Access Control and Authorization

Acceptable use policy established

Establish and maintain an acceptable use policy that outlines permissible activities, systems, and data access for all users, contractors, and third parties interacting with the organization’s information assets and technologies.

Access management policy established

Establish systematic controls in your access management policy for managing user access rights that ensure appropriate, authorized access to systems and data while maintaining security.

MFA required for critical services

Require multi-factor authentication (MFA) for accessing critical services and infrastructure. MFA adds an extra layer of security by requiring users to provide additional authentication factors beyond their passwords.

Password management policy enforced

Strictly enforce the organization’s password management policy to guarantee compliance with security standards. Enforcing this policy includes implementing technical controls, monitoring adherence, and responding to non-compliance.

Password management policy established

Establish a password management policy that mandates strong and complex passwords and prohibits the reuse of previously used passwords. This policy helps protect user accounts from unauthorized access due to weak or compromised passwords.

Data Management and Protection

Data encrypted at rest

Encrypt all sensitive data when it is stored on systems or devices. Encryption of data at rest helps protect sensitive information from unauthorized access.

Data encrypted in-transit

Encrypt all data when it is transmitted over networks, both within the organization’s internal network and external connections. Encryption of data in-transit helps protect sensitive information from eavesdropping and unauthorized access.

Data inventory maintained

Establish and maintain an accurate, detailed, and up-to-date inventory of all data assets. This can include data stored in databases, file shares, and cloud storage.

Data management and retention policy established

Establish a data management and retention policy, which outlines the guidelines for how long data should be retained and how it should be managed throughout its lifecycle.

Intellectual Property & Copyright Compliance Policy established

Ensure that all use of intellectual property and copyrighted works (including software, media, and marketing materials) is governed by clearly defined license terms, documented appropriately, and monitored for compliance.

Physical Media Transfer Procedure established

Ensure that whenever sensitive data is transported outside the organization via physical media, it is encrypted, packaged securely, tracked through a chain of custody, and handled only by authorized parties to protect confidentiality, integrity, and availability.

Disaster Recovery

Automated backups enabled

Enable automated backups for all high-risk data and critical systems. Automated backups ensure that important data is regularly and securely backed up, reducing the risk of data loss in the event of a disaster or cyber incident.

Business continuity and disaster recovery policy established

Establish a comprehensive business continuity and disaster recovery policy that outlines the organization’s strategies for responding to disruptive incidents and supporting business continuity.

Data recovery process established

Establish a data recovery process that defines procedures for recovering data in case of data loss, corruption, or system failures. A robust data recovery process helps minimize downtime and data loss in critical situations.

Disaster recovery plans tested

Regularly test the organization’s disaster recovery plans to ensure their effectiveness and identify areas for improvement. Testing helps validate the ability to recover critical systems and operations in the event of a disaster.

Recovery data isolated

Isolate the recovery data from the production environment to prevent accidental overwriting or corruption of backups. Keeping recovery data separate helps maintain the integrity and availability of backup copies.

Email Security

Electronic Messaging (Email & Messaging) Policy established

Define how employees must appropriately and securely use organization-provided electronic messaging (email, chat, SMS, etc.), including permissible content, monitoring, and account ownership rules.

DMARC policy and verification used

Implement and utilize DMARC (Domain-based Message Authentication, Reporting, and Conformance) policy and verification mechanisms to prevent email spoofing and phishing attacks. DMARC helps protect the organization’s email domains from unauthorized use.

Email settings block malicious content

Configure email settings to block malicious content, including malicious attachments, links, and scripts.

Endpoint Security

Anti-malware deployed on end-user devices

Deploy anti-malware or antivirus solutions on end-user devices, such as laptops and workstations. This provides an additional layer of protection against malware threats that may be introduced through user activities.

Mobile device management (MDM)

Utilize a mobile device management (MDM) solution to manage and secure end-user devices. This allows for the protection of sensitive data, ensures device compliance, and provides device management capabilities for IT staff.

Firewall maintained on end-user devices

Ensure that firewalls are installed and properly maintained on end-user devices, such as laptops and workstations. End-user firewalls provide an additional layer of protection against unauthorized network traffic.

Infrastructure Security

Active discovery tools used

Utilize an active discovery tool to identify assets connected to the enterprise’s network. Configure the active discovery tool to execute daily, or more frequently.

Administrator access restricted

Restrict administrator access to critical systems and sensitive data based on the principle of least privilege, granting elevated permissions only when necessary for specific tasks and revoking them promptly after completion. Implement strong authentication mechanisms, such as multi-factor authentication, and regularly review and update administrator access rights to ensure they align with job responsibilities and maintain a secure environment.

