Technological Controls (A.8)

Technological controls are where information security gets technical. Annex A.8 contains 34 controls covering everything from endpoint protection to secure coding to network security. These are the technical safeguards that protect your systems and data.

Overview of Technological Controls

ISO 27001:2022 Annex A.8 is the largest control set with 34 controls:

Endpoint and Device Security (A.8.1-A.8.6) Access Management (A.8.2-A.8.5) Cryptography (A.8.24) Network Security (A.8.20-A.8.22) Development and Testing (A.8.25-A.8.33) Security Monitoring (A.8.15-A.8.16) Data Security (A.8.11-A.8.14) Configuration and Change (A.8.9, A.8.32)

Let's explore each category in depth.

Endpoint and Device Security

A.8.1 - User Endpoint Devices

Purpose: Protect information on user endpoint devices.

Control Statement: "Information stored on, processed by or accessible via user endpoint devices shall be protected."

User Endpoints Include:

Laptops
Desktop computers
Mobile phones
Tablets
Smartwatches
IoT devices

Protection Requirements:

1. Device Security Baseline

Operating System:

Approved OS versions only
Automatic updates enabled
Latest security patches
Security settings enforced
Unnecessary services disabled
Audit logging enabled

Endpoint Protection:

Antivirus/anti-malware
Host-based firewall
Intrusion prevention
Exploit protection
Behavioral analysis
Real-time scanning
Automatic updates
Centrally managed

Disk Encryption:

Full disk encryption mandatory
BitLocker (Windows)
FileVault (macOS)
LUKS (Linux)
Pre-boot authentication
Encryption keys managed
Recovery keys escrowed

2. Device Management

Configuration Management:

Standard build/image
Configuration baselines
Automated deployment
Compliance monitoring
Drift detection
Remediation automation

Mobile Device Management (MDM):

Enrollment required for BYOD
Policy enforcement
App management
Remote wipe capability
Location tracking
Compliance reporting
Container separation (work/personal)

3. Application Control

Whitelisting (Preferred):

Only approved apps can run
Centralized whitelist
Exceptions require approval
Automatic enforcement

Blacklisting (Minimum):

Known malicious software blocked
Regularly updated
PUA (Potentially Unwanted Apps) blocked

4. Data Protection on Endpoints

Sensitive data encrypted at rest
DLP (Data Loss Prevention) agent
Restrict copy to removable media
Restrict upload to personal cloud
Clipboard control
Screen capture prevention (for sensitive apps)

A.8.2 - Privileged Access Rights

Purpose: Allocate and manage privileged access rights.

Control Statement: "The allocation and use of privileged access rights shall be restricted and managed."

Privileged Access Includes:

Domain/directory administrator
Database administrator
System administrator
Network administrator
Security administrator
Application administrator
Cloud administrator

Privileged Access Management (PAM):

1. Separate Accounts

Regular account for normal work
Separate privileged account for admin tasks
Never use privileged account for email, browsing
Different passwords
Enhanced authentication

2. Just-in-Time (JIT) Access

Request privileged access when needed
Automatically expire after time limit
Approval workflow
Business justification required
Session recorded

3. Credential Vaulting

Store privileged credentials in vault
Check out when needed
Automatic password rotation
Session recording
Access logging
Break-glass procedures

4. Monitoring and Auditing

Log all privileged actions
Real-time alerting on suspicious activity
Session recording/playback
Privileged user behavior analytics
Regular access reviews
Anomaly detection

5. Least Privilege

Minimum rights for the task
No blanket admin rights
Role-based access
Regular recertification
Remove when no longer needed

A.8.3 - Information Access Restriction

Purpose: Restrict access to information and systems per access control policy.

Control Statement: "Access to information and other associated assets shall be restricted in accordance with the established topic-specific policy on access control."

