Ours Privacy

Trust Center

Welcome to Ours Privacy's Trust Center

At Ours Privacy, we understand the importance of security, privacy, compliance and transparency. That's why we take a comprehensive approach to Trust.

Whether you are a customer, prospective customer or partner, this self-serve tool enables you to complete your audits and security questionnaires. We are dedicated to consistently enhancing our Trust Center and will regularly update and review it.


Access Control and Authorization

Access granting process used

Implement a formal access granting process that ensures new access privileges are assigned based on the principle of least privilege, and require at least one employee to endorse the granting of new access.

Access management policy established

Establish systematic controls in your access management policy for managing user access rights that ensure appropriate, authorized access to systems and data while maintaining security.

Account inventory maintained

Maintain an inventory of all user accounts, including accounts on high-risk vendors, that have access to in scope systems and services. This inventory must include essential details such as account owners, access privileges, associated roles, and vendor relationships where applicable.

Dormant accounts disabled

Regularly review user accounts and disable or remove accounts that have been inactive for an extended period. Dormant accounts pose security risks as they may become targets for unauthorized access or misuse.

Employee access regularly reviewed

Establish a regular access review process to promptly remove access privileges from employees who no longer require them. This ensures that former employees or users do not retain unauthorized access to organizational resources.

MFA required for critical services

Require multi-factor authentication (MFA) for accessing critical services and infrastructure. MFA adds an extra layer of security by requiring users to provide additional authentication factors beyond their passwords.

Password management policy enforced

Strictly enforce the organization’s password management policy to guarantee compliance with security standards. Enforcing this policy includes implementing technical controls, monitoring adherence, and responding to non-compliance.

Password management policy established

Enforce a password management policy that mandates strong and complex passwords, and prohibits the reuse of previously used passwords. This policy helps protect user accounts from unauthorized access due to weak or compromised passwords.

Data Management and Protection

Data encrypted at rest

Encrypt all sensitive data when it is stored on systems or devices. Encryption of data at rest helps protect sensitive information from unauthorized access.

Data encrypted in-transit

Encrypt all data when it is transmitted over networks, both within the organization's internal network and external connections. Encryption of data in-transit helps protect sensitive information from eavesdropping and unauthorized access.

Data inventory maintained

Establish and maintain an accurate, detailed, and up-to-date inventory of all data assets. This can include data stored in databases, file shares, and cloud storage.

Data management and retention policy established

Establish a data management and retention policy, which outlines the guidelines for how long data should be retained and how it should be managed throughout its lifecycle.

Disaster Recovery

Automated backups enabled

Enable automated backups for all high-risk data and critical systems. Automated backups ensure that important data is regularly and securely backed up, reducing the risk of data loss in the event of a disaster or cyber incident.

Business continuity and disaster recovery policy established

Establish a comprehensive business continuity and disaster recovery policy that outlines the organization's strategies for responding to disruptive incidents and supporting business continuity.

Data recovery process established

Establish a data recovery process that defines procedures for recovering data in case of data loss, corruption, or system failures. A robust data recovery process helps minimize downtime and data loss in critical situations.

Disaster recovery plans tested

Regularly test the organization's disaster recovery plans to ensure their effectiveness and identify areas for improvement. Testing helps validate the ability to recover critical systems and operations in the event of a disaster.

Recovery data isolated

Isolate the recovery data from the production environment to prevent accidental overwriting or corruption of backups. Keeping recovery data separate helps maintain the integrity and availability of backup copies.

Email Security

DMARC policy and verification used

Implement and utilize DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy and verification mechanisms to prevent email spoofing and phishing attacks. DMARC helps protect the organization's email domains from unauthorized use.

Email account access restricted

Access to email accounts is restricted to administrators only, and isn't delegated to other non-admin users within the organization.

Email settings block malicious content

Email settings are configured to block malicious content, including malicious attachments, links, and scripts.

Endpoint Security

Anti-malware deployed on end-user devices

Deploy anti-malware or antivirus solutions on end-user devices, such as laptops and workstations. This provides an additional layer of protection against malware threats that may be introduced through user activities.

Data encrypted on end-user devices

Data stored on end-user devices (e.g., laptops, mobile devices) is encrypted to protect it in case of device loss or theft. Encryption adds an additional layer of security and ensures that even if the device falls into the wrong hands, the data remains inaccessible without the proper decryption key.

Firewall maintained on end-user devices

Ensure that firewalls are installed and properly maintained on end-user devices, such as laptops and workstations. End-user firewalls provide an additional layer of protection against unauthorized network traffic.

Mobile device management (MDM) used

Utilize a mobile device management (MDM) solution to manage and secure end-user devices. This allows for the protection of sensitive data, ensures device compliance, and provides device management capabilities for IT staff.

