college/Fall-2024/CS-3113/Assignments/2-Audit-Checklist/Checklist.typ

#show link: set text(blue)
#set page(margin: (y: .5in))
#set text(font: "Calibri", size: 12pt)


#let solve(solution) = [
  #let solution = align(
    center,
    block(
      inset: 5pt,
      stroke: blue + .3pt,
      fill: rgb(0, 149, 255, 15%),
      radius: 4pt,
    )[#align(left)[#solution]],
  )
  #solution
]
#align(
  center,
  block(
    inset: 10pt,
    width: 100%,
    stroke: blue + 1pt,
    fill: rgb(0, 149, 255, 15%),
    radius: 4pt,
    text(rgb(0, 149, 255), size: 1.5em, [= Orion Technologies\ Cybersecurity Compliance Checklist]),
  ),
)

#align(center)[#box(
    inset: 5pt,
    radius: 4pt,
    width: 60%,
    stroke: green + .5pt,
    fill: rgb(0, 200, 100, 15%),
    text(green, [== Identify (9 Questions)]),
  )]
#align(center, line(length: 80%, stroke: green))
#table(
  inset: (
    x: 15pt,
  ),
  columns: (auto, auto),
  table.header(
    [*Questions*],
    [*Response (Yes, No, Short Answer)*],
  ),

  [Do you utilize session locks when a user is away from a computer and if so, is the lock triggered by a timer or proximity?],
  [],

  [Do you conduct background checks on new employees?], [],
  [Do you require employees to sign an acceptable use policy for computer systems?],
  [],

  [Do you have a bring your own device policy?], [],
  [Do you have a badge in system to enter any physical office?], [],
  [Are there any shared accounts used by multiple employees?], [],
  [Do you require individual accounts for each employee?], [],
  [Do any non-IT of your users to have admin on their computers?], [],
  [Do you have centralized control over all your computers? (If you don't know, answer no.)],
  [],
)
#align(center)[#box(
    inset: 5pt,
    radius: 4pt,
    width: 60%,
    stroke: green + .5pt,
    fill: rgb(0, 200, 100, 15%),
    text(green, [== Protect (16 Questions)]),
  )]
#align(center, line(length: 80%, stroke: green))
#table(
  inset: (
    x: 15pt,
  ),
  columns: (auto, auto),
  table.header(
    [*Questions*],
    [*Response (Yes, No, Short Answer)*],
  ),

  [Do you conduct any computer system or cybersecurity awareness training for employees?],
  [],

  [Can a single employee both initiate and approve a transaction?], [],
  [Do you enforce a minimum password complexity for accounts?], [],
  [Are you using a password manager to manage logins for websites and services?],
  [],

  [Do you use two factor authentication (2FA/MFA) for all logins?], [],
  [If a password change occurs, do you allow users to reuse old password?], [],
  [When a user updates their password, do you check it against commonly known vulnerable passwords? (e.g. against https://haveibeenpwned.com/)],
  [],

  [Do you use surge protectors and uninterruptible power supplies (UPS)?], [],
  [Do you regularly update your software and operating systems?], [],
  [Do you use full disk encryption on computer systems?], [],
  [Do you change the default passwords for WiFi or other networks?], [],
  [Do you enable guest networks?], [],
  [Do you use a virtual private network (VPN) for out of office connections?],
  [],

  [Have you set up any email filtering (e.g. checking for spam)?], [],
  [Do you block any websites?], [],
  [When you dispose of a system, do you ensure the data is securely wiped?], [],
)

#align(center)[#box(
    inset: 5pt,
    radius: 4pt,
    width: 60%,
    stroke: green + .5pt,
    fill: rgb(0, 200, 100, 15%),
    text(green, [== Detect (8 Questions)]),
  )]
#align(center, line(length: 80%, stroke: green))
#table(
  inset: (
    x: 15pt,
  ),
  columns: (auto, auto),
  table.header(
    [*Questions*],
    [*Response (Yes, No, Short Answer)*],
  ),

  [Do you utilize anti-virus programs?], [],
  [Do you use a firewall with an Intrusion Detection System (IDS)?], [],
  [How often do you audit existing user accounts? (Never, Daily, Weekly, Monthly, Other)],
  [],

  [Are running regular vulnerability scans? (e.g. using #link("https://www.tenable.com/products/nessus", "Nessus"))],
  [],

  [Do you collect any logs?], [],
  [If you do collect logs, do you monitor them?], [],
  [If you do collect logs, how long do you retain them?], [],
  [Do you conduct any audits for unusual employee behaviors? (e.g. regularly logging in outside of business hours)],
)
#align(center)[#box(
    inset: 5pt,
    radius: 4pt,
    width: 60%,
    stroke: green + .5pt,
    fill: rgb(0, 200, 100, 15%),
    text(green, [== Respond & Recover (7 Questions)]),
  )]
#align(center, line(length: 80%, stroke: green))
#table(
  inset: (
    x: 15pt,
  ),
  columns: (auto, auto),
  table.header(
    [*Questions*],
    [*Response (Yes, No, Short Answer)*],
  ),

  [Do you have a plan in the case of a Cybersecurity incident?], [],
  [Do you create complete backups?], [],
  [Do you currently have any type of cyber insurance?], [],
  [If you do create backups, do you encrypt them?], [],
  [If you do create backups, how often? (Daily, Weekly Monthly)], [],
  [If you do create backups, do you keep at least *3* copies, on at least *2* different media types (e.g. a hard drive and a tape drive), and at least *1* copy offsite (outside your office)?],
  [],

  [If you do create backups, do you test restoring from those backups?], [],
)