Access Control Mechanisms:

1. Network Access Control (NAC)

Device authentication before network access
Posture assessment (patched, AV updated)
Role-based network segments
Guest network isolation
Quarantine for non-compliant devices

2. Application Access Control

Authentication required
Role-based access control (RBAC)
Attribute-based access control (ABAC)
Session management
Timeout after inactivity
Force re-authentication for sensitive actions

3. Database Access Control

User-specific database accounts
No shared accounts
Least privilege principle
Row-level security (if needed)
Column-level encryption
Query logging
Prevent SQL injection

4. File System Access

NTFS/file system permissions
Least privilege
Inheritance carefully managed
Regular access reviews
Remove default shares
Disable unnecessary services

A.8.4 - Access to Source Code

Purpose: Manage read and write access to source code.

Control Statement: "Read and write access to source code, development tools and software libraries shall be appropriately managed."

Source Code Protection:

1. Version Control

All code in version control (Git, SVN)
No local-only copies
Branching strategy enforced
Commit messages required
Code history maintained
No force-push to protected branches

2. Access Control

Role-based access
Developers: read/write to working branches
All: read to main/production branches
Limited: write to main (via PR/MR only)
Separate: production deployment access
Audit logging enabled

3. Code Review

Pull/merge request required
At least one reviewer approval
Automated checks (linting, tests)
Security review for sensitive changes
No self-approval
Review checklist

4. Development Tools

IDE access controlled
Compiler/build tools managed
Debugger access restricted in production
Tool licensing compliant
Plugins/extensions approved

5. Software Libraries

Approved library repository
Vulnerability scanning
License compliance
Version pinning
Update process
No unverified third-party libraries

A.8.5 - Secure Authentication

Purpose: Implement secure authentication technologies and procedures.

Control Statement: "Secure authentication technologies and procedures shall be implemented based on information access restrictions and the topic-specific policy on access control."

Authentication Methods:

1. Multi-Factor Authentication (MFA)

When MFA Required:

Remote access (mandatory)
Privileged access (mandatory)
Sensitive systems (mandatory)
Financial transactions
Data export/download
Configuration changes

MFA Factors:

Something you know (password, PIN)
Something you have (token, phone, smart card)
Something you are (biometric)
Somewhere you are (location-based)

MFA Technologies:

Authenticator apps (TOTP/HOTP)
SMS codes (least secure, avoid if possible)
Hardware tokens (YubiKey, etc.)
Push notifications
Biometrics
Smart cards

2. Password Requirements

Complexity:

Minimum 12 characters (14+ for privileged)
Mix of uppercase, lowercase, numbers, symbols
No dictionary words
No personal information
No common patterns

Management:

Change if compromised
No periodic forced changes (unless breach)
Password history (prevent reuse of last 24)
Account lockout after failed attempts
Password strength meter at creation
Breach password detection

3. Password Storage

Hashed (never plaintext)
Salted
Modern algorithm (Argon2, bcrypt, PBKDF2)
Stored securely
Admin cannot view passwords
Audit access to password hashes

4. Single Sign-On (SSO)

Reduce password fatigue
Centralized authentication
SAML, OAuth, OpenID Connect
Compatible applications use SSO
Strong authentication at SSO
Session management

5. Passwordless Authentication

Biometric authentication
FIDO2/WebAuthn
Certificate-based
Hardware tokens
More convenient and secure

A.8.6 - Capacity Management

Purpose: Ensure adequate capacity to meet performance requirements.

Control Statement: "The use of resources shall be monitored and adjusted in line with current and expected capacity requirements."

Capacity Planning:

1. Monitor Resource Usage

CPU utilization
Memory usage
Disk space and I/O
Network bandwidth
Application response time
Database performance
User load

2. Trending and Forecasting

Analyze historical data
Identify growth patterns
Forecast future needs
Plan for peaks (seasonal, events)
Model what-if scenarios

3. Alerting and Thresholds

Warning threshold (80% capacity)
Critical threshold (90% capacity)
Automated alerts
Escalation procedures
Proactive response

4. Capacity Expansion

Add resources before limits reached
Scale vertically (bigger servers)
Scale horizontally (more servers)
Cloud auto-scaling
Load balancing

5. Optimization

Identify inefficient code
Database query optimization
Caching strategies
Content delivery networks (CDN)
Archive old data
Decommission unused services

Network Security Controls

A.8.20 - Networks Security

Purpose: Ensure security of networks and protection of information in networks.

