The Global Institute of Standards and Technology (GISAT) program consists of nine domains and requires less time, effort and expense to implement. Considering the current gap in cyber security understanding, this unique program is specifically designed to focus on information security. It will help secure your organization against cyber security risks and will help set process guidelines in accordance with the established regulations and specifications relevant to the organization type. It is designed to fit any size or type of organization. The main objective of this innovative program is to ensure that organizations acknowledge and enhance their management of cybersecurity threats. The program is also designed to assist its interpreters in reducing cybersecurity risks.
Organizational Strategic Control (OSC)
The objective is to set administrative controls (or work practice controls) and cover changes in work procedures such as written safety policies, rules, supervision, schedules, and training with the goal of reducing the duration, frequency, and severity of exposure to hazardous chemicals or situations.
The objective of this control is to ensure that the organization's leadership has clearly defined, implemented and monitored the high-level objectives of the organization. Leadership not only has to communicate these goals and objectives but also has to confirm that the agreed goals are met. Management has to draft and review an improvement plan in case the organization misses the target.
The organization should have an information security program that covers the technical, administrative and physical security of the organizational data. The information security program should include the roles and responsibilities of all the stakeholders accessing the information. It shall include the regulation and compliance requirements from the local government.
Leadership also ensures that an effective risk management process is implemented that helps evaluate the risk posed by each threat to the organization's information security.
The organization shall provide on-going training support for employees, and management is responsible for encouraging employees to complete the training on a regular basis.
The objective of this control is to ensure that the organization classifies its information and assets into different categories based on their criticality, sensitivity and value to the organization. Management shall evaluate the impact on the organization if the information is compromised by a security incident or breach and label the information accordingly. Management may also define data owners to assign accountability for the data.
Analysis and Risk Management (ARM)
The objective is to identify and reduce potential risk factors in a company's operations, such as technical and non-technical aspects of the business, financial policies and other issues that may affect the well-being of the organization.
The organization should implement an internal audit program. The internal audit program should cover the nature of the audit, the scope of the audit, the responsibility level of the auditor, independent review of outsourced activities, and an IT audit plan defining the auditable IT areas for the upcoming year. The internal audit process should include an independent review of the identified risks. When evaluating an organization's privacy framework, internal auditors should consider the laws and regulations of all jurisdictions where business is conducted.
The organization should audit the in-scope systems, processes and procedures. The auditor should collect objective evidence by different means such as interviews, sampling and testing. The auditor shall evaluate compliance with each control.
The auditor shall generate an audit report that includes the audit team members, auditees, an overview of the in-scope systems, the in-scope records used to obtain objective evidence against each control, deficiencies and non-conformities, and a review of non-compliance findings from the last audit. The audit report should be reported to the organization's management. Auditors should include recommendations in the audit report for management to enhance the organization's security.
The audit report must be reliable and understandable. The organization/external auditor must submit the audit report and related audit evidence to the compliance authority. The compliance authority employees will review the audit reports and provide their recommendations to the certification committee. The certification committee will take the certification decision.
The objective of this control is to ensure that the organization has a rigorous risk management procedure that effectively identifies security threats to information, assesses the risk involved and determines the controls to remove or reduce them.
The organization shall perform the risk assessment periodically for the targeted environment. The organization shall closely monitor emerging cyber-attacks and vulnerabilities reported in the market and perform a risk assessment when needed. The risk assessment shall include risk scoring based on the probability and the potential impact of each risk. The organization must conduct security risk assessments on gateways and their configuration before they are implemented.
The organization shall record all identified risks, risk score calculations and risk controls in a centralized document, the risk register. The organization shall assign responsibility for updating and reviewing the risk register regularly.
The results of the risk assessments shall be signed off by the relevant risk owner and shall include approval from a senior individual with authority. The risk assessment shall include, but is not limited to, the risks, risk score calculations, risk treatment plan, risk controls and residual risk. Management is responsible for ensuring the adequacy of the risk control actions and takes responsibility for accepting the business consequences that may occur due to the risk.
Human Management Service (HMS)
The objective of human resource management is to help an organization meet its strategic goals by attracting, developing, and retaining employees and also by managing them effectively.
The organization shall have well-defined roles and responsibilities for each position. The organization should provide guidance to users on their security responsibilities and the consequences of not complying with the requirements. The operational roles and responsibilities shall be reviewed frequently. The organization shall have defined roles and responsibilities for contractors as well.
The organization shall have clearly defined roles and responsibilities for the key information technology roles such as information security officer, system administrators, network administrators and standard users. The security office shall update the responsibilities according to the job duties assigned to the individual.
The organization shall have a well-defined onboarding procedure for new hires. The procedure may include, but is not limited to, signing non-disclosure agreements, the acceptable use policy and corporate ethics; orientation on roles and responsibilities; and security training.
The objective of this control is to ensure that the organization performs employment and security checks before hiring anyone, to minimize the risks from internal sources. The background check shall be performed for all roles (including but not limited to remote employees, contractors and third parties). Failure of personnel screening shall lead to disqualification of applicants and employees.
The organization shall establish a security awareness program for all staff. The program may include, but is not limited to, the frequency of training, email usage, internet usage and malware protection, and awareness of common attack techniques targeted at personnel and facilities. The responsible person shall keep a record of security training attendance.
The organization shall develop a procedure for the actions required when an employee changes role or leaves the organization. Information security responsibilities and duties that remain valid after termination or change of employment shall be defined, communicated to the employee or contractor and enforced. This procedure may include, but is not limited to, procedures for the exit interview; procedures for notifying security management of all terminations and for promptly revoking user IDs and passwords; and procedures for returning keys, property, passes and identification cards.
Operational Manage and Monitor (OMM)
Manage and monitor controls focus on day-to-day operations and on compliance with standards, regulations and organizational policies.
The organization must properly define the boundaries of its systems and how they interface with other systems. A thorough review of boundaries avoids unnecessary work and improves the quality of the risk analysis. If boundaries are not properly identified and categorized, there is a risk that further control actions will be required. The agreed system boundaries shall be communicated within the organization so that appropriate security controls can be implemented to safeguard the information processed through the system.
The organization shall develop and maintain an up-to-date inventory of hardware and software assets that shall at a minimum include network equipment, software, hardware and storage media. The organization shall define the responsibility for conducting physical asset inventory checks regularly to ensure that all assets are recorded. The organization shall develop a procedure for asset management. The asset register should specify important information about each asset, including the versions of hardware and software in use.
The organization employs automated mechanisms to detect the presence of unauthorized hardware, software and firmware components within the information system. The automated scan is preferably real-time; if that is not possible, it runs at a defined interval approved by management. The organization shall conduct periodic security penetration testing to assess the effectiveness of the implemented cyber and internal ICT security measures and processes.
The organization shall perform vulnerability scanning at a regular interval. The vulnerability assessment report shall also be safeguarded, because it contains sensitive information about the organization's systems. The responsible person should be notified of the identified vulnerabilities. The scanning frequency shall be set based on the organization's operations and the changes performed within the defined system boundaries.
The responsible individual shall review the scan results and perform prompt remediation. All identified vulnerabilities, the risk and impact assessment for each, and the corrective actions taken shall be documented. The organization shall define a process to protect information and systems when no patch is available for an identified vulnerability.
The organization shall first identify the critical IT assets that support its business functions, and then monitor the usage and capacity of those assets. This can be achieved by identifying the capacity and usage of all resources and implementing measures to avoid degradation and failure of computer system throughput. The organization shall ensure that its systems have enough capacity to support the business even during a cyber security attack.
The organization shall establish a process and procedure for its logging requirements. The process shall include, but is not limited to, the collection, review and retention of logs for the assets. The responsible individual shall ensure that all users (including privileged user IDs) have only read-only access to the logging infrastructure. Management should define the organization-wide log retention period. The logs shall be reviewed annually (at a minimum) to identify any abnormal behavior.
The organization must implement and maintain an intrusion detection and prevention system. The intrusion detection system must monitor, at a minimum, all servers, workstations, network devices, firewalls, virtualization layers and VoIP devices. Intrusion prevention systems have prevention capabilities that should be fully used during an incident to limit any further impact on the organization.
Business Management and Continuity (BMC)
The objective of business continuity management is to ensure the uninterrupted availability of all key business resources required to support essential (or critical) business activities.
If you are a shared hosting provider, your organization must protect the hosted environment and the data processed within that environment. The organization shall enforce network segregation, and access shall be restricted to the tenant or to the employees assigned to that tenant.
The organization shall have a mutually signed service agreement that defines the data security measures, the responsibilities of each side, service levels, the business continuity of the cloud provider, confidentiality agreements etc. Service agreements with cloud providers shall be reviewed annually and records of the reviews shall be maintained. The organization shall review the cloud service provider's de-provisioning service costs before signing the service agreement.
An information security policy shall be established and approved by the senior management of the organization. The information security policy states the organizational security objectives and the strategic parameters for achieving these objectives. The information security policy addresses information security for all personnel and shall be readily available for review by all impacted personnel and external business relationships. The security policy shall be reviewed at a minimum annually or whenever there are changes in the organization's security requirements.
The organization shall establish, implement and maintain IT operational procedures, including but not limited to incident management and response, change management and problem management. Management is responsible for ensuring that the IT team is trained on the steps defined in the relevant procedure. The organization shall have an incident management and response procedure documented and available at all times for employees to follow when a security incident occurs.
The change management procedure ensures that no unauthorized changes are performed in the environment.
The organization shall establish, implement and maintain an asset management program for proper handling of IT assets. The purpose of the IT asset management practice is to plan and manage the full lifecycle of all IT assets, to help the organization. The asset management program shall cover the protection of the asset register, the accuracy of the assets detailed in the asset register, and the security requirements at each stage of the asset life cycle. The asset management program shall be reviewed annually.
The organization shall develop a patch management process that addresses technical system and software vulnerabilities quickly and effectively in order to reduce the likelihood of a serious business impact. The patch management process shall describe, but is not limited to, assessment of the business impact of the patches to be implemented, the method of patch deployment, testing requirements for patches, patch prioritization and the patch approval process. The patch management process shall be reviewed at regular intervals.
The organization shall define an acceptable use policy that describes the rules for the use of company-provided assets (including internet, email, laptops, printers etc.). The policy should define the acceptable uses of information technology assets and who is authorized to use them. The policy shall be communicated to and signed by each individual every year. The acceptable usage of information assets defines the information security responsibilities of end-users, including staff, third parties, related parties and customers.
The organization shall have a well-defined business continuity management process to maximize its ability to provide services on a regular basis without impact to end customers. The organization shall test the business continuity plan annually and record the test results. The organization shall review and update the policies and procedures at least annually. The business continuity plan shall clearly define the roles and responsibilities of each employee, contractor and third-party service provider.
Environment hardening control (EHC)
The objective of system and environment hardening is to reduce security risk by eliminating potential attack vectors and condensing the system's attack surface via access controls, change management, configuration management, password parameters.
The organization should implement configuration management controls to define, register, assess and maintain the configuration and ensure that vulnerabilities are minimized. The objective of the configuration management process is to maintain the key information about the configuration of the hardware and software in the environment. The system configuration standards must be reviewed frequently to ensure they are up to date. The organization shall maintain the configuration management database with an appropriate level of security and integrity.
The objective of this control is to ensure that the organization has well-defined, industry-accepted system hardening standards and that all new devices are configured according to them. The organization shall establish and maintain initial installation procedures for hardening the system to prevent or reduce potential vulnerabilities. The system hardening standards may include, but are not limited to, disabling unnecessary services such as web, mail and FTP, changing default administration passwords, removing unnecessary scripts, drivers, features and sub-systems, and disabling unused ports. The system hardening standards shall be reviewed and refreshed at a minimum annually.
The organization must establish, implement and maintain a password policy for the secure management of passwords. The password policy shall document the complexity requirements for passwords to safeguard against common password attacks. The password policy must include, but is not limited to: a unique password for each user rather than group accounts (where possible); password masking; a minimum password length of 14 characters including at least one upper-case letter, one lower-case letter, one number and one special character; and more secure, more frequently changed passwords for privileged users. The password policy shall be reviewed at regular intervals.
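As an added example (not part of the GISAT text), the following Python check enforces the complexity rules stated above and the stricter treatment of privileged accounts. The privileged minimum length, the maximum password ages and the common-password list are assumed placeholder values, since the standard only says privileged passwords must be stronger and changed more frequently.

```python
import string

# Stated in the GISAT password policy text.
MIN_LENGTH = 14

# Assumed placeholder values: the standard says privileged passwords must be
# more complex and changed more frequently but gives no numbers.
MIN_LENGTH_PRIVILEGED = 20
MAX_AGE_DAYS = {"standard": 365, "privileged": 90}

# Constructed sample; a real deployment would load a full breached-password list.
COMMON_PASSWORDS = {"password123456", "welcome12345678", "qwertyuiop12345"}


def check_password_policy(password: str, username: str = "", privileged: bool = False) -> list[str]:
    """Return the list of policy rules the password violates (empty means compliant)."""
    min_len = MIN_LENGTH_PRIVILEGED if privileged else MIN_LENGTH
    violations = []
    if len(password) < min_len:
        violations.append(f"shorter than {min_len} characters")
    if not any(c.isupper() for c in password):
        violations.append("no upper-case letter")
    if not any(c.islower() for c in password):
        violations.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        violations.append("no number")
    if not any(c in string.punctuation for c in password):
        violations.append("no special character")
    # "Safeguard against common password attacks": reject known-common choices
    # and passwords that embed the account name.
    if password.lower() in COMMON_PASSWORDS:
        violations.append("listed as a common password")
    if username and username.lower() in password.lower():
        violations.append("contains the user name")
    return violations


def password_expired(age_days: int, privileged: bool = False) -> bool:
    """True when the password is older than the maximum age for its account class."""
    max_age = MAX_AGE_DAYS["privileged" if privileged else "standard"]
    return age_days > max_age


if __name__ == "__main__":
    samples = [("Tr0ub4dor&3xample!!", "alice", False),
               ("Tr0ub4dor&3xample!!", "alice", True),
               ("alice-secret-2024", "alice", False)]
    for pw, user, priv in samples:
        result = check_password_policy(pw, user, priv)
        kind = "privileged" if priv else "standard"
        print(f"{kind} account {user}: {'compliant' if not result else ', '.join(result)}")
```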
The organization shall establish, implement and maintain a network configuration standard to improve security. There shall be a documented procedure to configure the network devices (e.g., routers, hubs, bridges, concentrators, switches and firewalls) that covers, but is not limited to, vulnerability and patch management, routing tables and network device settings, and changes to the network configuration.
The organization shall establish, implement and maintain an access control policy to prevent unauthorized access to the systems. The access control policy shall define the access procedure and requirements for system access by vendors, contractors and other outsourced personnel. The access control policy shall cover access control for all devices, computers, services, network devices, portable media devices, software, third-party applications etc. Access to any system shall be restricted and only granted upon a request approved by the manager. The access control policy shall also include the access termination requirements and process.
The organization shall configure an individual user account for each user. The organization shall avoid provisioning group user accounts. Administrative privileges shall be restricted to certain administrators only (e.g. network admin, datacenter admin). The passwords of privileged accounts shall be more complex and should be changed frequently.
The organization may use automated auditing and logging tools for log management and log review. If an automated mechanism is not available, the organization shall manually review the logs on a periodic basis.
The organization shall implement internationally accepted encryption algorithms to protect customer confidentiality within the environment and over the network (internal or external). The organization must implement cryptographic tools to protect the confidentiality and integrity of critical and sensitive data and software programs. The organization shall implement a strong policy to first identify sensitive data and then apply encryption to it.
The organization shall ensure that security and protection software is kept current and is configured to scan files and web pages automatically. The software shall be able to generate audit logs that can be used for forensic purposes.
The organization shall establish, implement and maintain a physical security policy that includes, at a minimum, descriptions of security gates, employee responsibilities, security equipment lists, and processes to deal with failures, natural hazards and misconduct. Physical access shall be restricted by default and only granted after proper approval. The objective of these controls is to safeguard the organization's personnel, third-party employees and systems against damage, theft and sabotage, and to reduce exposure to denial of service and unauthorized data modification. The organization shall consider implementing security mechanisms such as cameras and security guards for 24x7 monitoring of the physical premises.
Secure Systems Development (SSD)
The objective of the Secure Application and Systems development is to describe the requirements for developing and/or implementing software and systems and to ensure that all development work is compliant as it relates to any and all regulatory, statutory, and/or contractual guidelines.
The objective of this control is to ensure that the organization has security embedded at all levels of the system development life cycle to minimize system vulnerabilities. The organization shall ensure that the applications used by employees are developed using secure development practices and meet the predefined level of security. The security office shall define the security control requirements for all systems deployed within the environment. The security office shall identify security bugs in operational systems and implement proper fixes. The security measures that must be followed at system end-of-life shall be defined.
The organization shall prepare a coding manual for secure coding and better error handling. The coding manual shall include standards on, but not limited to, secure code development, secure code review, secure code testing, identity management, encryption, developer training, vulnerability management and the security of third-party code. The organization may use security testing tools to perform code review.
Privacy Protection Control (PPC)
The objective of privacy protection is to describe the requirements for securing the internal network, maintaining the integrity of transactions, ensuring the availability and reliability of network devices for safe and secure connections, and maintaining compliance with legal and regulatory privacy requirements.
The organization shall establish, implement and maintain a fault-tolerant architecture with segregation of duties for staff. The organization shall limit zone transfers to trusted servers and register domain names associated with the organization to the organization and not to an individual. The organization shall ensure that the domain name server can defend against cache poisoning and DoS attacks. The deployed structure should ensure that query logging is enabled.
The objective of this control is to establish, implement and maintain a remote access and teleworking program. The organization should ensure that remote access controls are in place through network access control and that multi-factor techniques are implemented. The organization should ensure that security functions are implemented in a layered structure, minimizing interactions between layers of the design and avoiding any dependence by lower layers on the functionality. Procedures shall be implemented to reduce the risk of theft, fraud, error and unauthorized changes to information through measures such as supervision of activities and segregation of duties.
The objective of this control is that the organization shall have a two-factor authentication process for remote access. The organization shall ensure that multi-factor authentication is required, at a minimum, for privileged access, remote access and other high-risk activities. The organization shall require additional authentication information or credentials when the system is accessed from outside its network boundaries.
The organization shall establish, implement and maintain controls for restricting downloads and protecting systems against replay and malicious code attacks. The organization shall have a malicious code outbreak recovery plan along with a logging mechanism to protect against and react to malicious code activity. The organization should ensure that endpoint protection, including but not limited to behaviour-based and signature-based solutions, is implemented to protect against malware infection and to address the common delivery channels of malware, such as malicious links, websites, email attachments and infected removable storage. The organization must develop, maintain and implement tools and procedures that incorporate countermeasures against malicious code for detecting potential cyber security incidents. The organization must block all suspicious data, malicious content and active content from entering the security domain of classified systems.
The organization shall develop a control to notify affected parties prior to initiating high-risk funds transfer transactions. The organization should establish, implement and maintain a mobile payment acceptance security program. All commerce transactions and messages should be encrypted. GISAT highly recommends that organizations assess themselves against the PCI DSS requirements.
The organization should ensure that resource isolation mechanisms are in place. The organization shall ensure that a cloud service customer's virtual environment running on a cloud service is protected from other cloud service customers and unauthorized persons, including isolating the host from the virtual machine so that users cannot access host files, firmware, etc.
The organization's website represents the brand of the organization and provides the most information about the organization in the digital world. The organization shall implement extra security controls to safeguard the information available on the website by following the Level 1 guidelines of the Open Web Application Security Project (OWASP) Application Security Verification Standard (ASVS).
The organization shall establish, implement and maintain a procedure for the secure handling of portable media within the environment. Staff shall only use organization-assigned portable media. The procedure may include, but is not limited to, information on portable media ownership, the sanitization process before assigning media to a user, records, and the physical security of portable media. The procedure shall be reviewed annually.
Vendor Management Services (VMS)
The objective of vendor management is to set forth the requirements that should be followed to maintain the security of the organization's information systems and data when the organization enters into any arrangement with a third-party supplier or vendor, as well as to identify the elements of managing vendors: due diligence, risk assessments and contract management.
The objective of this control is to ensure that a register of information for all the vendors is maintained. The register may contain the vendor information, description of the services provided by the vendor, contract duration, service levels, service level reporting etc.
The organization shall perform appropriate due diligence. A third-party security review checklist should be developed to review the security risks that arise with the proposed outsourcing. The organization shall evaluate the vendor on different factors such as financial stability, reputation, technical skills, governance and compliance, intrusion risks, confidential information handling and business continuity. The risks and potential impact shall be resolved or minimized before engaging or awarding a contract to the vendor.
The organization shall develop a formal agreement and a non-disclosure agreement to be used as the formal contract for outsourcing any service to a vendor. A formal contract not only helps improve vendor management but also ensures the reporting of KPIs for the contracted services. This ensures that the vendor will maintain the confidentiality of customer data.
The organization shall establish, implement and maintain service level agreements with the vendor for service availability, service performance, service capability and level of support. The organization shall develop a procedure to monitor the SLAs for the services, and responsibility shall be assigned to one of the IT functions. The responsible IT function shall ensure that proper corrective actions are implemented by the vendors if the SLAs do not meet the agreed targets.
The business continuity of the third-party vendor is an important aspect of the organization's due diligence, as the organization's business continuity also depends on the vendor's business continuity capabilities. The organization shall enquire about the vendor's capability to recover the outsourced services without impacting operations before awarding the contract to the vendor.
The organization shall establish a procedure to monitor the vendor's service delivery and ensure that it meets the business requirements. If a vendor fails to deliver the services as per the agreement, the organization shall have the authority to exit the contract without any charge to the organization.
The organization shall develop a code of conduct that defines the rules of conduct expected from the employees. The adverse impact of not behaving as per the code of conduct shall be documented and communicated. A new hire shall read and sign the code of conduct. A record of the signed copy shall be maintained.