What is new in ISO 27001:2022

Information Security Management System (ISMS)
ISO/IEC 27001 is widely known for providing the requirements for an ISMS, though the ISO/IEC 27000 family contains more than a dozen standards. Using them enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted by third parties.

ISO 27002 (and Annex A of ISO 27001) previously contained 114 controls divided into 14 chapters. The 2022 version restructures this into 93 controls divided over 4 chapters:

  • Organizational (37 controls) – related to the organization, such as policies for information, return of assets, and information security for use of cloud services.
  • People (8 controls) – related to individual people, such as remote working, screening, confidentiality, or non-disclosure agreements.
  • Physical (14 controls) – related to physical objects, such as storage media, equipment maintenance, physical security monitoring, or securing offices, rooms, and facilities.
  • Technological (34 controls) – related to technology, such as secure authentication, information deletion, data leakage prevention, or outsourced development.

The following controls are completely new in the 2022 edition. They are not mandatory: ISO 27001 allows you to exclude a control if you have identified no related risks and there are no legal, regulatory, or contractual requirements to implement that particular control:

  • A.5.7 - Threat intelligence
  • A.5.23 - Information security for use of cloud services
  • A.5.30 - ICT readiness for business continuity
  • A.7.4 - Physical security monitoring
  • A.8.9 - Configuration management
  • A.8.10 - Information deletion
  • A.8.11 - Data masking
  • A.8.12 - Data leakage prevention
  • A.8.16 - Monitoring activities
  • A.8.23 - Web filtering
  • A.8.28 - Secure coding

Organizations that are currently certified to ISO 27001

  • Audits may be conducted to ISO 27001:2013 or ISO 27001:2022 at the organization’s request, until October 2023.
  • Non-compliances with the additional requirements in the 2022 edition will be raised as Areas of Concern and will need to be closed before the transition period.
  • From October 2023 onwards, all audits shall be based on ISO 27001:2022.

Organizations that are not currently certified to ISO 27001

  • Organizations that applied for certification before the date of issue of the 2022 edition will be assessed for compliance with ISO 27001:2013.
  • Organizations applying for certification after the date of issue of the 2022 edition will be assessed for compliance with ISO 27001:2022.

Elaboration on the changes

1) A.5.7 - Threat intelligence
Gather information about threats and analyze them, to take appropriate mitigation actions. This information could be about particular attacks, methods, and technologies the attackers are using, and/or about attack trends. An organization should gather this information internally, as well as from external sources like vendor reports, government agency announcements, etc.
2) A.5.23 - Information security for use of cloud services
Set security requirements for cloud services to better protect your information in the cloud. This covers purchasing, using, managing, and terminating the use of cloud services. In most cases, new solutions might not be required, because most cloud services already have security features. In some cases, the organization might need to upgrade its service with additional security features. In rare cases, there may be a need to change the cloud provider if it does not offer the required security features. For the most part, the only change required will be using existing cloud security features more thoroughly.
3) A.5.30 - ICT readiness for business continuity
The organization's information and communication technology (ICT) must be ready for potential disruptions so that required information and assets are available when needed. This includes readiness planning, implementation, maintenance, and testing.
4) A.7.4 - Physical security monitoring
Monitor sensitive areas to enable only authorized people to access them. This might include offices, production facilities, warehouses, and other premises. Depending on the risks, organizations might need to implement alarm systems or video monitoring and might also decide to implement a manual solution like a person observing the area (e.g., a guard).
5) A.8.9 - Configuration management
Manage the whole cycle of the security configuration for your technology to ensure a proper level of security and to avoid any unauthorized changes. This includes configuration definition, implementation, monitoring, and review. The technology for which the configuration needs to be managed could include software, hardware, services, or networks. Smaller organizations might be able to handle configuration management without any additional tools, whereas larger organizations would need to deploy a solution that enforces defined configurations.
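The following added example (not from the original article) shows the monitoring and review part of A.8.9 in code: a documented baseline is compared with a host's running configuration, and every deviation, including settings the baseline never defined, is reported with a remediation plan. The baseline keys and values are constructed for illustration.

```python
"""Baseline-versus-running configuration drift check (A.8.9).
Added example, not from the original article; all settings are constructed."""
from dataclasses import dataclass
from typing import Optional

# Constructed security baseline: the "defined configuration" the control
# expects the organization to document, monitor, and enforce.
BASELINE = {
    "ssh.PasswordAuthentication": "no",
    "ssh.PermitRootLogin": "no",
    "tls.MinVersion": "1.2",
    "audit.Enabled": "yes",
}
# Constructed running configuration after an undocumented edit: one setting
# weakened, one removed, one added that the baseline never defined.
RUNNING = {
    "ssh.PasswordAuthentication": "yes",
    "ssh.PermitRootLogin": "no",
    "tls.MinVersion": "1.2",
    "ssh.X11Forwarding": "yes",
}

@dataclass(frozen=True)
class Finding:
    key: str
    expected: Optional[str]
    actual: Optional[str]
    kind: str  # "changed", "missing" or "unexpected"

def detect_drift(baseline: dict, running: dict) -> list:
    """Return every deviation of the running configuration from the baseline."""
    findings = []
    for key, expected in baseline.items():
        if key not in running:
            findings.append(Finding(key, expected, None, "missing"))
        elif running[key] != expected:
            findings.append(Finding(key, expected, running[key], "changed"))
    # Settings outside the baseline are flagged too: an undocumented setting
    # is exactly the kind of unauthorized change the control aims to catch.
    for key in sorted(set(running) - set(baseline)):
        findings.append(Finding(key, None, running[key], "unexpected"))
    return findings

def remediation(findings: list) -> tuple:
    """Split findings into settings to (re)apply and settings to remove."""
    apply = {f.key: f.expected for f in findings if f.kind in ("changed", "missing")}
    remove = [f.key for f in findings if f.kind == "unexpected"]
    return apply, remove
```

Run `detect_drift(BASELINE, RUNNING)` on a schedule and treat any non-empty result as a review item; `remediation` gives the enforcement step larger organizations would automate.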
6) A.8.10 - Information deletion
Delete data when it is no longer required, in order to avoid leakage of sensitive information and to enable compliance with privacy and related requirements. This could include deletion in IT systems, on removable media, or in cloud services. Organizations should use tools for secure deletion, according to regulatory and/or contractual requirements, and/or in line with the organization’s information security risk assessment.
7) A.8.11 - Data masking
Use data masking together with access control in order to limit the exposure of sensitive information. This primarily means personal data, because it is heavily regulated through privacy regulations, but it could also include other categories of sensitive data. Pseudonymization or anonymization can be implemented to mask data if this is required by privacy or other regulations. Other methods like encryption and/or obfuscation can also be implemented.
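As an added example (not from the original article), the block below pairs the two ideas in A.8.11: identifiers are pseudonymized with a keyed HMAC, direct identifiers are partially masked, and which fields a caller sees in the clear is decided by an access-control role table. The key, roles, field names, sample record and masking rules are all constructed for illustration.

```python
"""Data masking with keyed pseudonymization and role-based exposure (A.8.11).
Added example, not from the original article; key, roles, fields and the
sample record are constructed and the masking rules are illustrative."""
import hashlib
import hmac

# Constructed secret. Kept under its own access control so that readers of
# masked data cannot re-link pseudonyms to the original identifiers.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"

# Fields each role may see in the clear; anything else, and any unknown role,
# is masked (fail closed). This is the access-control half of the control.
CLEAR_FIELDS = {"dpo": {"customer_id", "email", "card"}, "analyst": set()}

SAMPLE_RECORD = {  # constructed
    "customer_id": "C-1001",
    "email": "alice@example.com",
    "card": "4111 1111 1111 1234",
    "country": "NL",
}

def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym: records stay joinable, but without the
    key the token cannot be reversed or confirmed by hashing guesses."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return "psn_" + digest[:16]

def mask_email(email: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    local, _, domain = email.partition("@")
    if not local or not domain:
        return "*" * len(email)
    return local[0] + "*" * max(len(local) - 1, 1) + "@" + domain

def mask_digits(value: str, keep_last: int = 4) -> str:
    """Hide all but the last `keep_last` digits; separators are preserved."""
    total = sum(c.isdigit() for c in value)
    seen, out = 0, []
    for c in value:
        if c.isdigit():
            seen += 1
            out.append(c if seen > total - keep_last else "*")
        else:
            out.append(c)
    return "".join(out)

MASKERS = {"customer_id": pseudonymize, "email": mask_email, "card": mask_digits}
def mask_record(record: dict, role: str) -> dict:
    """Return a copy of `record` with every field the role may not see masked."""
    clear = CLEAR_FIELDS.get(role, set())
    return {f: (v if f in clear or f not in MASKERS else MASKERS[f](v))
            for f, v in record.items()}
```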
8) A.8.12 - Data leakage prevention
Apply various data leakage measures to prevent unauthorized disclosure of sensitive information and, if such incidents happen, to detect them in a timely manner. This includes information in IT systems, networks, or any devices. Use systems to monitor potential leakage channels, including email, removable storage devices, mobile devices, etc., and systems that prevent information from leaking. This can be achieved, for example, by disabling downloads to removable storage, email quarantine, restricting copy and paste of data, restricting uploads of data to external systems, encryption, etc.
9) A.8.16 - Monitoring activities
Monitor systems in a way that helps recognize unusual activities and, if needed, activate the appropriate incident response. This includes monitoring IT systems, networks, and applications. For networks, systems, and applications, an organization could monitor the security tool logs, event logs, who is accessing what, the activities of its main administrators, inbound and outbound traffic, proper execution of the code, and how the system resources are performing.
10) A.8.23 - Web filtering
Manage which websites users access; this helps protect an organization’s information systems from being compromised by malicious code and prevents users from accessing prohibited content on the Internet. Deploy systems that block access to particular IP addresses, which could include the use of anti-malware software.
11) A.8.28 - Secure coding
Establish secure coding principles and apply them in your software development to reduce security vulnerabilities in the software. This could include activities before, during, and after coding. Deploy tools for maintaining an inventory of libraries, protecting the source code from tampering, logging errors and attacks, and testing. An organization can also use essential security components like authentication, encryption, etc.