Control Statement: "Networks and network devices shall be secured, managed and controlled to protect information in systems and applications."

Network Security Measures:

1. Network Segmentation

Separate networks by trust level
DMZ for public-facing services
Internal network segments
Management network isolated
Guest network isolated
VLAN segmentation
Micro-segmentation (zero trust)

2. Firewall Protection

Perimeter firewall (Internet boundary)
Internal firewalls (between segments)
Host-based firewalls
Default deny policy
Regular rule review
Change control for rules
Logging enabled

3. Network Access Control (NAC)

Device authentication
Posture assessment
Role-based access
Quarantine non-compliant
RADIUS/802.1X
Guest registration

4. Intrusion Detection/Prevention (IDS/IPS)

Monitor network traffic
Detect malicious activity
Alert on suspicious patterns
Block attacks (IPS)
Signature and anomaly-based
Tuned to reduce false positives

5. Network Device Security

Change default passwords
Disable unnecessary services
Secure management interfaces
Encrypted management (SSH, HTTPS)
SNMP security (v3)
Regular firmware updates
Configuration backup

A.8.21 - Security of Network Services

Purpose: Ensure security of network services.

Control Statement: "Security mechanisms, service levels and service requirements of network services shall be identified, implemented and monitored."

Network Service Security:

1. Service Level Agreements (SLA)

Define availability requirements
Response time guarantees
Security requirements
Support response times
Penalties for non-compliance
Regular review and reporting

2. Network Services to Secure

DNS (DNSSEC, monitoring)
DHCP (rogue DHCP detection)
NTP (authenticated time)
Email (SPF, DKIM, DMARC)
Web services (TLS, WAF)
VPN (strong encryption, MFA)
Wireless (WPA3, 802.1X)

3. ISP and Connectivity

Redundant providers
SLA for uptime and response
Security requirements in contract
DDoS mitigation
Bandwidth monitoring
Incident notification requirements

A.8.22 - Segregation of Networks

Purpose: Segregate networks based on information classification and access requirements.

Control Statement: "Groups of information services, users and information systems shall be segregated in the organization's networks."

Network Segregation Examples:

By Function:

Production network
Development/test network
Management network
Guest/visitor network
IoT network
Voice/VoIP network

By Security Level:

Public DMZ
Semi-trusted (partners)
Internal trusted
Highly restricted (sensitive data)

By Compliance:

PCI cardholder data environment
HIPAA protected health information
FedRAMP systems

Implementation:

VLANs (with ACLs)
Physical separation
Firewalls between segments
Routing controls
Zero trust architecture

Data Security Controls

A.8.11 - Data Masking

Purpose: Limit exposure of sensitive data.

Control Statement: "Data masking shall be used in accordance with the organization's topic-specific policy on access control and other related topic-specific policies, and business requirements, taking applicable legislation into consideration."

Data Masking Techniques:

1. Static Masking

Permanent replacement of sensitive data
For non-production environments
Preserves data format and relationships
Irreversible

Example: Credit card 4532-1234-5678-9010 → 4532-XXXX-XXXX-9010

2. Dynamic Masking

Real-time masking based on user
Authorized users see real data
Others see masked version
Database-level enforcement

3. Tokenization

Replace sensitive data with token
Store mapping securely
Detokenize when authorized
Used in payment processing

4. Redaction

Remove sensitive portions
For documents and displays
Permanent or temporary

A.8.12 - Data Leakage Prevention

Purpose: Detect and prevent unauthorized disclosure of information.

Control Statement: "Data leakage prevention measures shall be applied to systems, networks and any other devices that process, store or transmit sensitive information."

DLP Implementation:

1. DLP Deployment Points

Network DLP:

Monitor network traffic
Email gateway
Web gateway
Cloud access security broker (CASB)
Block or quarantine violations

Endpoint DLP:

Monitor endpoint activities
Block copy to USB
Block upload to personal cloud
Block print/screenshot
Clipboard control

Storage DLP:

Scan files at rest
Classify data
Enforce retention
Discover sensitive data locations

2. DLP Policies

Content-Based:

Credit card numbers (regex)
Social security numbers
Protected health information
Proprietary keywords
Document fingerprinting

Context-Based:

Source application
Destination (external email, USB)
User role
Data classification
Time of day

3. DLP Actions

Alert/log only (monitor mode)
User notification/justification
Manager approval required
Block action
Encrypt automatically
Quarantine for review

A.8.13 - Information Backup

Purpose: Maintain availability and integrity via backups.