Automated security scanning performed on infrastructure

Deploy automated security scanning software (such as anti-malware or antivirus solutions, intrusion detection systems, or data breach protection) on all infrastructure components including servers and network devices. This helps detect and prevent malware infections and other malicious activities targeting critical systems.

Buckets not exposed publicly

Ensure that cloud storage buckets are not exposed to the public internet. Misconfigured public access settings can lead to unauthorized access or data exposure.

Configuration management system established

Implement a configuration management system to manage and control the configuration of systems, applications, and infrastructure. Configuration management helps maintain consistency and security across the IT environment.

Firewall restricts public access to infrastructure

Configure firewalls to restrict public access to the organization’s infrastructure components. Proper firewall rules help minimize the exposure of critical systems to the public internet.

Infrastructure changes require review

Implement a review process for all proposed infrastructure changes before implementation. Reviews ensure that changes comply with security policies, do not introduce vulnerabilities, and align with the organization’s requirements.

Infrastructure deployed using an infrastructure-as-code tool

Adopt an infrastructure-as-code (IaC) approach to deploy and manage the organization’s infrastructure components. IaC tools enable consistent and version-controlled infrastructure deployment, reducing the risk of configuration errors.

Production deployment access restricted

Limit access to production deployment environments to authorized personnel only. This control helps prevent unauthorized changes or deployments that may disrupt critical services.

Offsite Asset Authorization Procedure established

Mandate that any removal of organizational assets offsite be pre-approved, logged with relevant details (asset, serial, user, destination, duration), verified against the asset inventory, and controlled by security staff to ensure accountability and traceability.

Secure Area Access Procedure established

Define required behavior and controls for individuals working in designated secure physical zones, such as controlling access, escorting visitors, safeguarding credentials, and prohibiting unauthorized recording, to maintain protection of organizational assets.

Physical Security Policy established

Outline the controls and responsibilities for protecting physical facilities, equipment, and access points, including secure area enforcement, visitor management, asset lifecycle controls, and environmental safeguards, to prevent unauthorized access, damage, or theft.

Teleworking Policy established

Ensure that teleworking arrangements include appropriate risk assessments, use of organization-supplied equipment, secured communications (VPN, backups, antivirus), and clear procedures for termination to protect RUNSTACK’s information assets.

Unique production database authentication enforced

Enforce unique authentication mechanisms for accessing production databases, such as a unique username and password or SSH key.

Web Application Firewall (WAF) used

Implement a Web Application Firewall (WAF) to protect web applications from various cyber threats, such as SQL injection, cross-site scripting, and other application-layer attacks.

Monitoring and Incident Response

Audit log management process

Maintain a robust and up-to-date audit log management process. This process should include guidelines for capturing, storing, and monitoring audit logs, ensuring the availability and integrity of essential security event data.

Audit logs collected

Enable the collection of audit logs from critical systems and applications. Audit logs capture essential security events and activities, providing valuable information for incident detection, investigation, and compliance purposes.

Incident response policy established

Establish an incident response policy that outlines the organization’s approach and procedures for detecting, responding to, and recovering from cybersecurity incidents.

Incident review process implemented

Establish a structured process for conducting incident reviews following any security or operational incident affecting critical systems. This process is essential for understanding root causes, assessing the impact, and identifying improvement actions to prevent similar incidents in the future. Establish criteria for incidents requiring formal review, including any events affecting critical functions. Define the scope to include root cause analysis, impact assessment, response effectiveness, and corrective actions. For each qualifying incident, hold a review meeting promptly after resolution. Ensure that relevant stakeholders participate. Record detailed findings from each review, including root causes, identified vulnerabilities, and gaps in response. Document action items, timelines, and responsible parties for implementing corrective measures to prevent recurrence. Establish a follow-up process to verify that corrective actions are completed and effective.

Infrastructure performance monitored

Monitor the performance of the organization’s infrastructure components to ensure optimal operation and detect potential issues or anomalies that may impact security or reliability.

Network infrastructure monitored

Implement monitoring mechanisms for the network infrastructure to detect and respond to suspicious or unauthorized activities. Network monitoring helps ensure the integrity and availability of network resources.

Nonconformity Management Procedure established

Establish a nonconformity management procedure that ensures any deviations from defined ISMS requirements are promptly identified, logged, analyzed, corrected, and prevented from recurring.

Information Security Event Assessment Procedure established

Establish how security events are detected, classified (e.g. informational, warning, exception), logged, correlated, and assessed to decide whether to escalate them into formal incidents.

Log management used

Implement a centralized log management solution to collect, store, and analyze logs from various systems and applications. Centralized log management simplifies log review, correlation, and monitoring for potential security incidents.

