SECURITY REQUIREMENTS
A. All requirements collected in this document must be extended with the specific controls described in each security document.
B. The basic controls will always be implemented, in the same way as the bastioned (hardened) requirements.
C. The advanced and mission critical controls will be applied when in line with the classification of information.
D. All requirements highlighted in salmon are in line with the special recommendations for RGPD compliance.
1. The first document to manage this information is the IT Security Guideline for Infrastructure and Application; then we will link other recommendations going deeper into IaaS, SaaS, etc.
CONTROL DESCRIPTION for ICT
R (http://blog.enelint.global/blogs/globalict/files/2016/10/GICT-BASGL_10_v01_Infrastructural_Security.pdf)
System Security
1 Baseline Hardening configuration X
2 Central enforcement of Hardening X
3 Anti-malware software X
4 Standard and well-configured encryption software X
A.1 Advanced / Mission Critical Hardening configuration
IAA – Identification, Authentication, Authorization
5 Users identification X
6 Secure authentication methods at least pwd-based X
7 Authentication externally centralized X
8 Password & user lockout policy compliance X
9 Interactive accounts session limits X
10 Default accounts security X
11 No backdoors X
12 RBAC model of authorization X
13 Separated Administrative accounts X
14 Naming conventions X
15 Central management of accounts and roles X
16 X.509 PKI format for certificate-based strong authentication X
A.2 Strong/Multifactor authentication from insecure networks
Logging and Auditing
17 Comprehensive logging configuration X
18 External facilities documented (if any) X
19 Effectiveness X
20 Logged activities X
21 Log format X
22 UTC time stamping X
23 Logs protection X
24 Logs on-line and off-line availability X
A.3 Log management tools
A.4 Real-time alerting
A.5 Tighter logs configuration and availability on request
Availability
25 High availability architectures X
26 Monitoring procedure X
27 Backup/recovery procedure X
28 Standard default backup policy X
29 Protection of backups storage and transmission X
30 BC/DRP procedure against major sites disruption X
A.6 Tighter backup policies on request
System Management
31 Centralization of system management X
32 Scripting best practices X
33 Periodic Vulnerability Assessment for exposed systems X
34 Change process (including Remediation schedule) X
35 Security configuration review X
36 Secure disposal X
A.7 Periodic Vulnerability Assessment
C. Networking Security summary checklist
37 Three layers basic segregation for the company network: DMZ-FE, DMZ-BE, LAN X
38 Separate ADs for the three basic company (sub)networks X
39 Standard architecture of internal applications X
40 PCN-Process Control Networks (and their AD) segregated X
41 Perimeter security controls at the boundaries: stateful inspection firewalling, IDS/IPS and logging X
42 Firewalling rules X
43 Traffic logging configuration, storage and protection X
44 Further segregation X
45 Secure connections between on premises and external networks X
46 IPsec and TLS VPN technologies X
47 No direct connections between Cloud Providers’ networks X
48 Direct Internet access to company applications and services in Cloud through additional security components (e.g. WAF) X
49 Internet access from company networks proxied X
50 Infrastructures management access segregation X
51 Network High Availability X
52 Routing security X
53 DNS security X
54 Wi-Fi security in place according to the specific Guidelines X
55 802.1x Port-Based Network Access Control in place X
Checklist columns: ADV, MC, YES, NOT, COMMENTS