Control Statement: "Backup copies of information, software and systems shall be maintained and regularly tested in accordance with the agreed topic-specific policy on backup."

Backup Strategy:

1. Backup Scope

Critical business data
System configurations
Application data
Databases
User files
Email
Virtual machine images
Documentation

2. Backup Types

Full Backup:

Complete copy of all data
Weekly recommended
Longest duration
Fastest restore

Incremental Backup:

Only changes since last backup
Daily recommended
Fastest backup
Slower restore (need all incrementals)

Differential Backup:

Changes since last full backup
Grows over time
Moderate backup time
Moderate restore time

3. Backup Schedule

Critical Systems:

Full backup: Weekly
Incremental: Daily
Transaction logs: Continuously or hourly
Retention: 30-90 days

Standard Systems:

Full backup: Monthly
Incremental: Weekly
Retention: 30 days

4. Backup Security

Encrypt backup data
Encrypt transmission
Secure backup media
Access control to backups
Separate backup credentials
Offline/immutable backups (ransomware protection)

5. Backup Testing

Regular restore tests (monthly)
Full recovery test (annually)
Document restore procedures
Test restore time (RTO)
Verify backup integrity
Test different failure scenarios

6. Backup Storage

On-site backups (quick restore)
Off-site backups (disaster recovery)
Cloud backups
Geographic separation
3-2-1 rule: 3 copies, 2 different media, 1 off-site

A.8.14 - Redundancy of Information Processing Facilities

Purpose: Ensure availability through redundancy.

Control Statement: "Information processing facilities shall be implemented with redundancy sufficient to meet availability requirements."

Redundancy Strategies:

1. Server Redundancy

Clustered servers
Active-active or active-passive
Automatic failover
Load balancing
Shared storage
Geographic diversity

2. Storage Redundancy

RAID configurations
SAN/NAS replication
Snapshot technology
Continuous data protection
Cloud storage replication

3. Network Redundancy

Redundant ISPs
Redundant routers/switches
Multiple paths
Automatic failover
Load balancing
Geographic diversity

4. Power Redundancy

Multiple power feeds
UPS systems
Generators
Automatic transfer switch
Redundant PDUs

5. Site Redundancy

Secondary data center
Hot site (fully equipped, ready)
Warm site (equipment available, data restore needed)
Cold site (space only)
Cloud DR
Geographic separation

Application Security Controls

A.8.25 - Secure Development Lifecycle

Purpose: Establish and apply rules for development of systems and software.

Control Statement: "Rules for the development of software and systems shall be established and applied."

Secure SDLC Phases:

1. Requirements

Security requirements gathering
Threat modeling
Privacy requirements
Compliance requirements
Abuse cases
Security user stories

2. Design

Security architecture review
Threat modeling (STRIDE, PASTA)
Security design patterns
Principle of least privilege
Defense in depth
Fail securely

3. Implementation

Secure coding standards (OWASP)
Code reviews (peer, security)
Static application security testing (SAST)
Software composition analysis (SCA)
Secrets management (no hardcoded credentials)
Input validation
Output encoding
Parameterized queries

4. Testing

Security testing
Dynamic application security testing (DAST)
Interactive application security testing (IAST)
Penetration testing
Fuzz testing
Manual testing

5. Deployment

Security configuration
Secure defaults
Change management
Deployment automation
Security sign-off required

6. Maintenance

Vulnerability management
Patch management
Security monitoring
Incident response
Regular security assessments

A.8.26 - Application Security Requirements

Purpose: Define and apply security requirements for applications.

Control Statement: "Information security requirements shall be identified, specified and approved when developing or acquiring applications."

