Data, system and network security

Centrally select and install malware detection and repair programs and update them regularly for preventive or regular scanning of computers and media.

Programs should check at least the following:

• files received over the network or storage media are scanned for malware before use
• email attachments and downloaded files are scanned for malware before use
• websites are scanned for malware

To protect information transferred via public or private networks from reading or manipulation by third parties, the organization has:

• Identified and documented network services used to transfer information
• Determined policies and procedures in accordance with the classification requirements for the use of network services
• Implemented measures to protect the actual transferred data against unauthorized access

Laptops are protected by full-disk encryption.

Cyber criminals can exploit configuration errors or technical vulnerabilities in applications, firewalls, or networks to access our information.

An organization must use defense-in-depth technologies to protect against, detect, and respond to cyber-attacks. The techniques should be suitable for controlling physical, logical and administrative controls.

The organization should have measures to ensure that teleworking and use of private endpoint devices are secured enough to not cause an impact to the organizations critical activities.

The organization must have process to securely delete data that in longer needs either on premises or data that is stored externally.

There also must be a secure process to dispose and decommission data storage devices, on-premises or external, that contain confidential information.

Implementing data deletion policies and using certified data erasure tools can enhance data security and compliance.

Control access to services based on knowledge of users and devices.

One example is if a user logs in via an unmanaged device (the organisation trusts the user but does not control the device) and gains access to fewer services than if the user logs in via an organisation-managed device (the organisation knows both the user and the device).

The organisation must have measures for ensuring correct addressing and correct transfer of information.

An electronic data exchange must be conducted using content or transport encryption suitable for the classification of data in transfer.

Arranging suitable equipment and storage for teleworking if the use of personal equipment beyond the control of the organization is not permitted.

If personal devices are used organization should utilize separate profiles (e.g. using Apple® Configuration Profile or AndroidTM Work Profile) to separate work data and apps from personal data and apps.

Endpoint security management system can be used to demand the desired security criteria from the devices before they are allowed to connect to the network resources. Devices can be laptops, smartphones, tablets or industry-specific hardware.

Criteria for the use of network resources may include e.g. approved operating system, VPN and antivirus systems, and the timeliness of these updates.

Storing confidential information on removable media should be avoided. When removable media is used to transfer confidential information, appropriate security is used (e.g., full disk encryption with pre-boot authentication).

Devices that support full-device encryption are selected as smartphones and tablets for work use, and encryption is turned on.

When working remotely, the employee must follow the following guidelines:

• remote work may only be performed in rooms where eavesdropping is not possible
• remote work must be agreed in advance (e.g. on a one-off basis or in an employment contract with flexible work arrangements) or remote work must be requested by the employer
• the employee must ensure the required security for remote work equipment (e.g. backup, malware protection, firewall, encryption, updates)

The organization maintains documentation of interfaces and other connections between data system and the data transmission methods used in the interfaces.

The documentation concerning the interfaces shall be reviewed regularly and after significant changes to data systems.

The data to be transmitted must be protected using cryptographic methods. The protection of the confidentiality and integrity of the data transmitted applies to the internal and external network and to all systems that can transmit data. These include:

• Servers
• Computers
• Mobile devices
• Printers

The data to be transferred can be protected by physical or logical means.

• Physical protection is obtained from a protected distribution system, for example an optical fiber line, which has sufficient protection to prevent, for example, electromagnetic leakage and controls to prevent its unauthorized use.
• Logical protection is achieved with strong encryption of communications.

The organization must implement practices and procedures so that the information coming out of the services is complete and timely. The procedures must take into account:

• Protection of outgoing information, when stored or transferred, from theft, destruction, modification or other events affecting the integrity of the information
• Outcoming information is shared only with intended targets< /li>
• Logging of outgoing data

The DLP system aims to prevent the loss or leakage of sensitive data. The system can be used to prevent unwanted actions by monitoring, detecting and preventing the processing of sensitive data without meeting the desired conditions. Blocking can be done during use (in-use, terminal operations), in motion (in-transit, network traffic) or in storage locations (at-rest).