IDENTITY & ACCESS MANAGEMENT
Unique user accounts only, each tied to a named individual (no shared or generic logins)
Audited account activity, with access logs retained and available for at least 30 days
Robust joiners, movers and leavers process so that access is revoked or adjusted as soon as it is no longer required
Least privilege: only the access and permissions necessary to fulfil the role
Strong password requirements, with minimum length and complexity enforced
Multi-factor authentication enabled
Segregation of duties: separate accounts for day-to-day use and for administrative tasks
Monitor for suspicious and unusual login activity (e.g. repeated failures, logins from previously unseen locations)
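To make the last requirement concrete, the following is an added example (not part of the original checklist or of any NCSC material) of two detections run over an application's authentication log: a burst of failed logins from one source, a success from that same source while the burst is still within the window, and a successful login for a user from a source IP never seen succeeding for that user before. The log format, the thresholds (5 failures in 5 minutes) and the sample lines are all assumptions made for this example.

```python
"""Detect suspicious login activity in an authentication log.

Added example, not from the original checklist.  The log format (ISO-8601
UTC timestamp followed by key=value fields), the thresholds and the sample
lines below are assumptions made for illustration only.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines; these are not real logs.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z user=alice src=203.0.113.5 result=OK
2024-05-01T09:00:07Z user=alice src=203.0.113.5 result=FAIL
2024-05-01T09:00:09Z user=bob src=198.51.100.7 result=FAIL
2024-05-01T09:00:11Z user=bob src=198.51.100.7 result=FAIL
2024-05-01T09:00:13Z user=bob src=198.51.100.7 result=FAIL
2024-05-01T09:00:15Z user=bob src=198.51.100.7 result=FAIL
2024-05-01T09:00:17Z user=bob src=198.51.100.7 result=FAIL
2024-05-01T09:00:20Z user=bob src=198.51.100.7 result=OK
2024-05-01T09:30:00Z user=alice src=192.0.2.44 result=OK
2024-05-01T10:00:00Z user=carol src=203.0.113.9 result=OK
"""

FAIL_THRESHOLD = 5                    # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)    # ... within this sliding window


def parse_line(line):
    """Parse one assumed-format line into a dict with a datetime 'ts'."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect(log_text):
    """Return a list of (kind, user, src, timestamp) findings.

    Kinds emitted:
      failed_login_burst  - FAIL_THRESHOLD failures from one src within FAIL_WINDOW
      success_after_burst - a success from a src whose failure burst is still in window
      new_source_for_user - a success for a user from a src never seen succeeding before
    """
    findings = []
    fails = defaultdict(deque)      # src -> timestamps of recent failures
    known_src = defaultdict(set)    # user -> source IPs that have logged in OK
    burst_flagged = set()           # sources already alerted on, to avoid repeats

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        user, src, ts = rec["user"], rec["src"], rec["ts"]

        # Keep only failures for this source that fall inside the window.
        q = fails[src]
        while q and ts - q[0] > FAIL_WINDOW:
            q.popleft()

        if rec["result"] == "FAIL":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and src not in burst_flagged:
                burst_flagged.add(src)
                findings.append(("failed_login_burst", user, src, ts))
            continue

        # Success from a source that has just been hammering the login endpoint.
        if len(q) >= FAIL_THRESHOLD:
            findings.append(("success_after_burst", user, src, ts))

        # Success from a source never seen for this user.  On a cold start the
        # first login for each user seeds the baseline; in practice seed
        # known_src from historical logs so the first run is not silent.
        if known_src[user] and src not in known_src[user]:
            findings.append(("new_source_for_user", user, src, ts))
        known_src[user].add(src)

    return findings


if __name__ == "__main__":
    for kind, user, src, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {kind:20} user={user} src={src}")
```

On the sample above this reports bob's five-failure burst from 198.51.100.7, the success from that same source three seconds later, and alice's first login from 192.0.2.44. Thresholds and window are deliberately simple; a real deployment would tune them per application, alert on the findings rather than print them, and feed the new-source check from a baseline built over the 30 days of retained logs required above.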
VULNERABILITY MANAGEMENT & MAINTENANCE
Run the site or application behind a firewall to provide an initial layer of protection
Deploy anti-virus / anti-malware solutions to scan for and block malware
Deploy vendor updates and security patches promptly once they are made available
Only use supported software and components with a defined security lifecycle
Scan the application or site for vulnerabilities at least monthly
Prioritise vulnerability remediation based on severity and risk
Back up your system and data securely, and test that backups can be restored
The National Cyber Security Centre (NCSC) provides comprehensive guidance to help organisations in the UK protect their IT systems and assets: www.ncsc.gov.uk