1. IT Governance
1.1. Confidentiality
1.1.1. - Vendor management. - Outsourcing policy. - Data Classification – DLP. - NDA agreement with vendors.
1.2. Integrity
1.2.1. - Audit rights with vendor. - SoD. - SIEM tool – Splunk.
1.3. Availability
1.3.1. - Vendor management. - SLA & OLA. - Escrow agreement. - Audit rights with vendor.
2. Network
2.1. Confidentiality
2.1.1. - VPN. - Encryption. - Web content filtering. - NAC. - Hardening configuration. - Using a Demilitarized Zone – DMZ. - IPS/IDS. - Patch management. - End of Life devices. - Hardware Security Module.
2.2. Integrity
2.2.1. - Web content filtering. - SIEM tool – Splunk. - NAC. - Hardening configuration. - IPS/IDS. - Change management. - PAM tool – ARCOS.
2.3. Availability
2.3.1. - Multiple service providers. - Network monitoring tools. - High Availability. - Network diagram. - RIPE service. - High Availability setup.
3. Servers / PCs
3.1. Confidentiality
3.1.1. - Firewall. - VPN. - Patch management. - VA/PT. - WAF. - Hardening configuration. - Physical access. - Email security. - IAM role – AWS. - SOC report – cloud. - End of Life OS.
3.2. Integrity
3.2.1. - Active Directory. - Change management. - SIEM tool – Splunk. - WAF. - Hardening configuration. - PAM tool – ARCOS. - Anti-malware. - OS testing. - Blocking USB/CD. - Email security. - VA/PT. - IAM role – AWS. - SOC report – cloud. - Mobile Device Management – MDM. - BIOS protection.
3.3. Availability
3.3.1. - VA/PT. - Anti-malware. - ManageEngine. - Nagios. - Capacity planning. - Physical access. - Bug tracking – JIRA. - SOC report. - High Availability setup. - Preventative maintenance.
4. Applications
4.1. Confidentiality
4.1.1. - SoD. - 2FA. - PAM tool – ARCOS. - Password policy. - Use HTTPS. - SOC report – SaaS services. - Separation between environments. - Patch management of critical updates. - Authority reviews.
4.2. Integrity
4.2.1. - SDLC process. - Testing process – unit, functional, integration, stress and regression. - UAT. - Release approvals. - SoD. - Dual authentication. - GitHub. - Source code review – Codebeat & Codacy. - PAM tool – ARCOS. - Automation testing – Selenium. - Reviewing testing results – Allure. - Password policy. - CI/CD – Jenkins. - Use HTTPS. - Segregation between environments. - Integrity monitor – Solidcore on ATMs. - API keys. - Fraud trap system.
4.3. Availability
4.3.1. - System architecture. - Bug tracking – JIRA. - Migration plan – SaaS services. - High Availability setup. - Preventative maintenance.
5. Database
5.1. Confidentiality
5.1.1. - Database Vault. - Patch management. - VA/PT. - Strong encryption. - End of Life database versions. - Data masking. - SoD. - Hardening configuration.
5.2. Integrity
5.2.1. - Change management. - SIEM tool – Splunk. - Database Vault. - Patch management. - VA/PT. - SoD. - PAM tool – ARCOS.
5.3. Availability
5.3.1. - Nagios. - Capacity planning. - Bug tracking – JIRA. - High Availability setup. - Preventative maintenance.
6. BCP
6.1. Confidentiality
6.1.1. - Physical security. - Visitors log. - Data Encryption in transit. - Backup encryption.
6.2. Integrity
6.2.1. - Physical security. - Backup encryption.
6.3. Availability
6.3.1. - Backup & Restore. - DRP. - Cyber security response plan. - Annual testing of BCP.
7. Cyber Security
7.1. Confidentiality
7.1.1. - WAF. - PT/VA. - Patch management. - DMZ. - Secure protocols – TLSv1.1. - Block all unnecessary ports. - Web content filtering. - Anti-malware. - Encryption. - Use HTTPS. - Use SFTP. - VPN. - 2FA. - NAC.
7.2. Integrity
7.2.1. - PT/VA. - Session timeout. - Web content filtering. - Anti-malware. - Password policy. - IPS/IDS. - SIEM tool – Splunk. - Disable default accounts. - Patch management. - Hardening configuration. - S3 bucket permissions.
7.3. Availability
7.3.1. - DMZ. - Network diagram. - Monitoring tool. - IPS/IDS. - Backup & Restore. - DDoS protection from ISP.