OpenCASE Implementation Guidance


Note

OpenCASE is intended to be a technology-agnostic framework. OpenCASE does not endorse any particular vendor, product, or service to address its Priorities.

HOWEVER…

From a practical standpoint, it must be acknowledged that people who aren’t IT professionals generally think of their IT environments in terms of the products they use, not the abstract services they provide or the concepts behind them. The objective of this GUIDANCE is to clarify how the SPECIFICATION can be implemented, and for the target audience that means speaking in terms of the products they use.

For this reason, the GUIDANCE often refers to certain vendors or their platforms directly. Any such references are purely to contextualise the requirements of the SPECIFICATION in terms of these platforms, and should not be construed as an endorsement or recommendation.

Term   Meaning
ILv    OpenCASE Implementation Level
MFA    Multi-factor authentication
SSO    Single Sign On
SaaS   Software as a Service
PaaS   Platform as a Service
IaaS   Infrastructure as a Service
LAPS   Local Administrator Password Solution
MDM    Mobile Device Management
RMM    Remote Management and Monitoring

Priority 1 - Protect your user accounts.

  • “Primary user account” means the user account which staff use to access your organisation’s online workspace, which typically includes all the common tools which enable day-to-day work: email, calendar, file storage, chat, meetings, etc. Most likely it will be one of:
    • Microsoft 365 (Entra ID).
    • Google Workspace.
    • Zoho Workplace.
  • The primary user account is not necessarily the same as the account staff use to log into their work computer - though it likely will be if your organisation uses Microsoft 365 and Windows devices.
  • Enforcement of MFA can lock out users who have not set up an appropriate MFA method yet. Be sure that all users have enrolled in MFA before turning on enforcement, and embed MFA enrolment into new staff on-boarding.

  • The ability to configure and disable certain MFA methods is platform dependent. If your primary online workspace solution does not have this feature, a documented policy which instructs staff not to use them should be implemented.

  • “Cloud applications” means any website or online platform your organisation uses to perform a business function which requires users to sign in.
  • The ability for administrators to enforce MFA for all users or to configure single sign on is platform dependent, and may be restricted to higher priced plans. Setting and clearly communicating a policy to your users that they are required to set up MFA may be considered an acceptable workaround if the feature isn’t available to your organisation.

Priority 2 - Protect your people.

  • Your organisation should have a formal document which outlines expectations and obligations for staff in regards to cybersecurity. New staff should be provided this document and have it explained to them to ensure they understand it.
  • OpenCASE is not prescriptive about the specific format or content of this document, choose an approach which works for your organisation. Some possibilities include:
    • A section on cybersecurity in your staff handbook.
    • A section in your “IT acceptable use policy”
    • A dedicated cybersecurity policy or guide.
  • Search online for examples or templates to give you a head start. AI tools can also create reasonable samples with appropriate prompting, which can then be customised to your needs.
  • Formal acknowledgements of responsibility should be recorded in some manner in a staff member’s personnel record. This could be:
    • Signing a written statement - on paper or digitally.
    • submission of an electronic form in the HR management system.
  • Departed staff should have their accounts disabled within 24 hours of finishing work, but ideally as soon as they walk out the door.
  • When a staff member departs, be sure to disable their access in every system and application they had an account for. Disabling only their primary user account will not be sufficient unless all other systems they had access to are configured for single sign on.

  • A cybersecurity champion does not necessarily have to be someone with cybersecurity skills, or even someone from an IT background - but ideally it should be someone who is at least interested in the topic. Ask for volunteers before assigning the role to someone who is not necessarily willing.
  • The champion’s role is not to train others, but to keep cybersecurity front of mind for your team, and encourage them to continuously develop their own awareness of current cybersecurity trends and topics.
  • Some possible activities a champion could try:
    • Staying abreast of cybersecurity news and circulating interesting or relevant articles to the rest of the team.
    • Participating in cybersecurity events and communities, then sharing learnings with the team.
    • Promoting discussion of cybersecurity considerations in meetings.
    • Finding and sharing learning resources with the rest of the team.

  • Staff should be encouraged to research and select a personal cybersecurity learning objective which is relevant to their own job role.
  • Objectives do not have to be mammoth undertakings, but the expectation should be that each person will acquire a new skill or understanding of a previously unknown topic.
  • Completion of standardised security awareness training delivered by online learning platforms does not satisfy this requirement. While such training is valuable, and should ideally form part of your organisation’s overall security culture building program, the generic content and passive consumption model does not encourage the sort of engagement from individuals that this requirement aims to address.

Priority 3 - Protect your passwords.

  • Centralised management is a key requirement; use of individual or personal password managers by staff to store work-related credentials is not sufficient.
  • Generally speaking, the built-in password manager included in most web browsers is not sufficient to satisfy this requirement, as the credentials are either only stored on the device, and/or not accessible or recoverable by administrators if necessary (e.g. if the user forgets their password).

  • OpenCASE is not prescriptive about password policy settings or strength; the important thing is to have a policy and ensure it is communicated to staff.
  • As a general guide, higher length is recommended over traditional complexity rules such as requiring inclusion of mixed case, numbers, and punctuation.

  • Password auditing and breach detection features may be an advanced/enterprise tier feature in some password managers. If the functionality is not available, consider adding an annual task to the shared cybersecurity calendar for staff to manually update their passwords.

Priority 4 - Protect against malware.

  • The built-in Windows Defender anti-virus solution is sufficient to satisfy this requirement for Windows computers.
  • MacOS does not have a native anti-malware solution, so organisations with Mac computers will need to acquire a third party product to satisfy this requirement.
  • Linux computers are considered out of scope for this requirement due to the limited availability of and benefits of Linux anti-malware solutions.

  • Free / publicly available DNS servers which filter malicious domains by default are considered sufficient to satisfy this requirement. Some examples are:
    • Quad9 - 9.9.9.9 / 149.112.112.112
    • Cloudflare for families - 1.1.1.2 / 1.0.0.2 (but not 1.1.1.1 / 1.0.0.1)
    • DNS0.eu ZERO - 193.110.81.9 / 185.253.5.9
    • AdGuard family protection - 94.140.14.15 / 94.140.15.16
  • NOTE: Google public DNS (8.8.8.8 / 8.8.4.4) does NOT include malicious domain filtering.

  • The built-in Windows Defender does NOT satisfy this requirement on its own; however it can if combined with a properly configured Windows Defender for Business / Defender for Endpoint.
  • Other third party EDR / XDR / MDR solutions are also acceptable to satisfy this requirement, providing they are configured to behave in accordance with the completion criteria.

Priority 5 - Protect your data.

  • The cloud storage service integrated with your organisation’s online workplace solution will be sufficient to satisfy this requirement. Practically speaking this will probably be:
    • OneDrive/SharePoint in Microsoft 365 environments.
    • Google Drive in Google Workplace environments.
    • Zoho WorkDrive in Zoho environments.
  • Third party solutions such as Dropbox for Business, Tresorit, Sync, etc, are also acceptable providing they are approved and centrally administered by your organisation.
  • Personal cloud storage accounts and services do not satisfy this requirement.

  • Don’t issue staff users accounts for systems and applications which aren’t relevant to their jobs.
  • Create a data inventory for your organisation. Include fields to clearly define which individuals or groups should have access to each dataset in the inventory.
  • Apply access controls to entire data sets rather than individual items where possible to simplify administration, e.g. folders / databases, as opposed to files / tables.
  • Assign permissions to groups or roles rather than individual users.

  • Relying solely on built-in versioning or backup and restore capabilities of the cloud service where data primarily resides is not sufficient to meet this requirement.
  • Copying data to a different location within the same service is also not sufficient to meet this requirement.

Priority 6 - Protect privileged accounts.

  • For Windows devices: in many scenarios the user account created or signed in when the device is set up is automatically added to the Local Administrators group.
    • The minimum steps to rectify this would be to create a new local user account which is assigned to the Local Administrators group, and remove the original user from the group.
    • More advanced solutions such as Windows LAPS are also acceptable.
  • For MacOS or Linux devices: Users do not have administrator access by default and are generally required to elevate their privileges using “sudo” or a similar method when performing administrative tasks. As long as elevation requires the user to re-authenticate (e.g. by typing their password) then this requirement is satisfied.

  • In a cloud application context, a user’s primary account is the one they perform their day to day tasks with, which will be separate from the primary user account discussed in Priority 1, unless your organisation has implemented SSO.
  • In most cases, the user account which establishes a cloud service is considered the owner of the service and has administrator rights by default.
  • If the owner/administrator account has been used as a primary user account it must be decoupled to satisfy this requirement.
    • If supported by the application, administrator permissions can be removed from the original owner and transferred to a new separate administrator account.
    • If administrator permissions cannot be removed from the original account, a new account must be established for day to day use. This may additionally require migration of data from the original account to the new user.

  • It is recommended to establish a shared calendar for scheduling cybersecurity tasks such as permission audits. This way the whole team can see when they are due, and there is a record of them being scheduled.
  • A record of the audit should be kept as evidence of it having been performed, even if no changes were made. A help desk / service desk ticket would be an acceptable method.

Priority 7 - Protect your applications.

  • A basic spreadsheet is suitable for keeping a software inventory. All team members should have access to, and be familiar with, this document.
  • Due to the complexity and potentially disruptive behaviour of tools which enforce restrictions on the software that can be run on a computer, it is recommended that they only be implemented in organisations where professional IT support is available.
  • Smaller organisations without professional IT support may rely on a documented policy in place of technological enforcement, provided it is clearly communicated to all staff.

  • Most modern operating systems support the ability to automatically apply updates, but they are not always turned on. Ensure that they are to satisfy this control.
  • Automatic updates should not require any user intervention, i.e. no manual initiation or approvals by users.
  • Software updates typically require the device or application to be restarted to be applied. Ensure that staff are educated to perform such restarts in a timely manner and not unduly delay them.
  • In some cases, automated updates will fail to apply if the user has the application open when the update is attempted. Ensure any such applications are identified and staff are educated to close these programs periodically so updates can be applied.

  • Add a recurring task to your shared cybersecurity calendar to schedule application reviews.
  • Identifying software which is no longer supported will likely require proactive investigation of the vendor/developer’s website.
  • OpenCASE does not define a fixed time period after which software is considered unsupported. However any software which has not received an update from the developer for more than 12 months should be given careful scrutiny and consideration.
  • Software which is still under active development, but which your organisation is not entitled to updates or support for (e.g. due to not having a support contract) is considered unsupported for the purposes of this requirement.
  • Decommissioning of cloud applications means closing down the account or service entirely. Consider whether data in the application needs to be backed up /exported somehow first.
  • Ensure that appropriate records of the review and its findings are kept.

Priority 8 - Protect your email.

  • Microsoft 365 includes this capability in its Business Premium subscription tier, but not Standard or Basic.
  • Google Workspace includes this capability in all business plans including Business Starter.
  • Zoho Mail includes this capability in all of its PAID business plans; the Free plan does not.
  • In all of the above services, the default out of box configuration for built-in scanning and filtering capabilities offers only limited protection, and it is recommended to adjust the email filtering policies and settings to be more strict.
  • Older email services (POP/IMAP based) are unlikely to include or support the required capabilities. Such email services were historically sold alongside domain registration and/or website hosting.
  • If your organisation still uses an older/legacy email service, it is recommended to migrate to a more modern email alternative which supports the required capabilities, rather than trying to “bolt on” the functionality with a third party product.

  • Blocking of automated external forwarding should be configured at a service/organisation-wide level, if possible, rather than applied individually to users or groups.
  • Email notifications to an appropriate person are acceptable as an alerting method.

  • This requirement applies to ALL domains operated by your organisation, regardless of whether they are used to send mail.
  • SPF should be configured for all domains. If the domain does not send mail, the SPF policy should be “v=spf1 -all”.
  • DKIM is only required for domains which send mail. DNS Records are configured according to the settings provided by the mail sending service.
  • DMARC should be configured for all domains. If the domain does not send mail, the DMARC policy should be “v=DMARC1;p=reject”.
  • DMARC for domains which send mail must be carefully configured to avoid impacting delivery of legitimate email. It is recommended to engage professional IT support to facilitate its implementation.
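An added example (not part of the OpenCASE guidance) that checks a domain’s SPF and DMARC TXT records against the rules above: non-sending domains must have exactly “v=spf1 -all” and “p=reject”, sending domains must have an SPF record with a terminal “all” mechanism and a DMARC record with a valid policy. The domain names and records are constructed so the check runs offline; the extra flag for “+all” on sending domains goes slightly beyond the text above.

```python
import re

# Constructed sample TXT records for made-up domains, so the check runs offline.
# "txt" are the records at the domain apex, "dmarc_txt" those at _dmarc.<domain>.
SAMPLE_ZONES = {
    "parked.example": {"sends_mail": False, "txt": ["v=spf1 -all"],
                       "dmarc_txt": ["v=DMARC1;p=reject"]},
    "mail.example": {"sends_mail": True,
                     "txt": ["v=spf1 include:_spf.provider.example -all", "site-verification=abc123"],
                     "dmarc_txt": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@mail.example"]},
    "neglected.example": {"sends_mail": False, "txt": ["v=spf1 +all"], "dmarc_txt": []},
}

ALL_TERM = re.compile(r"^([-~+?]?)all$", re.IGNORECASE)  # SPF 'all' mechanism plus qualifier


def parse_spf(txt):
    """Return the SPF terms, or None when zero or more than one SPF record exists."""
    spf = [r.split() for r in txt if r.lower().split()[:1] == ["v=spf1"]]
    return spf[0] if len(spf) == 1 else None


def parse_dmarc(dmarc_txt):
    """Return DMARC tags as a dict with lower-cased keys, or None if no record is present."""
    for record in dmarc_txt:
        tags = {}
        for part in record.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def check_domain(domain, txt, dmarc_txt, sends_mail):
    """Return a list of findings; an empty list means the records match the guidance."""
    findings = []
    spf = parse_spf(txt)
    if spf is None:
        findings.append(f"{domain}: missing (or duplicate) SPF record")
    elif not sends_mail:
        if [t.lower() for t in spf] != ["v=spf1", "-all"]:
            findings.append(f"{domain}: non-sending domain SPF must be exactly 'v=spf1 -all'")
    else:
        qualifiers = [m.group(1) for m in map(ALL_TERM.match, spf) if m]
        if not qualifiers:
            findings.append(f"{domain}: SPF has no terminal 'all' mechanism")
        elif qualifiers[-1] == "+":
            findings.append(f"{domain}: SPF ends in '+all', which authorises any sender")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append(f"{domain}: no DMARC record at _dmarc.{domain}")
    else:
        policy = dmarc.get("p", "").lower()
        if not sends_mail and policy != "reject":
            findings.append(f"{domain}: non-sending domain DMARC policy must be p=reject, got {policy!r}")
        elif policy not in ("none", "quarantine", "reject"):
            findings.append(f"{domain}: DMARC record lacks a valid p= policy tag")
    return findings


def run_sample_checks(zones=SAMPLE_ZONES):
    return {d: check_domain(d, z["txt"], z["dmarc_txt"], z["sends_mail"]) for d, z in zones.items()}


if __name__ == "__main__":
    for domain, findings in run_sample_checks().items():
        print(domain, findings or "OK")
```

To use it on a real domain, feed the functions the TXT records returned by your DNS lookup tool for the apex and for _dmarc.<domain>.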

Priority 9 - Protect your devices.

  • OpenCASE is not prescriptive about the length of inactivity timeout. As a guide, 15 minutes is generally considered appropriate for computers, and 2-5 minutes for mobile devices.
  • OpenCASE is not prescriptive about the length or complexity of unlock credentials. Some guidelines:
    • Numeric PINs should be at least 4 non-consecutive digits long.
    • Passwords should follow the same conditions as your password policy.

  • Windows 11 BitLocker / Device Encryption is sufficient to meet this requirement. Device Encryption is on by default in new installs of Windows 11. Older computers may have to enable it manually.
  • Windows 10 Home does not include BitLocker at all. If your organisation has devices with this operating system, it is recommended to upgrade their OS to the Pro version, or to replace them with new devices running Windows Pro.
  • MacOS devices must enable FileVault to satisfy this requirement. Default disk encryption in modern Apple Mac computers (with an M series “Apple silicon” processor or a T2 security chip) is NOT sufficient to satisfy this requirement as the disk can be accessed without a password using Target Disk Mode.
  • iOS and Android devices include this capability by default as long as a device PIN is set.

  • All organisation owned devices must be centrally managed to meet the requirements of this control. This includes computers and mobile devices.
  • Microsoft 365 Business Premium includes this capability via Intune, lower pricing tiers do not. Note that support for MacOS devices is somewhat limited.
  • Google Workspace includes Endpoint Management in all Business plans, however Windows device management is only available in the Business Plus tier, and MacOS devices are not supported at all.
  • Other third party MDM or RMM solutions are also acceptable.
  • MacOS device support is limited or absent in the Microsoft and Google MDM solutions. MacOS specific solutions may be more appropriate if your organisation uses primarily Apple computers.

Priority 10 - Protect third party relationships.

  • Review all existing third party agreements to identify any which do not contain a suitable confidentiality clause. Any third parties without a suitable clause in their agreement should be approached to sign a separate Confidentiality Agreement.
  • It is recommended to speak to a qualified legal practitioner to obtain a standard Confidentiality Agreement template that can be used when engaging with third parties.
  • Third parties in this context include individuals who are not direct employees, e.g. contractors, consultants, etc.

  • A spreadsheet will suffice as a third party register.
  • The simplest method for tracking third party access to data is to list which of your organisation’s applications and/or data repositories they interact with.
  • A higher level of detail may be appropriate where a third party’s access is further constrained within an application, e.g. they can only access data relating to their own services or people.
  • Add a recurring task to your shared cybersecurity calendar to schedule the review of the third party register. Ensure that records of each review are kept for historic reference.

  • The term “professional services” in this requirement is intended to capture only those third parties whose services inherently require access to your organisation’s IT systems and data, e.g. accountants, IT support, etc.
  • Third parties providing other services which do not directly involve your systems and data, such as cleaners, electricians, caterers, etc, are considered out of scope for this requirement.
  • This requirement only applies in situations where your organisation is afforded the opportunity to negotiate terms of service. Large scale online service providers (e.g. Microsoft, Google, etc), whose terms of service are typically standardised and offered on a “take it or leave it” basis, may be considered out of scope.
  • OpenCASE is not prescriptive about what sort of requirements must be addressed in your agreements, but it is recommended to consider aspects such as how and where data is stored, whether it can be copied/removed from your own IT systems, ensuring only people with a need to know have access, whether it can be transferred overseas, etc.
  • As above, it is recommended to speak to a qualified legal practitioner when negotiating and drafting commercial agreements.

Priority 11 - Prepare for the worst.

  • Add a recurring task to your shared cybersecurity calendar to schedule the testing of backups. Ensure that records are kept of each test for historical reference.
  • OpenCASE is not prescriptive about how backups are tested, but the data restored from backups should be usable to carry on regular business operations for the test to be considered successful.
  • It is not necessary to test and verify the restoration of every individual file or record in a system - a sampled approach is acceptable to verify the accuracy and usability. Completeness can be verified using file or record counts.
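An added example, not from the OpenCASE guidance, implementing the sampled restore check described above: file counts and names establish completeness, and a random sample of files is hashed on both sides to establish accuracy. The source and restored directory trees are constructed in a temporary folder, with one stale file and one missing file so both failure modes are visible.

```python
import hashlib
import random
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def relative_files(root):
    """Sorted list of file paths below root, relative and with '/' separators."""
    root = Path(root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def verify_restore(source_dir, restore_dir, sample_size=20, seed=None):
    """Completeness from file counts and names; accuracy from hashing a random sample."""
    src, dst = relative_files(source_dir), relative_files(restore_dir)
    missing = sorted(set(src) - set(dst))
    candidates = [f for f in src if f not in missing]
    sample = random.Random(seed).sample(candidates, min(sample_size, len(candidates)))
    mismatched = sorted(f for f in sample
                        if sha256_of(Path(source_dir, f)) != sha256_of(Path(restore_dir, f)))
    return {"source_count": len(src), "restored_count": len(dst), "missing": missing,
            "sampled": len(sample), "mismatched": mismatched,
            "passed": len(src) == len(dst) and not missing and not mismatched}


def build_demo():
    """Constructed sample data: a source tree and a restore with one stale and one missing file."""
    base = Path(tempfile.mkdtemp(prefix="opencase-backup-test-"))
    source, restore = base / "source", base / "restore"
    files = {
        "finance/ledger.csv": b"date,amount\n2024-01-01,100\n",
        "hr/handbook.txt": b"Staff handbook v3\n",
        "ops/calendar.ics": b"BEGIN:VCALENDAR\nEND:VCALENDAR\n",
        "ops/runbook.md": b"# Incident response\n",
        "sales/pipeline.csv": b"lead,stage\nacme,won\n",
    }
    for rel, data in files.items():
        for root in (source, restore):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    (restore / "hr/handbook.txt").write_bytes(b"Staff handbook v2\n")  # stale copy: counts still match
    (restore / "sales/pipeline.csv").unlink()  # dropped from the restore: caught by the count
    return source, restore


if __name__ == "__main__":
    src, dst = build_demo()
    print(verify_restore(src, dst, sample_size=10, seed=1))
```

Point verify_restore at your real source and restored trees; the returned dictionary is suitable for pasting into the test record kept on the cybersecurity calendar task.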

  • Depending on your jurisdiction, a financial services license may be required to sell or advise about insurance products, including cyber insurance. An IT service provider, or cybersecurity consultant, is unlikely to have the required license to provide such advice.

  • Your organisation’s incident response plan should be customised for your particular IT environment and organisational context. Avoid relying on generic templates as they will be less useful in an actual incident.
  • Add a recurring task to your shared cybersecurity calendar to schedule the testing of your incident response plan. Ensure that records are kept of each test for historical reference.
  • Testing of the incident response plan should be appropriate for your organisation’s size and maturity; it does not need to be complicated or costly.
  • A simple approach might involve role playing different “what if…” scenarios to step through the plan (e.g. “What if someone’s laptop was stolen?”, “What if the boss’s email account got hacked?”).