graphgrc

ISO 27002 - A.8 - Technological controls

A.8.1

User end point devices

Information stored on, processed by or accessible via user end point devices shall be protected.

Mapped SCF controls

• AST-06 - Unattended End-User Equipment
• AST-07 - Kiosks & Point of Interaction (PoI) Devices
• AST-12 - Use of Personal Devices
• END-01 - Endpoint Security
• END-02 - Endpoint Protection Measures
• IAC-22 - Account Lockout
• MDM-01 - Centralized Management Of Mobile Devices
• MDM-02 - Access Control For Mobile Devices
• MDM-05 - Remote Purging

A.8.2

Privileged access rights

The allocation and use of privileged access rights shall be restricted and managed.

Mapped SCF controls

• IAC-16 - Privileged Account Management (PAM)
• IAC-16.1 - Privileged Account Inventories
• IAC-17 - Periodic Review of Account Privileges

A.8.3

Information access restriction

Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control.

Mapped SCF controls

• CFG-01 - Configuration Management Program
• CFG-02 - System Hardening Through Baseline Configurations
• CFG-03 - Least Functionality
• IAC-08 - Role-Based Access Control (RBAC)
• IAC-21 - Least Privilege
• NET-04 - Data Flow Enforcement – Access Control Lists (ACLs)

A.8.4

Access to source code

Read and write access to source code, development tools and software libraries shall be appropriately managed.

Mapped SCF controls

• TDA-20 - Access to Program Source Code

A.8.5

Secure authentication

Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control.

Mapped SCF controls

• CFG-02 - System Hardening Through Baseline Configurations
• END-01 - Endpoint Security
• END-02 - Endpoint Protection Measures
• SEA-17 - Secure Log-On Procedures

A.8.6

Capacity management

The use of resources shall be monitored and adjusted in line with current and expected capacity requirements.

Mapped SCF controls

• CAP-01 - Capacity & Performance Management
• CAP-03 - Capacity Planning

A.8.7

Protection against malware

Protection against malware shall be implemented and supported by appropriate user awareness.

Mapped SCF controls

• END-04 - Malicious Code Protection (Anti-Malware)
• END-04.1 - Automatic Antimalware Signature Updates

A.8.8

Management of technical vulnerabilities

Information about technical vulnerabilities of information systems in use shall be obtained, the organization’s exposure to such vulnerabilities shall be evaluated and appropriate measures shall be taken.

Mapped SCF controls

• CFG-03.1 - Periodic Review
• CPL-02 - Cybersecurity & Data Protection Controls Oversight
• CPL-03.2 - Functional Review Of Cybersecurity & Data Protection Controls
• IRO-10.3 - Vulnerabilities Related To Incidents
• PRI-08 - Testing, Training & Monitoring
• VPM-01 - Vulnerability & Patch Management Program (VPMP)
• VPM-01.1 - Attack Surface Scope
• VPM-02 - Vulnerability Remediation Process
• VPM-03 - Vulnerability Ranking
• VPM-05 - Software & Firmware Patching
• VPM-06 - Vulnerability Scanning

A.8.9

Configuration management

Configurations, including security configurations, of hardware, software, services and networks shall be established, documented, implemented, monitored and reviewed.

Mapped SCF controls

• CFG-01 - Configuration Management Program
• CFG-01.1 - Assignment of Responsibility
• CFG-02 - System Hardening Through Baseline Configurations
• CFG-02.1 - Reviews & Updates
• CFG-03 - Least Functionality

A.8.10

Information deletion

Information stored in information systems, devices or in any other storage media shall be deleted when no longer required.

Mapped SCF controls

• AST-09 - Secure Disposal, Destruction or Re-Use of Equipment
• DCH-08 - Physical Media Disposal
• DCH-09 - System Media Sanitization
• DCH-09.1 - System Media Sanitization Documentation
• DCH-09.3 - Sanitization of Personal Data (PD)
• DCH-18 - Media & Data Retention
• DCH-21 - Information Disposal
• PRI-05 - Personal Data Retention & Disposal

A.8.11

Data masking

Data masking shall be used in accordance with the organization’s topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration.

Mapped SCF controls

• DCH-03.2 - Masking Displayed Data
• DCH-23.4 - Removal, Masking, Encryption, Hashing or Replacement of Direct Identifiers
• PRI-05.3 - Data Masking

A.8.12

Data leakage prevention

Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information.

