The organisation's wireless access points shall be secured.
Guidance
Consider the following when wireless networking is used:
- Change the administrative password upon installation of a wireless access points.
- Set the wireless access point so that it does not broadcast its Service Set Identifier (SSID).
- Set your router to use at least WiFi Protected Access (WPA-2 or WPA-3 where possible), with the Advanced Encryption Standard (AES) for encryption.
- Ensure that wireless internet access to customers is separated from your business network.
- Connecting to unknown or unsecured / guest wireless access points, should be avoided, and if unavoidable done through an encrypted virtual private network (VPN) capability.
- Manage all endpoint devices (fixed and mobile) according to the organization's security policies.
Usage restrictions, connection requirements, implementation guidance, and authorizations
for remote access to the organization’s critical systems environment shall be identified, documented, and implemented.
Guidance
Consider the following:
- Remote access methods include, for example, wireless, broadband, Virtual Private Network (VPN) connections, mobile device connections, and communications through external networks.
- Login credentials should be in line with company's user authentication policies.
- Remote access for support activities or maintenance of organizational assets should be approved, logged, and performed in a manner that prevents unauthorized access.
- The user should be made aware of any remote connection to its device by a visual indication.
Remote access to the organization’s critical systems shall be monitored and cryptographic mechanisms shall be implemented where determined necessary.
Guidance
This should include that only authorized use of privileged functions from remote access is allowed.
The organization's networks when accessed remotely shall be secured, including through multi-factor authentication (MFA).
Guidance
Enforce MFA (e.g. 2FA) on Internet-facing systems, such as email, remote desktop, and Virtual Private Network (VPNs).
The security of connections with external systems shall be verified and framed by documented agreements.
Guidance
Access from pre-defined IP addresses could be considered.
Organisation's data can only be processed on a predefined, trusted network, or by using a VPN service defined by the organisation.
For example, a coffee shop's Wi-Fi network is often either completely unencrypted or the password is easily accessible to everyone. In this case, the information sent online is vulnerable to spyware. A VPN connection encrypts information regardless of network settings.
Remote workers have their own operating guidelines, which are monitored. In addition, regular training is provided to staff to identify threats to information security arising from the use of mobile devices and remote work, and to review the guidelines.
Systems containing important information should be logged in using a multi-authentication logon, also known as either “two-factor”, “multi-factor” or “dual factor” authentication.
For example, when first logging in with a password, a one-time authentication code can also be sent to the user as a text message. In this case, he has been identified by two factors (knowing the password and owning the phone).
Biometric identifiers (eg fingerprint) and other devices can also be used for two-stage authentication. However, it is worth considering the costs and implications for privacy.
The organization shall ensure that the monitoring and management of remote connections is automated, that remote connections are encrypted to ensure their integrity and reliability, and that remote connections pass only through approved and managed Network Access Control (NAC).
The organization must also make possible for the remote connections to be closed within a specified time.
The use of the wireless network is secured with sufficient keys and the connection traffic to the network router is encrypted. The wireless network for guest use is isolated from the company's own internal network.
An appropriate log is generated from the use of the network to enable the detection of actions relevant to cyber security.
The normal state of network traffic (traffic volumes, protocols, and connections) is known. In order to detect anomalies, there is a procedure for detecting events that are different from the normal state of network traffic (for example, anomalous connections or their attempts).
Ensure the security of connections with external systems by verifying and documenting them in formal agreements. Review current connections with their security measures, within documented agreements such as:
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