Security Requirements Categories:

1. Authentication and Authorization

MFA support
Password complexity enforcement
Session management
Role-based access control
Privileged function protection

2. Input Validation

Validate all input
Whitelist approach
Reject invalid input
Encode output
Prevent injection attacks

3. Cryptography

Encrypt sensitive data in transit (TLS 1.2+)
Encrypt sensitive data at rest
Strong algorithms only
Key management
No hardcoded keys

4. Error Handling

Generic error messages to users
Detailed logging for support
No sensitive data in errors
Fail securely
Prevent information leakage

5. Logging and Monitoring

Log security events
Log authentication attempts
Log privileged actions
Log data access
Protect log integrity
Monitor logs for security events

6. Session Management

Secure session IDs
Session timeout
Re-authenticate for sensitive actions
Logout functionality
Prevent session fixation

A.8.27 - Secure System Architecture and Engineering Principles

Purpose: Apply security principles to system architecture and engineering.

Control Statement: "Principles for engineering secure systems shall be established, documented and maintained and applied to information system development activities."

Security Principles:

1. Defense in Depth

Multiple layers of security
Redundant controls
No single point of failure

2. Least Privilege

Minimum access needed
Default deny
Explicit grants only

3. Separation of Duties

No single person end-to-end control
Checks and balances
Prevent fraud

4. Fail Securely

Errors don't expose security
Maintain security during failures
Graceful degradation

5. Complete Mediation

Check every access
Don't cache authorization decisions
No bypass mechanisms

6. Open Design

Security not through obscurity
Assume attacker knows design
Cryptographic algorithms public

7. Least Common Mechanism

Minimize shared resources
Isolation between tenants/users
Prevent information leakage

8. Psychological Acceptability

Security usable
Not too burdensome
User-friendly

A.8.28 - Secure Coding

Purpose: Apply secure coding principles.

Control Statement: "Secure coding principles shall be applied to software development."

Secure Coding Practices:

OWASP Top 10 Mitigations:

1. Injection Prevention

Parameterized queries
Stored procedures
Input validation
Escape special characters
Use ORMs carefully

2. Authentication Failures

Strong password requirements
MFA implementation
Credential storage (hashed, salted)
Session management
Rate limiting

3. Sensitive Data Exposure

Encrypt data in transit
Encrypt data at rest
TLS for all sensitive transmissions
Minimize data collection
Secure key management

4. XML External Entities (XXE)

Disable XML external entity processing
Use less complex data formats (JSON)
Input validation
Patch XML processors

5. Broken Access Control

Deny by default
Check authorization server-side
Don't rely on client-side checks
Log access control failures

6. Security Misconfiguration

Secure defaults
Minimal features enabled
Security hardening
Regular updates
Configuration management

7. Cross-Site Scripting (XSS)

Output encoding
Content Security Policy
Input validation
HTTPOnly cookies
Use security frameworks

8. Insecure Deserialization

Avoid deserialization of untrusted data
Integrity checks
Type constraints
Isolate deserialization

9. Using Components with Known Vulnerabilities

Inventory components
Monitor for vulnerabilities
Patch promptly
Remove unused dependencies
Use only maintained components

10. Insufficient Logging & Monitoring

Log security events
Protect log integrity
Monitor logs
Alert on suspicious activity
Incident response integration

A.8.29 - Security Testing in Development and Acceptance

Purpose: Define and implement security testing processes.

Control Statement: "Security testing processes shall be defined and implemented in the development lifecycle."

Testing Types:

1. Static Analysis (SAST)

Analyze source code
No execution needed
Find coding errors
Early in development
Automated

2. Dynamic Analysis (DAST)

Test running application
Black-box testing
Find runtime vulnerabilities
Later in development
Automated

3. Interactive Analysis (IAST)

Combines SAST and DAST
Instrument running application
Real-time feedback
Accurate results

4. Software Composition Analysis (SCA)

Identify third-party components
Known vulnerabilities
License compliance
Outdated versions

5. Penetration Testing

Manual testing by experts
Simulated attacks
Pre-production
Annual or before major releases
Report findings

6. Security Code Review

Manual review by security expert
Focus on critical components
Verify automated findings
Architecture review

A.8.30 - Outsourced Development

Purpose: Direct, monitor, and review outsourced development.

