The company’s systems, networks and devices must be secured so that the company reduces the likelihood of incidents arising from the most common threats.
The goal is both to reduce the risk of attacks and data breaches and to enable the company to detect, contain and mitigate their consequences quickly and efficiently, and to restore important data and systems when a breach or attack does occur.
3.1 Network security and encryption
The company’s network should be protected. External access to the company’s systems should only be possible over an encrypted connection. Employees should only be able to gain access to the company’s systems via a secure internet connection.
3.1.1 Protection of administrative interfaces, networks and devices
3.1.2 Encryption of external network access
3.2 Correct configuration
The company should ensure that IT systems, services, network components, devices and software are securely configured. Default functionality should be reduced to the minimum needed, and systems should only provide the services that are essential to their specific purpose.
3.2.1 Setup and maintenance of correct configuration
3.3 User access management
The company should ensure that administrator accounts are only assigned to authorised persons. Administrative user accounts should only be assigned where absolutely necessary, as misuse of an administrator account could have serious consequences.
3.3.1 Protection of user access and privileged access rights
3.4 Protection against malware
The company shall prevent malware or virus infection of its devices and IT systems, so that unauthorised persons cannot gain unlawful access to them, e.g. to carry out criminal acts.
3.4.1 Implementation of protection mechanisms against malware
3.4.2 Protection against unwanted e-mails
3.5 Continuous updating of software and operating systems
The company should ensure that IT systems, network components, devices and software are not left vulnerable to known security flaws for which updates are available.
3.5.1 Continuous updating of software and operating systems
3.6 Protection against loss of important and confidential data
The company should take backups of any data that is confidential and important to its operations. The company should also ensure that this data can be quickly and effectively restored to production using a procedure that is tested and corrected on a regular basis.
3.6.1 Procedure for automatic and regular backup
3.7 Logging and monitoring of system activity
The company should monitor business-critical systems and security controls. This includes a requirement to review and retain log data.
3.7.1 Logging and monitoring of system activity