The organization must identify the types of websites that staff should and should not have access to.
The organization must consider blocking access to the following types of sites (either automatically or by other means):
- websites with a file upload function, unless this is permitted for a specific business need
- known or suspected malicious websites (e.g. distributing malware or containing phishing content)
- command and control servers
- websites distributing illegal content