The ICO exists to empower you through information.

Establish and apply a secure baseline across your organisation's information technology (IT) infrastructure.

Options to consider: 

  • Establish and define baseline configurations for all endpoints, systems, network devices, cloud services and applications. 
  • Keep all baseline configurations under periodic review.
  • Implement processes and utilise tools that assist in enforcing baseline configurations.
  • Implement procedures to ensure you control any modification to baseline configurations. 
  • Document roles and responsibilities for applying and modifying baseline configurations.


Use appropriate anti-virus and anti-malware software and keep it up-to-date.

Options to consider: 

  • Conduct risk assessments to determine which anti-virus and anti-malware software is most suitable to your organisation.
  • Keep records to demonstrate you’ve installed anti-virus and anti-malware software. 
  • Schedule regular anti-virus and anti-malware software scans and checks of systems.
  • Keep anti-virus and anti-malware software up-to-date and install patches as soon as possible. 
  • Train staff who are responsible for deciding which anti-virus and anti-malware software to use.
  • Keep a record of all updates you’ve installed.


Implement appropriate measures to minimise your processing of personal information, such as using data masking, pseudonymisation and anonymisation. 

Options to consider: 

  • Use various techniques for pseudonymising or anonymising personal information (eg encryption, substitution, tokenisation, hashing and the nulling of characters).
  • Test the use of various techniques on synthetic data prior to official use.
  • Review our guidance on privacy enhancing technologies (PETs) to assist you in minimising personal information processing.
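The techniques listed above (keyed hashing, tokenisation and the nulling of characters) applied to a constructed synthetic record, as an added illustration that is not part of the ICO's guidance; the field names, key and vault class are assumptions for the example.

```python
import hashlib
import hmac
import secrets

# Constructed synthetic record (not real personal data), in line with the
# suggestion to test techniques on synthetic data before official use.
SYNTHETIC_RECORD = {
    "customer_id": "C-10042",
    "email": "alice@example.test",
    "card_number": "4111111111111111",
}


def pseudonymise_hmac(value: str, key: bytes) -> str:
    """Keyed hashing (HMAC-SHA256). Deterministic, so records can still be
    joined on the pseudonym, but without the key a pseudonym cannot be
    regenerated from a guessed value, unlike a plain unkeyed hash."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def null_characters(value: str, keep_last: int = 4, fill: str = "X") -> str:
    """Nulling of characters (masking): keep only the trailing characters."""
    if keep_last <= 0:
        return fill * len(value)
    return fill * max(len(value) - keep_last, 0) + value[-keep_last:]


class TokenVault:
    """Tokenisation: substitute a random token for the value and hold the
    mapping in a separate, access-controlled store (hypothetical in-memory
    vault here). Only the vault can map a token back to the original."""

    def __init__(self) -> None:
        self._value_to_token: dict[str, str] = {}
        self._token_to_value: dict[str, str] = {}

    def tokenise(self, value: str) -> str:
        if value not in self._value_to_token:
            token = "tok_" + secrets.token_hex(8)  # random, not derived from value
            self._value_to_token[value] = token
            self._token_to_value[token] = value
        return self._value_to_token[value]

    def detokenise(self, token: str) -> str:
        return self._token_to_value[token]


def pseudonymise_record(record: dict, key: bytes, vault: TokenVault) -> dict:
    """Apply a technique per field suited to how that field is later used."""
    return {
        "customer_id": pseudonymise_hmac(record["customer_id"], key),  # joinable
        "email": vault.tokenise(record["email"]),  # reversible via vault only
        "card_number": null_characters(record["card_number"]),  # irreversible
    }
```

The key and the vault must be stored and access-controlled separately from the pseudonymised output, otherwise the data is not meaningfully pseudonymised.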


Implement measures to prevent the loss of data from systems, networks and any other devices that process, store or transmit sensitive information.

Options to consider: 

  • Identify potential channels of data loss (eg email, file transfers, mobile devices and portable storage devices) and implement safeguards to prevent data leakage.
  • Use automated monitoring tools to detect and block disclosures of sensitive information or unauthorised network transmissions (eg information being uploaded to untrusted third-party cloud services).
  • Prevent the copying or extracting of database entries.
  • Use warning pop-ups to alert users and remind them about transfer protocols.


Back up key software assets that process personal information to protect against the loss of data. 

Options to consider: 

  • Document the process for creating backup copies in policies.
  • Test backup and recovery processes to ensure they remain fit for purpose.
  • Use a variety of backup types and methods depending on the criticality of the personal information you’re processing.
  • Limit access to backups to authorised personnel only.


Monitor networks, systems and applications to identify any unusual activity or potential information security incidents. Use logs to record the activity of users and to identify unauthorised access and misuse of personal information. 

Options to consider: 

  • Establish a baseline for normal activity and monitor activity against this baseline. 
  • Use continuous monitoring tools (eg intrusion detection software). 
  • Assess whether to monitor in real time or at periodic intervals, based on needs and capabilities.
  • Communicate abnormal events to relevant parties and investigate them. 
  • Enable alerts, such as emails or push notifications, to notify you of unusual activity.
  • Train staff on how to recognise unusual activity.
  • Produce a documented policy that sets out logging requirements. 
  • Ensure logs are sufficiently detailed to assess whether the use of systems and applications is permitted. 
  • Regularly review and analyse logs to identify any unusual activity that may indicate unauthorised access and misuse of systems and applications. 
  • Protect logs by making sure staff with privileged access rights do not have permission to delete or deactivate the logging of their own activities.
  • Assess the amount of information recorded on the logs to ensure it complies with the data minimisation principle.


Collect detailed threat intelligence and implement corrective measures swiftly to ensure personal information is protected. 

Options to consider: 

  • Adopt a layered approach to collecting intelligence, such as strategic, tactical and operational threat intelligence. 
  • Ensure threat intelligence is relevant, insightful, contextual and actionable. 
  • Review threat intelligence on a regular basis. 
  • Keep a record of all the actions you’ve taken as a result of threat intelligence, such as applying vendor updates to software. 
  • Communicate the analysis of threat intelligence with relevant staff members. 
  • Share threat intelligence with other organisations that may benefit.
  • Factor new risks into security risk assessments on a regular basis.


Implement network security management to protect the IT infrastructure from being compromised. 

Options to consider: 

  • Complete a mapping exercise of the whole network. 
  • Document processes for the management of network security in a policy. 
  • Assign responsibilities for the management of network security to relevant staff. 
  • Implement internal and external firewalls and intrusion detection systems. 
  • Document firewall rules. 
  • Ensure open connections on firewalls are subject to approval by an authorised staff member. 
  • Monitor incoming and outgoing network traffic for potential security threats. 
  • Use air-gapped equipment for high-risk processing activities.
  • Apply technologies to the network, such as authentication and encryption.


Divide larger networks into separate network domains to improve the security of network boundaries and control network traffic. 

Options to consider: 

  • Keep network domains separate from the public network.
  • Ensure each network boundary is clearly defined. 
  • Keep sensitive or critical information secured in a separate network with higher network traffic controls.
  • Use separate networks for connections with external organisations.
  • Have independent authentication and encryption controls for each network.
  • Manage access controls at user level.


Monitor the lifespan of current software assets and take measures to mitigate any risks.

Options to consider: 

  • Keep a log of all operating systems and software in use.
  • Assess the risk of using unsupported operating systems (eg Windows XP, Windows Server 2008).
  • Keep a documented list of all software and applications running on operating systems which are approaching end of life.
  • Apply appropriate mitigating controls for continuing to use unsupported software.
  • Consult software vendors or developers directly, or subscribe to service updates, to get advance notice of end of life.
  • Place devices with unsupported software or operating systems on a separate network, or air-gap them.


Identify vulnerabilities in your network and conduct regular vulnerability scanning.

Options to consider: 

  • Assign responsibility for applying fixes. 
  • Implement a process for following up on any risks identified during vulnerability scans. 
  • Have a schedule of penetration (pen) tests that are carried out by independent external providers. 
  • Periodically change the external provider of pen testing. 
  • Report the findings of vulnerability scans and pen testing to an appropriate level of management.


Establish effective patch management practices so that the risk of vulnerabilities being exploited is mitigated.

Options to consider: 

  • Implement a patch management policy. 
  • Assign responsibilities for installing the latest patches to software assets to fix any vulnerabilities. 
  • Test patches prior to their implementation. 
  • If you are reliant on third parties, gain assurances that they have applied patches, including critical or urgent security patches, or have provided them in an appropriate timeframe.


Strictly control or prohibit staff use of internet sites, social media, messaging platforms and apps to minimise risk. 

Options to consider: 

  • Maintain a record of approved internet sites and apps.
  • Use URL or web content filtering to block specific websites or categories of websites. 
  • Restrict staff from downloading unauthorised apps onto organisation-owned mobile devices.
  • Train staff on the professional use of internet sites, social media and messaging platforms.
  • Have an acceptable use policy for organisation-owned devices that staff are required to read and sign periodically.