Infrastructure Security

Active discovery tools used

Utilize an active discovery tool to identify assets connected to the enterprise's network. Configure the active discovery tool to execute daily, or more frequently.

Automated security scanning performed on infrastructure

Deploy automated security scanning software (such as anti-malware or antivirus solutions, intrusion detection systems, or data breach protection) on all infrastructure components including servers and network devices. This helps detect and prevent malware infections and other malicious activities targeting critical systems.

Buckets not exposed publicly

Ensure that cloud storage buckets are not exposed to the public internet. Misconfigured public access settings can lead to unauthorized access or data exposure.

Configuration management system established

Implement a configuration management system to manage and control the configuration of systems, applications, and infrastructure. Configuration management helps maintain consistency and security across the IT environment.

Firewall restricts public access to infrastructure

Configure firewalls to restrict public access to the organization's infrastructure components. Proper firewall rules help minimize the exposure of critical systems to the public internet.

Infrastructure changes logged

Maintain a log of all infrastructure changes to track and document modifications made to critical systems and services. Logging infrastructure changes aids in audit trails, incident investigations, and accountability.

Infrastructure changes require review

Implement a review process for all proposed infrastructure changes before implementation. Reviews ensure that changes comply with security policies, do not introduce vulnerabilities, and align with the organization's requirements.

Infrastructure deployed using an infrastructure-as-code tool

Adopt an infrastructure-as-code (IaC) approach to deploy and manage the organization's infrastructure components. IaC tools enable consistent and version-controlled infrastructure deployment, reducing the risk of configuration errors.

Production deployment access restricted

Limit access to production deployment environments to authorized personnel only. This control helps prevent unauthorized changes or deployments that may disrupt critical services.

Unauthorized assets addressed and removed

Ensure that a process exists to address unauthorized assets on a periodic basis. This process should include regular audits of all assets and a procedure for handling unauthorized assets when they are discovered.

Unique production database authentication enforced

Enforce unique authentication mechanisms for accessing production databases, such as a unique username and password or SSH key.

Web Application Firewall (WAF) used

Implement a Web Application Firewall (WAF) to protect web applications from various cyber threats, such as SQL injection, cross-site scripting, and other application-layer attacks.

Monitoring and Incident Response

Audit log management process maintained

Maintain a robust and up-to-date audit log management process. This process should include guidelines for capturing, storing, and monitoring audit logs, ensuring the availability and integrity of essential security event data.

Audit logs collected

Enable the collection of audit logs from critical systems and applications. Audit logs capture essential security events and activities, providing valuable information for incident detection, investigation, and compliance purposes.

Incident response policy established

Establish an incident response policy that outlines the organization's approach and procedures for detecting, responding to, and recovering from cybersecurity incidents.

Infrastructure performance monitored

Monitor the performance of the organization's infrastructure components to ensure optimal operation and detect potential issues or anomalies that may impact security or reliability.

Log management used

Implement a centralized log management solution to collect, store, and analyze logs from various systems and applications. Centralized log management simplifies log review, correlation, and monitoring for potential security incidents.

Network infrastructure monitored

Implement monitoring mechanisms for the network infrastructure to detect and respond to suspicious or unauthorized activities. Network monitoring helps ensure the integrity and availability of network resources.

Organizational Security

Acceptable use policy established

Establish and maintain an acceptable use policy that outlines permissible activities, systems, and data access for all users, contractors, and third parties interacting with the organization's information assets and technologies.

Asset inventory maintained

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data. This can include end-user devices, network devices, IoT devices, and servers.

Asset management policy established

Establish an asset management policy that outlines the guidelines for managing the organization's assets throughout their lifecycle.

Code of conduct established

Establish a code of conduct that outlines the expected behavior and ethical standards for all employees. A code of conduct helps promote a positive work environment and fosters a culture of integrity.

Company commitments externally communicated

Externally communicate key company commitments and policies, including the Master Service Agreement (MSA), Security Information page, and Terms of Service. External communication provides customers with important contractual and security information.

Confidentiality Agreement acknowledged by employees

All employees have acknowledged and signed a confidentiality agreement. This agreement reinforces the commitment to safeguarding sensitive information and trade secrets.

Data-flow diagrams maintained

Create and maintain up-to-date data-flow diagram(s) that show all account data flows across systems and networks, updating them as needed when changes occur in the environment. Begin by creating a diagram that captures all systems and networks handling data in your environment. Map out data flows, including entry and exit points, processing steps, storage locations, and transmission paths. Note that a single diagram may be sufficient, depending on your context. Once your initial diagrams are complete, establish a maintenance process. Assign responsibility for updates, create a straightforward procedure for incorporating changes, and set a regular review schedule (e.g., quarterly). When updating the diagram, document the changes, including dates and approvers. Finally, make sure your team is trained in using and maintaining the diagram to maximize its effectiveness as a security tool.

