Title
Description
Inventory Control (Hardware) Maintain an Asset Register
Create an asset register, recording details such as; serial number, MAC address, delegated owner, and date of use etc.
Asset Management Tool
Employ a tool that will automatically recognise devices connected on the network and flag new unidentified ones.
Network Access Control
Ensure a level of control on what devices can connect to the network by setting up and configuring port level access control.
Inventory Control (Software) Maintain a Software Register
Create a software register, recording details of all approved applications installed on the network and their intended use.
Software Management Tool
Employ a tool that will record the name, version and author of,all applications installed on the network that have been verified.
Administrative Privileges Maintain Accounts Register
Employ a tool that will record all accounts with administrative privleges and ensure they are for authorised personel only.
Password Security
Employ a password management tool that will create robust passwords for users with a predefined alphanumeric character set.
Two-Factor Authentication
Where possible, enable two-factor authentication for all adminstrative accounts.
End Devices Configuration
Keep an up to date set of security standards for all software approved on the network and how they should be configured.
Management Tool
Implement a management tool that will periodically scan the network and update configuration settings on devices if necessary.
Monitoring & Audit Audit Control
Enable automated logging on inter-connected network devices to ensure a clear audit trail.
Log Management
Implement a system that records and stores logs of unexpected changes available for ongoing review and monitoring.
Email & Web Domain Name System
Deploy a DNS service that will blacklist specific domains known to host malicious content.
URL Log
Maintain a log of all websites visted by users on all devices to monitor and identify activity that may pose a security risk.
Scripting Languages
Disable scripting languages such as JavaScript from automatically running within web browser and email clients by default.
File Types
Certain file types known to be a risk should automatically be blocked or flagged when entering the network through the email server.
Malware Anti-Malware Software
Ensure the company's anti-malware software receives uninterepted updates to its signature database.
Removable Devices
Automatically scan removable media when connected to a network workstation.
Appendix ii
Information Security Framework
Title
Description
Disable Auto-Run
Manage devices to prevent them from running content automatically such as removable media.
Network Services Scanning
Ensure vulnerable open ports on the network are automatically identified and flagged using a scanning tool used for detecting them.
Ports & Services
Ensure the system is configured to run only the necessary protocols, ports and services. Disabling those that cause a vulnerability.
Firewall
Configure default and custom rules on what traffic is permitted and what is not across various ports.
Data Recovery Data Backup
Ensure all system data is backed at regular intervals using automated software.
System Backup
Ensure key systems are backed fully to allow the recovery of an entire system.
Offline Backup
Ensure at least one offline backup location that is not connected or dependent to the network.
Network Devices Configuration of Network Devices
Maintain a set of configuration standards for authorised network devices.
Configuration Rules for Traffic
All configuration rules allowing traffic to access the network should be documented in a configuration manual.
Two-Factor Authentication
Manage all portable and personal network devices to ensure the use of two-factor authentication and data encryption .
Intrusion Detection IP Addresses
A database of trusted and untrusted IP addresses should be used to blacklist those not authorised to establish a communication.
Unauthorised Ports
Incoming traffic targetting vulnerable ports on the network should be detected and blocked at source.
Remote Login
Two-factor authentication should be required for all staff connecting to the network from a remote location.
Data Protection Cloud Storage
Ensure authorised cloud storage providers are verified and trusted before storing data on an third party platform.
Portable Devices
A register of portable devices should be in place to permit or deny the use of storage devices on the network.
Access Control Encryption
Ensure all private data being shared on the network is encrypted using a strong algorithm.
Access Control Register
Ensure access control lists are in place to limit the unautorised use of sensitive resources including applications, file repositories and system files.
Wireless Access Control
Appendix ii
Information Security Framework
Title
Description
Wireless Access Register
Maintain an inventory of authorised wireless access points connected to the wired network.
Encryption
Ensure all private data being shared on the network is encrypted using a strong algorithm such AES.
Separate Wireless Networks
Implement a dedicated wireless network for guest and personal use that allows clients to connect to while on site.
Account Monitoring Workstation Sessions
Configure devices to be locked automatically and require the user to login again to continue a session after an idle period.
Two-Factor Authentication
Enable two-factor authentication for all users accessing web-based accounts.
Inactive Accounts
Deactivate or terminate accounts of users no longer employed by the company.
Staff Training Programme Sensitive Data
Train staff on how to handle senstive data and ensure they are aware of the risks involved in not doing so.
Social Engineering
Prepare staff on how to recognise and defend against various phishing scams by phone, email, online and in person.
Security Awareness
Implement a risk awareness programme for all staff to undertake with content specific to their role in the organisation. To be completed and updated annualy to ensure staff have the relevant knowledge and understanding of the ongoing threats.
Application Security Firewall
Invest in a reputable web application firewall to help protect the network from various forms of attacks on the web server.
Software
Ensure all applications deployed on the network are up to date and receiving ongoing security fixes by the software developer.
Encryption
Use only industry standard and trusted encryption algorithms such as AES that offer the strongest level of security in protecting data .
Incident Management Planning
A system should be in place to identify roles of responsibilty and set out procedures of how incidents are to be reported/handled.
Penetration Testing Testing Programme
A programme should be introduced that demonstrates the threat of various kinds of network attacks and any relevant evasive action.
Testing Tools
Softwate tools should be used as a means of assessing vulnerabilituies on the network and help focus efforts on the findings.
Appendix ii
Information Security Framework