
Featured

Inadequate Password Complexity Policies

Some online services have lenient password complexity policies that let users create weak passwords easily. This poses a security risk:

Reduced security: weak password complexity policies make it easier for attackers to guess passwords or run dictionary attacks against them.

False sense of security: users may believe their accounts are more secure than they actually are when they are allowed to create weak passwords.

To address this, organizations should enforce strong password complexity policies that require passwords to combine upper- and lower-case letters, numbers and special characters. They can also encourage the use of multi-factor authentication (MFA) for an added layer of security.

Lack of User Education

Many users are unaware of password security best practices, which leads to poor password choices:

Weak password creation: users may not understand the importance of strong passwords or how to create them.

Limited awareness of risks: ...

List of security controls

Structure of security areas

Information security cannot be addressed from a purely technical approach; various aspects must be considered in at least the following 14 areas (the control domains of Annex A of ISO/IEC 27001:2013):

1. Annex A5. Security policy:

5.1 Information security policy: Provide management direction and support for information security in line with business requirements and relevant laws and regulations.

2. Annex A6. Organizational aspects:

6.1 Internal organization: Establish a management framework to initiate and control the implementation and operation of information security within the organization.

6.2 Mobile devices and teleworking: Ensure the security of teleworking and of the use of mobile devices.

3. Annex A7. HR-related security:

7.1 Prior to employment: Ensure that employees, contractors and third-party users understand their responsibilities and are suitable for the roles they perform, in order to reduce the risk of theft, fraud and misuse of facilities and media.

7.2 During employment: Ensure that employees, contractors and third parties are aware of security threats and of their responsibilities and obligations, and that they are equipped to comply with the organization's security policy in their daily work, in order to reduce the risk of human error.

7.3 Termination or change of employment: Protect the organization's interests when employees, contractors and third parties leave the organization or change roles.

4. Annex A8. Asset management:

8.1 Responsibility for assets: Identify the organization's assets and define appropriate protection responsibilities for them.

8.2 Information classification: Ensure that information receives a level of protection appropriate to its importance to the organization.

8.3 Media handling: Prevent unauthorized disclosure, modification, removal or destruction of information stored on media, and interruptions to the organization's activities.

5. Annex A9. Access control:

9.1 Business requirements of access control: Limit access to information and to information processing facilities.

9.2 User access management: Ensure that authorized users can access information systems and prevent unauthorized access to them.

9.3 User responsibilities: Prevent access by unauthorized users and the compromise or theft of information and information processing resources.

9.4 System and application access control: Prevent unauthorized access to systems and applications.

6. Annex A10. Cryptography:

10.1 Cryptographic controls: Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.

7. Annex A11. Physical and environmental security:

11.1 Secure areas: Prevent unauthorized physical access to, damage to and interference with the organization's premises and information.

11.2 Equipment security: Prevent the loss, damage, theft or compromise of assets and interruption to the organization's activities.
