Governance Policies & Procedures
Risk Management
-
Risk Register: The IT risk register is updated and reviewed periodically (e.g. monthly).
-
IS Risk Assessments: Risk assessments are conducted annually in the form of a white hat ethical hack and penetration tests performed by independent parties. Remedial actions are completed according to agreed timelines.
Access Control
-
Authorisation (Applications): Critical systems are governed by access controls and managed according to best practice (e.g. CIS controls). Access to systems must be authorised by line managers.
-
Recertification (Privileged Access): The user access review process is automated and authorisation is reviewed monthly.
-
Authentication: rules of critical systems are integrated with Active Directory which comply to the password standard.
-
Password Policy: The information password standard is reviewed annually as part of the continuous improvement process. The password policy in accordance with CIS controls.
-
Anomaly Monitoring: Used cases are used to configure rules in the SIEM system to detect anomalies on suspicious user account activities.
-
Authorisation (Physical Access): A list of users have access to the data centre and are approved by management.
-
Recertification (Physical Access): Physical access to the data centre is monitored and reviewed periodically.
-
Unauthorised Activity (Physical Access): Security camaras are monitored in the security room. Access is also controlled at all Media24 buildings.
-
Remote Access: External access to the network requires VPN capability and two factor authentication is currently being implemented.
-
Third Party Access: All third party providers that require access to systems have temporary user ID's and passwords. Access is granted with a distinct begin and end date.
-
Network Zoning: Zoning and segregation between internal and public facing systems are in place and documented in the relevant network diagrams.
Data Security
-
Third Party Hosting: The network and infrastructure third party service providers are subjected to annual independent audits to ensure preventative controls are in place to protect all information.
-
Secure File Transfer: Data in transit on email is protected by means of TLS. Where files are shared with external companies it is stored on the FTPS sever and deleted within set time frames. M24 files shared in MS O365 with external users are set to expire within a certain period.
-
Segregation of Environments: Separate environments for development, testing and production are in place for Media24 critical systems.
-
Source Code changes: Developers do have access to a deployment tool to deploy their code to production after peer review, quality checks and product sign-off have been given. There is a notification system to notify all relevant parties that a deployment is taking place. Developers do not have access any production or QA environments directly. Bi-annual audits are carried out in which evidence of access and documentation of the deployment process is reviewed.
-
Change Management: All changes to infrastructure and critical applications are logged and approved in the incident management system. These changes must be approved by the relevant managers/stakeholders before changes are implemented.
Information Protection Processes and Procedures
-
Minimum Security Configuration Baseline: Baseline standards for Windows and Linux systems are reviewed annually and adjusted to best practice as part of the continuous improvement process.
-
Backup Scheduling: Backups are performed in accordance with the backup requirements for systems. Backup material is stored at a remote location.
-
Backup Integrity: Backups are randomly tested to ensure the integrity of data.
-
Employee Background checks: Background checks are conducted on all new hires. An internal audit process provides assurance that these checks are carried out.
-
Confidentiality Agreements: All our contracts of employment include confidentiality clauses, as do our agreements with contractors.
-
Vulnerability Management: Vulnerability scans are performed monthly on the server estate. Any vulnerabilities identified are remediated.
-
Penetration Testing: Penetration tests are performed annually on critical systems, including all public facing systems. Remedial actions are recorded in an action tracker and completed according to agreed due dates.
Protective Technology
-
Patch Management: Patch management is applied on all systems and workstations.
-
Anti-Malware Protection: Anti-Malware protection is automatically deployed to all servers and workstations. Reports are available to indicate patch levels and devices that were not updated in the planned update cycle.
Anomalies and Events
-
Capacity Monitoring: Reports and monitoring are in place on all servers.
-
DDoS and IPS Protection: Intrusion protection devices are deployed at the network parameter and event logs ingested into the SIEM system.
-
Logging: Logs of perimeter systems are ingested by the SIEM in real-time with SLA's in place.
-
Threat Intelligence: Threat analysis feeds are included in the SIEM delivery and updated automatically.
-
SIEM Use Cases: Used cases are operational and events monitored. Used cases are implemented according to best practice and reviewed periodically.
-
Malware event monitoring: Endpoint logs are digested into the SIEM.
-
Security Incident Response Process: When a CIRT is established due to a cyber incident the evidence that the process was followed is recorded in the prescribed documentation. The cyber incident response process is defined and reviewed periodically.
-
Security Incident Response Plan: The cyber incident response process is defined and reviewed periodically as part of the continuous improvement process.
-
Incident Response Playbooks: Simulated cyber playbacks are performed periodically and recorded in the applicable documents. The process is reviewed to ensure the response process is optimised.
-
Root Cause Analysis: Root cause documentation is provided after each incident.
Recovery Planning
-
Business Impact Assessment: Business impact thresh holds (e.g. RTO, RPO's) are recorded in the BCP plans of each business unit.
-
Disaster Recovery: DR plans of all critical systems are reviewed and tested annually.
Sign-off from business is required to ensure testing was successfully completed.
Updated about 4 years ago