CYBER RISK SELF-ASSESSMENT CHECKLIST

You don’t prepare for a hurricane after it hits, right? You shouldn’t think about Cyber-Security threats after you’ve been hacked. While there is no way to completely eliminate cyber risk, there are steps every business – from the smallest Main Street shops to the international joint ventures – can take to drastically reduce not only the likelihood of a breach, but also the overall impact should one occur. Consider using this Check-list to help establish a basic understanding of the current level of cyber risk your organization is facing. It will also identify specific areas where improvements can be made, thus reducing risk.

SECURITY POLICIES  -Does your organization maintain information security policies? 

• -Is there a mechanism for information security policy enforcement?
• -Does your organization maintain configuration management policies and tracking of all software and hardware?
• -Is sensitive data (HR, financial, intellectual capital, etc.) labeled as such?
• -Is access to sensitive data controlled and logged?

INCIDENT RESPONSE   -Do you have an incident response plan?

• -Has your incident response plan been tested?
• -Do you have an incident response team/Cyber-Security firm/general counsel/crisis communication firm identified?
• CONTINUITY OF OPERATIONS     -Have you systematically evaluated all of the potential sources of disruption to your business?
• -Do you have an active program to reduce the likelihood of a disruption?
• -If you could not re-enter the workplace because of an emergency, do you have a pre-determined location to meet?
• -Do you maintain a list of employees, customers and suppliers at an off-site location?
• -If you lost a critical system, do you have a pre-determined plan to restore the system?
• -Is your business resumption plan securely stored in a remote location?
• -Do you periodically test your business resumption plan along with your site emergency response plan?

BUSINESS PROCESSES

• -Do you have proven anti-virus software loaded and active on your computer?
• -Do you delete, without opening, emails from unknown sources?
• -Do you back up data on a regular basis?
• -Do you utilize strong, difficult to guess passwords?
• -Do you use security hardware and software such as firewalls and intrusion detection/prevention systems?
• -Are you maintaining configuration management through security policy implementation and systems hardening?
• -Are you maintaining software patch management on all systems by following a regular schedule for updates?
• -Do you subscribe to security mailing lists?
• -Are you performing security testing through security audits and penetration scanning?
• -Are you ensuring physical security of systems and facilities?
• -Do you ensure users have anti-virus software loaded and active on their systems?
• -Are you maintaining operational management through the review of all log files, ensuring systems backups with periodic data restores and reporting any known issues or risks?