| What you should be doing today (aka, the "minimum") |
|
| Do you know what data is critical to operate your organization? |
Yes/No |
| Do you know what systems are critical to operate your organization? |
Yes/No |
| Do you know where your organization stores regulated data (personally identifiable information (PII), credit card information (PCI), financial data, health care data…) |
Yes/No |
| Do you have a policy to delete data when it is no longer required? |
Yes/No |
| Have you identified someone in a leadership role at your organization who is specifically responsible for your cybersecurity? |
Yes/No |
| Do you have an Acceptable Use Policy (AUP) in place so that your employees know what is expected from them? |
Yes/No |
| Can you deploy all critical system patches within 7 days of their release? |
Yes/No |
| Could you do it faster if needed? |
Yes/No |
| Can you report on if patches are deployed or not? |
Yes/No |
| Are all you systems, software and hardware running supported version? (or have been isolated) |
Yes/No |
| Are all your cloud services setup with Multi Factor Authentication (MFA) for all users? |
Yes/No |
| Are all your remote access services setup with Multi Factor Authentication (MFA) for all users? |
Yes/No |
| Are your critical systems in a locked room with limited access? |
Yes/No |
| Is your network segmented to separate services with different risk/requirements? (users, guests, servers, automation …) |
Yes/No |
| Have you started to use a Zero Trust approach? |
Yes/No |
| Do you provide regular cybersecurity training to all your employees? |
Yes/No |
| Do you perform regular phishing simulations for all your employees? |
Yes/No |
| Do you forbid regular user account to be used to perform "administrator" level actions? (account segregation) |
Yes/No |
| Do you limit Internet access for users (website categories, dns filtering, unknown ports…) |
Yes/No |
| Is your email domain setup with at least SPF and DKIM? |
Yes/No |
| Can you wipe smartphones that contain your data if they are lost? |
Yes/No |
| Are your desktop/laptops protected with an Endpoint Detection and Response (EDR) agent? |
Yes/No |
| Are your servers protected with an Endpoint Detection and Response (EDR) agent? |
Yes/No |
| Are your Endpoint Detection and Response (EDR) agent configured for automated remediation? |
Yes/No |
| Do you scan all inbound emails for known and unknown malware? (links and attachments) |
Yes/No |
| Do you have Cybersecurity Incident Response Plan? |
Yes/No |
| Do you have a Disaster Recovery / Business Continuity Plan for your critical systems? |
Yes/No |
| Is all your data backed up at least daily? (including clouds like Microsoft 365 or Google Workspace) |
Yes/No |
| Do you perform at least quarterly test restores of those backups? |
Yes/No |
| Are the backups encrypted in transit and at rest with at least AES128? |
Yes/No |
| Is one copy of the backup offsite (not in the same location of the original copy)? |
Yes/No |
| Is one copy of the backup immutable (cannot be erased, even by an administrator)? |
Yes/No |
| |
|
| |
|
| What you need to start doing (aka tomorrow's minimum) |
|
| Do you collect and analyze all security logs from all devices? |
Yes/No |
| Can you respond to security alerts 24/7? |
Yes/No |
| Do you archive all security logs for at least one year? |
Yes/No |
| Do you limit Internet access for your servers? |
Yes/No |
| Do you inspect encrypted web network traffic (DPI SSL)? |
Yes/No |
| Do you turn off all insecure protocols (telnet, SSL 3.0, TLS 1.0)? |
Yes/No |
| Do you perform regular vulnerabilities scans to discover vulnerable services and misconfiguration? |
Yes/No |
| Do you resolve all discovered high severity security vulnerabilities within 7 days. |
Yes/No |
| Do you scan all outbound emails for known and unknown malware? (links and attachments) |
Yes/No |
| Do you practice your Cybersecurity Incident Response Plan at least yearly? |
Yes/No |
| Do you practice your Disaster Recovery / Business Continuity Plan at least yearly? |
Yes/No |
| Are you smartphones protected with an Endpoint Detection and Response (EDR) agent? |
Yes/No |
| Do you use a business grade password manager to generate and store passwords? |
Yes/No |
| Are all your privileged accesses protected with Multi Factor Authentication (MFA)? |
Yes/No |
| Do you use a Privileged Access Management (PAM) solution to protect your privileged accounts? |
Yes/No |
| Do you have a Network Access Control (NAC) solution to block access to your network to unknown devices? |
Yes/No |
| Do you evaluate your [critical] suppliers for their cybersecurity maturity? |
Yes/No |
| Do you get a third party to perform penetration testing at least yearly? |
Yes/No |
| Is your email domain setup with DMARC? |
Yes/No |
| Do you mandate yearly reviews of your policies to ensure that all the above will be "Yes" in the future? |
Yes/No |
.png?width=142&height=42&name=a%20(1).png){kind=small}
.svg)
.png?width=142&height=42&name=a%20(2).png){kind=small}
By Loïc Calvez
.png?width=88&height=100&name=X_Logo_website_Icon%20(1).png){kind=logo}