ALCiT

Cybersecurity Self-Assessment

Written by Loïc Calvez | Sep 22, 2023 9:23:36 PM

The first step in our process is "Assess", which aligns closely with the Five Functions of the NIST Cybersecurity Framework. The two main reasons we start here are simple: 1) you can't protect what you don't know you have, and 2) you don't have unlimited resources, so you need to apply them where they will produce the best results.

We have developed the self-assessment below to get you started. It is split into two parts:

  • What you should be doing today (aka "the minimum" according to current best practices)
  • What you need to start doing (aka tomorrow's minimum, things we see make positive impacts on your posture)

You can also download it as a PDF here; that version includes more details on what the questions mean and why they are important. If you would prefer for us to perform an assessment of your current posture (including internal and external vulnerability scans), please book a meeting here so that we can understand your requirements.

Lastly, if you want to make sure the people you are working with (suppliers and IT providers, for example) are also covered, we have a blog post on third-party assessment here.

What you should be doing today (aka, the "minimum")

  • Do you know what data is critical to operate your organization? Yes/No
  • Do you know what systems are critical to operate your organization? Yes/No
  • Do you know where your organization stores regulated data (personally identifiable information (PII), credit card information (PCI), financial data, health care data…)? Yes/No
  • Do you have a policy to delete data when it is no longer required? Yes/No
  • Have you identified someone in a leadership role at your organization who is specifically responsible for your cybersecurity? Yes/No
  • Do you have an Acceptable Use Policy (AUP) in place so that your employees know what is expected from them? Yes/No
  • Can you deploy all critical system patches within 7 days of their release? Yes/No
  • Could you do it faster if needed? Yes/No
  • Can you report on whether patches are deployed or not? Yes/No
  • Are all your systems, software and hardware running supported versions (or have they been isolated)? Yes/No
  • Are all your cloud services set up with Multi Factor Authentication (MFA) for all users? Yes/No
  • Are all your remote access services set up with Multi Factor Authentication (MFA) for all users? Yes/No
  • Are your critical systems in a locked room with limited access? Yes/No
  • Is your network segmented to separate services with different risks/requirements (users, guests, servers, automation…)? Yes/No
  • Have you started to use a Zero Trust approach? Yes/No
  • Do you provide regular cybersecurity training to all your employees? Yes/No
  • Do you perform regular phishing simulations for all your employees? Yes/No
  • Do you forbid regular user accounts from being used to perform "administrator" level actions (account segregation)? Yes/No
  • Do you limit Internet access for users (website categories, DNS filtering, unknown ports…)? Yes/No
  • Is your email domain set up with at least SPF and DKIM? Yes/No
  • Can you wipe smartphones that contain your data if they are lost? Yes/No
  • Are your desktops/laptops protected with an Endpoint Detection and Response (EDR) agent? Yes/No
  • Are your servers protected with an Endpoint Detection and Response (EDR) agent? Yes/No
  • Are your Endpoint Detection and Response (EDR) agents configured for automated remediation? Yes/No
  • Do you scan all inbound emails for known and unknown malware (links and attachments)? Yes/No
  • Do you have a Cybersecurity Incident Response Plan? Yes/No
  • Do you have a Disaster Recovery / Business Continuity Plan for your critical systems? Yes/No
  • Is all your data backed up at least daily (including clouds like Microsoft 365 or Google Workspace)? Yes/No
  • Do you perform at least quarterly test restores of those backups? Yes/No
  • Are the backups encrypted in transit and at rest with at least AES128? Yes/No
  • Is one copy of the backup offsite (not in the same location as the original copy)? Yes/No
  • Is one copy of the backup immutable (cannot be erased, even by an administrator)? Yes/No

What you need to start doing (aka tomorrow's minimum)

  • Do you collect and analyze all security logs from all devices? Yes/No
  • Can you respond to security alerts 24/7? Yes/No
  • Do you archive all security logs for at least one year? Yes/No
  • Do you limit Internet access for your servers? Yes/No
  • Do you inspect encrypted web network traffic (DPI SSL)? Yes/No
  • Do you turn off all insecure protocols (telnet, SSL 3.0, TLS 1.0)? Yes/No
  • Do you perform regular vulnerability scans to discover vulnerable services and misconfigurations? Yes/No
  • Do you resolve all discovered high severity security vulnerabilities within 7 days? Yes/No
  • Do you scan all outbound emails for known and unknown malware (links and attachments)? Yes/No
  • Do you practice your Cybersecurity Incident Response Plan at least yearly? Yes/No
  • Do you practice your Disaster Recovery / Business Continuity Plan at least yearly? Yes/No
  • Are your smartphones protected with an Endpoint Detection and Response (EDR) agent? Yes/No
  • Do you use a business grade password manager to generate and store passwords? Yes/No
  • Are all your privileged accesses protected with Multi Factor Authentication (MFA)? Yes/No
  • Do you use a Privileged Access Management (PAM) solution to protect your privileged accounts? Yes/No
  • Do you have a Network Access Control (NAC) solution to block unknown devices from accessing your network? Yes/No
  • Do you evaluate your [critical] suppliers for their cybersecurity maturity? Yes/No
  • Do you get a third party to perform penetration testing at least yearly? Yes/No
  • Is your email domain set up with DMARC? Yes/No
  • Do you mandate yearly reviews of your policies to ensure that all the above will be "Yes" in the future? Yes/No
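The two email-domain questions (SPF and DKIM in the first list, DMARC in the second) are the only items above that can be answered by inspecting a published record rather than a policy document. As an added example, not part of the original post, the Python below evaluates SPF and DMARC TXT record strings the way a receiving mail server reads them and flags the weak settings that commonly turn a nominal "Yes" into an effective "No" (a neutral `?all`, a `p=none` policy, too many DNS lookups). The record strings are constructed samples, not any real domain's records; in practice you would fetch them with a DNS TXT lookup of the domain (SPF) and of `_dmarc.<domain>` (DMARC). DKIM is not covered here because verifying it requires knowing each sending service's selector.

```python
"""Evaluate SPF and DMARC TXT records against the self-assessment questions.

Added example (not part of the original post). All record strings are
constructed samples for illustration.
"""
import re

# Qualifier on the final "all" mechanism -> what happens to unlisted senders.
SPF_TERMINAL = {
    "-all": "hard fail",
    "~all": "soft fail",
    "?all": "neutral",
    "+all": "pass (allows everyone)",
}
# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def assess_spf(record: str) -> dict:
    """Return a verdict dict for one SPF TXT record string."""
    result = {"present": False, "policy": None, "lookups": 0, "ok": False, "notes": []}
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        result["notes"].append("no v=spf1 record")
        return result
    result["present"] = True
    for tok in tokens[1:]:
        low = tok.lower()
        # Strip the qualifier, then keep only the mechanism name
        # ("include:x" -> "include", "a/24" -> "a", "redirect=x" -> "redirect").
        name = re.split(r"[:/=]", low.lstrip("+-~?"), 1)[0]
        if name in SPF_LOOKUP_TERMS:
            result["lookups"] += 1
        if name == "all":
            qualifier = low[0] if low[0] in "+-~?" else "+"
            result["policy"] = SPF_TERMINAL[qualifier + "all"]
    if result["lookups"] > 10:
        result["notes"].append("more than 10 DNS-lookup mechanisms; receivers return permerror")
    if result["policy"] is None:
        result["notes"].append("no 'all' mechanism: unlisted senders are implicitly neutral")
    elif result["policy"].startswith("pass"):
        result["notes"].append("+all lets any host send as this domain")
    elif result["policy"] == "neutral":
        result["notes"].append("?all gives receivers no reason to reject spoofed mail")
    result["ok"] = result["policy"] in ("hard fail", "soft fail") and result["lookups"] <= 10
    return result


def assess_dmarc(record: str) -> dict:
    """Return a verdict dict for one DMARC TXT record string (from _dmarc.<domain>)."""
    result = {"present": False, "policy": None, "pct": 100, "reporting": False, "ok": False, "notes": []}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        result["notes"].append("no v=DMARC1 record")
        return result
    result["present"] = True
    result["policy"] = tags.get("p")
    result["reporting"] = "rua" in tags
    try:
        result["pct"] = int(tags.get("pct", "100"))
    except ValueError:
        result["notes"].append("pct= is not an integer")
    if result["policy"] not in ("none", "quarantine", "reject"):
        result["notes"].append("missing or invalid p= tag; receivers ignore the record")
    elif result["policy"] == "none":
        result["notes"].append("p=none only monitors; spoofed mail is still delivered")
    if result["pct"] < 100:
        result["notes"].append(f"pct={result['pct']}: policy applied to only part of failing mail")
    if not result["reporting"]:
        result["notes"].append("no rua= address: you receive no aggregate reports")
    result["ok"] = result["policy"] in ("quarantine", "reject")
    return result


def checklist_answers(spf_record: str, dmarc_record: str) -> dict:
    """Map two records to the checklist's Yes/No answers."""
    return {
        "SPF set up": "Yes" if assess_spf(spf_record)["ok"] else "No",
        "DMARC set up": "Yes" if assess_dmarc(dmarc_record)["ok"] else "No",
    }


# Constructed sample records (the .invalid TLD is reserved and never resolves).
SAMPLE_SPF_GOOD = "v=spf1 mx include:spf.example-mailer.invalid -all"
SAMPLE_SPF_WEAK = "v=spf1 a mx include:a.invalid include:b.invalid ?all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
SAMPLE_DMARC_ENFORCE = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.invalid"

if __name__ == "__main__":
    for label, rec in (("SPF good", SAMPLE_SPF_GOOD), ("SPF weak", SAMPLE_SPF_WEAK)):
        print(label, assess_spf(rec))
    for label, rec in (("DMARC monitor", SAMPLE_DMARC_MONITOR), ("DMARC enforce", SAMPLE_DMARC_ENFORCE)):
        print(label, assess_dmarc(rec))
    print(checklist_answers(SAMPLE_SPF_WEAK, SAMPLE_DMARC_MONITOR))
```

The verdict is deliberately stricter than "a record exists": an SPF record ending in `?all` or a DMARC record with `p=none` is published, but neither stops a forged message from being delivered, so both are reported as "No" for the purposes of the checklist.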


You can also download it as a PDF here; that version includes more details on what the questions mean and why they are important.