Friday, September 2, 2016

CYBER RISK SELF-ASSESSMENT CHECKLIST

You don’t prepare for a hurricane after it hits, right? You shouldn’t think about cyber-security threats only after you’ve been hacked. While there is no way to completely eliminate cyber risk, there are steps every business – from the smallest Main Street shop to the international joint venture – can take to drastically reduce not only the likelihood of a breach, but also the overall impact should one occur. Consider using this checklist to establish a basic understanding of the current level of cyber risk your organization faces. It will also identify specific areas where improvements can be made, thus reducing risk.
SECURITY POLICIES
  • Does your organization maintain information security policies?
  • Is there a mechanism for information security policy enforcement?
  • Does your organization maintain configuration management policies and tracking of all software and hardware?
  • Is sensitive data (HR, financial, intellectual capital, etc.) labeled as such?
  • Is access to sensitive data controlled and logged?

INCIDENT RESPONSE
  • Do you have an incident response plan?
  • Has your incident response plan been tested?
  • Do you have an incident response team/cyber-security firm/general counsel/crisis communication firm identified?

CONTINUITY OF OPERATIONS
  • Have you systematically evaluated all of the potential sources of disruption to your business?
  • Do you have an active program to reduce the likelihood of a disruption?
  • If you could not re-enter the workplace because of an emergency, do you have a pre-determined location to meet?
  • Do you maintain a list of employees, customers and suppliers at an off-site location?
  • If you lost a critical system, do you have a pre-determined plan to restore the system?
  • Is your business resumption plan securely stored in a remote location?
  • Do you periodically test your business resumption plan along with your site emergency response plan?

BUSINESS PROCESSES
  • Do you have proven anti-virus software loaded and active on your computer?
  • Do you delete, without opening, emails from unknown sources?
  • Do you back up data on a regular basis?
  • Do you utilize strong, difficult-to-guess passwords?
  • Do you use security hardware and software such as firewalls and intrusion detection/prevention systems?
  • Are you maintaining configuration management through security policy implementation and systems hardening?
  • Are you maintaining software patch management on all systems by following a regular schedule for updates?
  • Do you subscribe to security mailing lists?
  • Are you performing security testing through security audits and penetration scanning?
  • Are you ensuring physical security of systems and facilities?
  • Do you ensure users have anti-virus software loaded and active on their systems?
  • Are you maintaining operational management through the review of all log files, ensuring system backups with periodic data restores, and reporting any known issues or risks?
