Access Control: Minimises the potential damage from a misused or stolen staff account by granting permissions on a least-privilege basis; extra permissions are given on request.
Accountability and Governance: Demonstration of GDPR compliance by implementing data protection measures and safeguards that reduce the risks to people's privacy in an organisation.
Administrative Accounts: Privileged user accounts with access to sensitive information, applications and computers within an organisation, resulting in a high risk of attack.
Asset Management: Identification and classification of all data, people and systems (assets) needed for the delivery, maintenance or support of networks and information systems.
Assurance: Gaining confidence in the effectiveness of the security of technology, people and processes relevant to essential functions.
Backups: You hold accessible and secured current backups of the data and information needed to recover operation of your essential function.
Board Direction: You have effective organisational security management led at board level and articulated clearly in corresponding policies.
Build and Maintain a Secure Network and Systems: Ensure networks and systems are built and secured in a secure manner.
Communications security: Prevention of unauthorised access to telecommunications traffic and written information, including encryption and physical protection.
Compliance: Compliance with legal requirements, security policies and standards, technical compliance and audit considerations.
Cryptography: Processes and technologies involved in the encryption and key management used to protect an organisation's information.
Cyber Security Culture: Developing and pursuing a positive cyber security culture, led by board example.
Cyber Security Training: Employment of a range of approaches to cyber security training, awareness and communication for people supporting the operation of the essential function.
Data Security: Protection against unauthorised modification, destruction or disclosure of data through physical and logical access controls.
Data security, international transfers and breaches: Security measures to protect personal data, procedures for reporting data breaches and restrictions on transfers outwith the EU.
Data in Transit: Protection of data in transit, including the transfer of data to third parties, through a combination of network protection and encryption.
Decision-making: Restrictions on making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on individuals.
Design for Resilience: Designing network and information systems to be resilient to cyber security incidents by segregating systems and mitigating resource limitations.
Device Management: Understanding and trusting the devices used to access the networks, information systems and data that support an organisation's function.
Education and Training: Education on cyber security risks and risk-mitigating behaviours, and supporting staff to make a positive contribution to cyber security.
External Communications: Transmission of information between an organisation and another person or entity outwith the internal environment.
Firewalls: A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules.
Generating Alerts: Defining rules within information security monitoring systems which trigger alerts where suspicious activity is identified.
Human resource security: Processes to ensure employees are qualified for and understand their roles and responsibilities, and that access is removed once employment is terminated.
Identifying Security Incidents: Implementation of monitoring tools to detect security events, incidents and weaknesses consistently.
Identity and Access Control: Understanding, documenting and controlling access to networks and information systems supporting essential functions.
Identity and Access Management: Policies, processes and systems which enable the right individuals to access the right resources at the right time.
Implement Strong Access Control Measures: Systems and processes must be in place to limit access based on need to know and according to job responsibilities.
Incident Root Cause Analysis: Discovering the underlying or systemic causes of an information security incident.
Individuals' rights: The policies, processes and technologies used within an organisation to detect alerts, events and warnings which lead to a security incident.
Information security aspects of business continuity management: Identification of vulnerabilities, priorities, dependencies and plans to facilitate continuity and recovery before, during and after disruption.
Information security incident management: Procedures to manage (report, assess, respond to and learn from) security events, incidents and weaknesses consistently.
Information security policies: A set of policies to clarify an organisation's direction of, and support for, information security, including a top-level information security policy.
Internal Processes: Processes defined and conducted internally to protect the confidentiality, integrity and availability of an organisation's data.
Lawfulness, fairness and transparency: GDPR principle that requires personal data to be processed in a lawful, fair and transparent manner in relation to the subjects of the data held.
Maintain a Vulnerability Management Program: Anti-virus software must be used on all systems commonly affected by malware.
Maintain an Information Security Policy: A strong security policy sets the security tone for the whole entity and informs personnel what is expected of them.
