Security measures


Information states

Security goals(CIA)








i a.

Access control mechanisms

Implement selective restriction of access to a place or information resources such as audit logs and systems logs.

ii b.

Configuration management

Ensure correct configuration implementation for the information systems and ICT devices.

iii c.

Disabling/blocking insecure services, protocols/ports.

Disable or block insecure services, protocols, ports.

iv 4

Encryption of information/data

Encrypt sensitive information/data.

v 5

Identification and authentication

Use a unique user account and password (something you know); security token such as smartcard (something you have); biometric (something your).

vi 6

Logging, monitoring of logs and alerting

Implement automatically logging, monitoring and alerting of security related activities regularly.

vii 7

Media sanitization

Clearing, purging & destruction of data remanence prior disposal.

viii 8

Network segmentation

Split network into subnets, VLANs; physical separation of LANs

ix 9

Patch management

Regularly patch the applications, operating systems, and ICT devices

x 10

Security awareness and training

Conduct security awareness and training for non-disclosure of sensitive information.

xi 11

Audit trail

Implement and monitor audit trail (audit log) for a given sensitive information system.

xii 12

Change management for ISs

Implement change management and those changes should be documented, communicated, authorized, tested, implemented, monitored and audited to ensure the integrity of information.

xiii 13

Checksum (or hash sum)

Implement checksum such as MD5/SHA3 to verify the integrity of data.

xiv 14

Digital signature

Implement digital signature to validate the authenticity and integrity of a message, software or digital document.

xv 15

Integrity monitoring tools

Implement integrity monitoring tools for alerting of any unauthorized modification.

xvi 16

Least privilege principle/Need to know principle

Implement procedures for reviewing users' access regularly, and only needed privileges should be applied and documented.

xvii 17

Rotation of duties principle

Practice job rotation to breaks up opportunities for collusion and fraudulent activities.

xviii 18

Segregation of duties principle

Duties should be sufficiently segregated in a given organization to ensure the detection of unintentional or unauthorized modification of information.

xix 19

Backup strategies

Implement backup strategies’ based on required point objective (RPO): loss acceptable; and required time objective (RTO): time required to restore ISs to operation after disaster or emergency.