1. Access Control:
This covers the processes for granting and managing access to systems, networks, and data, such as users' authentication credentials and passwords, as well as physical access control measures like locks on doors and cabinets.
2. Awareness & Training:
Organizations must provide periodic training to its personnel to ensure they stay up-to-date with cybersecurity best practices and can identify potential threats or malicious software.
3. Configuration Management:
Organizations should establish documented configuration management procedures that specify how system hardware and software are installed, updated, maintained, managed, or monitored to protect their information assets from unauthorized changes or tampering.
4. Identification & Authentication:
Organizations need to implement a process to ensure that users are authenticated and identified securely. This includes processes for user registration, authentication via passwords or other methods (biometrics), and access privileges.
5. Incident Response:
Organizations should have an incident response plan in place that outlines the steps to take when a security incident occurs. It should include procedures for detecting and responding to incidents, as well as how to restore systems and data if needed.
Organizations need to establish processes to maintain their security controls and measures on an ongoing basis to protect their information assets from unauthorized use or attacks. This includes regular patching of software, updating of antivirus signatures, etc.
7. Media Protection:
Procedures must be in place to protect removable media, such as USB devices, and CDs/DVDs, from unauthorized access or misuse.
8. Physical Protection:
Measures must be taken to protect systems and data from physical threats, such as theft or vandalism. This includes measures like locks on doors and cabinets, restricted access areas for sensitive information assets, etc.
9. Risk Assessment:
Organizations should conduct periodic risk assessments to identify potential threats and vulnerabilities which could affect their information systems and data. This will help them determine the appropriate security controls and measures that need to be implemented to adequately protect their assets.
10. System & Services Acquisition:
When acquiring new IT systems or services organizations need to analyze the security risks associated with them and ensure they meet their security requirements.