IT Usage
Implementation and audit guidance for appropriate use of IT systems and resources.
Guidance to Implement
Provide training on what constitutes a strong password (length, complexity, uniqueness). Enforce these requirements through technical controls (e.g., policy-based rules in the IAM platform, a corporate password vault).
Guidance to Audit
Password policy document, screenshots of the password policy configured in the IAM platform, LMS records of password training.
Guidance to Implement
Implement MFA for all accounts through a centralized IAM solution and continuously monitor enrollment compliance. Train employees to enable MFA themselves on applications that are not integrated with SSO.
Guidance to Audit
MFA enrollment logs and compliance reports; training records.
Guidance to Implement
Deploy a corporate password manager and deliver mandatory training on its use.
Guidance to Audit
Password manager usage statistics and training records.
Guidance to Implement
Implement technical controls that enforce unique passwords (e.g., rejecting reuse of previous passwords) and provide regular password hygiene training.
Guidance to Audit
Password policy enforcement logs and training attendance records.
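The password-strength and uniqueness controls described in the items above can be enforced in code rather than left to training alone. The following is an added example, not code from the page or from any particular IAM product: it rejects a candidate password that is too short, uses too few character classes, contains the username, appears on a denylist, or matches any entry in the user's password history. History entries are stored as salted PBKDF2 hashes so the check never keeps plaintext. The thresholds (14 characters, three character classes, a 12-entry history, 100,000 iterations), the denylist and the sample history for user "alice" are constructed assumptions.

```python
"""Password policy check with history-based uniqueness (added example, not from the page)."""
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Policy thresholds are assumptions for this example, not values from the page.
MIN_LENGTH = 14
MIN_CHARACTER_CLASSES = 3
HISTORY_DEPTH = 12
PBKDF2_ITERATIONS = 100_000

# Constructed denylist; a real deployment would use a breached-password feed.
COMMON_PASSWORDS = {"password123", "welcome1", "summer2024!", "changeme"}

HashedPassword = Tuple[bytes, bytes]  # (salt, derived key)

# One regex per character class: lowercase, uppercase, digit, symbol.
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def hash_password(password: str, salt: Optional[bytes] = None) -> HashedPassword:
    """Derive a salted PBKDF2-HMAC-SHA256 key so the history never stores plaintext."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key


def reused_in_history(password: str, history: List[HashedPassword]) -> bool:
    """True if the candidate equals any previous password; each entry has its own salt."""
    for salt, key in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, key):  # constant-time comparison
            return True
    return False


def check_password(password: str, history: List[HashedPassword], username: str = "") -> List[str]:
    """Return policy violation codes; an empty list means the password is acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    classes = sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))
    if classes < MIN_CHARACTER_CLASSES:
        violations.append("too_few_character_classes")
    if username and username.lower() in password.lower():
        violations.append("contains_username")
    if password.lower() in COMMON_PASSWORDS:
        violations.append("common_password")
    if reused_in_history(password, history):
        violations.append("reused")
    return violations


def rotate_password(password: str, history: List[HashedPassword], username: str = "") -> List[HashedPassword]:
    """Validate the new password and, if accepted, return the updated history (last HISTORY_DEPTH entries)."""
    violations = check_password(password, history, username)
    if violations:
        raise ValueError("password rejected: " + ", ".join(violations))
    new_history = history + [hash_password(password)]
    return new_history[-HISTORY_DEPTH:]


# Constructed sample history for user "alice"; plaintexts appear here only to build the demo.
SAMPLE_HISTORY = [hash_password(p) for p in ("Winter2023!Secure", "Spring2024!Secure")]

if __name__ == "__main__":
    for candidate in ("Winter2023!Secure", "password123", "Tr0ub4dor&3-Correct-Horse"):
        print(candidate, "->", check_password(candidate, SAMPLE_HISTORY, "alice") or "OK")
```

The audit trail for this control is the rejection reasons: logging the violation codes (never the candidate password) gives the "password policy enforcement logs" an auditor would ask for.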
Guidance to Implement
Enforce restrictions on password sharing through process controls and schedule periodic training.
Guidance to Audit
Training records.
Guidance to Implement
Provide user education on best practices. Enforce automatic screen lock settings via MDM.
Guidance to Audit
Training records. MDM compliance reports and screenshots of lock settings.
Guidance to Implement
Provide advance update notifications through IT portals and allow users to schedule update times.
Guidance to Audit
Notification logs and user feedback surveys.
Guidance to Implement
Deploy application whitelisting solutions, maintain an updated approved software list, and train users on the exception process.
Guidance to Audit
Whitelisting configuration records and change logs.
Guidance to Implement
Establish a formal software request process with tracking and approval via an ITSM tool.
Guidance to Audit
Software request and approval logs from IT service support.
Guidance to Implement
Enforce MDM policies to restrict work to company-managed devices and provide training on mobile threats.
Guidance to Audit
MDM enrollment logs and mobile security training records.
Guidance to Implement
Provide a mechanism for employees to report suspicious emails, such as a report button in the email client or a dedicated request type in the ITSM tool.
Guidance to Audit
Reporting logs (e.g., report-button submissions or ITSM tickets).
Guidance to Implement
Run regular phishing simulations and provide detailed training on recognizing suspicious emails.
Guidance to Audit
Phishing simulation reports and training assessment scores.
Guidance to Implement
Encourage regular breaks and adopt scheduling practices that prevent back-to-back long meetings.
Guidance to Audit
Employee survey results and meeting schedule reviews.
Guidance to Implement
Deploy web filtering solutions and include clear notification messages with explanations for access blocks.
Guidance to Audit
Filtering logs and incident reports.
Guidance to Implement
Provide training on obtaining consent before recording. Implement policies restricting the recording of sensitive content and monitor compliance via IT tools.
Guidance to Audit
Recording logs and compliance audit reports.