Organizational Security

Acceptable use policy established

Establish and maintain an acceptable use policy that outlines permissible activities, systems, and data access for all users, contractors, and third parties interacting with the organization’s information assets and technologies.

Asset inventory maintained

Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data. This can include end-user devices, network devices, IoT devices, and servers.

Asset management policy established

Establish an asset management policy that outlines the guidelines for managing the organization’s assets throughout their lifecycle.

Change management policy established

Establish a change management policy that defines procedures for controlling and documenting changes to systems, applications, and infrastructure.

Changelog established and maintained

Establish and maintain a changelog to document all system changes, updates, and modifications.

Code of conduct established

Establish a code of conduct that outlines the expected behavior and ethical standards for all employees. A code of conduct helps promote a positive work environment and fosters a culture of integrity.

Onboarding process established

Establish an onboarding process for new employees to ensure that they are properly trained and equipped to perform their job responsibilities. Onboarding helps new employees integrate into the organization and become productive quickly.

Data-flow diagrams maintained

Create and maintain up-to-date data-flow diagram(s) that show all account data flows across systems and networks, updating them as needed when changes occur in the environment. Begin by creating a diagram that captures all systems and networks handling data in your environment. Map out data flows, including entry and exit points, processing steps, storage locations, and transmission paths. Note that a single diagram can be sufficient, depending on your context. Once your initial diagrams are complete, establish a maintenance process. Assign responsibility for updates, create a straightforward procedure for incorporating changes, and set a regular review schedule (e.g., quarterly). When updating the diagram, document the changes, including dates and approvers. Finally, make sure your team is trained in using and maintaining the diagram to maximize its effectiveness as a security tool.

External support resources available (e.g., documentation)

Provide external support resources, such as documentation, user guides, and knowledge bases, to assist users in utilizing the organization’s services effectively. Accessible support resources promote self-service and reduce support requests.

Password manager used

Deploy and maintain a company-wide password manager to securely store and share credentials across the organization. Ensure that all shared accounts and secrets are shared only through the password manager, and that access to shared accounts follows the principle of least privilege.

Offboarding process established

Establish an offboarding process for departing employees to ensure that they return all company assets and are removed from relevant systems and accounts.

Service description communicated

Communicate clear and detailed service descriptions to customers or users, outlining the scope, features, and limitations of the services provided. Service descriptions set appropriate expectations and promote transparency.

Performance evaluations conducted

Conduct regular performance evaluations for employees to assess their job performance, identify areas for improvement, and recognize exceptional contributions. Performance evaluations support talent development and performance management.

Social Media Usage Policy established

Establish a social media usage policy that provides guidance to employees and contractors on how to responsibly use social media in work-related contexts, including expectations for clarity of representation, content standards, and separation between personal and professional accounts.

Software development lifecycle established

Implement a well-defined and documented development lifecycle for software and applications. A structured development lifecycle supports secure coding practices, quality assurance, and timely software releases.

Risk Management

Legal, Regulatory & Contractual Requirements Procedure established

Establish a procedure that ensures all relevant legal, regulatory, and contractual obligations are systematically identified, assessed, documented, and integrated into the ISMS to maintain compliance and manage regulatory risk.

Risk assessments performed

Conduct regular risk assessments to identify and evaluate potential threats and vulnerabilities that could impact the organization’s assets. Risk assessments help prioritize security efforts and inform risk mitigation strategies.

Risk management policy established

Develop and implement a risk management policy that outlines the organization’s approach to identifying, assessing, and mitigating information security risks.

Vendor inventory maintained

Maintain an accurate and up-to-date inventory of all vendors that the organization engages with. The inventory should include details such as the services provided, contract details, and the scope of access they have.

Vendor management program established

Implement a vendor management program to assess, monitor, and manage the risks associated with third-party vendors. The program ensures that external partners meet security and compliance standards.

Vulnerability Management

Automated software patch management performed

Automate the process of deploying software patches and updates to systems and applications. Automated patch management helps ensure that critical security patches are applied promptly to address known vulnerabilities.

Penetration testing performed

Conduct regular penetration testing to identify potential vulnerabilities in the organization’s systems, applications, and infrastructure. Penetration testing simulates real-world attacks to evaluate the effectiveness of existing security measures.

Penetration testing findings remediated

Remediate vulnerabilities identified during penetration testing. Prompt remediation helps address security gaps and prevent potential exploitation.

Vulnerability management policy established

Establish a vulnerability management policy that outlines the procedures for identifying, assessing, and remediating vulnerabilities in the organization’s systems and applications.

Removable Media Management Procedure established

Define how removable media (e.g. USB sticks, CDs, storage cards) are requested, issued (with encryption and logging), returned, and securely disposed of to minimize the risk of data loss or leakage.