Employee background checks performed

Conduct thorough background checks on potential employees to verify their identity, employment history, education, and criminal record. Background checks help ensure the suitability and integrity of candidates.

External support resources available (i.e., documentation)

Provide external support resources, such as documentation, user guides, and knowledge bases, to assist users in utilizing the organization's services effectively. Accessible support resources promote self-service and reduce support requests.

Offboarding process established

Establish an offboarding process for departing employees to ensure that they return all company assets and are removed from relevant systems and accounts.

Onboarding process established

Establish an onboarding process for new employees to ensure that they are properly trained and equipped to perform their job responsibilities. Onboarding helps new employees integrate into the organization and become productive quickly.

Performance evaluations conducted

Conduct regular performance evaluations for employees to assess their job performance, identify areas for improvement, and recognize exceptional contributions. Performance evaluations support talent development and performance management.

Physical access restricted

Restrict physical access to the organization's facilities, equipment, and systems to authorized personnel only.

Policies signed by relevant personnel

This control ensures everyone formally acknowledges and understands security policies, creating a clear record of their commitment to protect organizational assets and establishing accountability for security responsibilities.

Reference checks performed for employees

Conduct reference checks when hiring new employees to verify their qualifications, experience, and suitability for the role. Reference checks help ensure that candidates have a track record of honesty and reliability.

Roles and responsibilities specified

Clearly define roles and responsibilities for all employees within the organization. Specifying roles helps establish accountability and ensures that employees understand their duties and expectations.

Security awareness training conducted

Provide regular security awareness training to all employees to educate them about various cybersecurity threats and best practices. Security awareness training promotes a security-conscious culture within the organization. Security awareness training should include training on recognizing and mitigating social engineering attacks, authentication best practices, such as password hygiene and multi-factor authentication (MFA), and best practices for handling and protecting sensitive data.

Service description communicated

Communicate clear and detailed service descriptions to customers or users, outlining the scope, features, and limitations of the services provided. Service descriptions set appropriate expectations and promote transparency.

Software development lifecycle established

Implement a well-defined and documented development lifecycle for software and applications. A structured development lifecycle supports secure coding practices, quality assurance, and timely software releases.

System changes externally communicated

Communicate relevant system changes, updates, or maintenance activities to external users or customers who may be impacted. External communication helps manage expectations and maintain transparency.

System changes internally communicated

Ensure that system changes, updates, and maintenance activities are communicated internally to relevant teams and stakeholders. Internal communication helps coordinate efforts and minimize potential disruptions.

Risk Management

Risk assessments performed

Conduct regular risk assessments to identify and evaluate potential threats and vulnerabilities that could impact the organization's assets. Risk assessments help prioritize security efforts and inform risk mitigation strategies.

Risk management policy established

Develop and implement a risk management policy that outlines the organization's approach to identifying, assessing, and mitigating information security risks.

Vendor inventory maintained

Maintain an accurate and up-to-date inventory of all vendors that the organization engages with. The inventory should include details such as the services provided, contract details, and the scope of access they have.

Vendor management program established

Implement a vendor management program to assess, monitor, and manage the risks associated with third-party vendors. The program ensures that external partners meet security and compliance standards.

Vulnerability Management

Automated software patch management performed

Automate the process of deploying software patches and updates to systems and applications. Automated patch management helps ensure that critical security patches are applied promptly to address known vulnerabilities.

Penetration testing findings remediated

Remediate vulnerabilities identified during penetration testing. Prompt remediation helps address security gaps and prevent potential exploitation.

Penetration testing performed

Conduct regular penetration testing to identify potential vulnerabilities in the organization's systems, applications, and infrastructure. Penetration testing simulates real-world attacks to evaluate the effectiveness of existing security measures.

Vulnerabilities remediated

Detected vulnerabilities are promptly remediated to minimize the risk of exploitation. This includes establishing clear protocols for prioritizing vulnerabilities based on severity and ensuring timely resolution of critical security issues.

Vulnerabilities scanned

Regular vulnerability scans are conducted on systems and applications to identify potential security flaws. This includes automated scanning tools that systematically examine infrastructure, applications, and code repositories for known vulnerabilities.

Vulnerability management policy acknowledged by employees

All employees have acknowledged and agreed to the vulnerability management policy. This policy outlines the procedures for identifying, assessing, and remediating vulnerabilities in the organization's systems and applications.

Vulnerability management policy established

Establish a vulnerability management policy that outlines the procedures for identifying, assessing, and remediating vulnerabilities in the organization's systems and applications.