CYBERINFO

Control 8.23: Web Filtering (ISO/IEC 27001:2022 Annex A)


Summary

Access to external websites should be managed to reduce exposure to malicious content and ensure that the use of the internet remains within the organization's acceptable use policy.


Applicability

In-Scope: Applicable to every organization whose users browse the internet from managed devices; treat it as a baseline control rather than one to justify excluding in the Statement of Applicability. It is a primary defense against phishing, drive-by malware downloads, and the unauthorized use of high-risk web services.

Out-of-Scope: Never out-of-scope.


Implementation Guidance

Microsoft 365 / Entra ID

  • Content Filtering: Use the web protection features of Microsoft Defender for Endpoint. Web threat protection blocks phishing, malware and exploit sites; web content filtering blocks policy categories (e.g., Gambling under "Adult content", or the "Legal liability" group). Enforcement happens on the endpoint: SmartScreen covers Microsoft Edge, and third-party browsers are covered only when Network Protection is enabled in block mode, so check that setting as part of the rollout.

  • Cloud App Security: Use Microsoft Defender for Cloud Apps (Cloud Discovery) to identify shadow IT SaaS usage from endpoint and firewall logs, and mark unwanted apps as unsanctioned so that their domains are pushed to Defender for Endpoint as block indicators.

  • Safe Links: Enable Safe Links in Microsoft Defender for Office 365 to rewrite URLs in email, Teams messages and Office documents and verify them at time of click, so a link that was clean at delivery is still blocked if it turns malicious later. Disable the click-through option, or the warning page becomes advisory rather than a control.
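The Safe Links item above, as an added example in Exchange Online PowerShell (this is not the page's own content and not Microsoft's sample code). It creates the policy and rule idempotently and then compares the live policy against the expected settings, which doubles as the evidence an auditor would ask for. The policy name, rule name, admin account and recipient domain `contoso.com` are placeholders.

```powershell
# Added example: configure and verify a Safe Links policy with Exchange Online PowerShell.
# Requires the ExchangeOnlineManagement module and a Defender for Office 365 licence.
# Names, the admin UPN and the recipient domain are placeholders (assumptions).
Connect-ExchangeOnline -UserPrincipalName admin@contoso.com

$policyName      = "Org Safe Links"
$ruleName        = "$policyName Rule"
$recipientDomain = "contoso.com"

# The settings we want enforced. This hashtable is also the baseline the check below compares against.
$expected = @{
    EnableSafeLinksForEmail  = $true    # rewrite and verify URLs in mail
    EnableSafeLinksForTeams  = $true    # time-of-click checks in Teams messages
    EnableSafeLinksForOffice = $true    # Office desktop, web and mobile apps
    ScanUrls                 = $true    # scan links that point at downloadable content
    DeliverMessageAfterScan  = $true    # hold delivery until the scan finishes
    EnableForInternalSenders = $true    # internal mail is a phishing vector after account takeover
    TrackClicks              = $true    # keep click telemetry for evidence
    AllowClickThrough        = $false   # users cannot bypass the warning page
}

# Create the policy only if it does not already exist (splatting keeps the call readable).
if (-not (Get-SafeLinksPolicy -Identity $policyName -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $policyName @expected | Out-Null
}

# Bind the policy to all recipients in the domain via a rule.
if (-not (Get-SafeLinksRule -Identity $ruleName -ErrorAction SilentlyContinue)) {
    New-SafeLinksRule -Name $ruleName -SafeLinksPolicy $policyName `
        -RecipientDomainIs $recipientDomain -Priority 0 | Out-Null
}

# Compare the live policy with the baseline and return one object per deviation.
# An empty result is the evidence that the control is configured as intended.
function Test-SafeLinksPolicy {
    param(
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][hashtable]$Baseline
    )
    $policy = Get-SafeLinksPolicy -Identity $Identity
    foreach ($setting in $Baseline.Keys) {
        if ($policy.$setting -ne $Baseline[$setting]) {
            [pscustomobject]@{
                Policy   = $Identity
                Setting  = $setting
                Expected = $Baseline[$setting]
                Actual   = $policy.$setting
            }
        }
    }
}

$drift = @(Test-SafeLinksPolicy -Identity $policyName -Baseline $expected)
if ($drift.Count -eq 0) {
    Write-Host "Safe Links policy '$policyName' matches the baseline."
} else {
    $drift | Format-Table -AutoSize
}

Disconnect-ExchangeOnline -Confirm:$false
```

Run the check on a schedule and keep its output with the dated evidence; a non-empty drift table is exactly the kind of configuration change the exception records in the next section should explain.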


Evidence Checklist

  • Web Filtering Policy: Rules defining which categories of websites are blocked or monitored.

  • Block Logs: Reports from Microsoft Defender showing the volume and types of malicious or unauthorized websites blocked by the system.

  • Exception Records: Documentation of any approved business exceptions to the standard web filtering rules.


Practical Audit Advice

Here are some questions the auditor might ask:

  • How often is the malicious site database updated to ensure protection against newly identified threats?

  • What process is in place to notify the security team if a user repeatedly attempts to access blocked or high-risk websites?

  • Can you demonstrate that web filtering remains active even when the employee is working from home or a public Wi-Fi network?

  • How does the organization handle requests from employees to unblock a site that has been categorized as a security risk?
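For the third question, whether filtering is still enforced off the corporate network, the answer for Defender for Endpoint is that enforcement is on the device, so the evidence is the device's own state rather than a proxy log. The following is an added example (not from the page) of a local check run on a managed Windows endpoint, for instance while it is connected to home Wi-Fi; the pass/fail thresholds it applies are an assumption about the organization's baseline.

```powershell
# Added example: confirm on a Windows endpoint that Defender for Endpoint web protection is enforced locally.
# Run as an administrator. The expected values encode a baseline of: onboarded to MDE,
# real-time protection on, Network Protection in block mode (assumption about policy).
function Get-WebProtectionState {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # EnableNetworkProtection: 0 = Disabled, 1 = Block, 2 = Audit.
    # Web content filtering in non-Edge browsers depends on this being 1.
    $np = switch ([int]$pref.EnableNetworkProtection) {
        0       { 'Disabled' }
        1       { 'Block' }
        2       { 'Audit' }
        default { 'Unknown' }
    }

    # Onboarding state is recorded by the MDE sensor; OnboardingState = 1 means onboarded.
    $mdeStatusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarded = (Get-ItemProperty -Path $mdeStatusKey -ErrorAction SilentlyContinue).OnboardingState -eq 1

    # The Sense service is the MDE sensor itself.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName          = $env:COMPUTERNAME
        OnboardedToMDE        = [bool]$onboarded
        SenseServiceRunning   = ($sense -and $sense.Status -eq 'Running')
        RealTimeProtection    = $status.RealTimeProtectionEnabled
        NetworkProtection     = $np
        CheckedAt             = (Get-Date).ToString('s')
    }
}

# Evaluate the state against the baseline and return the failed checks (empty = pass).
function Test-WebProtectionBaseline {
    param([Parameter(Mandatory)]$State)
    $failures = @()
    if (-not $State.OnboardedToMDE)        { $failures += 'Device is not onboarded to Defender for Endpoint' }
    if (-not $State.SenseServiceRunning)   { $failures += 'Sense service is not running' }
    if (-not $State.RealTimeProtection)    { $failures += 'Real-time protection is off' }
    if ($State.NetworkProtection -ne 'Block') { $failures += "Network Protection is '$($State.NetworkProtection)', expected 'Block'" }
    return $failures
}

$state = Get-WebProtectionState
$state | Format-List

$failures = Test-WebProtectionBaseline -State $state
if ($failures.Count -eq 0) {
    Write-Host "PASS: web protection is enforced locally on $($state.ComputerName)."
} else {
    Write-Warning ("FAIL: " + ($failures -join '; '))
}
```

Capture the output from a device that is demonstrably off-network (for example with `Get-NetConnectionProfile` showing a non-corporate network) and file it alongside the block reports; that pairing answers the auditor's question directly, whereas a proxy report from the office network does not.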