Malware protection: Minimising the risk of malware through processes and technologies including anti-malware software, application whitelisting and application sandboxing.
Media / Equipment Sanitisation: Appropriate sanitisation of media and equipment holding data important to the operation of an organisation's essential function.
Mobile Data: Protecting data important to the operation of the essential function on mobile devices, through policies and protection technologies including MDM.
Monitoring Coverage: Data sources used for monitoring allow for timely identification of security events which might affect the operation of the essential function.
Monitoring Tools and Skills: Monitoring staff skills, tools and roles against governance and reporting requirements, threats and network complexities.
Office Firewalls and Internet Gateways: Configuration of boundary firewalls and internet gateways to prevent unauthorised access and protect against cyber threats through firewall rules.
Operations security: Procedures for the correct and secure operation of processing facilities, including change and capacity management and separation of environments.
Organisation of information security: The assignment of responsibilities for managing information security within the organisation and the information accessed by external parties.
Patch management: Keeping information systems and network devices up to date and secure by acquiring, testing and installing patches.
Physical and environmental security: Measures implemented to control physical premises and equipment and protect against physical threats including access, damage and interference.
Policy and Process
Policy and Process Development: Development of the security processes and policies within an organisation to protect the confidentiality, availability and integrity of assets.
Policy and Process Implementation: Successful implementation of security policies and processes, with the ability to demonstrate the security benefits achieved.
Privileged User Management: Managing privileged user access to networks and information systems through access control policies, processes and technologies.
Proactive Attack Discovery: Detecting anomalous events in relevant network and information systems to discover attack attempts.
Protect Cardholder Data: Protection methods such as encryption, truncation, masking and hashing are critical components of cardholder data protection.
Regularly Monitor and Test Networks: Logging mechanisms and the ability to track user activities are critical in preventing, detecting or minimising the impact of a data compromise.
Resilience Preparation: The activities and processes designed to build resilience capabilities for protecting against a cyber security attack.
Response and Recovery Capability: Implementing incident management and mitigation processes to allow recovery from a cyber attack.
Response Plan: An up-to-date incident response plan based on a thorough risk assessment that takes account of essential functions and covers a range of scenarios.
Risk Management Process: Identification and assessment of security risks, and the governance and technical processes within an organisation to manage these risks.
Roles and Responsibilities: Roles and responsibilities for all levels of security of networks and information systems, with clear communication and escalation channels.
Secure Configuration: Building and installing information systems and network devices so as to reduce cyber vulnerabilities and attack vectors.
Secure by Design: Designing systems, within an established context, that make compromise and disruption difficult, make compromise easy to detect, and reduce the impact of compromise.
Secure Management: Controls implemented in order to protect the confidentiality, availability and integrity of assets from threats and vulnerabilities.
Securing Logs: Restricting and securing access to logging data to prevent unauthorised modification or deletion of logs before the retention period is completed.
Software Patching: Applying updates to devices or software to improve security and/or enhance functionality.
Stored Data: Technologies and processes in place to protect stored data on hard disks, removable media or backups.
Supplier Relationships: The agreements set out in an organisation's supplier contracts and the measurement of compliance against these agreements.
Supply Chain: The understanding and management of security risks to networks and information systems which arise from dependencies on suppliers.
System acquisition, development and maintenance: Defining the security requirements of information systems, incorporating security in development and support processes, and protecting test data.
System Abnormalities for Attack Detection: Defining examples of abnormalities in system behaviour that provide practical ways of detecting malicious activity which is otherwise hard to identify.
Testing and Exercising: Conducting exercises to test response plans, using past incidents and scenarios that draw on threat intelligence and internal risk assessment.
User Accounts: Securely managing user access to information systems and networks through the assignment of unique user accounts with controlled access privileges.
Using Incidents to Drive Improvements: Using lessons learned from incidents to improve security measures and response capabilities.
Vulnerability Management: The management of known vulnerabilities in networks and information systems to prevent adverse impact on the organisation's function.