Controls

NIST Risk Management Framework Control Library:
Framework for Improving Critical Infrastructure Cybersecurity, Version 1.1 (nist.gov)

Information Security Manual (ISM):
Information Security Manual (ISM)

Mitre:
Mitre Tactics
Requirements: Requirements

Requirements - Standard Set of Requirements


Test: Test

Test - The purpose of the cyber security guidelines within the Information Security Manual (ISM) is to provide practical guidance on how an organisation can protect its information technology and operational technology systems, applications and data from cyber threats.

Principles: Principles

Principles - Security Principles are the fundamental guidelines and best practices designed to protect information systems and data from threats and vulnerabilities.


R-01: Data

Data - Must be able to implement or support protection for data at-rest and data in-transit, data sanitisation controls, secure data sharing and data disposal methods to prevent unauthorised access, disclosure or modification of all instances (including copies, backups and archives) of classified data or documents.


R-02: Identity

Identity - Must be able to provide or support user identity and access management, including support for secure authentication methods, Multi-Factor Authentication (MFA) and a strong user account and password policy.

R-03: Identity; Authorisation

Identity; Authorisation - Must be able to implement or support Role Based (RBAC) and/or Attribute or Context Based access controls for user access authorisation (privilege management) and provide a method to audit and report on user access and privilege status.

R-04: Identity; Privileged User Access Management

Identity; Privileged User Access Management - Must provide or support the implementation of a Secure Administration and Privileged User Access Management (PAM) method including for secure remote access methods.

R-05: Encryption

Encryption - Must provide or support a method for managing and protecting cryptographic keys, certificates, application secrets and service account and cloud tenancy passwords that are used to secure data and platforms.

R-06: Application; Platform

Application; Platform - Application and platform components (i.e. web/cloud applications, workstation/server applications, mobile applications and operating systems) must be securely developed, configured, hardened and maintained including authenticating critical inter-component and external connections to prevent unauthorised access or impact from threats.

R-07: Database

Database - Database Systems must be protected using industry recommended security controls and hardening practices.

R-08: Device Management

Device Management - Must be able to provide or support a method to authenticate, validate and control devices connecting to the product or service including mobile devices, personal computing devices and external storage devices.

R-09: Vulnerabilities

Vulnerabilities - Must be able to routinely identify technical vulnerabilities of application and platform components and timely apply the necessary security patches and updates and have continuous security awareness and training for staff on threats, product security and good security practices.


R-10: Malware

Malware - Must be able to protect product or service platform and infrastructure components from malware, unauthorised mobile code and other similar threats.

R-11: Logging; Monitoring; Alerting

Logging; Monitoring; Alerting - Must support continuous logging, auditing and monitoring of crucial application and platform level security events, user events and critical application or data transactions, including:

- Supporting connectivity to a continuous Security Event Monitoring service (e.g. SIEM);
- Having the ability to retain and protect audit, system and security logs.

R-12: Incident Management

Incident Management - Must have arrangements to respond to, contain, investigate and manage security incidents, including agreed breach notification procedures.

R-13: Service Resiliency

Service Resiliency - Must be able to meet recovery, service continuity and high-availability/resiliency requirements including establishing recovery objectives and support arrangements to meet operational, regulatory or legal requirements.

R-14: Infrastructure

Infrastructure - Must be able to provide network protection controls and secure communication services such as firewalling, secure gateways, proxy services and wireless network controls (if used) and use network access control lists to protect exposed product or service components from external and internal threats.

R-15: Asset Management

Asset Management - Must be able to support a capability to manage technical assets and maintain and validate technical security configuration baselines (for hardware and software on servers, workstations, networks and mobile devices) and must follow controlled change management procedures for applications, platform and network infrastructure.

R-16: Messaging

Messaging - If used, web browsers and/or the classified content in email or messaging services must be protected using industry recommended methods and use secure messaging infrastructure.

R-17: Governance; Risk

Governance; Risk - Must demonstrate adequate governance and processes in place to manage security risks to data, products and services, including threats from sub-contractors, partners and related third parties.

R-18: Physical Security

Physical Security - Must be able to demonstrate adequate Physical Security and Environmental Protection for data and product components.

R-23: Mobile Application

Mobile Application - Ensure security measures and practices are implemented to protect mobile applications from threats and vulnerabilities that could compromise the confidentiality, integrity, and availability of the application and its data.


R-19: API

API - Must ensure Application Programming Interfaces (APIs) incorporate protection controls to safeguard them from internal and external threats.


R-20: Integration

Integration - Ensure the security and integrity of systems and data when integrating different applications or services.

R-21: Breach

Breach - Establish a comprehensive control mechanism to manage and mitigate the impact of security breaches, ensuring the protection of sensitive data and maintaining the integrity of the organisation's systems.

R-22: Public Storage

Public Storage - When considering guidelines for blob storage, it is essential to focus on both security and efficient management.
