Controls

People and Access

Clear Access Permission Policy

Changes to personnel access permissions must be requested and approved by a manager or the security department. Access must be revoked as soon as it is no longer needed.

Device Usage Policy

Devices provided to employees must be configured according to the company's security standards, including disk encryption, firewall activation, antivirus software, etc.

Multi-Factor Authentication (MFA) Usage

The organization must enable MFA for critical systems or for SSO.

Password Management

The organization has a password policy for employees that covers minimum length, complexity, and password lifespan, or it uses password management software within the organization.

Restricted Access to Critical Systems

Access to critical systems and/or data must be requested, reviewed, and approved on a case-by-case basis. Access is granted temporarily, usually for no more than 24 hours.

Secret Key Management

Keys and other confidential data used in the software development process must be stored and protected securely, or managed with secret management software during development.

Restricted Access to Production Data

Access to production data must be restricted, and each request must be reviewed and approved on a case-by-case basis.

Role-Based Access Control (RBAC) Usage

Access to systems and applications is granted based on the user's role.

Centralized Login (SSO) Usage

The organization uses SSO for internal systems so that each employee's accounts and identity-based access are managed centrally.

VPN Usage for Remote Access

Remote access from outside the office to internal systems must be via a VPN channel.

Office Network and Wi-Fi Access

The office network, including wireless access, is protected for internal business purposes only. Guest Wi-Fi access is provided on a separate network segment.

Security Role Assignment

Roles and responsibilities for security matters must be clearly defined in writing within the organization.

Security Awareness Training

Employees and partners must receive regular security awareness training, at least once a year.

Security Policy Training

Employees, partners, and contractors must be trained on the organization's security policies and procedures.