CRA-5.8.11

Preventive measures referred to in Paragraph CRA-5.8.10 above must include, at a minimum, the following:

(a) Deployment of End Point Protection (EPP) and End Point Detection and Response (EDR), including anti-virus and anti-malware software, to detect, prevent and isolate malicious code;
(b) Layering systems and systems components;
(c) Use of firewalls for network segmentation including use of Web Application Firewalls (WAF), where relevant, for filtering and monitoring HTTP traffic between a web application and the Internet, and access control lists to limit unauthorized system access between network segments;
(d) Rigorous testing at software development stage as well as after deployment to limit the number of vulnerabilities;
(e) Penetration testing of existing systems and networks;
(f) Use of an authority matrix to limit privileged internal or external access rights to systems and data;
(g) Use of a secure email gateway to limit email-based cyber attacks such as malware attachments, malicious links, and phishing scams (for example, use of Microsoft Office 365 Advanced Threat Protection tools for emails);
(h) Use of a Secure Web Gateway to limit browser-based cyber attacks and malicious websites, and to enforce organization policies;
(i) Creating a list of whitelisted applications and application components (libraries, configuration files, etc.) that are authorized to be present or active on the organization’s systems; and
(j) Implementing Bring Your Own Device “BYOD” security policies to secure all mobile devices with any access to licensee systems, applications, and networks through security measures such as encryption, remote wipe capabilities, and password enforcement.

Amended: April 2023
Added: April 2019