fbpx

CIMSNex User Guides

System Guides

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

A.8.24 Use of Cryptography would include:

  1. Cryptography Policy: Documentation of a formal cryptography policy that outlines the organization's approach to using cryptographic techniques to protect sensitive information and communications.

  2. Encryption Algorithms and Protocols: Information about the encryption algorithms and protocols used by the organization, including their strength, suitability for the intended purposes, and compliance with industry standards.

  3. Key Management: Documentation of key management practices, including key generation, distribution, storage, rotation, and destruction, to ensure the secure and effective use of cryptographic keys.

  4. Digital Certificates: Evidence of the use of digital certificates for secure communication and authentication, along with documentation of certificate management processes.

  5. Secure Communication Channels: Documentation of the use of secure communication channels, such as SSL/TLS, to protect data transmitted over networks.

  6. Cryptographic Modules: Information about any cryptographic modules or hardware security modules (HSMs) used to perform cryptographic operations, along with evidence of their compliance with industry standards.

  7. Cryptographic Controls for Data-at-Rest: Evidence of cryptographic controls used to protect sensitive data stored on devices, databases, or other storage media.

  8. Secure Hashing: Documentation of the use of secure hash functions for data integrity verification, password storage, and other purposes.

  9. Compliance with Regulations: Evidence that the organization's cryptographic practices align with relevant industry regulations, standards, and best practices.

  10. Training and Awareness: Evidence of employee training and awareness programs related to the use of cryptography, ensuring that employees understand how to correctly and securely use cryptographic tools.

  11. Cryptography Incident Response: Documentation of incident response procedures for handling cryptographic-related security incidents, such as key compromises or unauthorized access to encrypted data.

  12. Periodic Cryptographic Reviews: Records of periodic reviews and audits of the organization's cryptographic practices to ensure that they remain effective and in compliance with the policy and standards.

By reviewing these pieces of evidence, an auditor can assess the organization's implementation of cryptographic controls to protect sensitive information and communications. The goal is to ensure that cryptography is used correctly and securely to safeguard data and maintain the confidentiality, integrity, and authenticity of critical information assets.

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

 A.8.23 Web Filtering would include:

  1. Web Filtering Policy: Documentation of a formal web filtering policy that outlines the organization's approach to filtering web content and the criteria used to determine what should be blocked or allowed.

  2. Web Filtering Solution: Information about the web filtering solution in use, including its configuration, capabilities, and deployment across the organization's network.

  3. Blocked Website List: A list of websites that are blocked by the web filtering solution, demonstrating that access to potentially harmful or inappropriate content is restricted.

  4. Allowed Website List: A list of websites that are allowed by the web filtering solution, showing that access to essential and approved resources is maintained.

  5. User Access Logs: Logs and records of user web access, indicating which websites users have attempted to visit, whether they were allowed or blocked, and any attempts to bypass the filtering controls.

  6. Web Filtering Exceptions: Documentation of any exceptions or overrides to the web filtering rules, explaining the reasons for these exceptions and how they are approved and monitored.

  7. Compliance with Regulations: Evidence that the web filtering solution aligns with relevant industry regulations, standards, and best practices for web content filtering.

  8. Security Incidents: Records of any security incidents related to web filtering, including attempts to access blocked content or successful circumvention of filtering controls.

  9. Review and Monitoring: Documentation showing that the web filtering solution is regularly reviewed and updated to address new threats and adapt to changing security requirements.

  10. Training and Awareness: Evidence of employee training and awareness programs related to web filtering policies, ensuring that employees understand the importance of adhering to web filtering rules.

  11. Web Traffic Analysis: Analysis of web traffic data to identify patterns or anomalies that may indicate potential security risks or violations of the web filtering policy.

  12. Change Management: Documentation of change management processes related to the web filtering solution, ensuring that any changes to filtering rules or configurations are properly authorized and documented.

By reviewing these pieces of evidence, an auditor can assess the effectiveness of the organization's web filtering controls in preventing access to malicious or inappropriate content and protecting the network from web-based security threats. The goal is to ensure that the web filtering solution is appropriately configured and managed to support the organization's security objectives and compliance requirements

ISMS Guides
Star InactiveStar InactiveStar InactiveStar InactiveStar Inactive

 A.8.22 Segregation of Networks would include:

  1. Network Architecture Diagrams: Detailed diagrams illustrating the network topology, including the physical and logical segregation of different networks within the organization.

  2. Network Segmentation: Documentation of how networks are segmented to isolate critical assets and sensitive data from general network traffic.

  3. Access Controls: Evidence of access controls and network segmentation measures to restrict unauthorized access between different network segments.

  4. Network Access Policies: Documentation of policies governing network access, including the rules for communication between different segments and the restrictions on inter-segment traffic.

  5. VLAN (Virtual Local Area Network) Configuration: Configuration details of VLANs used to segregate network traffic and create separate broadcast domains.

  6. Firewall Rules: Logs and configurations of firewall rules that control traffic flow between network segments and protect critical assets.

  7. Network Gateway Controls: Documentation of gateway controls and routing configurations used to manage traffic between different networks.

  8. Network Monitoring: Evidence of network monitoring practices, including traffic analysis and anomaly detection, to identify unauthorized attempts to access different network segments.

  9. Network Security Audits: Reports from network security audits and assessments conducted to evaluate the effectiveness of network segregation controls.

  10. Incident Response Records: Records of any incidents related to unauthorized access or attempted breaches of network segregation.

  11. Network Access Logs: Logs of network access, including details of authorized users accessing specific network segments.

  12. Change Management for Network Segregation: Documentation of change management processes related to network segmentation, ensuring that any changes are properly authorized and tested.

By examining these pieces of evidence, an auditor can assess the organization's compliance with network segregation principles and the effectiveness of controls in place to protect critical assets and data. The goal is to verify that network segments are appropriately isolated and that unauthorized access between different network segments is adequately prevented to minimize the risk of unauthorized access and data breaches.

USER GUIDES

Image
Empowering organizations to achieve their performance objectives through a unique blend of consulting expertise and technology-driven solutions.

More Links

FEATURED SERVICES

Performance Improvement Consulting

ISO Management Systems Training

Customized Consulting Services

Technology Integration Solutions

 

ISO Compliance Software
Integrate . Mantain . Comply

Search