
Information Security


Minimum Security Baseline

User Management, Authentication and Passwords

  • Only authenticated users have access to your application, and each user has a unique ID
  • User authentication is integrated with Azure Active Directory (SSO)
  • If your application is Internet-facing, it enforces Multi-Factor Authentication (MFA, e.g. through Azure AD integration)
  • For any passwords used, the solution enforces:
    • passwords of at least 12 characters, including lower- and upper-case letters, digits and special characters
    • login throttling when wrong credentials are provided (e.g. locking the account, or slowing down subsequent logon attempts, after 5 unsuccessful logins)
  • You have a plan to review user accounts at least bi-annually, and you disable or delete unused accounts
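The password and throttling rules above, as an added example in Python (this is illustrative code written for this page, not part of the baseline or of any UCL system). It enforces the stated 12-character/four-class rule, locks an account after 5 consecutive failures with a doubling back-off, and records every attempt as an audit event of the kind the Protective Monitoring section asks for. The back-off length (30 s, capped at 15 min), the source-IP field and the sample credentials are assumptions for the example; the page only specifies "5 unsuccessful logins".

```python
import re
from dataclasses import dataclass, field

# Figures stated by the baseline: 12-character minimum, throttle after 5 failures.
MIN_LENGTH = 12
MAX_FAILURES = 5
# Back-off parameters are assumptions for this example, not values from the baseline.
BASE_DELAY = 30.0        # seconds of lock-out after the 5th consecutive failure
MAX_DELAY = 15 * 60.0    # cap on the doubling back-off


def password_policy_errors(pw: str) -> list:
    """Return the baseline rules the password breaks; an empty list means compliant."""
    errors = []
    if len(pw) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", pw):
        errors.append("no lower-case letter")
    if not re.search(r"[A-Z]", pw):
        errors.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        errors.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        errors.append("no special character")
    return errors


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


@dataclass
class LoginThrottler:
    """Per-account throttling: after MAX_FAILURES consecutive failures the account
    is locked for BASE_DELAY seconds, doubling on each further failure.
    Every attempt is appended to an in-memory audit list (stand-in for a real log)."""
    accounts: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _record(self, now, user, src_ip, event):
        self.audit.append({"ts": now, "user": user, "src_ip": src_ip, "event": event})

    def attempt(self, user: str, credentials_ok: bool, now: float,
                src_ip: str = "0.0.0.0") -> str:
        """Process one logon attempt; returns 'ok', 'denied' or 'throttled'.
        `now` is injected so lock-out timing can be exercised without sleeping."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            # Reject without checking credentials: a locked account must not
            # leak whether the supplied password was right.
            self._record(now, user, src_ip, "LOGON_REJECTED_THROTTLED")
            return "throttled"
        if credentials_ok:
            st.failures = 0
            st.locked_until = 0.0
            self._record(now, user, src_ip, "LOGON_SUCCESS")
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            delay = min(BASE_DELAY * 2 ** (st.failures - MAX_FAILURES), MAX_DELAY)
            st.locked_until = now + delay
        self._record(now, user, src_ip, "LOGON_FAILURE")
        return "denied"


if __name__ == "__main__":
    print(password_policy_errors("password"))          # constructed weak password
    t = LoginThrottler()
    for i in range(6):                                  # 5 failures, then a throttled 6th
        print(t.attempt("alice", False, now=1000.0 + i, src_ip="198.51.100.7"))
    print(t.audit[-1])
```

Note that a throttled attempt is rejected before the password is checked, so the lock-out cannot be used as a password oracle, and that the counter is per account rather than per source address, which is what the baseline's "blocks accounts" wording implies.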

Default Accounts and Credentials

  • You have changed the default passwords of all accounts (user, service and administrator/privileged accounts)
  • You have reviewed and disabled any unnecessary accounts

Hardening your Solution

You have hardened your service in line with the supplier's guidance and made sure that the following are true:

  • Software minimisation: Only services and software required for the solution to work are installed
  • Supported software: All solution components are supported, appropriately licenced and not end-of-life for the lifetime of the solution

Vulnerability Management and Patching

  • All solution components are patched
  • Your solution is registered with, and scanned by, the ISG vulnerability scanning solution (Rapid7 InsightVM)
  • You have verified that you can access the Rapid7 reports
  • You review the monthly Rapid7 reports and supplier publications for new updates to all solution components
  • You have a schedule for applying identified updates each month

Communications

  • Your solution uses only encrypted communications, based on TLS 1.2 as a minimum, and supports strong ciphers only
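A way to build and verify such a configuration, as an added Python example (not code from the baseline page or from any UCL service). `make_server_context` produces a server-side TLS context that refuses anything below TLS 1.2 and offers only forward-secret AEAD suites; `context_violations` checks an arbitrary context against the same two rules, and `weak_cipher_names` applies the cipher check to a plain list of suite names such as a scanner would report. The cipher string, the weak-suite markers and the sample scanner output are assumptions for this example; the baseline itself only says "TLS 1.2" and "strong ciphers".

```python
import ssl

# Cipher policy for the baseline. The specific selection (forward-secret AEAD
# suites only) is an assumption of this example, not wording from the page.
STRONG_CIPHER_STRING = "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4"

# Substrings (OpenSSL suite naming) that identify suites no baseline should accept:
# RC4, single/triple DES, MD5 MACs, NULL encryption/auth, export grades, anonymous DH.
WEAK_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXP", "ADH", "AECDH")


def weak_cipher_names(names):
    """Return the suite names that match a weak marker (empty list == none found)."""
    return [n for n in names if any(m in n.upper() for m in WEAK_MARKERS)]


def make_server_context() -> ssl.SSLContext:
    """Server context meeting the baseline: TLS 1.2 minimum, strong ciphers only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.set_ciphers(STRONG_CIPHER_STRING)          # TLS 1.2 suites; TLS 1.3 suites stay enabled
    # In a real deployment also: ctx.load_cert_chain("server.pem", "server.key")
    return ctx


def context_violations(ctx: ssl.SSLContext) -> list:
    """Check an existing context against the baseline; empty list means compliant."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(f"minimum protocol version {ctx.minimum_version!r} is below TLS 1.2")
    weak = weak_cipher_names(c["name"] for c in ctx.get_ciphers())
    if weak:
        problems.append("weak cipher suites enabled: " + ", ".join(weak))
    return problems


# Constructed sample of what a scanner might report for an unhardened endpoint.
SAMPLE_SCAN_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "RC4-SHA",
]

if __name__ == "__main__":
    print("hardened context violations:", context_violations(make_server_context()))
    print("weak suites in sample scan:", weak_cipher_names(SAMPLE_SCAN_CIPHERS))
```

The same two checks (minimum protocol version, and no suite matching a weak marker) are what to look for in an external scan of the deployed endpoint, since the context a service constructs is only meaningful if it is the one actually bound to the listening port.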

Malware Prevention

  • Microsoft Defender is installed on your systems (contact ISD Cloud Platforms for support)
  • Microsoft Defender AV has been confirmed to be operational

Protective Monitoring

  • Your solution keeps track of user and administrator activities (event logging and auditing of successful and unsuccessful logons)
  • Event/audit logs are retained for 1 calendar year