Control Statement: "The organization shall direct, monitor and review the activities related to outsourced system development."

Outsourced Development Security:

1. Vendor Selection

Security capabilities assessment
Secure development practices
Security certifications
References and track record
Financial stability

2. Contractual Security Requirements

Security requirements defined
Secure coding standards
Testing requirements
Intellectual property ownership
Confidentiality obligations
Right to audit
Escrow arrangements
Liability and insurance

3. Development Oversight

Regular status reviews
Security checkpoint reviews
Access to code repository
Vulnerability scan results
Test results review
Security acceptance criteria

4. Code Review and Testing

Independent security review
Penetration testing
Code scan results
Dependency analysis
Acceptance testing

A.8.31 - Separation of Development, Test and Production

Purpose: Separate development, test and production environments.

Control Statement: "Development, testing and production environments shall be separated and secured."

Environment Separation:

Development:

Developer workstations
Shared dev servers
No production data
Relaxed security (for productivity)
Test accounts
Latest code versions

Testing/QA:

Mirrors production
Realistic test data (masked/synthetic)
Stable code versions
Controlled access
Formal testing process

Staging/Pre-Production:

Exact production replica
Final validation
Production-like security
Limited access
No untested code

Production:

Live environment
Real data
Strictest security
Change control
No direct developer access
Monitored 24/7

Controls:

Different credentials for each
Network separation
No copying production data to dev/test
Promote code through environments
No production debugging
Separate administrative access

A.8.32 - Change Management

Purpose: Manage changes to information processing facilities and systems.

Control Statement: "Changes to information processing facilities and systems shall be subject to change management procedures."

Change Management Process:

1. Change Request

Description of change
Justification/business need
Systems affected
Implementation plan
Rollback plan
Testing plan
Risk assessment

2. Change Review

Technical review
Security review
Business impact
Dependencies
Schedule review

3. Change Approval

Change advisory board (CAB)
Risk-based approval authority
Standard changes (pre-approved)
Emergency changes (post-approval)

4. Change Implementation

Follow approved plan
Testing in non-production
Scheduled maintenance window
Communication to stakeholders
Rollback plan ready
Monitor during/after change

5. Post-Implementation Review

Verify success
Document completion
Update documentation
Lessons learned
Close change ticket

Change Categories:

Standard Change:

Low risk
Well understood
Pre-approved
Documented procedure
Example: Password reset

Normal Change:

Medium risk
CAB approval required
Tested in non-production
Example: Application update

Emergency Change:

High urgency
Security patches
Business-critical fixes
Expedited approval
Post-implementation review

A.8.33 - Test Information

Purpose: Protect test information.

Control Statement: "Test information shall be appropriately selected, protected and managed."

Test Data Protection:

1. No Production Data in Test

Risk of exposure
Compliance violations (GDPR, HIPAA)
Difficult to secure test environments
Exception process if absolutely necessary

2. Test Data Alternatives

Synthetic Data:

Generated to mimic real data
No real personal information
Maintains statistical properties
Realistic scenarios

Data Masking:

Production data with sensitive fields masked
Maintains referential integrity
Format-preserving
Irreversible

Data Subsetting:

Small subset of production data
Masked sensitive fields
Sufficient for testing
Reduced risk

Anonymization:

Remove personally identifiable information
Aggregate data
Generalization
Careful to prevent re-identification

3. Test Data Management

Classify test data
Apply appropriate controls
Refresh regularly
Delete when no longer needed
Track usage
Audit access

Security Monitoring Controls

A.8.15 - Logging

Purpose: Produce, store, protect, analyze event logs.

Control Statement: "Logs recording activities, exceptions, faults and other relevant events shall be produced, stored, protected and analyzed."

