Protect enterprise information to maintain the level of information security risk acceptable to the enterprise in accordance with the security policy. Establish and maintain information security roles and access privileges and perform security monitoring.
Minimize the business impact of operational information security vulnerabilities and incidents.
Protect Against Malware
Communicate malicious software awareness and enforce prevention procedures and responsibilities.
Install and activate malicious software protection tools on all processing facilities, with malicious software definition files that are updated as required (automatically or semi-automatically).
Distribute all protection software centrally (version and patch-level) using centralized configuration and change management.
Regularly review and evaluate information on new potential threats (e.g., reviewing vendors’ products and services security advisories).
Filter incoming traffic, such as email and downloads, to protect against unsolicited information (e.g., spyware, phishing emails).
Conduct periodic training about malware in email and Internet usage. Train users to not install shared or unapproved software.
Manage Network and Connectivity Security
Based on risk assessments and business requirements, establish and maintain a policy for security of connectivity.
Manage Endpoint Security
Securely configure operating systems.
Implement device lockdown mechanisms.
Encrypt information in storage according to its classification.
Manage remote access and control.
Securely manage network configuration.
Implement network traffic filtering on endpoint devices.
Protect system integrity.
Provide physical protection of endpoint devices.
Dispose of endpoint devices securely.
Manage User Identity and Logical Access
Manage Physical Access to IT Assets
Manage the requesting and granting of access to the computing facilities. Formal access requests are to be completed and authorized by the management of the IT site, and the request records retained. The forms should specifically identify the areas to which the individual is granted access.
Ensure that access profiles remain current. Base access to IT sites (server rooms, buildings, areas, or zones) on job functions and responsibilities.
Log and monitor all entry points to IT sites. Register all visitors, including contractors and vendors, to the site.
Instruct all personnel to display visible identification at all times. Prevent the issuance of identity cards or badges without proper authorization.
Require visitors to be escorted at all times while on-site. If an unaccompanied, unfamiliar individual who is not wearing staff identification is identified, alert security personnel.
Restrict access to sensitive IT sites by establishing perimeter restrictions, such as fences, walls, and security devices on the interior and exterior doors. Ensure that the devices record entry and trigger an alarm in the event of unauthorized access. Examples of such devices include badges or key cards, keypads, closed-circuit television, and biometric scanners.
Conduct regular physical security awareness training.
Manage Sensitive Documents and Output Devices
Establish procedures to govern the receipt, use, removal, and disposal of special forms and output devices into, within, and out of the enterprise.
Assign access privileges to sensitive documents and output devices based on the least-privilege principle, balancing risk and business requirements.
Establish an inventory of sensitive documents and output devices, and conduct regular reconciliations.
Establish appropriate physical safeguards over special forms and sensitive devices.
Destroy sensitive information and protect output devices (e.g., degaussing of electronic media, physical destruction of memory devices, making shredders or locked paper baskets available to destroy special forms and other confidential papers).
Monitor the Infrastructure for Security-Related Events
Log security-related events reported by infrastructure security monitoring tools, identifying the level of information to be recorded based on a consideration of risk. Retain them for an appropriate period to assist in future investigations.
Define and communicate the nature and characteristics of potential security-related incidents so they can be easily recognized and their impacts understood to enable a commensurate response.
Regularly review the event logs for potential incidents.
Maintain a procedure for evidence collection in line with local forensic evidence rules and ensure that all staff are made aware of the requirements.
Ensure that security incident tickets are created in a timely manner when monitoring identifies potential security incidents.
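The monitoring practices above (log security events and retain them for a defined period, define the characteristics of potential incidents so they are recognized, review the logs regularly, collect evidence, and open a ticket promptly when a potential incident is found) shown as one review cycle in Python. This is an added example, not part of the original document; the log format, the sample log lines, the 90-day retention period, the failed-login threshold and window, and the rule names are all assumptions made for the example.

```python
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not from any real system). Format:
# "<ISO-8601 timestamp> <source> <action> key=value ..."
SAMPLE_LOG = """\
2024-03-01T09:00:01Z auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:03Z auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:05Z auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:07Z auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:09Z auth FAIL user=alice src=10.0.0.5
2024-03-01T09:00:11Z auth OK user=alice src=10.0.0.5
2024-03-01T09:05:00Z av DETECT host=ws17 signature=EXAMPLE.Generic
2024-03-01T09:10:00Z auth OK user=bob src=10.0.0.9
2023-11-01T10:00:00Z auth FAIL user=carol src=10.0.0.7
"""

REVIEW_TIME = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now"
RETENTION_DAYS = 90                          # assumed retention period
FAILED_LOGIN_THRESHOLD = 5                   # assumed incident characteristic
FAILED_LOGIN_WINDOW = timedelta(minutes=5)   # assumed incident characteristic


@dataclass
class Event:
    ts: datetime
    source: str
    action: str
    fields: dict[str, str]
    raw: str  # kept verbatim so a ticket can carry the original evidence


@dataclass
class Ticket:
    ticket_id: int
    rule: str
    severity: str
    summary: str
    evidence: list[str] = field(default_factory=list)


def parse_events(text: str) -> list[Event]:
    """Turn log lines into Event records, preserving the raw line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, action, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(when, source, action, fields, line))
    return events


def apply_retention(events: list[Event], now: datetime,
                    retain_days: int = RETENTION_DAYS) -> list[Event]:
    """Keep only events inside the retention period."""
    cutoff = now - timedelta(days=retain_days)
    return [e for e in events if e.ts >= cutoff]


def review_events(events: list[Event]) -> list[Ticket]:
    """Apply the defined incident characteristics; open one ticket per match."""
    tickets: list[Ticket] = []
    ordered = sorted(events, key=lambda e: e.ts)

    # Characteristic 1: repeated auth failures for one user from one source
    # inside the window; a later success for the same pair raises severity.
    failures = defaultdict(list)
    success_after = {}
    for e in ordered:
        if e.source != "auth":
            continue
        key = (e.fields.get("user"), e.fields.get("src"))
        if e.action == "FAIL":
            failures[key].append(e)
        elif e.action == "OK" and len(failures.get(key, [])) >= FAILED_LOGIN_THRESHOLD:
            success_after.setdefault(key, e)
    n = FAILED_LOGIN_THRESHOLD
    for key, evs in failures.items():
        if not any(evs[i + n - 1].ts - evs[i].ts <= FAILED_LOGIN_WINDOW
                   for i in range(len(evs) - n + 1)):
            continue
        evidence = [e.raw for e in evs]
        severity = "medium"
        if key in success_after:
            evidence.append(success_after[key].raw)
            severity = "high"
        tickets.append(Ticket(len(tickets) + 1, "repeated_auth_failure", severity,
                              f"{len(evs)} failed logins for user={key[0]} from src={key[1]}",
                              evidence))

    # Characteristic 2: any detection reported by the malware protection tool.
    for e in ordered:
        if e.source == "av" and e.action == "DETECT":
            tickets.append(Ticket(len(tickets) + 1, "malware_detected", "high",
                                  f"malware detected on host={e.fields.get('host')}", [e.raw]))
    return tickets


def run_review(log_text: str = SAMPLE_LOG, now: datetime = REVIEW_TIME) -> list[Ticket]:
    """One review cycle: parse, enforce retention, review, return tickets raised."""
    return review_events(apply_retention(parse_events(log_text), now))


if __name__ == "__main__":
    for t in run_review():
        print(f"#{t.ticket_id} [{t.severity}] {t.rule}: {t.summary} "
              f"({len(t.evidence)} evidence lines)")
```

Each ticket carries the raw log lines that triggered it, which is what an evidence-collection procedure needs; events outside the retention period (the 2023 line in the sample) are dropped before review, so the period chosen directly limits what a later investigation can reconstruct.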