Identity & Access Management
Protective Technology
Incident Response
[Do you maintain an updated inventory of IT assets?],
[Are guests properly identified when visiting a business location?],
[Do you conduct background checks for new staff and external contractors?],
[Do you require individual accounts for each employee?],
[Are employees familiar with company policies on information security?],
[Have you evaluated which users require access to an administrator account on their computer?],
[Do you utilize session locks when a user is away from their computer?],
[Do you use a badge-in system to restrict access to the physical business and other business locations?],
[Do you conduct cybersecurity awareness training for employees?],
[Do you regularly patch/update operating systems and software?],
[Do you require two-factor or multi-factor authentication (2FA/MFA) for all logins?],
[Do you employ full disk encryption on your systems?],
[When you dispose of a system, do you ensure the data is securely wiped?],
[Do you use a virtual private network (VPN) for out-of-office connections?],
[Do you have firewalls in place to secure business networks?],
[Do you change the default password for Wi-Fi and/or other networks?],
[Do you utilize anti-virus/anti-malware on your systems?],
[Do you enforce a minimum password complexity?],
[Do you employ an Intrusion Detection System (IDS)?],
[Are all personal devices used for work protected with security software and encryption?],
[Are you running regular vulnerability scans? (e.g. using Nessus)],
[How often do you audit existing user accounts? (Never, Daily, Weekly, Monthly, Annually, Other) \ #box(fill: luma(220), height: 2em, width: 100%)[]],
[Do you collect any logs?],
[If you do collect logs, do you monitor them?],
[If you do collect logs, how long do you retain them?\ #box(fill: luma(220), height: 2em, width: 100%)[]],
[Are physical devices and sensitive physical areas monitored?],
[Do you conduct any audits for unusual employee behaviors? (e.g. checking for employees regularly logging in outside of business hours)],
[Do you have dedicated cyber security staff?],
[Do you have an internal process for raising concerns about potential cyber incidents?],
[Are you able to quickly lock down physical locations during a crisis?],
[Have you determined when it may be necessary to include law enforcement in your disaster response?],
[Are you able to alert users if you suspect their information may have been stolen?],
[Are you prepared to respond to an environmental crisis that may impact your ability to continue normal business operations?],
[Are you able to quickly quarantine any computer that is identified as compromised?],
[Are employees aware of their responsibilities in the event of a security incident?],
[Do you create full backups?],
[If you do create backups, do you encrypt them?],
[If you do create backups, how often do you test restoring from them? (Never, Daily, Weekly, Monthly, Annually, Other)\ #box(fill: luma(220), height: 2em, width: 100%)[]],
[If you do create backups, do you keep at least 3 copies, on at least 2 different media types (e.g. a hard drive and a tape drive), and have at least 1 copy stored offsite (outside of your business)?],
[Do you have a formal method or process for improving cybersecurity regularly?],
[In the event of hardware failure (e.g. a router failure), do you have a way to restore function?],
[Are you currently enrolled in a Cyber Insurance program?],
[Do you know how long it would take to carry out your recovery plan after an incident?],
