Personnel guidelines for avoiding phishing

The organization has developed guidelines for staff that define the acceptable use of various communication services and aim to prevent the disclosure of confidential information to, for example, a phisher or other third parties.

Connected other frameworks and requirements:
13.2.1: Information transfer policies and procedures
ISO 27001
13.2.3: Electronic messaging
ISO 27001
PR.AT-1: Awareness
NIST CSF
5.14: Information transfer
ISO 27001

Data processing partner listing and owner assignment

The organization must maintain a list of partners who have access to confidential information. System vendors and processors of personal data are listed separately from other stakeholders because they play an active role in the processing of data.

Connected other frameworks and requirements:
28. Processor
GDPR
44. General principle for transfers
GDPR
26. Joint controllers
GDPR
15.1.1: Information security policy for supplier relationships
ISO 27001
8.1.1: Inventory of assets
ISO 27001

Using a selected web browser and checking for updates

The choice of web browser, and whether it is kept up to date, strongly affects the usability, functionality and security of online services. An outdated browser is one of the most common ways for malicious web content to compromise a workstation. When the whole organization uses the same browser, instructions are easier to write and maintain and security improves.

IT has chosen the browser to be used, monitors that staff use the chosen browser and keep it up to date (for example through the device management tool's version reporting), and supports staff in using it.

Connected other frameworks and requirements:
12.6.1: Management of technical vulnerabilities
ISO 27001
13.2.1: Information transfer policies and procedures
ISO 27001
PR.AC-3: Remote access management
NIST CSF
5.14: Information transfer
ISO 27001

Maintaining confidentiality agreements

All employees handling confidential information should sign a confidentiality or non-disclosure agreement before processing confidential information.

The agreement should include e.g.:

  • clear definition of confidential information
  • the expected duration of the commitment
  • the measures required when the agreement is terminated
  • the responsibilities and measures of the parties to prevent unauthorized disclosure of information
  • ownership of information, trade secrets and intangible assets and how this relates to the protection of confidential information
  • the permitted use of confidential information and the parties' rights to use the information
  • the right to inspect and supervise activities involving confidential information
Connected other frameworks and requirements:
T10: Confidentiality and non-disclosure commitments
7.1.2: Terms and conditions of employment
ISO 27001
7.3: Termination and change of employment
ISO 27001
7.3.1: Termination or change of employment responsibilities
ISO 27001
13.2.4: Confidentiality or non-disclosure agreements
ISO 27001

Inventory and documentation of data processing agreements

The processors of personal data (e.g. providers of data systems, other partners using our employee or customer data) and the agreements related to the processing of personal data have been documented. The documentation includes e.g.:

  • Processor name and location
  • Purpose of processing data
  • Status of agreement
Connected other frameworks and requirements:
28. Processor
GDPR
15.1.2: Addressing security within supplier agreements
ISO 27001
13.2.2: Agreements on information transfer
ISO 27001
A.8.2.4: Infringing instruction
ISO 27701
5.14: Information transfer
ISO 27001

Email authentication: DMARC

SPF, DKIM and DMARC are DNS-based e-mail authentication mechanisms. They do not stop anyone from sending forged mail, but they let receiving servers recognise messages that falsely claim to come from your domain, which makes spoofing and phishing in your name far less likely to reach inboxes.

DMARC builds on SPF and DKIM. A policy record published at _dmarc.yourdomain tells receiving servers what to do (p=none, quarantine or reject) with a message for which neither SPF nor DKIM produces a pass that is aligned with the domain in the visible From: header, and where to send aggregate (rua) and failure (ruf) reports. Start with p=none and study the reports to find every legitimate sending service, then tighten the policy to quarantine and finally to reject.

Connected other frameworks and requirements:
13.2.3: Electronic messaging
ISO 27001
5.14: Information transfer
ISO 27001

Email authentication: DKIM

SPF, DKIM and DMARC are DNS-based e-mail authentication mechanisms. They do not stop anyone from sending forged mail, but they let receiving servers recognise messages that falsely claim to come from your domain, which makes spoofing and phishing in your name far less likely to reach inboxes.

DKIM adds a digital signature (the DKIM-Signature header) to outgoing e-mail. The sending server computes a hash over the message body and selected headers and signs it with a private key; the matching public key is published as a TXT record in the domain's DNS (at selector._domainkey.yourdomain), so the receiving server can verify the signature. This is signing, not encryption: a valid signature shows that the message was signed by a key authorized for the domain in the signature's d= tag and that the signed parts were not altered in transit. It does not by itself prove the visible From: address; that check is DMARC's job. Use keys of at least 2048-bit RSA and rotate selectors periodically.

Connected other frameworks and requirements:
13.2.3: Electronic messaging
ISO 27001
5.14: Information transfer
ISO 27001

Email authentication: SPF

SPF, DKIM and DMARC are DNS-based e-mail authentication mechanisms. They do not stop anyone from sending forged mail, but they let receiving servers recognise messages that falsely claim to come from your domain, which makes spoofing and phishing in your name far less likely to reach inboxes.

SPF helps receiving servers verify that a message sent on behalf of your domain came from an authorized server. The SPF record is published as a TXT record in your domain's DNS and lists the mail servers that may send mail for the domain (by IP range, or through include: references to your e-mail providers), ending with a default such as -all. The receiving server evaluates the record against the connecting IP address and the envelope sender (MAIL FROM / Return-Path) domain when deciding whether the message comes from the right party. Note that SPF does not check the From: header the user sees, which is why DMARC alignment is needed on top of it, and that a record requiring more than 10 DNS lookups is treated as a permanent error.
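The following is an added example, not code from the original page, showing how a receiving server combines the three records described in the DMARC, DKIM and SPF entries above. DNS answers come from a constructed in-memory table so it runs offline; the domains are reserved documentation names and the record contents, selector and DKIM-Signature values are assumptions. The RSA verification of the DKIM signature itself is assumed to have been done already and its result is passed in; only the public-key lookup and the domain alignment are performed here.

```python
"""Offline evaluation of SPF, DKIM key lookup and DMARC alignment.

Added example, not code from the page: DNS answers come from a constructed
table, and the DKIM RSA signature check is assumed done elsewhere (its result
is passed in). Domains are reserved documentation names.
"""
import ipaddress

DNS_TXT = {  # constructed zone data, keyed by lower-case DNS name
    "example.com": ["v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all"],
    "_spf.mailer.example": ["v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all"],
    "bulk.example.net": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "loop.example": ["v=spf1 include:loop.example -all"],  # misconfigured self-include
    "_dmarc.example.com": ["v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc@example.com"],
    "s1._domainkey.example.com": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A...constructed"],
}
MAX_LOOKUPS = 10  # RFC 7208: more than 10 DNS-querying mechanisms is a permerror
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    return DNS_TXT.get(name.lower(), [])


def spf_check(ip, mail_from_domain, _lookups=None):
    """Evaluate the MAIL FROM domain's SPF record against the connecting IP."""
    lookups = _lookups if _lookups is not None else [0]  # shared counter across include:
    records = [r for r in lookup_txt(mail_from_domain) if r.startswith("v=spf1")]
    if not records:
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier, term = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        mech, _, arg = term.partition(":")
        if mech in ("ip4", "ip6") and addr in ipaddress.ip_network(arg, strict=False):
            return QUALIFIERS[qualifier]
        if mech == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                return "permerror"
            sub = spf_check(ip, arg, lookups)
            if sub == "permerror":
                return sub
            if sub == "pass":
                return QUALIFIERS[qualifier]
        if mech == "all":
            return QUALIFIERS[qualifier]
        # a, mx, exists and macros are omitted to keep the example short
    return "neutral"


def parse_tags(record):
    """Parse the 'tag=value; tag=value' syntax shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip()] = value.strip()
    return tags


def dkim_key_domain(signature_header):
    """Return (d= domain, public key record found) for a DKIM-Signature header."""
    tags = parse_tags(signature_header)
    name = f"{tags['s']}._domainkey.{tags['d']}"
    found = any(r.startswith("v=DKIM1") for r in lookup_txt(name))
    return tags["d"].lower(), found


def org_domain(domain):
    # Simplification: last two labels. Real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    if mode == "s":  # strict alignment: exact match
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)  # relaxed


def dmarc_evaluate(from_domain, spf_result, mail_from_domain, dkim_result, dkim_domain):
    """Combine SPF/DKIM results with alignment; return (result, disposition)."""
    records = [r for r in lookup_txt(f"_dmarc.{from_domain}") if r.startswith("v=DMARC1")]
    if not records:
        return "none", "none"
    tags = parse_tags(records[0])
    spf_ok = spf_result == "pass" and aligned(mail_from_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags.get("p", "none")


def evaluate_message(ip, mail_from_domain, from_domain, dkim_signature, signature_valid):
    """What a receiver does: SPF on the envelope, DKIM on the signature, DMARC on From:."""
    spf = spf_check(ip, mail_from_domain)
    dkim_domain, key_found = dkim_key_domain(dkim_signature)
    dkim = "pass" if signature_valid and key_found else "fail"
    return spf, dkim, dmarc_evaluate(from_domain, spf, mail_from_domain, dkim, dkim_domain)
```

Two cases are worth trying: a message relayed by a forwarding service (envelope domain bulk.example.net, From: example.com) still passes DMARC because the DKIM signature survives forwarding and is strictly aligned, while a spoofed message from an unknown server with no valid key fails and inherits the p=reject disposition. The self-including loop.example record shows why the lookup limit must be enforced and why permerror must propagate instead of being swallowed by the -all default.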

Connected other frameworks and requirements:
13.2.3: Electronic messaging
ISO 27001
5.14: Information transfer
ISO 27001

Enabling and configuring mailbox audit logs

With mailbox audit logs it is possible to track, for example, logins and other actions within a mailbox, such as who read, moved or deleted items, who sent mail as or on behalf of the owner, and changes to inbox rules.

Depending on the service this feature may not be turned on by default, and the default set of audited actions is often limited. For employee privacy it is important to choose the actions to be monitored carefully, and to document the purpose, who may read the logs and how long they are retained.

Connected other frameworks and requirements:
13.2.3: Electronic messaging
ISO 27001
5.14: Information transfer
ISO 27001

Use of anti-phishing policies

Anti-phishing policies can help an organization prevent impersonation-based phishing. Targeted "spear phishing" attacks in particular are often so skilfully executed that even an alert employee finds it difficult to identify the scam.

For example, impersonation protection in Microsoft Defender for Office 365 (formerly Office 365 ATP) can quarantine e-mail messages that impersonate our CEO or other named users, or that use our own domain or a look-alike of it as the sender's domain, while notifying the person in charge of security.
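The following is an added example, not code from the original page or from Microsoft, showing the kind of logic behind the user impersonation, domain impersonation and own-domain spoof checks that such a policy applies. The protected user, the organization's domain, the confusable-character table and the From: headers it is run over are all constructed assumptions; the DMARC verdict for each message is passed in as the receiver would already have computed it.

```python
"""Impersonation checks of the kind an anti-phishing policy applies.

Added example, not code from the page or from any product: protected user,
organization domain, confusable table and messages are constructed.
"""
import re

PROTECTED_USERS = {"jane doe": "jane.doe@example.com"}  # constructed: CEO display name -> real address
OWN_DOMAINS = {"example.com"}
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})  # digits used in place of letters


def parse_from(header):
    """Split 'Display Name <user@domain>' into (display_name, address)."""
    match = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if match:
        return match.group(1).strip(), match.group(2).strip().lower()
    return "", header.strip().lower()


def normalize(domain):
    """Fold common look-alike tricks so 'exarnple.com' and 'examp1e.com' compare equal to 'example.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w").replace("-", "")


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain):
    """Return the protected domain this sender domain imitates, or None (heuristic)."""
    if domain in OWN_DOMAINS:
        return None
    n = normalize(domain)
    for own in OWN_DOMAINS:
        o = normalize(own)
        if n == o or edit_distance(n, o) <= 1 or n.split(".")[0].startswith(o.split(".")[0]):
            return own
    return None


def check_message(from_header, dmarc_result):
    """Return the list of impersonation findings for one message.

    dmarc_result is the receiver's DMARC verdict ('pass', 'fail' or 'none').
    """
    name, addr = parse_from(from_header)
    domain = addr.rpartition("@")[2]
    findings = []
    if domain in OWN_DOMAINS and dmarc_result != "pass":
        findings.append(f"own-domain spoof: From: claims {domain} but DMARC result is {dmarc_result}")
    imitated = lookalike(domain)
    if imitated:
        findings.append(f"domain impersonation: {domain} looks like {imitated}")
    real = PROTECTED_USERS.get(name.lower())
    if real and addr != real:
        findings.append(f"user impersonation: display name '{name}' but sender is {addr}")
    return findings
```

The look-alike heuristic deliberately errs towards flagging (a legitimately related domain such as example.org would also be reported), so findings of this kind belong in quarantine with a security review rather than silent deletion. Commercial products add contact-history intelligence on top of this, which is what lets them treat a first-time sender using a known colleague's display name differently from a long-standing correspondent.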

Connected other frameworks and requirements:
13.2.1: Information transfer policies and procedures
ISO 27001
13.2.3: Electronic messaging
ISO 27001
5.14: Information transfer
ISO 27001

Mailbox audit log monitoring

Once the mailbox audit log is enabled, the events should be saved to a selected location for a defined retention period. This can be, for example, "Audit log search" in a Microsoft 365 environment or a separate SIEM system. In addition, it is necessary to decide which events trigger an alert or a review and who handles them; inbox rules or mailbox settings that forward mail outside the organization are a typical first case, since attackers create them to keep reading mail after a compromise.
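The following is an added example, not code from the original page, showing one such review rule run over audit records; it serves both the enabling entry above and this monitoring entry. The four records are constructed in the general shape of Microsoft 365 unified audit log entries (Operation, UserId, ClientIP and a Parameters list of Name/Value pairs); the field names, the watched operation names, the addresses and the organization's domain are assumptions.

```python
"""Review of mailbox/admin audit records for mail exfiltration via rules and forwarding.

Added example, not code from the page: records are constructed to resemble
Microsoft 365 unified audit log entries; field names and values are assumptions.
"""
import json

OWN_DOMAINS = {"example.com"}
# Operations worth alerting on or investigating once auditing is enabled (constructed watch list).
# MailItemsAccessed is kept for investigations; no alert rule is defined for it here.
WATCHED_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "MailItemsAccessed"}

SAMPLE_RECORDS = [  # constructed
    {"CreationTime": "2024-05-02T07:14:09", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-02T08:01:33", "Operation": "New-InboxRule",
     "UserId": "bob@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "MoveToFolder", "Value": "Invoices"}]},
    {"CreationTime": "2024-05-02T09:45:10", "Operation": "Set-Mailbox",
     "UserId": "admin@example.com", "ClientIP": "198.51.100.21",
     "Parameters": [{"Name": "Identity", "Value": "carol@example.com"},
                    {"Name": "ForwardingSmtpAddress", "Value": "smtp:carol.personal@freemail.example"}]},
    {"CreationTime": "2024-05-02T10:02:00", "Operation": "MailItemsAccessed",
     "UserId": "dave@example.com", "ClientIP": "203.0.113.9", "Parameters": []},
]
SAMPLE_LOG = "\n".join(json.dumps(r) for r in SAMPLE_RECORDS)  # one JSON object per line, as exported


def params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def is_external(address):
    """True if the address (optionally 'smtp:'-prefixed) is outside our domains."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    return addr.rpartition("@")[2] not in OWN_DOMAINS


def analyze(record):
    """Return alert strings for one audit record (empty list if nothing suspicious)."""
    op = record.get("Operation")
    if op not in WATCHED_OPERATIONS:
        return []
    p, who = params(record), record.get("UserId", "?")
    alerts = []
    if op in ("New-InboxRule", "Set-InboxRule"):
        for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
            if key in p and is_external(p[key]):
                alerts.append(f"{who}: inbox rule '{p.get('Name', '?')}' forwards mail to external {p[key]}")
        # Attackers name rules '.' or ' ' and delete the forwarded copy so the owner never sees it.
        if p.get("DeleteMessage") == "True" or len(p.get("Name", "").strip()) <= 1:
            alerts.append(f"{who}: inbox rule hides mail (deletes messages or has a near-empty name)")
    fwd = p.get("ForwardingSmtpAddress")
    if op == "Set-Mailbox" and fwd and is_external(fwd):
        alerts.append(f"{p.get('Identity', '?')}: mailbox forwarding set to external {fwd} by {who}")
    return alerts


def scan(log_text):
    """Run analyze() over a JSON-lines export and return all alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            alerts.extend(analyze(json.loads(line)))
    return alerts
```

Run against the sample, the rule created by alice produces two alerts (external forwarding and a hidden, self-deleting rule), bob's ordinary filing rule produces none, and the administrative forwarding change on carol's mailbox produces one; these are the three events a reviewer would open first. In a SIEM the same logic is a scheduled query over the exported records, with the alert routed to whoever was designated in the control measures.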

Connected other frameworks and requirements:
13.2.3: Electronic messaging
ISO 27001
5.14: Information transfer
ISO 27001