Mapped SCF controls

• CFG-01 - Configuration Management Program
• CFG-02 - System Hardening Through Baseline Configurations
• CFG-02.5 - Configure Systems, Components or Services for High-Risk Areas
• CFG-03 - Least Functionality
• DCH-01 - Data Protection
• IAC-21 - Least Privilege
• PES-13 - Information Leakage Due To Electromagnetic Signals Emanations
• SEA-01 - Secure Engineering Principles
• SEA-01.1 - Centralized Management of Cybersecurity & Data Privacy Controls

A.8.13

Information backup

Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup.

Mapped SCF controls

• BCD-11 - Data Backups
• BCD-11.1 - Testing for Reliability & Integrity
• BCD-11.2 - Separate Storage for Critical Information
• BCD-11.4 - Cryptographic Protection

A.8.14

Redundancy of information processing facilities

Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements.

Mapped SCF controls

• BCD-08 - Alternate Storage Site
• BCD-09 - Alternate Processing Site
• BCD-11.7 - Redundant Secondary System

A.8.15

Logging

Logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.

Mapped SCF controls

• MON-01 - Continuous Monitoring
• MON-01.4 - System Generated Alerts
• MON-02 - Centralized Collection of Security Event Logs
• MON-02.1 - Correlate Monitoring Information
• MON-02.2 - Central Review & Analysis
• MON-03 - Content of Event Logs
• MON-03.3 - Privileged Functions Logging
• MON-06 - Monitoring Reporting
• MON-08 - Protection of Event Logs

A.8.16

Monitoring activities

Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential information security incidents.

Mapped SCF controls

• MON-01 - Continuous Monitoring
• MON-01.1 - Intrusion Detection & Prevention Systems (IDS & IPS)
• MON-01.2 - Automated Tools for Real-Time Analysis
• MON-01.3 - Inbound & Outbound Communications Traffic
• MON-01.8 - Reviews & Updates
• MON-02.2 - Central Review & Analysis

A.8.17

Clock synchronization

The clocks of information processing systems used by the organization shall be synchronized to approved time sources.

Mapped SCF controls

• SEA-20 - Clock Synchronization

A.8.18

Use of privileged utility programs

The use of utility programs that can be capable of overriding system and application controls shall be restricted and tightly controlled.

Mapped SCF controls

• IAC-20.3 - Use of Privileged Utility Programs

A.8.19

Installation of software on operational systems

Procedures and measures shall be implemented to securely manage software installation on operational systems.

Mapped SCF controls

• CHG-01 - Change Management Program
• CHG-02 - Configuration Change Control
• CHG-02.2 - Test, Validate & Document Changes
• END-03 - Prohibit Installation Without Privileged Status
• END-03.2 - Governing Access Restriction for Change

A.8.20

Networks security

Networks and network devices shall be secured, managed and controlled to protect information in systems and applications.

Mapped SCF controls

• AST-04 - Network Diagrams & Data Flow Diagrams (DFDs)
• NET-01 - Network Security Controls (NSC)
• NET-02 - Layered Network Defenses
• NET-03 - Boundary Protection
• NET-04 - Data Flow Enforcement – Access Control Lists (ACLs)
• NET-04.1 - Deny Traffic by Default & Allow Traffic by Exception
• NET-06 - Network Segmentation
• NET-08.1 - DMZ Networks

A.8.21

Security of network services

Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored.

Mapped SCF controls

• NET-01 - Network Security Controls (NSC)
• NET-03 - Boundary Protection
• NET-08 - Network Intrusion Detection / Prevention Systems (NIDS / NIPS)
• NET-15 - Wireless Networking
• TPM-05 - Third-Party Contract Requirements
• TPM-08 - Review of Third-Party Services

A.8.22

Segregation of networks

Groups of information services, users and information systems shall be segregated in the organization’s networks.

Mapped SCF controls

• NET-06 - Network Segmentation
• NET-06.1 - Security Management Subnets
• WEB-02 - Use of Demilitarized Zones (DMZ)

A.8.23

Web filtering

Access to external websites shall be managed to reduce exposure to malicious content.

Mapped SCF controls

• NET-18 - DNS & Content Filtering

A.8.24

Use of cryptography

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented.

Mapped SCF controls

• CRY-01 - Use of Cryptographic Controls
• CRY-03 - Transmission Confidentiality
• CRY-04 - Transmission Integrity
• CRY-05 - Encrypting Data At Rest
• CRY-09 - Cryptographic Key Management
• CRY-09.3 - Cryptographic Key Loss or Change
• CRY-09.4 - Control & Distribution of Cryptographic Keys

A.8.25

Secure development life cycle

Rules for the secure development of software and systems shall be established and applied.

