# XOAP automation

| BSI Module | Control ID | Detailed Technical Requirement | XOAP Automation Method |
|---|---|---|---|
| SYS.1.1 | A1, A7, A12 | General Client/Server Hardening | Automated removal of pre-installed bloatware; Disabling unencrypted services (Telnet, HTTP). |
| SYS.1.1 | A14, A22 | Registry & Policy Lockdown | Enforcement of “No-Run” policies for unauthorized paths; Disabling LLMNR, NetBIOS over TCP/IP. |
| SYS.1.2.2 | A8, A11 | Windows 10/11 Security | Automated configuration of BitLocker (TPM); SmartScreen enforcement; Disabling Cortana/Telemetry. |
| SYS.1.3 | A1, A5 | Server Configuration | Deployment of secure baseline templates; Automated removal of SMBv1 and outdated PowerShell versions. |
| OPS.1.1.4 | A1, A3, A6 | Vulnerability & Patching | Scheduled scanning and silent deployment of MS Security Updates and 120+ 3rd-party apps (e.g., Citrix, Java). |
| ORP.4 | A2, A7, A14 | Identity Management (IAM) | Forced MFA configuration for local/admin accounts; Automated screen lock (15 min) and login retry limits. |
| APP.1.1 | A2, A4 | Application Lifecycle | Automated installation and self-healing of core hospital software (HIS, PACS) to ensure version consistency. |
| NET.1.1 | A10, A11 | Local Firewall (Micro-segmentation) | Scripted rules for Windows Firewall to isolate VDI/Endpoints from direct Server subnet access. |
| DER.1 | A1, A2, A4 | Event Logging (SzA) | Automated setup of Event Forwarding (WEF) and configuration of advanced audit policies (Process Creation, File Access). |
| CON.1 | A3 | Cryptographic Protection | System-wide enforcement of TLS 1.3 and disabling of weak ciphers (RC4, 3DES, MD5). |
| INF.2 | A1 | Device Control | Policy-based disabling of USB Mass Storage, FireWire, and Thunderbolt ports on public terminals. |
| APP.1.4 | A2, A5 | Browser Security | Hardening of MS Edge/Chrome (disabling sync, forcing safe browsing, extension allowlisting). |
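The following PowerShell script is an added example and not XOAP's own automation code. It shows what an audit-and-enforce job for two rows of the mapping above looks like in practice: SYS.1.1 A14/A22 (disable LLMNR and NetBIOS over TCP/IP) and SYS.1.3 A1/A5 (remove SMBv1). The registry paths and values are the documented Windows policy locations; the `-Enforce` switch, the `Add-Finding`/`Get-RegDword`/`Set-RegDword` helpers and the report layout are this example's own. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (for `Set-SmbServerConfiguration`); by default it only audits and reports, and it exits non-zero when any check is non-compliant so a scheduler can flag drift.

```powershell
# Added example (not XOAP's automation code): audit-and-enforce for the
# SYS.1.1 A14/A22 (LLMNR, NetBIOS over TCP/IP) and SYS.1.3 A1/A5 (SMBv1) rows.
# Run elevated. Without -Enforce the script only reports the current state.
[CmdletBinding()]
param([switch]$Enforce)   # hypothetical switch: apply the setting instead of just auditing

$findings = [System.Collections.Generic.List[object]]::new()

# Record one check; Expected/Actual are compared with -eq after the run.
function Add-Finding { param($Control, $Check, $Expected, $Actual)
    $findings.Add([pscustomobject]@{
        Control   = $Control; Check = $Check; Expected = $Expected; Actual = $Actual
        Compliant = ($Expected -eq $Actual)
    })
}

# Read a DWORD value; $null means the key or value is absent (policy not configured).
function Get-RegDword { param($Path, $Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}
function Set-RegDword { param($Path, $Name, $Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# --- SYS.1.1 A14/A22: LLMNR (policy "Turn off multicast name resolution") ---
$llmnrKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
if ($Enforce) { Set-RegDword $llmnrKey 'EnableMulticast' 0 }
Add-Finding 'SYS.1.1 A14/A22' 'LLMNR disabled (EnableMulticast = 0)' 0 (Get-RegDword $llmnrKey 'EnableMulticast')

# --- SYS.1.1 A14/A22: NetBIOS over TCP/IP is a per-interface setting (NetbiosOptions 2 = disabled) ---
$ifaceRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
foreach ($iface in Get-ChildItem $ifaceRoot | Where-Object PSChildName -like 'Tcpip_*') {
    if ($Enforce) { Set-RegDword $iface.PSPath 'NetbiosOptions' 2 }
    Add-Finding 'SYS.1.1 A14/A22' "NetBIOS over TCP/IP disabled ($($iface.PSChildName))" 2 `
        (Get-RegDword $iface.PSPath 'NetbiosOptions')
}

# --- SYS.1.3 A1/A5: SMBv1 removed, both the optional feature and the SMB server switch ---
if ($Enforce) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
# Feature state is Enabled, Disabled or DisabledWithPayloadRemoved; both Disabled* states pass.
$smb1State = "$((Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State)"
$smb1Norm  = if ($smb1State -like 'Disabled*') { 'Disabled' } else { $smb1State }
Add-Finding 'SYS.1.3 A1/A5' 'SMB1Protocol optional feature' 'Disabled' $smb1Norm
Add-Finding 'SYS.1.3 A1/A5' 'SMB server EnableSMB1Protocol' $false (Get-SmbServerConfiguration).EnableSMB1Protocol

$findings | Format-Table -AutoSize
# Non-zero exit lets the patch/baseline scheduler treat drift as a failed job.
if ($findings.Compliant -contains $false) { exit 1 }
```

Run it once without parameters to get a drift report for the two rows, and with `-Enforce` to apply the baseline; the NetBIOS loop matters because the setting is stored per network interface, so a single registry write would leave secondary adapters unchanged.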