Items not marked with a *: applicable only to internal IT.
Items marked with a *: applicable to both customers and internal IT.
- Security:
- [MANDATORY] No empty/default passwords. *
- [HIGH] Theft-protection of mobile equipment containing data, e.g. corporate laptops/phones (e.g. full-disk encryption)
- [MEDIUM] Only allow access to the company VPN from trusted equipment (e.g. corporate laptops).
- [MEDIUM] Encryption/lock-down as needed of company folders and registry keys created by custom installers (file-system / registry permissions) *
- Software:
- [HIGH] Signing of own binaries/installers/scripts *
- [HIGH] Follow 3rd-party security bulletins (by a designated responsible person) *
- [MEDIUM] Versioning of configuration changes *
- [MEDIUM] Tamper protection of configuration & database changes (fingerprint hashes, checked against a baseline that the monitored system itself cannot rewrite) *
- [MEDIUM] Supervised security patching on servers instead of "automatic updates" *
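Worked example for the tamper-protection item above, added here as an illustration; it is not code from the original checklist or from any product it describes. It fingerprints every file under a configuration directory with SHA-256, authenticates the resulting manifest with an HMAC so that an attacker who can edit the files cannot also regenerate a matching baseline, and reports changed, added and removed files. The directory layout, file contents and key are constructed for the demo; in practice the key and the baseline manifest are kept where the monitored host cannot write them.

```python
"""Tamper detection for configuration files with fingerprint hashes.

Added example, not part of the original checklist. Assumes the baseline
key is held by the operator outside the monitored system; all paths,
contents and the key below are constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile

HASH = "sha256"


def fingerprint_file(path, chunk=65536):
    """SHA-256 of a file's contents, streamed so large exports fit in memory."""
    h = hashlib.new(HASH)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root, key):
    """Map relative path -> digest for every file under root and authenticate
    the whole mapping with an HMAC: an attacker who can edit the files but
    lacks the key cannot produce a baseline that matches the edited state."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            entries[rel] = fingerprint_file(full)
    body = json.dumps(entries, sort_keys=True, separators=(",", ":"))
    tag = hmac.new(key, body.encode(), HASH).hexdigest()
    return {"files": entries, "mac": tag}


def verify_manifest(root, manifest, key):
    """Return (manifest_authentic, changed, added, removed)."""
    body = json.dumps(manifest["files"], sort_keys=True, separators=(",", ":"))
    expected = hmac.new(key, body.encode(), HASH).hexdigest()
    authentic = hmac.compare_digest(expected, manifest["mac"])
    current = build_manifest(root, key)["files"]
    baseline = manifest["files"]
    changed = sorted(p for p in baseline if p in current and current[p] != baseline[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return authentic, changed, added, removed


def demo():
    """Constructed scenario: take a baseline of two config files, then modify
    one, drop in a new one, and finally forge the manifest to hide the edit."""
    key = b"operator-held-baseline-key"  # constructed; never stored on the monitored host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "app.ini"), "w") as f:
            f.write("[db]\nhost=db01\n")
        with open(os.path.join(root, "etc", "users.csv"), "w") as f:
            f.write("alice,operator\n")
        manifest = build_manifest(root, key)

        clean = verify_manifest(root, manifest, key)

        # unauthorized configuration change plus a dropped-in file
        with open(os.path.join(root, "etc", "app.ini"), "a") as f:
            f.write("host=attacker\n")
        with open(os.path.join(root, "etc", "backdoor.ini"), "w") as f:
            f.write("x\n")
        drift = verify_manifest(root, manifest, key)

        # attacker rewrites the baseline digest to hide the change; the MAC
        # no longer verifies because the key was never on this host
        forged = json.loads(json.dumps(manifest))
        forged["files"]["etc/app.ini"] = fingerprint_file(os.path.join(root, "etc", "app.ini"))
        forged_result = verify_manifest(root, forged, key)
    return clean, drift, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "drift", "forged"), demo()):
        print(label, result)
```

Running the module prints the three outcomes: a clean check, a detected change plus an added file, and a forged manifest rejected because its HMAC no longer verifies. Database changes can be covered the same way by fingerprinting a deterministic export (for example a sorted dump of the tables in scope) taken on a schedule.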
- Virus/Malware protection:
- [MANDATORY] Company-wide enforced real-time anti-virus protection
- [MANDATORY] Only allow trusted equipment on the LAN (no smartphones on the Wi-Fi LAN)
- [HIGH] Virus-scan on file servers & wikis
- [HIGH] Virus-scan on every incoming e-mail
- [HIGH] Separate DMZ for non-trusted equipment (BYOD, supplier/customer equipment, test platform, ...)
- Operational:
- [MANDATORY] No shared credentials/passwords (individual authentication of everyone who can access or change the system) *
- [MANDATORY] When somebody leaves the company, any shared credentials he/she had access to MUST be changed *
- [MANDATORY] Physical security (e.g. locked computer room) *
- [MANDATORY] Logbook / intervention reports *
- [HIGH] NT-security (Windows integrated authentication, single sign-on) on own software *
- [HIGH] NT-security for all operational actions (dedicated accounts) + single sign-on *
- [HIGH] Auditing of operational actions *
- [HIGH] Auditing of user actions *
- [MEDIUM] List of approved software *
- [MEDIUM] Other policies (e.g. connecting personal USB sticks) *
- Storage:
- [HIGH] Custom stored passwords: salted one-way hashing (irreversible); never reversible encryption *
- [LOW] Audit of logging *
- Privacy:
- [HIGH] Up-to-date documentation of non-system data (storage & transfers) *
- [MEDIUM] Custom stored sensitive data (e.g. credit card info): two-way encryption, with the keys kept separate from the encrypted data *
- [MEDIUM] Auditing of data access *
- External communication: (outside company/customer network)
- [HIGH] Webservice APIs: HTTPS instead of HTTP *
- [LOW] Support for signed and/or encrypted e-mails containing test results / test reports *
- [MEDIUM] External VoIP traffic: SIPS / SRTP (SIP signalling over TLS and encrypted RTP media, instead of plain SIP/RTP) *
- Internal communication: (inside company/customer network)
- [MEDIUM] Strong transport security (SSL/TLS) *
- [MEDIUM] Webservice APIs: HTTPS instead of HTTP *
- [LOW] Internal VoIP traffic: SIPS / SRTP *
- Legal & Risk:
- [MANDATORY] Automated off-site backup, periodical restore dry-run *
- [HIGH] Periodical disaster dry-run (set-up of a shadow system with all server-side components) *
- [HIGH] No commercially restricted freeware/shareware (e.g. WinRAR, WinZip, ...) *
- [HIGH] Up-to-date documentation of 3rd-party components/sources with their licenses *
- [HIGH] Ensure virus-scan on all outgoing software (own software that will be installed at and/or by customers)
- [MEDIUM] Periodical internal escrow of all software used at the top 80% of customers