Mapped SCF controls

• CFG-02 - System Hardening Through Baseline Configurations
• CFG-02.4 - Development & Test Environment Configurations
• IAO-04 - Threat Analysis & Flaw Remediation During Development
• PRM-07 - Secure Development Life Cycle (SDLC) Management
• TDA-01 - Technology Development & Acquisition
• TDA-02 - Minimum Viable Product (MVP) Security Requirements
• TDA-02.3 - Development Methods, Techniques & Processes
• TDA-06 - Secure Coding
• TDA-07 - Secure Development Environments
• TDA-08 - Separation of Development, Testing and Operational Environments
• TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development

A.8.26

Application security requirements

Information security requirements shall be identified, specified and approved when developing or acquiring applications

Mapped SCF controls

• CFG-02 - System Hardening Through Baseline Configurations
• CLD-04 - Application & Program Interface (API) Security
• CRY-01 - Use of Cryptographic Controls
• CRY-03 - Transmission Confidentiality
• CRY-04 - Transmission Integrity
• PRM-05 - Cybersecurity & Data Privacy Requirements Definition
• SEA-01 - Secure Engineering Principles
• SEA-02 - Alignment With Enterprise Architecture
• TDA-06 - Secure Coding

A.8.27

Secure system architecture and engineering principles

Principles for engineering secure systems shall be established, documented, maintained and applied to any information system development activities.

Mapped SCF controls

• CFG-03.1 - Periodic Review
• SEA-01 - Secure Engineering Principles
• TDA-05 - Developer Architecture & Design
• TDA-06 - Secure Coding

A.8.28

Secure coding

Secure coding principles shall be applied to software development.

Mapped SCF controls

• TDA-06 - Secure Coding

A.8.29

Security testing in development and acceptance

Security testing processes shall be defined and implemented in the development life cycle.

Mapped SCF controls

• IAO-02 - Assessments
• IAO-02.2 - Specialized Assessments
• TDA-02 - Minimum Viable Product (MVP) Security Requirements
• TDA-02.3 - Development Methods, Techniques & Processes
• TDA-06.1 - Criticality Analysis
• TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development

A.8.30

Outsourced development

The organization shall direct, monitor and review the activities related to outsourced system development.

Mapped SCF controls

• RSK-09 - Supply Chain Risk Management (SCRM) Plan
• RSK-09.1 - Supply Chain Risk Assessment
• TDA-01 - Technology Development & Acquisition
• TDA-02 - Minimum Viable Product (MVP) Security Requirements
• TDA-05 - Developer Architecture & Design
• TDA-06 - Secure Coding
• TDA-09 - Cybersecurity & Data Privacy Testing Throughout Development
• TDA-14 - Developer Configuration Management
• TDA-20 - Access to Program Source Code
• TPM-01 - Third-Party Management
• TPM-03 - Supply Chain Protection
• TPM-04 - Third-Party Services
• TPM-05 - Third-Party Contract Requirements
• TPM-06 - Third-Party Personnel Security

A.8.31

Separation of development, test and production environments

Development, testing and production environments shall be separated and secured.

Mapped SCF controls

• TDA-07 - Secure Development Environments
• TDA-08 - Separation of Development, Testing and Operational Environments

A.8.32

Change management

Changes to information processing facilities and information systems shall be subject to change management procedures.

Mapped SCF controls

• CHG-01 - Change Management Program
• CHG-02 - Configuration Change Control
• CHG-02.2 - Test, Validate & Document Changes
• PRM-07 - Secure Development Life Cycle (SDLC) Management
• TDA-14 - Developer Configuration Management

A.8.33

Test information

Test information shall be appropriately selected, protected and managed.

Mapped SCF controls

• DCH-23 - De-Identification (Anonymization)
• TDA-10 - Use of Live Data

A.8.34

Protection of information systems during audit testing

Audit tests and other assurance activities involving assessment of operational systems shall be planned and agreed between the tester and appropriate management.

Mapped SCF controls

• CPL-01 - Statutory, Regulatory & Contractual Compliance
• CPL-02 - Cybersecurity & Data Protection Controls Oversight
• CPL-02.1 - Internal Audit Function
• CPL-03 - Cybersecurity & Data Protection Assessments
• CPL-04 - Audit Activities

This site is open source. Improve this page.