3.3.8 Infrastructure Security
No: 381000091275 | Date(g): 24/5/2017 | Date(h): 28/8/1438 | Status: In-Force
Effective from May 24 2017 - May 23 2017
Principle
The Member Organization should define, approve and implement cyber security standards for its infrastructure components. Compliance with these standards should be monitored, and their effectiveness should be measured and periodically evaluated.
Objective
To ensure that all cyber security controls within the infrastructure are formally documented, that compliance is monitored, and that effectiveness is evaluated periodically within the Member Organization.
Control considerations
1. The infrastructure security standards should be defined, approved and implemented.
2. Compliance with the infrastructure security standards should be monitored.
3. The effectiveness of the infrastructure cyber security controls should be measured and periodically evaluated.
4. The infrastructure security standards should cover all instances of infrastructure available in the main datacenter(s), the disaster recovery data site(s) and office spaces.
5. The infrastructure security standards should cover all instances of infrastructure (e.g., operating systems, servers, virtual machines, firewalls, network devices, IDS, IPS, wireless network, gateway servers, proxy servers, email gateways, external connections, databases, file-shares, workstations, laptops, tablets, mobile devices, PBX).
6. The infrastructure security standard should include:
   a. the cyber security controls implemented (e.g., configuration parameters, events to monitor and retain [including system access and data], data-leakage prevention [DLP], identity and access management, remote maintenance);
   b. the segregation of duties within the infrastructure component (supported with a documented authorization matrix);
   c. the protection of data aligned with the (agreed) classification scheme (including privacy of customer data, and avoiding unauthorized access and (un)intended data leakage);
   d. the use of approved software and secure protocols;
   e. segmentation of networks;
   f. malicious code/software and virus protection (including application whitelisting and APT protection);
   g. vulnerability and patch management;
   h. DDOS protection (where applicable); this should include:
      1. the use of scrubbing services;
      2. specification of the bandwidth agreed;
      3. 24x7 monitoring by the Security Operating Center (SOC), Service Provider (SP) and scrubbing provider;
      4. testing of DDOS scrubbing (minimum twice a year);
      5. DDOS services should be implemented for the main datacenter(s) as well as the disaster recovery site(s);
   i. back-up and recovery procedures;
   j. periodic cyber security compliance review.