Logging Requirements:

What to Log:

User authentication (success/failure)
Privileged actions
Access to sensitive data
Configuration changes
Security events (malware, IPS alerts)
Administrative actions
Application errors
System events

Log Content:

Timestamp (synchronized time)
User ID
Action performed
Source (IP, hostname)
Destination
Result (success/failure)
Additional context

Log Protection:

Write-only access for systems
Read access controlled
Tamper-evident
Integrity checking
Encryption in transit/at rest
Backup logs
Retention per policy

Log Analysis:

SIEM (Security Information and Event Management)
Correlation across systems
Real-time alerting
Threat detection
Compliance reporting
Regular review
Long-term trending

A.8.16 - Monitoring Activities

Purpose: Monitor networks, systems and applications for anomalies and security events.

Control Statement: "Networks, systems and applications shall be monitored for anomalous behavior and appropriate actions taken to evaluate potential information security incidents."

Monitoring Capabilities:

1. Network Monitoring

Traffic analysis
Anomaly detection
IDS/IPS alerts
Bandwidth usage
Connection attempts
DNS queries
Protocol anomalies

2. System Monitoring

Resource utilization
Process activity
Service status
Failed login attempts
Privileged escalation
File integrity
Configuration changes

3. Application Monitoring

Application errors
Authentication failures
Authorization violations
Input validation failures
Unusual usage patterns
API abuse

4. User Behavior Analytics (UBA)

Baseline normal behavior
Detect deviations
Insider threats
Compromised accounts
Data exfiltration
Privilege abuse

5. Threat Intelligence Integration

IOC (Indicators of Compromise)
Known malicious IPs
Malware signatures
Attack patterns
Emerging threats

Cryptography Controls

A.8.24 - Use of Cryptography

Purpose: Ensure proper and effective use of cryptography.

Control Statement: "Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented."

Cryptography Policy:

1. When to Use Cryptography

Encryption in Transit:

All sensitive data
Authentication credentials
Personal information
Financial data
Proprietary information
TLS 1.2 or higher

Encryption at Rest:

Sensitive data storage
Databases with PII/PHI
Backups
Mobile devices
Removable media
Cloud storage

2. Approved Algorithms

Symmetric Encryption:

AES-256 (preferred)
AES-128 (acceptable)
Avoid: DES, 3DES, RC4

Asymmetric Encryption:

RSA 2048-bit minimum (4096 preferred)
ECC 256-bit
Avoid: RSA < 2048

Hashing:

SHA-256 or SHA-3
Avoid: MD5, SHA-1

Password Hashing:

Argon2 (preferred)
bcrypt
PBKDF2
Scrypt

3. Key Management

Key Generation:

Cryptographically secure random
Sufficient entropy
Generated in secure environment
Not generated by users

Key Storage:

Hardware Security Module (HSM) for critical keys
Key management system
Encrypted key files
Access controlled
Audit key access

Key Distribution:

Secure channels only
Out-of-band verification
Certificate authorities
Public key infrastructure (PKI)

Key Rotation:

Regular rotation schedule
Rotate if compromised
Archive old keys (for decryption of old data)
Destroy when no longer needed

Key Recovery:

Escrow for business continuity
Split knowledge/dual control
Secure escrow procedures
Limited recovery access
Audit all recovery

4. Certificate Management

Internal PKI or trusted CA
Certificate lifecycle
Renewal before expiration
Revocation process
Certificate pinning (where appropriate)
Monitor certificate expiration

Technology Controls Implementation Roadmap

Month 1-2: Foundation

Endpoint protection deployed
Disk encryption enforced
MFA implemented
Password policy enforced
Backup system operational

Month 3-4: Network Security

Network segmentation
Firewall rules optimized
IDS/IPS deployed
Network monitoring
NAC implemented

Month 5-6: Access and Identity

PAM solution deployed
Access governance
SSO implementation
Regular access reviews
Authentication logging

Month 7-8: Application Security

Secure SDLC defined
Developer training
SAST/DAST tools
Code review process
Security testing

Month 9-10: Monitoring and Response

SIEM deployed
Log aggregation
Alert tuning
Playbooks defined
SOC operations

Month 11-12: Advanced Controls

DLP deployment
Data classification
Encryption at rest
Advanced threat detection
Continuous improvement

Next Lesson: Security Configuration Baseline - Learn how to create standardized, secure configuration baselines for Windows, Linux, network devices, and cloud platforms to ensure consistent security across your infrastructure.