OpenCASE Specification


Note

The Specification is deliberately terse to try to keep it as clear and concise as possible. However, questions and ambiguity invariably arise when it comes to implementation. Refer to GUIDANCE for more detailed explanations about how priorities should be implemented, clarifications on terminology, and expectations on how specific completion criteria should be met or addressed.

Priority 1 : Protect your user accounts.

Objective: To protect user accounts from unauthorised access using stolen, guessed, or otherwise compromised login details.

Completion Criteria:

  • All human users are required to complete multi-factor authentication when signing in to their primary user account.

Completion Criteria:

  • Email, SMS, and voice calls are disabled, or disallowed by policy as acceptable multi-factor authentication methods.

Completion Criteria:

  • All cloud applications are configured to authenticate human users via single sign on with their primary user account, or to require multi-factor authentication if single sign on is not feasible.

Priority 2 : Protect your people.

Objective: To ensure all staff understand their responsibilities for cybersecurity and are provided the appropriate training and support to fulfil them.

Completion Criteria:

  • New staff are provided clear documentation and explanations about their cybersecurity responsibilities when they start.
  • Staff must formally acknowledge their acceptance of cybersecurity responsibilities as part of onboarding.
  • User accounts are disabled or deleted, and all IT assets recovered, whenever a staff member leaves.

Completion Criteria:

  • At least one staff member is formally assigned responsibility for building a strong cybersecurity culture within your organisation.

Completion Criteria:

  • All staff are required to choose a personal cybersecurity learning objective as part of their annual continuous professional development obligations.
  • Completion of personal cybersecurity learning objectives is assessed as a key performance metric in staff performance reviews.

Priority 3 : Protect your passwords.

Objective: To promote and enable the use of strong passwords and good password hygiene by staff, reducing the risk of compromised user credentials.

Completion Criteria:

  • A secure password manager which is centrally managed by your organisation’s IT administrator is deployed for all users.
  • Users are required to record all their work-related login details in this tool.

Completion Criteria:

  • The password manager is configured to generate strong passwords which adhere to your organisation’s password policy.
  • Staff are required to use the generator whenever they create a new password.

Completion Criteria:

  • The password manager is used to audit stored passwords and identify any which are not unique for the user, or which have been found in publicly released data breaches.
  • Users are required to change passwords which are identified as being compromised or not unique.

Priority 4 : Protect against malware.

Objective: To detect, disrupt, and block the execution or installation of malicious software, preventing it from causing damage to IT systems.

Completion Criteria:

  • Security software which detects and blocks execution of malicious programs is installed on all computers used to access your organisation’s IT systems and data.

Completion Criteria:

  • A secure DNS service is used by all computers in your organisation to filter and block DNS requests to malicious domains.

Completion Criteria:

  • Security software which monitors for, and reacts to, unusual or potentially malicious activity is installed on all computers used to access your organisation’s IT systems and data.

Priority 5 : Protect your data.

Objective: To ensure that organisational data is accessible to only the right people, available when needed, and can be recovered if something bad happens to it.

Completion Criteria:

  • Important organisational files are kept in an approved, centrally administered cloud storage service.
  • User devices are configured to synchronise locally stored files to this service.

Completion Criteria:

  • Applications and cloud storage services are configured to prevent staff from accessing data which isn’t relevant to doing their job.

Completion Criteria:

  • Data in cloud applications, including the approved file storage service, is regularly exported or otherwise replicated to a separate, secure backup solution or location.

Priority 6 : Protect privileged accounts.

Objective: To limit the availability of administrative permissions to potential attackers, and prevent their abuse or misuse by internal users.

Completion Criteria:

  • Primary user accounts do not have local administrator rights.
  • Separate administrator accounts are issued for workers that need them.
  • Administrator accounts are not used for conducting day-to-day business.

Completion Criteria:

  • Primary user accounts do not have administrative access to cloud applications.
  • All administrators of cloud applications have separate accounts for performing administrative tasks.
  • Administrator accounts are not used for conducting day-to-day business.

Completion Criteria:

  • Assignment of administrator and other privileged accounts is reviewed at least every 6 months.
  • Any assignments deemed no longer necessary or appropriate are revoked.

Priority 7 : Protect your applications.

Objective: To keep data contained within known boundaries, and minimise the opportunity for bugs in software to be exploited in a cyberattack.

Completion Criteria:

  • A list of approved software and cloud applications is created and maintained.
  • A policy and/or tool is in place which bans or blocks the installation or use of software and cloud applications not on this list.

Completion Criteria:

  • All computers, mobiles, and IoT devices are configured to automatically apply software, firmware, and operating system updates.
  • Where automatic updates are not possible, a process and/or tool is in place to ensure updates are applied within 1 month of release.

Completion Criteria:

  • Approved software and cloud applications are reviewed at least annually.
  • Any software which is no longer supported by the developer, or no longer actively in use by your organisation, is removed from all computers.
  • Any cloud services which are no longer in use are decommissioned.

Priority 8 : Protect your email.

Objective: To prevent the abuse or misuse of email to attack your organisation.

Completion Criteria:

  • All incoming email is scanned to filter out unwanted or malicious content.
  • Filtered emails are tagged, diverted, or blocked according to organisational policy.

Completion Criteria:

  • Your organisation’s email system is configured to prevent users from automatically forwarding emails to external email accounts.
  • IT administrators are alerted when email forwarding rules are created.

Completion Criteria:

  • All Internet domains owned by your organisation have appropriate DNS records configured for SPF, DKIM, and DMARC.
  • DMARC policy is set to quarantine or reject.
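As an added example (not part of the OpenCASE specification or its GUIDANCE), the following Python evaluates a domain's DMARC TXT record against the criterion above: the record must be valid DMARC1 with p= set to quarantine or reject. Settings that weaken enforcement without contradicting the literal criterion (sp=none, pct below 100, no rua= reporting address) are reported as warnings rather than failures; the record strings in the test are constructed samples.

```python
# Added example (not part of the OpenCASE specification): evaluate a
# DMARC TXT record against the Priority 8 criterion "DMARC policy is set
# to quarantine or reject". Sample records are constructed.

def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict.
    Surrounding quotes (as printed by dig) are tolerated; tag names are
    lower-cased and values kept as written."""
    tags = {}
    for part in record.strip().strip('"').split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> dict:
    """Return {'compliant': bool, 'findings': [...], 'warnings': [...]}.
    'compliant' follows the criterion literally: a valid DMARC1 record
    whose p= is quarantine or reject. 'warnings' flag settings that
    weaken enforcement (sp=none, pct below 100, no rua= reporting)
    without failing the check, so they can be triaged separately."""
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return {"compliant": False, "findings": [str(exc)], "warnings": []}
    # RFC 7489: v=DMARC1 must be the first tag of the record
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return {"compliant": False,
                "findings": ["not a DMARC record: first tag must be v=DMARC1"],
                "warnings": []}
    findings, warnings = [], []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"p={policy} does not meet 'quarantine or reject'")
    sp = tags.get("sp")
    if sp is not None and sp not in ("quarantine", "reject"):
        warnings.append(f"sp={sp} leaves subdomains unenforced")
    if tags.get("pct", "100") != "100":
        warnings.append(f"pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        warnings.append("no rua= address, so aggregate reports will not be received")
    return {"compliant": not findings, "findings": findings, "warnings": warnings}
```

Feed it the TXT value of `_dmarc.<your-domain>` for each domain on the Priority 10 register and treat any non-empty warnings list as follow-up work, since a pct=25 or sp=none record passes the letter of the criterion but not its intent.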

Priority 9 : Protect your devices.

Objective: To prevent unauthorised access or use of devices used to access your organisation’s IT systems and data.

Completion Criteria:

  • All computers and mobile devices used to access your organisation’s IT systems and data are configured with a screen lock which automatically activates after an appropriate period of inactivity.
  • When a device’s screen lock is activated a PIN, password, or biometric is required to unlock it.

Completion Criteria:

  • Internal storage of all computers and mobile devices used to access your organisation’s IT systems and data is encrypted and requires a PIN, password, or biometric to decrypt.

Completion Criteria:

  • Your organisation centrally monitors and administers configuration of its computers and mobile devices using a centrally administered device management solution.

Priority 10 : Protect third party relationships.

Objective: To ensure third parties understand and can be held accountable for their responsibilities to protect your IT systems and data.

Completion Criteria:

  • All third parties that receive or have access to your organisation’s data are required to sign legally binding confidentiality agreements, or include mutual confidentiality clauses in their service agreements.

Completion Criteria:

  • Your organisation has a formal register of third parties which lists the data shared with or accessible to each.
  • The third party register is reviewed and updated at least every 6 months.

Completion Criteria:

  • Contracts with IT managed service providers, and other professional services providers such as accountants and legal firms, have explicitly defined service levels for cybersecurity.

Priority 11 : Prepare for the worst.

Objective: To be ready for a cybersecurity incident if one happens.

Completion Criteria:

  • Data from backups is restored and checked for accuracy, completeness, and usability at least every 6 months.

Completion Criteria:

  • Cyber insurance has been discussed with a suitably qualified and licensed cyber insurance broker.
  • Unless explicitly advised otherwise, an appropriate cyber insurance policy is obtained.

Completion Criteria:

  • A cybersecurity incident response plan is documented.
  • The plan is tested and updated at least every 6 months.