S/N | Security measure | Description | Information states | | | | Security goals (CIA) | |
| | | Capturing | Processing | Storage | Transmission | Confidentiality | Integrity | Availability
1 | Access control mechanisms | Implement selective restriction of access to a place or to information resources such as audit logs and system logs. | √ | √ | √ | √ | √ | √ |
2 | Configuration management | Ensure correct configuration of the information systems and ICT devices. | √ | √ | √ | √ | √ | √ | √
3 | Disabling/blocking insecure services, protocols and ports | Disable or block insecure services, protocols and ports. | √ | √ | √ | √ | √ | |
4 | Encryption of information/data | Encrypt sensitive information/data. | √ | √ | √ | √ | √ | |
5 | Identification and authentication | Use a unique user account and password (something you know); a security token such as a smartcard (something you have); biometrics (something you are). | √ | √ | √ | √ | √ | |
6 | Logging, monitoring of logs and alerting | Implement automatic logging, monitoring and alerting of security-related activities on a regular basis. | √ | √ | √ | √ | √ | √ |
7 | Media sanitization | Clearing, purging and destruction of data remanence prior to disposal. | √ | √ | √ | √ | √ | |
8 | Network segmentation | Split the network into subnets and VLANs; physical separation of LANs. | √ | √ | √ | √ | √ | |
9 | Patch management | Regularly patch applications, operating systems and ICT devices. | √ | √ | √ | √ | √ | √ | √
10 | Security awareness and training | Conduct security awareness and training on non-disclosure of sensitive information. | √ | √ | √ | √ | √ | |
11 | Audit trail | Implement and monitor an audit trail (audit log) for a given sensitive information system. | √ | √ | √ | √ | √ | |
12 | Change management for ISs | Implement change management; changes should be documented, communicated, authorized, tested, implemented, monitored and audited to ensure the integrity of information. | √ | √ | √ | √ | √ | √ |
13 | Checksum (or hash sum) | Implement a checksum such as MD5/SHA3 to verify the integrity of data. | √ | √ | √ | √ | √ | |
14 | Digital signature | Implement digital signatures to validate the authenticity and integrity of a message, software or digital document. | √ | √ | √ | √ | √ | |
15 | Integrity monitoring tools | Implement integrity monitoring tools that alert on any unauthorized modification. | √ | √ | √ | √ | √ | |
16 | Least privilege principle/need-to-know principle | Implement procedures for reviewing users' access regularly; only the privileges that are needed should be granted and documented. | √ | √ | √ | √ | √ | |
17 | Rotation of duties principle | Practice job rotation to break up opportunities for collusion and fraudulent activities. | √ | √ | √ | √ | √ | |
18 | Segregation of duties principle | Duties should be sufficiently segregated within an organization to ensure the detection of unintentional or unauthorized modification of information. | √ | √ | √ | √ | √ | |
19 | Backup strategies | Implement backup strategies based on the required point objective (RPO): the loss that is acceptable; and the required time objective (RTO): the time required to restore ISs to operation after a disaster or emergency. | √ | √ | √ | √ | √ | |