevant events, such as: 
  • Failed login attempts 
  • Privilege escalations 
  • Malware detection 
  • Suspicious application execution 
  • DNS filtering violations 
Where supported, filters and dashboards are configured to prioritize security-related log entries and suppress routine operational noise. 
Automatic Log Forwarding or Copying 
While centralized SIEM log aggregation is not currently implemented, the organization makes use of: 
  • AdminDroid, which collects and summarizes Microsoft 365 audit data and sends alert emails for preconfigured criteria 
  • Heimdal and SentinelOne, which surface actionable events through their internal alerting engines 
  • Microsoft Defender for Endpoint, which provides real-time alerts and investigation capabilities 
Once Sophos is fully onboarded, it is expected to serve as a central point for aggregating and monitoring security-relevant logs from Microsoft systems and endpoints. 
Utilizing Audit Tools 
Each platform provides native audit tools or dashboards used to analyze logs: 
  • Entra ID & M365: Log filtering and export through the Microsoft 365 Compliance Center and Entra portal 
  • AdminDroid: Prebuilt reports and alerts based on M365 logs 
  • Heimdal: Web-based dashboard for DNS/app control filtering and alerting 
  • SentinelOne: Alert console for real-time threat insights 
  • FortiGate/pfSense: Admin dashboards for firewall traffic and VPN logs 
These tools allow the organization to quickly isolate anomalies and investigate security-related events. 
Criteria for Relevant Messages 
Security-relevant log messages are defined based on: 
  • Authentication anomalies (e.g., repeated failed logins, risky sign-ins) 
  • Privileged role assignments or changes 
  • Threat detection (malware, ransomware, exploit attempts) 
  • Unusual user behavior (e.g., unexpected file sharing, mailbox access) 
  • Network anomalies (e.g., unexpected VPN connections, port scanning) 
These criteria are reviewed periodically and refined as part of ongoing risk assessments and incident response learnings. 
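The criteria for security-relevant messages listed above, run over constructed sample records as an added example that is not part of NormNest's documentation or tooling: it keeps authentication anomalies, privileged role changes, threat detections, unusual user behaviour and network anomalies and drops routine operational noise. The record schema, thresholds, role names and expected VPN countries are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed tunables; the page names the criteria but not the numbers.
FAILED_LOGIN_THRESHOLD = 5                 # failures for one user inside the window
FAILED_LOGIN_WINDOW = timedelta(minutes=10)
PORT_SCAN_THRESHOLD = 20                   # distinct destination ports from one source
PRIVILEGED_ROLES = {"Global Administrator", "Security Administrator"}
EXPECTED_VPN_COUNTRIES = {"BE", "NL"}      # where staff VPN sessions normally originate


def filter_security_events(events):
    """Return (category, message) pairs for records meeting the page's criteria.

    Successful sign-ins, internal shares, ordinary firewall traffic and the
    like are treated as operational noise and dropped.
    """
    alerts = []
    failed = defaultdict(list)   # user -> timestamps of failed sign-ins
    ports = defaultdict(set)     # source address -> distinct destination ports

    for e in events:
        etype = e["type"]
        if etype == "signin":
            if e.get("risk") in ("medium", "high"):
                alerts.append(("auth_anomaly",
                               f"risky sign-in for {e['user']} (risk={e['risk']})"))
            if e["result"] == "failure":
                failed[e["user"]].append(datetime.fromisoformat(e["time"]))
        elif etype == "role_assignment" and e["role"] in PRIVILEGED_ROLES:
            alerts.append(("privileged_role",
                           f"{e['actor']} assigned {e['role']} to {e['target']}"))
        elif etype == "threat":
            # Malware, ransomware and exploit detections are always relevant.
            alerts.append(("threat_detection", f"{e['kind']} on {e['host']}: {e['name']}"))
        elif etype == "file_share" and e["scope"] == "external":
            alerts.append(("unusual_user_behaviour",
                           f"{e['user']} shared {e['item']} externally"))
        elif etype == "mailbox_access" and e["user"] != e["mailbox"]:
            alerts.append(("unusual_user_behaviour",
                           f"{e['user']} opened the mailbox of {e['mailbox']}"))
        elif etype == "vpn_connect" and e["country"] not in EXPECTED_VPN_COUNTRIES:
            alerts.append(("network_anomaly",
                           f"VPN connection for {e['user']} from {e['country']}"))
        elif etype == "firewall":
            ports[e["src"]].add(e["dst_port"])

    # Repeated failed sign-ins: sliding window per user.
    for user, times in failed.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= FAILED_LOGIN_WINDOW)
            if n >= FAILED_LOGIN_THRESHOLD:
                alerts.append(("auth_anomaly",
                               f"{n} failed sign-ins for {user} within {FAILED_LOGIN_WINDOW}"))
                break

    # Port scanning: one source touching many distinct destination ports.
    for src, dst_ports in ports.items():
        if len(dst_ports) >= PORT_SCAN_THRESHOLD:
            alerts.append(("network_anomaly", f"{src} touched {len(dst_ports)} distinct ports"))
    return alerts


def summarize(events):
    """Count alerts per category, the shape a periodic review dashboard would show."""
    counts = {}
    for category, _ in filter_security_events(events):
        counts[category] = counts.get(category, 0) + 1
    return counts


# Constructed sample records in a simplified common schema, not real audit data.
SAMPLE_EVENTS = [
    {"type": "signin", "time": "2025-01-06T08:00:00", "user": "alice", "result": "success"},
    *[{"type": "signin", "time": f"2025-01-06T08:0{i}:00", "user": "bob", "result": "failure"}
      for i in range(6)],
    {"type": "signin", "time": "2025-01-06T08:30:00", "user": "carol", "result": "success",
     "risk": "high"},
    {"type": "role_assignment", "actor": "it-admin", "target": "dave", "role": "Global Administrator"},
    {"type": "role_assignment", "actor": "it-admin", "target": "erin", "role": "Reports Reader"},
    {"type": "threat", "kind": "malware", "host": "LAPTOP-07", "name": "Example.Sample.Detection"},
    {"type": "file_share", "user": "frank", "item": "budget.xlsx", "scope": "internal"},
    {"type": "file_share", "user": "frank", "item": "customers.csv", "scope": "external"},
    {"type": "mailbox_access", "user": "grace", "mailbox": "grace"},
    {"type": "mailbox_access", "user": "grace", "mailbox": "finance"},
    {"type": "vpn_connect", "user": "heidi", "country": "BE"},
    {"type": "vpn_connect", "user": "ivan", "country": "US"},
    *[{"type": "firewall", "src": "10.0.0.9", "dst_port": p} for p in range(1, 26)],
    {"type": "firewall", "src": "10.0.0.5", "dst_port": 443},
]

if __name__ == "__main__":
    for category, message in filter_security_events(SAMPLE_EVENTS):
        print(f"[{category}] {message}")
```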
Integration with SIEM (Future State) 
The organization does not currently operate a centralized SIEM such as Microsoft Sentinel. However: 
  • Logs from Microsoft systems are available through AdminDroid and Defender interfaces 
  • Security event correlation is handled at the platform level 
  • Sophos onboarding is in progress, and will support log analysis and possibly central correlation in the future 
Integration with a SIEM will be reevaluated once Sophos is fully operational, depending on its capabilities and organizational needs. 

Utilized security systems 
  • AdminDroid 
  • Heimdal 
  • SentinelOne Singularity 
  • Sophos Intercept X: Next-Gen Endpoint 

Follow-up analysis: The organization has performed a separate follow-up analysis when the source of a security incident is difficult to identify based on the primary treatment. This step aims to delve deeper into the incident to find the root cause. 
Root cause identification: During the follow-up analysis, the organization has sought to identify the root cause of the security incident. This process includes thorough investigation and examination of all possible factors leading to the incident. 
Comprehensive report: The organization has compiled a comprehensive report of the follow-up analysis, documenting the findings and identifying the root cause. This report provides detailed insights into the incident and supports preventive measures. 
Review of existing controls: The organization has reviewed the existing security controls during the follow-up analysis to ascertain their effectiveness and identify any gaps that may have contributed to the incident. This review helps in strengthening the security posture.

BASIC_DE.AE-3.1: The activity logging functionality of protection / detection hardware or software (e.g. firewalls, anti-virus) shall be enabled, backed-up and reviewed.

Comprehensive event logging: Security systems, such as firewalls and malware protection, often have the capability to record logs of events. The organization ensures that comprehensive logs are regularly accumulated from these systems. 
Regular log reviews: At regular intervals, designated personnel review the logs to ensure they are comprehensive and cover all relevant events. This review helps in maintaining a complete record for future analysis. 
Identification of suspicious activities: The organization actively analyzes the logs to identify any suspicious activities. This involves looking for unusual patterns, anomalies, and potential security incidents. 
Use of advanced tools: The organization utilizes advanced tools and algorithms to automate the identification of suspicious activities within the logs. These tools can help identify potential threats faster and more accurately. 
Disturbance and violation investigation: Logs are instrumental in investigating disturbances or security violations. The organization uses the accumulated log data to trace incidents back to their root causes, understand the sequence of events, and determine potential compromises. 
Retention and archiving: The organization has policies in place for the retention and archiving of logs. These policies ensure that logs are kept for an appropriate period to support investigations and compliance requirements. 
Integration with monitoring systems: Logs from security systems are integrated with the organization's monitoring systems, such as SIEM (Security Information and Event Management), to enable real-time analysis and alerting. 

Utilized Security Systems: 
  • AdminDroid 
  • XDR 
  • Microsoft Defender for Endpoint 
  • Heimdal

IMPORTANT_DE.AE-5.1: The organization shall implement automated mechanisms and system generated alerts to support event detection and to assist in the identification of security alert thresholds.

Identification of security-related events: The organization has identified potential security-related events in its data systems. These could include unauthorized data access attempts, detection of malware or other potentially harmful software, and unusual or suspicious network traffic patterns. 
Establishment of alarm policies: The organization has set up alarm policies which are triggered when these potential security incidents occur. The alarms ensure timely detection and can range from triggered emails, SMS alerts, or dashboard notifications. 
Regular revision of alarm policies: These alarm policies have been consistently reviewed and updated based on the organization's experience. This ensures the policies stay effective and relevant, keeping up with evolving threats and organizational changes. 
Active monitoring of security events: The organization has implemented a system for actively monitoring security events. This ensures that any alarms triggered by the system are quickly addressed, minimizing the potential damage a security incident could cause. 
Integration of security tools: The organization has integrated its alarm policies with its overall security toolset, including Microsoft 365. This ensures that all potential security incidents are tracked across platforms, giving a more comprehensive view of the organization’s security landscape. 
Employee training on alarm policies: The organization has conducted training sessions for relevant employees to ensure they understand the alarm policies, their role in responding to these alarms, and possible actions required. 
Regular testing of alarm systems: The alarm systems have been regularly tested to ensure their effectiveness. This helps to identify any glitches in the system and any updating required, ensuring the alarms are triggered as and when required. 
Response plan establishment: The organization has established a clear response plan for when alarms are triggered. This step-by-step plan provides direction on the actions to be taken following a security alert. 

Utilized security systems 
  • Microsoft Azure Active Directory 
  • XDR 
  • Microsoft Defender for Endpoint 
  • Microsoft Defender for Cloud Apps 
  • AdminDroid 
  • Microsoft Defender for Office 365 (MDO) 
  • Microsoft BitLocker 
  • Heimdal 
  • SentinelOne Singularity

BASIC_DE.CM-1.1: Firewalls shall be installed and operated on the network boundaries and completed with firewall protection on the endpoints.

The organization has established clear security arrangements for the deployment and operation of critical network services and equipment. These include network connections, routers, firewalls (e.g., pfSense), and wireless infrastructure (e.g., UniFi). 
Key security arrangements include: 
  • Use of security technologies: All critical services utilize technologies such as strong authentication (admin access control), encrypted communications (e.g., HTTPS, VPN), and firewall protection. 
  • Defined technical parameters: Network devices are configured with strict access rules, port restrictions, and default service deactivation to minimize exposure. 
  • Service-level requirements: Critical equipment is monitored and maintained by the Network Operations Center (NOC), with regular updates and configuration backups in place. 
  • Access and usage criteria: Only authorized personnel have access to manage or configure network equipment. Usage is restricted through VLANs, network segmentation, and role-based access. 
  • Lifecycle management: Any implementation or update of network equipment includes security requirement verification before deployment. 
These arrangements ensure that security is integrated into all stages of planning, deploying, and operating critical network services. 

The Confluence page on this topic can be found here:

IMPORTANT_DE.CM-1.2: The organization shall monitor and identify unauthorized use of its business critical systems through the detection of unauthorized local connections, network connections and remote connections.

Step 1: Data Collection & Logging 
Input: 
  • Network traffic data (inbound/outbound) 
  • Access logs from critical systems and network devices 
  • Security tool logs (firewalls, IDS/IPS, antivirus) 
  • Configuration change logs 
Activities: 
  • Configure automated log collection from relevant sources. 
  • Ensure logs are timestamped and stored securely. 
  • Utilize a centralized log management system (e.g., SIEM). 
Output: 
  • Continuous log data stream for analysis. 

Step 2: Anomaly Detection & Analysis 
Input: 
  • Collected logs and monitoring data 
  • Defined normal behavior baselines 
Activities: 
  • Apply real-time analysis using AI-based detection or rule-based anomaly detection. 
  • Identify deviations from normal network behavior. 
  • Flag suspicious activities (e.g., unusual data transfers, unauthorized access attempts). 
Output: 
  • Alert reports on detected anomalies. 

Step 3: Incident Verification & False Positive Handling 
Input: 
  • Alerts generated by the monitoring system 
Activities: 
  • Investigate alerts to determine whether they represent an actual security threat. 
  • Cross-check anomalies against known system behaviors. 
  • If identified as a false positive, adjust detection rules. 
  • If confirmed as a security incident, escalate to the response team. 
Output: 
  • Verified security incident report or refined detection rules. 

Step 4: Incident Response & Mitigation 
Input: 
  • Verified security incident report 
Activities: 
  • Classify the incident (e.g., unauthorized access, malware, data exfiltration). 
  • Execute predefined incident response procedures. 
  • Contain the threat (e.g., isolate compromised systems, block malicious IPs). 
  • Apply security patches or system reconfigurations as necessary. 
Output: 
  • Incident resolution report with applied mitigation actions. 

Utilized security systems:
  • Heimdal 
  • SentinelOne Singularity 
  • Atera RMM 
  • pfSense

IMPORTANT_DE.CM-2.1: The physical environment of the facility shall be monitored for potential information/cybersecurity events.

When guests visit the premises, the time of their arrival and departure and the person responsible will be recorded in the visitor log. Visitors will only be given access to designated facilities and systems and will be instructed on other security requirements and emergency procedures related to the visit, if necessary. 
Guidelines related to visitors are managed directly in Cyberday. The guidelines cover e.g. visitor identification and visit control. 
The task owner reviews comments related to the instructions and adds or updates the instructions as needed. 

Access to security-restricted areas is possible only through an on-call attendant or under the supervision of another technical arrangement that identifies the person and leaves a record of the access. 

To ensure the highest level of security for the real estate property, we implement strategically placed motion detection cameras around the building. These cameras serve as a proactive security measure by detecting and recording any movement within their field of view. Our approach includes the following key actions: 
  • Strategic Camera Placement: We conduct a thorough security assessment of the property to identify vulnerable entry points, high-traffic areas, and blind spots. Cameras are positioned at these locations to maximize coverage and minimize potential security gaps. 
  • Real-Time Monitoring & Alerts: The motion detection cameras are connected to a centralized monitoring system, which instantly alerts security personnel or property management when movement is detected outside of scheduled activity hours. 
  • High-Resolution Video & Night Vision: Our cameras are equipped with high-definition (HD) recording and infrared night vision to ensure clear visibility, even in low-light conditions. This feature enhances security during nighttime hours when properties are more vulnerable to intrusions. 
  • Automated Recording: When motion is detected, the system automatically records footage. This ensures that all security events are documented and accessible for future review or evidence if needed. 
  • Remote Access & Mobile Notifications: Property owners and security teams can remotely access live camera feeds through a secure mobile app or web portal. This allows for real-time viewing and incident verification from anywhere, providing flexibility and control over security management. 

1. Purpose 
To ensure that access to areas where highly confidential information is processed or stored is restricted to authorized individuals using a strong authentication mechanism. 
2. Scope 
This process applies to all physical and digital access points to secure areas, including data centers, server rooms, document archives, and any other designated spaces handling highly confidential information. 
3. Authentication Mechanism 
Access control to these areas must be enforced through a two-step authentication mechanism. This includes: 
  • Primary Authentication: Access card, biometric authentication (fingerprint, facial recognition), or security token. 
  • Secondary Authentication: PIN, passcode, or one-time password (OTP) generated via an authenticator app. 
  • VPN Requirement: For accessing highly secure data storage, a VPN connection must be established in addition to the above authentication steps to ensure secure remote access. 
4. Roles & Responsibilities 
  1. Security Officer: Oversees the implementation and enforcement of access control measures. 
  2. IT Administrator: Manages authentication systems, including biometric devices, access control logs, and password policies. 
  3. Facility Manager: Ensures physical security infrastructure, such as access doors, locks, and surveillance, is in place and operational. 
  4. Authorized Personnel: Must comply with authentication policies and report any anomalies in access control. 
5. Access Request & Approval Process 
  1. Request Submission: Employees requiring access must submit a request to the Security Officer. 
  2. Authorization Check: Security Officer reviews the request based on job function, clearance level, and necessity. 
  3. Approval & Enrollment: If approved, the IT Administrator enrolls the individual in the authentication system and provides necessary credentials. 
  4. Access Granting: The employee is granted access based on predefined timeframes or conditions. 
6. Authentication Enforcement 
  • All personnel must authenticate using both primary and secondary authentication before entering a secure area. 
  • Multi-factor authentication (MFA) mechanisms must be periodically tested and updated to mitigate security risks. 
  • Temporary access (e.g., for maintenance or audits) must be limited and monitored. 
  • For remote access to very secure data storage, a VPN connection must be used to ensure encrypted and controlled data access. 
7. Monitoring & Logging 
  • All access attempts must be logged, including date, time, and user identity. 
  • Any failed authentication attempts or unauthorized access attempts must trigger an alert to security personnel. 
  • Logs should be reviewed regularly to identify potential security threats. 
8. Incident Response & Escalation 
  1. Unauthorized Access Attempt: 
    • Immediate lockdown of the secure area. 
    • Security team notified for investigation. 
  2. Lost or Stolen Credentials: 
    • Immediate deactivation of lost credentials. 
    • Reissuance of new authentication factors. 
  3. Suspicious Activity Detection: 
    • Investigation and audit of access logs. 
    • Implementation of additional security measures if necessary. 
9. Periodic Review & Compliance 
  • Conduct quarterly reviews of access control policies. 
  • Ensure compliance with regulatory requirements and internal security policies. 
  • Perform periodic penetration tests and security audits on the authentication mechanisms. 
10. Revocation of Access 
  • Access must be revoked immediately when an employee resigns, is terminated, or no longer requires access. 
  • Regular audits should be performed to ensure that only authorized individuals have active access rights. 
11. Training & Awareness 
  • All personnel must be trained on access control policies and the importance of secure authentication. 
  • Regular awareness programs should be conducted to highlight security risks and best practices. 

Utilized security systems:
  • Microsoft Azure Active Directory 
  • Microsoft Authenticator 
  • Devolution RDM 
  • OpenVPN 
  • Tailscale

BASIC_DE.CM-3.1: End point and network protection tools to monitor end-user behavior for dangerous activity shall be implemented.

The organization uses pfSense as its primary firewall and traffic monitoring system. This platform is responsible for filtering inbound and outbound traffic and monitoring for potential anomalies. 
The Network Operations Center (NOC) team is responsible for the configuration and lifecycle management of pfSense. Their duties include: 
  • Managing firewall rules and NAT configurations 
  • Updating and maintaining pfSense software and packages 
  • Reviewing and applying changes based on operational or security needs 
  • Documenting configuration changes and retaining version history as part of internal change management 
  • Ensuring that only authorized personnel have administrative access to pfSense 
System settings and configurations are reviewed periodically, and after significant changes or security events. Reviews and changes are tracked via internal IT tools. 

Utilized security systems:
  • Tailscale 
  • pfSense

IMPORTANT_DE.CM-3.2: End point and network protection tools that monitor end-user behavior for dangerous activity shall be managed.

The organization uses pfSense as its primary firewall and traffic monitoring system. This platform is responsible for filtering inbound and outbound traffic and monitoring for potential anomalies. 
The Network Operations Center (NOC) team is responsible for the configuration and lifecycle management of pfSense. Their duties include: 
  • Managing firewall rules and NAT configurations 
  • Updating and maintaining pfSense software and packages 
  • Reviewing and applying changes based on operational or security needs 
  • Documenting configuration changes and retaining version history as part of internal change management 
  • Ensuring that only authorized personnel have administrative access to pfSense 
System settings and configurations are reviewed periodically, and after significant changes or security events. Reviews and changes are tracked via internal IT tools. 

Utilized security systems:
  • Tailscale 
  • pfSense

BASIC_DE.CM-4.1: Anti-virus, -spyware, and other -malware programs shall be installed and updated.

  1. The organization has deployed SentinelOne as the primary malware protection platform. 
  2. SentinelOne is an enterprise-grade EDR (Endpoint Detection and Response) solution that provides real-time protection, behavioral detection, and autonomous response. 
  3. Sophos is being onboarded to further strengthen endpoint security, web filtering, and malware detection across the environment. All endpoint protection tools are selected based on: 
    • Coverage across Windows/macOS environments 
    • Real-time detection capabilities 
    • Centralized policy management and alerting 
    • Integration potential with other security platforms 
Deployment and Coverage 
  • SentinelOne is installed on all corporate laptops and workstations. 
  • Deployment is managed centrally by the Security Team and monitored via the SentinelOne console. 
  • Sophos is being rolled out in phases and will be fully integrated upon completion of testing and policy configuration. 
Ongoing Software Updates 
  • Signature databases and behavioral detection rules in SentinelOne are updated automatically. 
  • Software agents are centrally managed and monitored for update compliance. 
  • Sophos endpoint agents will follow the same approach once live, receiving real-time updates from the Sophos Central platform. 
File, Email, and Download Scanning 
  • SentinelOne performs real-time scanning of: 
    • Files written to disk 
    • Scripts executed on the system 
    • Payloads dropped by applications or browser sessions 
  • Microsoft Defender for Office 365 (via Entra ecosystem) provides cloud-based scanning of: 
    • Email attachments 
    • Embedded links 
    • Downloaded files in Microsoft 365 services 
  • Sophos is expected to introduce additional web-layer scanning and inspection of HTTPS traffic (once deployed). 
Web Threat Prevention
  • The organization currently uses Heimdal DNS Security to block known malicious domains before users can connect to them. 
  • SentinelOne detects and blocks access to known Command & Control domains or payload delivery sites based on threat intelligence. 
  • Sophos will extend protection with URL classification, web content filtering, and file reputation scoring once fully implemented. 
Routine Scanning and Monitoring 
  • SentinelOne performs continuous behavioral monitoring rather than scheduled signature-based scans. 
  • Any detected threats trigger automated responses, including isolation, remediation, and alerting. 
  • Routine scanning of removable media is managed through endpoint policy enforcement. 
Employee Awareness 
  • The organization includes malware awareness as part of onboarding and periodic security training. 
  • Employees are instructed to: 
    • Avoid downloading software from unverified sources 
    • Report suspicious attachments or files 
    • Notify IT Security in case of unusual system behavior 
Training reinforces the shared responsibility model for device security and encourages prompt incident reporting. 

Utilized security systems 
  • Microsoft Azure Active Directory 
  • XDR 
  • Microsoft Defender for Endpoint 
  • Microsoft Authenticator 
  • Microsoft Defender for Cloud Apps 
  • AdminDroid 
  • Microsoft Defender for Office 365 (MDO) 
  • Heimdal 
  • SentinelOne Singularity 
  • Sophos Intercept X: Next-Gen Endpoint

Automated update check for malware protection systems: The organization has configured its malware protection systems to automatically check for updates at specified intervals. 
Automatic installation of malware software updates: The organization has enabled the automatic installation of updates, ensuring that the malware protection software is always up-to-date with the latest threat definitions and protective measures. 
Scheduled malware scans: The organization has scheduled the malware protection software to run scans at a specific frequency, automating the scanning process and eliminating the need for manual initiation. 
Independent operation without user action: The organization has set up its malware protection systems to operate, update, and scan independently without the need for user intervention. 
Automated alerts and reports: The organization has activated automated alerts and reports, which provide immediate notification of any potential threats detected during the scans. This allows for quick response times in dealing with detected malware. 

The organization has implemented layered web filtering controls to reduce the risk of malware infections, phishing, and accidental access to non-compliant or malicious websites. This includes DNS-level filtering and, in the near future, HTTPS traffic inspection via endpoint agents. 
Website Classification 
The organization uses category-based filtering to determine which websites are allowed or blocked. These categories include: 
  • Business-critical: Always allowed (e.g., SaaS tools, corporate portals) 
  • Acceptable use: Allowed but monitored (e.g., news, productivity tools) 
  • Restricted: Blocked categories, such as: 
    • Adult content 
    • Gambling 
    • Hacking-related resources 
    • Cryptocurrency mining 
    • Piracy and illegal downloads 
The categorization is managed through Heimdal’s DNS filtering policies. 
Blocking of Malicious or Phishing Sites 
The organization blocks access to websites identified as: 
  • Malware distribution sources 
  • Phishing pages 
  • Botnet command & control servers 
  • Recently registered or suspicious domains (via Heimdal’s threat intelligence feed) 
Heimdal continuously updates its blocklists based on threat intelligence sources, and devices receive real-time enforcement of DNS rules. 
Blocking of Illegal Content 
Access to websites known to host or distribute illegal content is explicitly blocked. This includes: 
  • Pirated software or media 
  • Unlicensed software download sites 
  • Sites flagged by Heimdal under “Illegal Content” categories 
Blocking these sites helps maintain legal compliance and reduce reputational and regulatory risks. 
Safe Browsing Solutions in Use
  • Heimdal DNS Security (in production) 
    • Protects users at the DNS layer by preventing name resolution for blocked domains 
    • Includes policy management, alerting, and dashboard visibility 
  • Sophos Web Filtering (planned) 
    • Will provide HTTPS-level inspection and content filtering 
    • Expected to be deployed as part of the endpoint protection platform 
    • Will complement DNS filtering by identifying threats in real time based on URL and content inspection 
Additional Notes 
  • Blocking policies apply to all managed devices and remote users via the endpoint agent (Heimdal). 
  • Security Team is responsible for managing Heimdal policies and will also handle Sophos filtering once deployed. 
  • Any policy exceptions or site allow-list requests must go through IT Security review and approval. 
The process and classification of websites are described in the Security Confluence. 

The organization ensures that all systems supporting critical business processes are continuously protected through real-time malware monitoring, automated scanning, and defined incident response procedures. These systems are a priority in the organization's overall cybersecurity posture. 
Routine Malware Inspection of Critical Systems 
  • Systems that support critical business operations (e.g., identity systems, communication tools, endpoint devices used for privileged access, backup infrastructure) are prioritized for continuous malware inspection
  • SentinelOne, the organization’s active endpoint protection platform, provides real-time monitoring of all running processes, memory operations, and file activities. 
  • Scheduled scans are not required due to SentinelOne’s behavior-based detection engine, which continuously analyzes system behavior for signs of compromise. 
Automated Scanning Systems 
  • All critical endpoints are monitored 24/7 by SentinelOne agents, which automatically detect and respond to: 
    • Fileless malware 
    • Ransomware 
    • Exploit attempts 
    • Known and unknown threats based on machine learning 
  • Detected threats are immediately quarantined, and the affected system is isolated from the network when necessary. 
  • Heimdal DNS filtering adds an additional layer of protection by blocking communication to known malicious domains, even before payloads are delivered. 
Once Sophos is fully deployed, it will: 
  • Enhance protection of web-based and content-based threats 
  • Add HTTPS traffic filtering for systems accessing the internet 
Incident Response Procedure 
If malware is detected: 
  1. SentinelOne generates an automated alert and initiates the appropriate remediation action (e.g., kill process, quarantine, rollback). 
  2. The Security Team is notified through the SentinelOne console and email (optional configuration). 
  3. If the threat is confirmed to impact critical systems or data, the incident response plan is triggered, which includes: 
    • Containment (e.g., isolating the affected system) 
    • Analysis and triage 
    • Root cause investigation (using log data and EDR forensics) 
    • Recovery and post-incident review 
All incidents are documented in the internal ticketing system or security incident log, and lessons learned may be incorporated into future detection criteria or playbooks. 

The organization employs a layered malware protection strategy using products from multiple security vendors. This enhances detection capabilities, provides redundancy, and improves visibility into a wide range of threats. 
Multi-Vendor Malware Protection Deployment 
The following security vendors are used across endpoints and systems: 
  • SentinelOne – Primary endpoint detection and response (EDR) solution 
  • Microsoft Defender – Running in passive mode, providing additional insight via Microsoft 365 integration 
  • Heimdal Security – DNS-based filtering, Application Control 
  • Sophos – Endpoint and web protection (currently being onboarded) 
This setup ensures malware detection across DNS, runtime behavior, and web activity levels. 
Vendor Diversity to Detect Varied Threats 
Each vendor adds value by focusing on different layers of the threat landscape: 
  • SentinelOne provides real-time behavioral detection, rollback, and isolation capabilities. 
  • Defender, while in passive mode, contributes to: 
    • Microsoft 365 threat analytics 
    • Cloud-delivered protection (e.g., SmartScreen) 
    • Alert correlation in the Defender for Endpoint portal 
  • Heimdal blocks malicious domains and applications pre-execution. 
  • Sophos (once live) will add HTTPS content inspection and file-based scanning. 
This diversity ensures coverage of: 
  • Fileless malware 
  • Domain-based threats (phishing, C2 servers) 
  • Behavioral anomalies 
  • Threats that may bypass signature-based tools 
Redundancy in Malware Defense 
  • If one layer misses a threat, others may catch it: 
    • Heimdal blocks access before contact is made with a malicious host 
    • SentinelOne reacts to process behavior at runtime 
    • Microsoft Defender detects suspicious file downloads through SmartScreen or Defender for Office 365 
  • Endpoint agents operate independently, adding resilience if one service fails or is unavailable. 
Periodic Vendor Evaluation 
  • The Security Team evaluates the vendor stack regularly to: 
    • Eliminate unnecessary overlap 
    • Ensure efficient performance on endpoints 
    • Align capabilities with current threats and business needs 
  • Sophos deployment is being assessed to ensure it complements, not duplicates, existing functionality from SentinelOne and Defender.

IMPORTANT_DE.CM-5.1: The organization shall define acceptable and unacceptable mobile code and mobile code technologies; and authorize, monitor, and control the use of mobile code within the system.

Guidelines related to the use of mobile devices are defined directly in Cyberday, and their acceptance is automatically monitored using the Teams app. The guidelines cover e.g. installing and updating software, monitoring one's own mobile devices, problem situations when using the devices, and acceptable user content. 
The owner of the task processes the comments related to the guidelines and adds or updates the guidelines if necessary. 

1. Enroll Devices into MDM 
  • Company-Owned Devices: Enroll in Microsoft Intune for centralized management. 
  • Apple Devices: Use Apple Business Manager for streamlined deployment and management. 
  • Bring Your Own Device (BYOD): Enforce conditional access policies in Microsoft Entra to secure personal devices before granting access to corporate resources. 
2. Apply Security Policies 
  • Configure device compliance policies (e.g., encryption, password strength, and OS updates). 
  • Enforce remote wipe capabilities for lost or stolen devices. 
  • Restrict access to corporate data on non-compliant devices. 
3. Monitor and Audit Devices 
  • Use Intune reporting to track device compliance and security status. 
  • Regularly review access logs and security reports to detect anomalies. 
4. Manage Application Access 
  • Restrict corporate apps and data to managed devices only. 
  • Use app protection policies to prevent unauthorized data sharing. 
5. Review and Update Policies 
  • Regularly assess and refine mobile security policies based on evolving threats. 
  • Ensure BYOD users remain compliant with security requirements before accessing corporate resources. 

Restrictions on software installations: The organization has defined the types of software or updates each user can install on their devices. This helps in controlling unmanaged installations, reducing vulnerabilities, and maintaining tight security. 
Installation by designated personnel: In the organization, only specially designated individuals are allowed to install new software on the devices. This restriction ensures that unauthorized or potentially malicious software is not installed. 
Installation of pre-approved software: The organization has a list of pre-approved, secure software which can be installed by any user. This supports productivity while still maintaining control over software installations. 
Prohibition of certain software: The organization has identified specific software that is prohibited for installation. This helps prevent potential security risks associated with malicious or vulnerable software applications. 
Software updates and security patches: The organization allows any user to install updates and security patches for existing software. This promotes keeping software up-to-date, optimizing performance, and reducing the risk of security breaches. 

The organization proactively detects and blocks unauthorized or unapproved software using a combination of endpoint protection and application control technologies. These mechanisms help prevent malware, reduce the attack surface, and maintain system integrity across all devices. 
Application Whitelisting and Blocking 
  • The organization uses Heimdal Application Control to enforce a default-deny policy for software execution on endpoints. 
  • Only pre-approved software is allowed to run. 
  • Any execution attempt of unknown or unauthorized applications is automatically blocked and logged. 
  • Application control policies are maintained and reviewed by the Security Team in alignment with business requirements and risk assessments. 
Real-Time Monitoring and Detection 
  • SentinelOne provides real-time detection of unknown or potentially unwanted applications (PUAs), even if not explicitly blacklisted. 
  • It flags suspicious executables, scripts, and anomalous behavior. 
  • It can automatically quarantine or kill unauthorized processes and isolate affected devices. 
  • Detected applications or behavior are reviewed by the Security Team through the SentinelOne console. 
Use of Intrusion Detection Functionality 
  • The organization does not currently operate a traditional network-based Intrusion Detection System (IDS). 
  • However, equivalent functionality is provided at the endpoint level through: 
    • Heimdal and SentinelOne behavioral analysis 
    • DNS filtering to prevent unauthorized communications 
    • Alerting mechanisms for known malicious or unauthorized software behavior 
Future IDS or NDR (Network Detection and Response) capabilities may be evaluated as part of the organization’s maturing security roadmap.

IMPORTANT_DE.CM-6.1: All external connections by vendors supporting IT/OT applications or infrastructure shall be secured and actively monitored to ensure that only permissible actions occur during the connection.

Appointment of designated responsible person: The organization has assigned a designated responsible person who actively monitors and ensures that suppliers comply with the security terms of their contracts. 
Execution of service-level monitoring: The designated responsible person has set up a watch on the promised level of service from suppliers to guarantee their contractual obligations are met. 
Regular review of supplier reports: After analysing periodic supplier reports, the responsible person has engaged in follow-up meetings to address any issues or changes. 
Audit problem follow-ups: Issues identified during audits have been systematically tracked and managed until resolution. 
Incident management oversight: The responsible person has overseen the supplier's management of security incidents to assess responsiveness, effectiveness, and implementation of improvements if necessary. 
Supplier’s performance rating system: The organization has developed a performance rating system to ensure that service levels are consistently met by the supplier. Through this, the supplier's performance can be objectively assessed and potential deficiencies can be addressed.

IMPORTANT_DE.CM-6.2: External service providers' conformance with personnel security policies and procedures and contract security requirements shall be monitored relative to their cybersecurity risks.

1. Overview 
We remain responsible for security and compliance in outsourced development. This process ensures monitoring and quality control. 
2. Key Requirements 
  • Code Review: Internal teams approve code. 
  • Testing Evidence: Partners must provide unit, integration, and security test results. 
  • Communication: Regular meetings and real-time updates via collaboration platforms. 
  • Audit Rights: Contracts must allow audits of development processes and tools. 
  • Documentation: Maintain design documents, change logs, and security reports. 
3. Oversight & Improvement 
  • Periodic security audits and reviews. 
  • Continuous refinement based on feedback and evolving compliance needs.

Appointment of designated responsible person: The organization has assigned a designated responsible person who actively monitors and ensures that suppliers comply with the security terms of their contracts. 
Execution of service-level monitoring: The designated responsible person has set up a watch on the promised level of service from suppliers to guarantee their contractual obligations are met. 
Regular review of supplier reports: After analysing periodic supplier reports, the responsible person has engaged in follow-up meetings to address any issues or changes. 
Audit problem follow-ups: Issues identified during audits have been systematically tracked and managed until resolution. 
Incident management oversight: The responsible person has overseen the supplier's management of security incidents to assess responsiveness, effectiveness, and implementation of improvements if necessary. 
Supplier’s performance rating system: The organization has developed a performance rating system to ensure that service levels are consistently met by the supplier. Through this, the supplier's performance can be objectively assessed and potential deficiencies can be addressed.

IMPORTANT_DE.CM-7.1: The organization's business critical systems shall be monitored for unauthorized personnel access, connections, devices, access points, and software.

Configuration documentation: The organization has documented the current configurations of devices, data systems, and networks, ensuring a comprehensive record is maintained. 
Configuration change log: The organization has maintained a log of configuration changes to track all modifications and ensure accountability. 
Owner and contact information: The organization has included property owner and contact point information in the configuration documentation to ensure responsibility and communication channels are clear. 
Date of last configuration change: The organization has documented the date of the last configuration change for all devices, data systems, and networks to maintain an accurate timeline. 
Configuration reviews: The organization has established regular reviews of configuration documentation to ensure it remains accurate and up-to-date. 

Network traffic is logged and monitored using pfSense, which provides detailed logs of network activity including blocked/allowed connections, port usage, and traffic patterns. 
The Network Operations Center (NOC) team monitors this traffic and has a clear understanding of what constitutes “normal” network behavior — including expected protocols, destinations, and volumes. 
pfSense logs are reviewed: 
  • Periodically (e.g., weekly/monthly) by the NOC 
  • In response to anomalies, such as user reports, alerts, or system behavior changes 
If unusual traffic is detected (e.g., port scanning, suspicious external connections, abnormal data transfer), the team investigates and takes corrective actions. Logs are used during incident investigations and stored temporarily depending on system capacity and retention practices.
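As an added illustration of the review described above, here is a small Python script that is not part of this page or of pfSense: it parses constructed filterlog lines and flags two of the anomaly classes the NOC looks for, a single source probing many destination ports and allowed outbound connections whose protocol/port fall outside an expected baseline. The filterlog field layout (pfSense 2.2+ CSV, IPv4 TCP/UDP only), the interface name `igb0`, the scan threshold and the baseline set are assumptions, and every log line is constructed sample data.

```python
"""Review pfSense filterlog lines for port-scan and unexpected-outbound patterns.
Added example; log lines are constructed, not real traffic."""
import re
from collections import defaultdict

# Assumed pfSense filterlog CSV layout (IPv4 record, fields after "filterlog[pid]: "):
#   0 rule, 1 sub-rule, 2 anchor, 3 tracker, 4 interface, 5 reason, 6 action,
#   7 direction, 8 ip-version, 9 tos, 10 ecn, 11 ttl, 12 id, 13 offset, 14 flags,
#   15 proto-id, 16 proto-text, 17 length, 18 src, 19 dst, then for tcp/udp:
#   20 src-port, 21 dst-port, ...
FILTERLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ filterlog\[\d+\]: (?P<csv>.+)$"
)

# Constructed sample log (RFC 5737 documentation addresses). One external host
# probes six ports on an internal host; the internal host then makes three
# expected outbound connections and one to an unexpected port.
SAMPLE_LOG = """\
Apr 10 12:00:01 fw filterlog[71234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4321,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51001,22,0,S,1,,65535,,mss
Apr 10 12:00:01 fw filterlog[71234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4322,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51002,23,0,S,2,,65535,,mss
Apr 10 12:00:02 fw filterlog[71234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4323,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51003,80,0,S,3,,65535,,mss
Apr 10 12:00:02 fw filterlog[71234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4324,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51004,443,0,S,4,,65535,,mss
Apr 10 12:00:03 fw filterlog[71234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4325,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51005,3389,0,S,5,,65535,,mss
Apr 10 12:00:03 fw filterlog[71234]: 5,,,1000000103,igb0,match,block,in,4,0x0,,64,4326,0,DF,6,tcp,60,203.0.113.5,192.0.2.10,51006,8080,0,S,6,,65535,,mss
Apr 10 12:00:04 fw sshd[512]: Accepted publickey for admin from 192.0.2.50 port 52000 ssh2
Apr 10 12:01:10 fw filterlog[71234]: 100,,,1000000110,igb0,match,pass,out,4,0x0,,63,9001,0,DF,6,tcp,60,192.0.2.10,198.51.100.7,40001,443,0,S,7,,64240,,mss
Apr 10 12:01:11 fw filterlog[71234]: 100,,,1000000110,igb0,match,pass,out,4,0x0,,63,9002,0,none,17,udp,62,192.0.2.10,198.51.100.53,50000,53,42
Apr 10 12:01:12 fw filterlog[71234]: 100,,,1000000110,igb0,match,pass,out,4,0x0,,63,9003,0,DF,6,tcp,60,192.0.2.10,198.51.100.7,40002,443,0,S,8,,64240,,mss
Apr 10 12:02:30 fw filterlog[71234]: 100,,,1000000110,igb0,match,pass,out,4,0x0,,63,9004,0,DF,6,tcp,60,192.0.2.10,198.51.100.9,40003,4444,0,S,9,,64240,,mss
"""

# Assumed "normal" outbound baseline agreed by the NOC: (protocol, destination port).
EXPECTED_OUTBOUND = {("tcp", 443), ("tcp", 80), ("udp", 53)}


def parse_filterlog(line):
    """Return a dict for an IPv4 TCP/UDP filterlog record; None for anything else."""
    m = FILTERLOG_RE.match(line.strip())
    if not m:
        return None  # not a filterlog line (other daemons, blank lines)
    f = m.group("csv").split(",")
    if len(f) < 22 or f[8] != "4" or f[16] not in ("tcp", "udp"):
        return None  # IPv6, ICMP, or a truncated record: out of scope here
    return {
        "ts": m.group("ts"), "iface": f[4], "action": f[6], "direction": f[7],
        "proto": f[16], "src": f[18], "dst": f[19],
        "sport": int(f[20]), "dport": int(f[21]),
    }


def detect_port_scans(records, threshold=5):
    """Sources whose blocked inbound attempts touch >= threshold distinct ports."""
    ports = defaultdict(set)
    for r in records:
        if r["action"] == "block" and r["direction"] == "in":
            ports[r["src"]].add(r["dport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= threshold}


def detect_unexpected_outbound(records, baseline):
    """Allowed outbound flows whose (proto, dport) is not in the expected baseline."""
    return [r for r in records
            if r["action"] == "pass" and r["direction"] == "out"
            and (r["proto"], r["dport"]) not in baseline]


def analyze(log_text, baseline, scan_threshold=5):
    """Parse a log excerpt and return the findings a reviewer would triage."""
    records = [r for r in map(parse_filterlog, log_text.splitlines()) if r]
    return {
        "parsed": len(records),
        "port_scans": detect_port_scans(records, scan_threshold),
        "unexpected_outbound": detect_unexpected_outbound(records, baseline),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG, EXPECTED_OUTBOUND)
    print(f"parsed {result['parsed']} filterlog records")
    for src, ports in result["port_scans"].items():
        print(f"possible port scan from {src}: blocked probes to ports {ports}")
    for r in result["unexpected_outbound"]:
        print(f"unexpected outbound {r['proto']} {r['src']} -> {r['dst']}:{r['dport']} at {r['ts']}")
```

In practice the script would be fed the exported filterlog rather than the embedded sample, the threshold would be tuned per interface, and the baseline would come from the NOC's documented list of expected protocols and destinations; findings still go to a person for investigation, as the text above requires.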

IMPORTANT_DE.CM-8.1: The organization shall monitor and scan for vulnerabilities in its critical systems and hosted applications, ensuring that system functions are not adversely impacted by the scanning process.

Regular vulnerability scanning: The organization routinely carries out vulnerability scans across various systems, including computers, workstations, networks, and applications. This practice enables the early detection and mitigation of potential vulnerabilities. 
Accounting for configuration errors and outdated practices: The organization is aware that vulnerabilities can arise not just from software errors, but also from configuration mistakes and outdated practices, such as the use of obsolete encryption algorithms. Measures are in place to avoid such pitfalls and stay updated with best practices. 

Utilized security systems: 
  • Veeam Backup & Replication 
  • Microsoft Azure Active Directory 
  • XDR 
  • Microsoft Authenticator 
  • Microsoft Defender for Endpoint 
  • Microsoft Defender for Cloud Apps 
  • Devolutions RDM 
  • Microsoft Defender for Office 365 (MDO) 
  • Microsoft BitLocker 
  • Heimdal 
  • FileVault 

Identification of information sources: The organization has identified diverse information sources, such as authorities and hardware and software manufacturers. These sources are handpicked to identify and keep track of any information about potential technical vulnerabilities. 
Routine evaluation of data sources: The organization has put in place a mechanism to periodically evaluate the effectiveness and relevance of these data sources. The data sources are updated whenever new and useful sources are identified. 
Vendor systems vulnerability tracking: The organization has a process to identify vulnerabilities directly in the vendor systems it uses, either by staying informed about updates and advisories from the vendor or by using specific tools for vulnerability detection.

IMPORTANT_DE.CM-8.2: The vulnerability scanning process shall include analysis, remediation, and information sharing.

Regular vulnerability scanning: The organization routinely carries out vulnerability scans across various systems, including computers, workstations, networks, and applications. This practice enables the early detection and mitigation of potential vulnerabilities. 
Accounting for configuration errors and outdated practices: The organization is aware that vulnerabilities can arise not just from software errors, but also from configuration mistakes and outdated practices, such as the use of obsolete encryption algorithms. Measures are in place to avoid such pitfalls and stay updated with best practices. 

Utilized security systems: 
  • Veeam Backup & Replication 
  • Microsoft Azure Active Directory 
  • XDR 
  • Microsoft Authenticator 
  • Microsoft Defender for Endpoint 
  • Microsoft Defender for Cloud Apps 
  • Devolutions RDM 
  • Microsoft Defender for Office 365 (MDO) 
  • Microsoft BitLocker 
  • Heimdal 
  • FileVault 

Identification of information sources: The organization has identified diverse information sources, such as authorities and hardware and software manufacturers. These sources are handpicked to identify and keep track of any information about potential technical vulnerabilities. 
Routine evaluation of data sources: The organization has put in place a mechanism to periodically evaluate the effectiveness and relevance of these data sources. The data sources are updated whenever new and useful sources are identified. 
Vendor systems vulnerability tracking: The organization has a process to identify vulnerabilities directly in the vendor systems it uses, either by staying informed about updates and advisories from the vendor or by using specific tools for vulnerability detection.

Establishment of threat intelligence sharing networks: The organization has established networks for sharing threat intelligence information with other organizations. This exchange improves the organization's understanding of the threat landscape and helps others too.

IMPORTANT_DE.DP-2.1: The organization shall conduct detection activities in accordance with applicable federal and regional laws, industry regulations and standards, policies, and other applicable requirements.

Other requirements that affect the organization's security, including at least legislation and customer requirements, are documented directly in the organization's information security management system. 
The task owner ensures that each requirement has an owner and that a review interval is set, according to which the owners must review changes to their requirements. 
The task owner regularly reviews the listing to ensure it is accurate, up-to-date, and consistent.

IMPORTANT_DE.DP-4.1: The organization shall communicate event detection information to predefined parties.

Informing original reporter and involved personnel: The organization has defined procedures to ensure that the original reporter and other personnel involved in the incident are informed of the outcome of the incident management. This communication ensures transparency and closure for all parties involved. 
Documentation of linked personnel: The organization has provided an optional field on the incident documentation template to document linked personnel. This allows easy tracking and ensures all relevant parties are informed appropriately. 
Outcome communication: The organization has communicated the results of the incident management process to the original reporter and any other personnel involved. This includes details of the incident resolution and any follow-up actions taken. 
Confirmation of receipt: The organization has implemented a system to confirm receipt of incident outcome information by the original reporter and involved personnel. This ensures that the communicated information has been acknowledged and understood. 
Feedback collection: The organization has established a feedback mechanism to collect input from the original reporter and involved personnel regarding the incident management process. This feedback helps improve future incident handling procedures.

IMPORTANT_DE.DP-5.1: Improvements derived from the monitoring, measurement, assessment, testing, review, and lessons learned, shall be incorporated into detection process revisions.

Regular incident analysis: The organization has regularly analyzed incidents as a whole, examining their type, number, and cost. This analysis aims to identify recurrent and significant incidents that require more action. 
Creation or expansion of management tasks: The organization has created new management tasks or expanded current ones based on the identification of recurrent incidents requiring a response. This ensures that appropriate management oversight is in place. 
Refining of security guidelines: The organization has refined or extended security guidelines in areas where recurrent incidents have been identified. This improves the framework for handling similar incidents in the future. 
Development of case examples: The organization has developed case examples of incidents, which are used to train staff to respond to or avoid similar incidents. This educational approach helps reduce the likelihood and impact of future incidents. 
Identifying recurrent incidents: The organization has identified recurrent incidents requiring further response and has taken steps to mitigate or prevent these. This proactive stance helps in reducing the frequency and severity of security incidents. 

Follow-up analysis: The organization has performed a separate follow-up analysis when the source of a security incident is difficult to identify based on the primary treatment. This step aims to delve deeper into the incident to find the root cause. 
Root cause identification: During the follow-up analysis, the organization has sought to identify the root cause of the security incident. This process includes thorough investigation and examination of all possible factors leading to the incident. 
Comprehensive report: The organization has compiled a comprehensive report of the follow-up analysis, documenting the findings and identifying the root cause. This report provides detailed insights into the incident and supports preventive measures. 
Review of existing controls: The organization has reviewed the existing security controls during the follow-up analysis to ascertain their effectiveness and identify any gaps that may have contributed to the incident. This review helps in strengthening the security posture.

DETECT

Develop and implement appropriate activities to identify the occurrence of a cybersecurity event.

RESPOND

BASIC_RS.RP-1.1: An incident response process, including roles, responsibilities, and authorities, shall be executed during or after an information/cybersecurity event on the organization's critical systems.

1. Purpose and Scope 
The Incident Response Plan (IRP) outlines the procedures for identifying, responding to, recovering from, and learning from security incidents affecting critical information systems. The plan ensures business continuity, mitigates risks, and maintains compliance with relevant regulatory requirements. 
2. Roles and Responsibilities 
  • Incident Response Team (IRT): 
    • Incident Manager: Leads and coordinates the response. 
    • Technical Response Team: Investigates, contains, and mitigates the incident. 
    • Legal & Compliance Officer: Ensures regulatory and legal compliance. 
    • Communication Coordinator: Handles internal and external communications. 
    • Business Continuity Officer: Ensures business processes continue with minimal disruption. 
  • Contact Information for Key Personnel: Maintain an up-to-date list of all assigned roles and their contact details. 
3. Incident Response Phases 
A. Preparation 
  • Define incident categories (e.g., ransomware, data breach, system failure). 
  • Implement monitoring tools to detect anomalies. 
  • Conduct employee training and awareness. 
  • Establish communication and escalation procedures. 
B. Identification 
  • Identify anomalies using: 
    • Security Information and Event Management (SIEM) 
    • Intrusion Detection Systems (IDS) 
    • Endpoint Detection and Response (EDR) 
  • Classify incidents based on severity levels (Low, Medium, High, Critical). 
  • Document the incident details in the Incident Log. 
C. Containment 
  • Short-term Containment: 
    • Isolate affected systems. 
    • Disable compromised user accounts. 
    • Block malicious IPs and URLs. 
  • Long-term Containment: 
    • Apply patches and security updates. 
    • Remove backdoors and malicious code. 
    • Strengthen access controls. 
D. Eradication 
  • Conduct forensic analysis to determine the root cause. 
  • Remove malware, compromised accounts, or vulnerabilities. 
  • Validate that all malicious artifacts are eradicated. 
E. Recovery 
  • Define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). 
  • Restore systems using verified backups. 
  • Monitor for re-infection or further compromise. 
  • Ensure normal operations resume securely. 
F. Post-Incident Review 
  • Conduct an incident post-mortem to analyze response effectiveness. 
  • Update response playbooks to prevent recurrence. 
  • Measure incident response effectiveness with metrics (e.g., mean time to detect (MTTD), mean time to respond (MTTR)). 
4. Business Continuity Considerations 
  • Maintain backup communication channels. 
  • Establish alternative processing facilities if needed. 
  • Ensure critical services remain operational even if primary systems are affected. 
5. Incident Response Plan Maintenance 
  • Distribution & Approval: 
    • Ensure leadership and compliance teams approve and distribute the plan. 
  • Testing & Exercises: 
    • Conduct tabletop exercises and simulated attack scenarios (e.g., phishing, ransomware attack). 
    • Validate response effectiveness with penetration testing. 
  • Regular Updates: 
    • Review and update the plan annually or after major incidents. 
    • Ensure alignment with NIS2, GDPR, ISO 27001, and SOC 2 standards. 
6. Metrics for Incident Management Capability 
  • Detection Metrics: 
    • Time taken to detect an incident (MTTD). 
    • Number of security incidents detected per month. 
  • Response Metrics: 
    • Mean time to respond (MTTR). 
    • Number of incidents fully resolved within SLA. 
  • Recovery Metrics: 
    • Percentage of incidents meeting RTO & RPO. 
    • Downtime duration of critical systems. 
  • Compliance Metrics: 
    • Percentage of incidents documented and reported. 
    • Number of compliance-related violations detected.

IMPORTANT_RS.CO-1.1: The organization shall ensure that personnel understand their roles, objectives, restoration priorities, task sequences (order of operations) and assignment responsibilities for event response.

Incident reporting process: The organization has established and maintained a process for reporting incidents to help staff report them efficiently and consistently. This process ensures that incidents are documented, addressed promptly, and contribute to the overall security posture of the organization. 
Personnel guidelines: The personnel guidelines emphasize the obligation to report security incidents as soon as possible, following the agreed-upon process. Employees are instructed to immediately report incidents through the designated channels to ensure a swift and organized response. 
Other operations in the event of an incident: The instructions also describe additional actions to be taken in the event of an incident. This includes recording error messages and other relevant details, ensuring comprehensive documentation that can aid in incident analysis and response. 

Assignment of incident management responsibilities: The organization has ensured that specific individuals are clearly assigned to incident management responsibilities. These responsibilities include tasks such as incident detection and reporting, first response handling, incident analysis, communication coordination, recovery and restoration, documentation, and follow-up and improvement. 
Instruction and training of incident management personnel: The organization has instructed and trained incident management personnel to understand the organization’s priorities and protocols when dealing with security incidents. Comprehensive training covers understanding the incident response plan, priority setting, communication protocols, use of incident management tools, legal and regulatory requirements, team coordination, incident simulation drills, and best practices for reporting and documentation. 
Assignment and review of roles: The organization has established a routine process to review and update the roles and responsibilities of incident management personnel. This ensures that clear roles are maintained and role reassignment is made as needed based on changes in the organization or team composition.

IMPORTANT_RS.CO-2.1: The organization shall implement reporting on information/cybersecurity incidents on its critical systems in an organization-defined time frame to organization-defined personnel or roles.

Notification to supervisory authority: The organization has reported personal data breaches to the supervisory authority when the breach may pose a risk to data subjects' rights and freedoms. This ensures compliance with regulatory requirements and timely communication with authorities. 
Informing affected data subjects: The organization has informed data subjects when the breach is likely to pose a high risk to their rights and freedoms. This enables the affected individuals to take steps to mitigate potential adverse effects, such as cancelling their credit cards. 
Clear description of the breach: The organization has provided a clear description of the personal data breach in the notifications. This includes details on what occurred and the nature of the compromised data. 
Likely consequences: The organization has outlined the likely consequences of the personal data breach in the notifications. By doing so, affected data subjects are better informed about the potential impact on their rights and freedoms. 
Mitigation measures: The organization has detailed the measures proposed or already taken by the controller in the notifications. Where appropriate, the organization has also included actions to mitigate possible adverse effects, which helps in protecting affected data subjects and minimizing further risks. 

Incident reporting process: The organization has established and maintained a process for reporting incidents to help staff report them efficiently and consistently. This process ensures that incidents are documented, addressed promptly, and contribute to the overall security posture of the organization. 
Personnel guidelines: The personnel guidelines emphasize the obligation to report security incidents as soon as possible, following the agreed-upon process. Employees are instructed to immediately report incidents through the designated channels to ensure a swift and organized response. 
Other operations in the event of an incident: The instructions also describe additional actions to be taken in the event of an incident. This includes recording error messages and other relevant details, ensuring comprehensive documentation that can aid in incident analysis and response. 

Incident confirmation and recording: The organization has confirmed reported incidents or determined them unnecessary to record. This step ensures that only relevant incidents are documented for further action. 
Documentation of type and cause: The organization has documented the type and cause of each confirmed incident, providing a clear understanding of what occurred and why. 
Risk documentation: The organization has documented the risks associated with each incident. This includes identifying and recording potential impacts on operations and security. 
Risk re-evaluation and treatment: The organization has re-evaluated the risks following each incident and treated them if necessary. This process ensures that any new or increased risks are appropriately managed. 
Risk mitigation measures: The organization has documented risk mitigation measures or decisions to accept the risks following each incident. This ensures a clear record of how risks are managed. 
Identification of informed parties: The organization has identified individuals or groups who need to be informed of the results of the incident treatment, including external stakeholders. This ensures that all relevant parties are kept updated. 
Post-incident analysis: The organization has determined the need for a post-incident analysis. This step helps in understanding the incident's impact and preventing future occurrences.

IMPORTANT_RS.CO-3.2: The organization shall share information/cybersecurity incident information with relevant stakeholders as foreseen in the incident response plan.

Notification to supervisory authority: The organization has reported personal data breaches to the supervisory authority when the breach may pose a risk to data subjects' rights and freedoms. This ensures compliance with regulatory requirements and timely communication with authorities. 
Informing affected data subjects: The organization has informed data subjects when the breach is likely to pose a high risk to their rights and freedoms. This enables the affected individuals to take steps to mitigate potential adverse effects, such as cancelling their credit cards. 
Clear description of the breach: The organization has provided a clear description of the personal data breach in the notifications. This includes details on what occurred and the nature of the compromised data. 
Likely consequences: The organization has outlined the likely consequences of the personal data breach in the notifications. By doing so, affected data subjects are better informed about the potential impact on their rights and freedoms. 
Mitigation measures: The organization has detailed the measures proposed or already taken by the controller in the notifications. Where appropriate, the organization has also included actions to mitigate possible adverse effects, which helps in protecting affected data subjects and minimizing further risks.

IMPORTANT_RS.CO-5.1: The organization shall share information/cybersecurity event information voluntarily, as appropriate, with external stakeholders, industry security groups,… to achieve broader information/cybersecurity situational awareness.

Establishment of threat intelligence sharing networks: The organization has established networks for sharing threat intelligence information with other organizations. This exchange improves the organization's understanding of the threat landscape and helps others too.

IMPORTANT_RS.AN-1.1: The organization shall investigate information/cybersecurity-related notifications generated from detection systems.

Comprehensive event logging: Security systems, such as firewalls and malware protection, often have the capability to record logs of events. The organization ensures that comprehensive logs are regularly accumulated from these systems. 
Regular log reviews: At regular intervals, designated personnel review the logs to ensure they are comprehensive and cover all relevant events. This review helps in maintaining a complete record for future analysis. 
Identification of suspicious activities: The organization actively analyzes the logs to identify any suspicious activities. This involves looking for unusual patterns, anomalies, and potential security incidents. 
Use of advanced tools: The organization utilizes advanced tools and algorithms to automate the identification of suspicious activities within the logs. These tools can help identify potential threats faster and more accurately. 
Disturbance and violation investigation: Logs are instrumental in investigating disturbances or security violations. The organization uses the accumulated log data to trace incidents back to their root causes, understand the sequence of events, and determine potential compromises. 
Retention and archiving: The organization has policies in place for the retention and archiving of logs. These policies ensure that logs are kept for an appropriate period to support investigations and compliance requirements. 
Integration with monitoring systems: Logs from security systems are integrated with the organization's monitoring systems, such as SIEM (Security Information and Event Management), to enable real-time analysis and alerting. 

Utilized security systems:
  • AdminDroid 
  • XDR 
  • Microsoft Defender for Endpoint 
  • Heimdal

IMPORTANT_RS.AN-2.1: Thorough investigation and result analysis shall be the base for understanding the full implication of the information/cybersecurity incident.

Regular incident analysis: The organization has regularly analyzed incidents as a whole, examining their type, number, and cost. This analysis aims to identify recurrent and significant incidents that require more action. 
Creation or expansion of management tasks: The organization has created new management tasks or expanded current ones based on the identification of recurrent incidents requiring a response. This ensures that appropriate management oversight is in place. 
Refining of security guidelines: The organization has refined or extended security guidelines in areas where recurrent incidents have been identified. This improves the framework for handling similar incidents in the future. 
Development of case examples: The organization has developed case examples of incidents, which are used to train staff to respond to or avoid similar incidents. This educational approach helps reduce the likelihood and impact of future incidents. 
Identifying recurrent incidents: The organization has identified recurrent incidents requiring further response and has taken steps to mitigate or prevent these. This proactive stance helps in reducing the frequency and severity of security incidents. 

Incident confirmation and recording: The organization has confirmed reported incidents or determined them unnecessary to record. This step ensures that only relevant incidents are documented for further action. 
Documentation of type and cause: The organization has documented the type and cause of each confirmed incident, providing a clear understanding of what occurred and why. 
Risk documentation: The organization has documented the risks associated with each incident. This includes identifying and recording potential impacts on operations and security. 
Risk re-evaluation and treatment: The organization has re-evaluated the risks following each incident and treated them if necessary. This process ensures that any new or increased risks are appropriately managed. 
Risk mitigation measures: The organization has documented risk mitigation measures or decisions to accept the risks following each incident. This ensures a clear record of how risks are managed. 
Identification of informed parties: The organization has identified individuals or groups who need to be informed of the results of the incident treatment, including external stakeholders. This ensures that all relevant parties are kept updated. 
Post-incident analysis: The organization has determined the need for a post-incident analysis. This step helps in understanding the incident's impact and preventing future occurrences.

IMPORTANT_RS.AN-4.1: Information/cybersecurity incidents shall be categorized according to the level of severity and impact, consistent with the evaluation criteria included in the incident response plan.

Incident confirmation and recording: The organization has confirmed reported incidents or determined them unnecessary to record. This step ensures that only relevant incidents are documented for further action. 
Documentation of type and cause: The organization has documented the type and cause of each confirmed incident, providing a clear understanding of what occurred and why. 
Risk documentation: The organization has documented the risks associated with each incident. This includes identifying and recording potential impacts on operations and security. 
Risk re-evaluation and treatment: The organization has re-evaluated the risks following each incident and treated them if necessary. This process ensures that any new or increased risks are appropriately managed. 
Risk mitigation measures: The organization has documented risk mitigation measures or decisions to accept the risks following each incident. This ensures a clear record of how risks are managed. 
Identification of informed parties: The organization has identified individuals or groups who need to be informed of the results of the incident treatment, including external stakeholders. This ensures that all relevant parties are kept updated. 
Post-incident analysis: The organization has determined the need for a post-incident analysis. This step helps in understanding the incident's impact and preventing future occurrences.

Definition of response process and team: The organization has defined a clear process and identified a team responsible for responding promptly to security incidents and deciding on appropriate actions. This structure ensures efficient handling of incidents as they arise. 
First level response: The organization has established a first-level response process that includes key steps to ensure timely and effective action. 
Incident confirmation: The team has effectively sought to confirm identified incidents as part of the first-level response process. This involves verifying the validity of the security event before proceeding. 
Need for immediate response: The team has decided on the need for an immediate response, assessing whether the identified incident requires urgent attention to mitigate risks or damages. 
Documentation of actions: The organization has documented all actions taken during the first-level response, ensuring a clear record of decisions and measures implemented. 
Training of the response team: The organization has provided specialized training to the response team, ensuring they are prepared to handle confirmed incidents effectively and make swift decisions regarding immediate responses.

IMPORTANT_RS.AN-5.1: The organization shall implement vulnerability management processes and procedures that include processing, analyzing and remedying vulnerabilities from internal and external sources.

We identify, assess, and remediate vulnerabilities on endpoints, servers, and network infrastructure using automated tools and structured processes. 
Implementation 
  • Endpoint vulnerabilities are detected via SentinelOne. 
  • Server and infrastructure vulnerabilities are detected via ManageEngine Vulnerability Manager Plus (VAS). 
  • High and critical vulnerabilities are prioritized based on CVSS score, exploitability, and asset criticality. 
  • Vulnerabilities are tracked and managed in Jira from detection to closure. 
  • Patch management is coordinated between the Security Team and Infrastructure Team. 
Monitoring and Review 
  • SentinelOne alerts are reviewed daily for critical vulnerabilities. 
  • VAS vulnerability scans are reviewed weekly. 

Regular vulnerability scanning: The organization routinely carries out vulnerability scans across various systems, including computers, workstations, networks, and applications. This practice enables the early detection and mitigation of potential vulnerabilities. 
Accounting for configuration errors and outdated practices: The organization is aware that vulnerabilities can arise not just from software errors, but also from configuration mistakes and outdated practices, such as the use of obsolete encryption algorithms. Measures are in place to avoid such pitfalls and stay updated with best practices. 

Utilized security systems: 
  • Veeam Backup & Replication 
  • Microsoft Azure Active Directory 
  • XDR 
  • Microsoft Authenticator 
  • Microsoft Defender for Endpoint 
  • Microsoft Defender for Cloud Apps 
  • Devolution RDM 
  • Microsoft Defender for Office 365 (MDO) 
  • Microsoft BitLocker 
  • Heimdal 
  • FileVault 

Quick-response team setup: The organization has determined the composition of a quick-response team that is primed to respond to identified vulnerabilities. This team is made up of individuals with the requisite skills and expertise to promptly and effectively tackle such issues. 
Reporting process for located vulnerabilities: Upon locating a vulnerability, the concerned individual is tasked with promptly informing the entire team through an agreed-upon channel. This ensures that all team members are promptly aware and can begin coordinated response efforts. 
Determining vulnerability severity: The team assesses the severity of the vulnerability (low, medium, high) based on pre-defined criteria. This categorization aids in prioritizing response actions and allocating resources effectively. 
Deciding response approach: Based on the assessed severity, the team decides whether to handle the vulnerability as a security breach (necessitating more urgent attention) or under general change management. This decision informs the timeline and intensity of the response efforts. 
Choosing individuals for vulnerability management: The organization selects the necessary individuals to continue addressing the vulnerability, considering roles, skills, and availability. The selected individuals then collaborate to rectify the vulnerability and reinstate secure operations. 
Addressing high-risk data system vulnerabilities: Vulnerabilities related to high-risk data systems are always considered of high severity. The organization prioritizes addressing these vulnerabilities first, given their potential impact on data security and system functionality. 

Regular monitoring of vulnerability management process: The organization continuously monitors its technical vulnerability management process. This involves checking for timely detection, accurate categorization, effective mitigation, and proper documentation of vulnerabilities. 
Evaluation of vulnerability management process: The organization evaluates the effectiveness and efficiency of the vulnerability management process on a regular basis. This evaluation includes metrics such as time to detect, time to mitigate, and the rate of recurring vulnerabilities.
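The prioritization rules described above (CVSS score, exploitability and asset criticality, with high-risk data systems always rated high), the breach-versus-change-management decision, and the process metrics (time to mitigate, recurrence rate) as an added Python example; this is not NormNest's own tooling. The numeric weightings and thresholds, the VULN-xxxx tracker keys and the asset names are assumed sample values, since the page states the criteria but not their values.

```python
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional

# Added example, not NormNest's own tooling. The page states that severity
# (low/medium/high) follows pre-defined criteria built on CVSS score,
# exploitability and asset criticality, and that high-risk data systems are
# always rated high; the weightings and thresholds below are assumed.


@dataclass
class Finding:
    vuln_id: str               # tracker key (constructed placeholder, not a CVE)
    asset: str                 # constructed asset name
    cvss: float                # CVSS base score reported by the scanner
    exploit_available: bool    # public exploit or active exploitation known
    asset_criticality: str     # "low" | "medium" | "high"
    high_risk_data: bool       # asset processes high-risk data
    detected: date             # date the scanner reported the finding
    mitigated: Optional[date] = None   # date the ticket was closed, if any


def assess_severity(f: Finding) -> str:
    """Rate a finding low/medium/high from CVSS, exploitability and asset criticality."""
    if f.high_risk_data:
        return "high"                  # page rule: high-risk data systems are always high
    score = f.cvss
    if f.exploit_available:
        score += 1.5                   # assumed weighting: a known exploit raises priority
    if f.asset_criticality == "high":
        score += 1.0                   # assumed weighting for critical assets
    elif f.asset_criticality == "low":
        score -= 1.0
    if score >= 8.0:
        return "high"
    if score >= 5.0:
        return "medium"
    return "low"


def response_track(severity: str) -> str:
    """High severity is handled as a security breach; the rest goes through change management."""
    return "security-breach" if severity == "high" else "change-management"


def process_metrics(findings: list) -> dict:
    """Open count, mean time to mitigate and recurrence rate for process evaluation."""
    closed = [f for f in findings if f.mitigated is not None]
    mean_ttm = mean((f.mitigated - f.detected).days for f in closed) if closed else None
    occurrences: dict = {}             # same vulnerability on the same asset seen again
    for f in findings:
        key = (f.vuln_id, f.asset)
        occurrences[key] = occurrences.get(key, 0) + 1
    recurring = sum(1 for n in occurrences.values() if n > 1)
    return {
        "open": len(findings) - len(closed),
        "mean_days_to_mitigate": mean_ttm,
        "recurrence_rate": recurring / len(occurrences) if occurrences else 0.0,
    }


# Constructed sample export from the tracker (not real findings).
SAMPLE = [
    Finding("VULN-0001", "db-prod-01", 7.5, True, "high", True, date(2024, 1, 3), date(2024, 1, 5)),
    Finding("VULN-0002", "ws-0042", 6.1, False, "low", False, date(2024, 1, 4), date(2024, 1, 20)),
    Finding("VULN-0003", "web-edge-02", 8.8, True, "medium", False, date(2024, 1, 6)),
    Finding("VULN-0002", "ws-0042", 6.1, False, "low", False, date(2024, 2, 1)),  # reappeared
]

if __name__ == "__main__":
    for f in SAMPLE:
        sev = assess_severity(f)
        print(f.vuln_id, f.asset, sev, response_track(sev))
    print(process_metrics(SAMPLE))
```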

BASIC_RS.IM-1.1: The organization shall conduct post-incident evaluations to analyse lessons learned from incident response and recovery, and consequently improve processes / procedures / technologies to enhance its cyber resilience.

Regular incident analysis: The organization has regularly analyzed incidents as a whole, examining their type, amount, and cost. This analysis aims to identify recurrent and significant incidents that require more action. 
Creation or expansion of management tasks: The organization has created new management tasks or expanded current ones based on the identification of recurrent incidents requiring a response. This ensures that appropriate management oversight is in place. 
Refining of security guidelines: The organization has refined or extended security guidelines in areas where recurrent incidents have been identified. This improves the framework for handling similar incidents in the future. 
Development of case examples: The organization has developed case examples of incidents, which are used to train staff to respond to or avoid similar incidents. This educational approach helps reduce the likelihood and impact of future incidents. 
Identifying recurrent incidents: The organization has identified recurrent incidents requiring further response and has taken steps to mitigate or prevent these. This proactive stance helps in reducing the frequency and severity of security incidents.

IMPORTANT_RS.IM-1.2: Lessons learned from incident handling shall be translated into updated or new incident handling procedures that shall be tested, approved and trained.

Contractual terms fulfillment: The organization has ensured that the partners' compliance with security requirements aligns with the contractual terms, thereby upholding the integrity and security of the provided digital services. 
Plan testing analysis: The organization meticulously analyzes the outcomes of continuity plan tests. This involves reviewing what worked well, identifying any weaknesses, and understanding how plans can be enhanced for greater effectiveness. 
Training feedback: The organization gathers feedback from training sessions to identify areas where staff may need further education or where plans can be clarified. This feedback loop is essential for ensuring that personnel are adequately prepared and that the plans are practical. 
Real-world application: The organization assesses the performance of continuity plans when they are activated during real incidents. This practical application provides valuable insights into the plans’ effectiveness and areas that might require adjustments. 
Documentation of findings: All findings from plan testing, training, and real-world application are thoroughly documented. This documentation includes identified strengths, weaknesses, and recommended improvements.

IMPORTANT_RS.IM-2.1: The organization shall update the response and recovery plans to address changes in its context.

Contractual terms fulfillment: The organization has ensured that the partners' compliance with security requirements aligns with the contractual terms, thereby upholding the integrity and security of the provided digital services. 
Plan testing analysis: The organization meticulously analyzes the outcomes of continuity plan tests. This involves reviewing what worked well, identifying any weaknesses, and understanding how plans can be enhanced for greater effectiveness. 
Training feedback: The organization gathers feedback from training sessions to identify areas where staff may need further education or where plans can be clarified. This feedback loop is essential for ensuring that personnel are adequately prepared and that the plans are practical. 
Real-world application: The organization assesses the performance of continuity plans when they are activated during real incidents. This practical application provides valuable insights into the plans’ effectiveness and areas that might require adjustments. 
Documentation of findings: All findings from plan testing, training, and real-world application are thoroughly documented. This documentation includes identified strengths, weaknesses, and recommended improvements.

RESPOND

Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.

RECOVER

BASIC_RC.RP-1.1: A recovery process for disasters and information/cybersecurity incidents shall be developed and executed as appropriate.

Continuity planning for unexpected events: The organization has implemented continuity planning to ensure that operations can continue as quickly and smoothly as possible following an unexpected event, such as a fire, flood, or equipment failure. 
Event description: Each continuity plan specifies the particular event or scenario it addresses, such as fires, floods, equipment failures, or similar disruptions. 
Goal for recovery time: The plan sets a clear target for the recovery time objective (RTO), which defines the maximum acceptable downtime before critical operations must be restored. 
Responsible persons and stakeholders: The plan identifies the responsible persons and relevant stakeholders, including their roles and responsibilities. It also includes detailed contact information for quick and effective communication. 
Planned immediate actions: The continuity plan outlines the immediate actions to be taken in response to the event. These actions are designed to mitigate impact, ensure safety, and stabilize the situation quickly. 
Planned recovery steps: The plan describes the specific steps that need to be taken to recover and restore operations. This includes detailed procedures for assessing damage, prioritizing actions, and resuming critical business functions.

1. Purpose and Scope 
The Incident Response Plan (IRP) outlines the procedures for identifying, responding to, recovering from, and learning from security incidents affecting critical information systems. The plan ensures business continuity, mitigates risks, and maintains compliance with relevant regulatory requirements. 
2. Roles and Responsibilities 
  • Incident Response Team (IRT): 
      • Incident Manager: Leads and coordinates the response. 
      • Technical Response Team: Investigates, contains, and mitigates the incident. 
      • Legal & Compliance Officer: Ensures regulatory and legal compliance. 
      • Communication Coordinator: Handles internal and external communications. 
      • Business Continuity Officer: Ensures business processes continue with minimal disruption. 
  • Contact Information for Key Personnel: Maintain an up-to-date list of all assigned roles and their contact details. 
3. Incident Response Phases 
A. Preparation 
  • Define incident categories (e.g., ransomware, data breach, system failure). 
  • Implement monitoring tools to detect anomalies. 
  • Conduct employee training and awareness. 
  • Establish communication and escalation procedures. 
B. Identification 
  • Identify anomalies using: 
      • Security Information and Event Management (SIEM) 
      • Intrusion Detection Systems (IDS) 
      • Endpoint Detection and Response (EDR) 
  • Classify incidents based on severity levels (Low, Medium, High, Critical). 
  • Document the incident details in the Incident Log. 
C. Containment 
  • Short-term Containment: 
      • Isolate affected systems. 
      • Disable compromised user accounts. 
      • Block malicious IPs and URLs. 
  • Long-term Containment: 
      • Apply patches and security updates. 
      • Remove backdoors and malicious code. 
      • Strengthen access controls. 
D. Eradication 
  • Conduct forensic analysis to determine the root cause. 
  • Remove malware, compromised accounts, or vulnerabilities. 
  • Validate that all malicious artifacts are eradicated. 
E. Recovery 
  • Define Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs). 
  • Restore systems using verified backups. 
  • Monitor for re-infection or further compromise. 
  • Ensure normal operations resume securely. 
F. Post-Incident Review 
  • Conduct an incident post-mortem to analyze response effectiveness. 
  • Update response playbooks to prevent recurrence. 
  • Measure incident response effectiveness with metrics (e.g., mean time to detect (MTTD), mean time to respond (MTTR)). 
4. Business Continuity Considerations 
  • Maintain backup communication channels. 
  • Establish alternative processing facilities if needed. 
  • Ensure critical services remain operational even if primary systems are affected. 
5. Incident Response Plan Maintenance 
  • Distribution & Approval: 
      • Ensure leadership and compliance teams approve and distribute the plan. 
  • Testing & Exercises: 
      • Conduct tabletop exercises and simulated attack scenarios (e.g., phishing, ransomware attack). 
      • Validate response effectiveness with penetration testing. 
  • Regular Updates: 
      • Review and update the plan annually or after major incidents. 
      • Ensure alignment with NIS2, GDPR, ISO 27001, and SOC 2 standards. 
6. Metrics for Incident Management Capability 
  • Detection Metrics: 
      • Time taken to detect an incident (MTTD). 
      • Number of security incidents detected per month. 
  • Response Metrics: 
      • Mean time to respond (MTTR). 
      • Number of incidents fully resolved within SLA. 
  • Recovery Metrics: 
      • Percentage of incidents meeting RTO & RPO. 
      • Downtime duration of critical systems. 
  • Compliance Metrics: 
      • Percentage of incidents documented and reported. 
      • Number of compliance-related violations detected.

IMPORTANT_RC.IM-1.1: The organization shall incorporate lessons learned from incident recovery activities into updated or new system recovery procedures and, after testing, frame this with appropriate training.

Regular incident analysis: The organization has regularly analyzed incidents as a whole, examining their type, amount, and cost. This analysis aims to identify recurrent and significant incidents that require more action. 
Creation or expansion of management tasks: The organization has created new management tasks or expanded current ones based on the identification of recurrent incidents requiring a response. This ensures that appropriate management oversight is in place. 
Refining of security guidelines: The organization has refined or extended security guidelines in areas where recurrent incidents have been identified. This improves the framework for handling similar incidents in the future. 
Development of case examples: The organization has developed case examples of incidents, which are used to train staff to respond to or avoid similar incidents. This educational approach helps reduce the likelihood and impact of future incidents. 
Identifying recurrent incidents: The organization has identified recurrent incidents requiring further response and has taken steps to mitigate or prevent these. This proactive stance helps in reducing the frequency and severity of security incidents.

RECOVER

Develop and implement appropriate activities to maintain plans for resilience and to restore capabilities impaired by cybersecurity incidents.

Trust Policies

Risk Profile

Third-Party Dependency

Hosting

Recovery Time Objective

Risk Profile

Determines the resilience of your system and the importance of your service to customers. Includes recovery objectives, data sensitivity and third-party dependency.

Product Security

Multi-Factor Authentication

Audit Logging

Data Security

Integrations

Passkey Support

Role-Based Access Control

Service-Level Agreement

SSO

Team Management

Product Security

Includes technical and organisational measures to secure your product, control access and manage user roles.

Reports

Vulnerability Assessment Report

Reports

Refers to technical and compliance documentation you can provide to demonstrate your security level and infrastructure.

Data Privacy

Cookies

Data Privacy

This category outlines how your organisation manages personal data and respects privacy rights. These practices demonstrate your commitment to data privacy compliance and ethical data processing.

Corporate Security

Employee Termination/Transfer

Corporate Security

This category covers organisation-level security practices, including personnel policy, training and incident response. These measures show how the human and organisational aspects of security are managed to create an overall security culture.

Policies

Awareness and Training Policy

Policies

This section contains the formal policies that steer and govern your security practices. These documents demonstrate your systematic approach to security management and form the foundation for consistent and effective security measures within your organisation.

Incident Response

Incident Reporting Process

Incident Response

This category describes how your organisation prepares for, responds to and recovers from security incidents. These processes demonstrate your ability to handle security events effectively and minimise their impact on customers and business operations.

Training

Security Awareness Training

Training

This category describes the security training and awareness programmes for your employees. These initiatives show how you build a strong security culture and ensure that staff have the knowledge to act securely and recognise security risks.

Physical & Environmental Security

Visitor Control

Physical Access Security

Physical & Environmental Security

This category covers measures for securing the physical facilities and environments where your systems are located. These controls show how you prevent unauthorised physical access and protect against environmental risks such as fire or power failure.

Information Pages