You prevent unauthorised access to systems and applications, for example by passwords, technical vulnerability management and malware prevention tools.
Ways to meet our expectations:
- You restrict access to systems or applications processing personal data to the absolute minimum in accordance with the principle of least privilege (for example read/write/delete/execute access rules are applied).
- You apply minimum password complexity rules and limit log-on attempts to systems or applications processing personal data.
- You have password management controls in place, including default password changing, controlled use of any shared passwords and secure password storage (not in plain text).
- Email content and attachment security solutions (encryption) appropriately protect emails containing sensitive personal data.
- You log and monitor user and system activity to detect anything unusual.
- You implement anti-malware and anti-virus (AV) protection across the network and on critical or sensitive information systems if appropriate.
- Anti-malware and anti-virus protection is kept up to date and you configure it to perform regular scans.
- Your organisation has access to, and acts upon, updates on technical vulnerabilities in systems or software, for example vendor alerts or patches.
- You regularly run vulnerability scans.
- You deploy URL or web content filtering to block specific websites or entire categories.
- You strictly control or prohibit the use of social media or messaging apps such as WhatsApp to share personal data.
- You have external and internal firewalls and intrusion detection systems in place, as appropriate, to protect information in networks and systems from unauthorised access or attack, for example denial of service attacks.
- You do not have unsupported operating systems in use, for example Windows XP or Windows Server 2003.
- You establish special controls to safeguard the confidentiality and integrity of data passing over public networks or over wireless networks and to protect the connected systems and applications.
Can you answer yes to the following questions?
- Would a sample of systems access at various job levels confirm that you apply access levels appropriately?
- Are the passwords complex?
- Could staff demonstrate that anti-virus and anti-malware protection has been implemented on key information systems?
- Do you install vendor updates in a timely manner?
- Could we access a blacklisted site or an unsupported operating system on-site?