Cyberguide - Centre for Cyber security Belgium


Publish a corporate security policy and a code of conduct

The security policy defines the rules that everyone in the organization must follow if it is to reach the level of information security set out in its security strategy.

  • Create and apply procedures for the arrival and departure of users (personnel, interns, etc.)
  • Describe security roles and responsibilities (for physical, personnel & ICT security)
  • Develop and distribute a code of conduct for using ICT
  • Plan and execute security audits
  • Create a classification and marking scheme for sensitive information
  • Introduce concepts of need to know, least privilege and segregation of duties into your policies and business processes
  • Publish a Responsible Disclosure policy
  • Have sensitive documents stored in locked closets
  • Have sensitive documents destroyed using a shredder
  • Enforce the locked print option when available
  • At the end of the working day, have any documents left on the printer shredded
  • Develop a cyber security training concept and plan
© 2018 - FPS Chancellery of the Prime Minister - Privacy