Critical Controls
CERT NZ's Critical Controls
Each year, we review our critical controls against the incidents we have seen over the past 12 months. When correctly im
Critical controls
For each control we provide a page summarising the intent and success measures for decision makers. We have a separate page providing implementation advice for practitioners.
Critical Controls
Password manager
Providing a password manager for your staff to store their passwords, or other secrets like alarm codes, is a great way
Critical Controls
Asset Lifecycle Management
Limiting and securing your internet-exposed services will help you prevent unauthorised access.
Critical Controls
Secure defaults for macros
While macros have a valid business function, they are often used by attackers too. Using secure default configurations w
Critical Controls
Network segmentation and separation
When paired together, segmentation and separation can add an additional level of access control and security to your net
Critical Controls
Centralised logging
Storing and securing your logs in a central place makes log analysis and alerting easier.
Critical Controls
Implement and test backups
After an incident, restoring your data from backups is often the best way to return to business as usual. Performing and
Critical Controls
Principle of least privilege
The principle of least privilege means only having the access you need to do your job. Restricting the level access to o
Critical Controls
Multi-factor authentication and verification
You can authenticate with something you know, something you have, or something you are. Multi-factor authentication (MFA
Critical Controls
Implement application control
Application allowlisting (otherwise known as whitelisting) is a method of strictly controlling what programs can be run
Critical Controls
Patching
Keeping your software up-to-date is one of the most simple and effective steps to take, to ensure your environment stays