Cybersecurity Checklist: 8 4 4 - 4 4 - J M A R K

Download as pdf or txt
Download as pdf or txt
You are on page 1of 10

J M A R K .

C O M // 8 4 4 - 4 4 - J M A R K

YOUR
CYBERSECURITY
CHECKLIST
Technology has transformed the way we all do business for the better. However, to
keep your data and business from being at risk, you must ensure your tech is
secure and continuously monitored. We’re providing this detailed checklist as a
reference tool to help you verify that adequate cybersecurity and physical security
policies are in place throughout your organization.
CYBERSECURITY CHECKLIST 2 JMARK.COM

Cybersecurity is defined as a system of technologies, processes, and practices designed


to protect your computers, networks, applications, and data from attack, damage, or
unauthorized access.

IDENTIFICATION PROCEDURES YES NO


• Do all your staff members have Photo ID badges? = =
• Do they wear them at all time when in your facility? = =
• Do you provide temporary ID badges for visitors? = =
• Do you check the credentials of visitors? = =
• Is a policy in place for conducting background checks for employees and visitors? = =
• Can you cut off access to employees and visitors if necessary? = =
PERSONAL & PHYSICAL SECURITY YES NO
• Do you have procedures in place to prevent unauthorized physical access to computers and
other electronic information systems? = =
• Do you have solutions in place to prevent physical access to your secure areas, such as door
locks, access control systems, security offices, or video surveillance monitoring? = =
• Do you have security desks, and sign-in/sign-out logs for users accessing these areas? = =
• Do you physically escort visitors out of secure areas? = =
• Can you ensure users always log out of their computers when leaving them? = =
• Are all computers set to lock automatically after 10 minutes if left idle? = =
• Can you remotely wipe computers, laptops, and mobile devices that are lost or stolen? = =
• Are all modems in Auto-Answer OFF mode when not in use? = =
• Is there a policy in place to protect data during equipment repairs? = =
• Do you have security policies in place for all of your computers, laptops, tablets, and
smartphones? = =
• Do you have a “Bring Your Own Device” policy in place for employee mobile devices? = =
• Do you have emergency evacuation plans in place for employees? = =
• Do all employees have emergency shelter-in-place kits for emergencies where they can’t leave
your facility? (canned food and a can opener, bottled water, a blanket, prescription medicines,
sanitary wipes, a garbage bag with ties and toilet paper for personal sanitation) = =
• Do key employees know how to seal off designated areas in your facility if necessary? = =

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 3 JMARK.COM

PASSWORD POLICIES YES NO


• Do you adhere to the NIST Digital Guidelines? = =
• Do only authorized personnel have password access to computer devices? = =
• Do you require users adopt secure password standards (NIST) and then enforce them? = =
• Are passwords updated every three months? = =
• Do administrators have separate accounts for network management? = =
DATA PRIVACY POLICIES YES NO
• Is your data stored in a secure offsite facility? = =
• Is all confidential data encrypted? = =
• Do you have procedures in place to identify and secure the location of confidential information
– whether as digital or hard copies? = =
• Do you have procedures in place to identify and secure the location of personal private
information? = =
• Do you continually create retrievable backup and archival copies of critical information? = =
• Do you have procedures in place for shredding and securely disposing of paper documents? = =
• Do you lock your shredding and recycling bins? = =
• Do you have policies in place for secure disposal of electronic/computer equipment? = =
• Do you have policies in place for secure disposal of electronic media such as thumb drives,
tapes, CDs and DVDs, etc.? = =
• Do you have procedures in place to regularly assess I.T. compliance with required regulations
(HIPAA, PCI, FINRA, etc.)? = =
• Do you conduct regular reviews of users with physical access to protected facilities or electronic
access to information technology systems? = =
• Do you employ systems in a hardened/secure state? = =
BUSINESS CONTINUITY & DISASTER RECOVERY YES NO
• Do you have an up-to-date business continuity and disaster recovery plan in place? = =
• Can you create retrievable backups of critical data? = =
• Are your backups stored offline in a secure cloud? = =
• Does your backup, continuity, and recovery plan include a method for accessing critical
passwords for equipment, systems, and servers when needed? = =
• Does your backup, continuity, and recovery plan include a method for accessing encryption keys
in an emergency? = =
• Do you have an up-to-date crisis communications plan? = =
• Does your crisis communications plan identify who should be contacted, how to contact them,
contact information, and who initiates the contacting? = =

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 4 JMARK.COM

BUSINESS CONTINUITY & DISASTER RECOVERY YES NO


• Do you have a PR representative who will communicate to the press and community in an
emergency? = =
• Does your crisis communications plan detail how employees can contact their family members? = =
• Have you identified recovery time objectives for each system, and tested for achievability? = =
• Do you regularly test your business continuity, disaster, and crisis communications plans? = =
CYBERSECURITY TRAINING YES NO
• Do you provide staff training from an I.T. expert on cybersecurity? = =
• Do you provide this training on a regular basis? = =
• Does your staff know how to recognize phishing attempts in emails? = =
• Does your staff know how to recognize phishing attempts that arrive via text, social media, or
phone calls? = =
• Are your employees trained on reporting phishing emails to the security team? = =
• Are your employees being taught about using secure passwords? = =
• Are your employees trained to identify and protect classified data, as we as hard copies of
documents and removable media? = =
• Is your staff trained on secure management of credit card data (PCI standards) and private
personal information? = =
COMPLIANCE REVIEW YES NO
• Do you regularly review and update your cybersecurity requirements, strategies, plans, and
practices? = =
• Do you conduct regular audits of your security requirements, strategies, plans, and practices? = =
• Are you testing your backup and disaster recovery plans regularly? = =
• Do you conduct regular reviews of who in your organization has access to sensitive information
and data? = =
• Do you have an inventory of your authorized devices and software? = =
• Do you regularly test all your systems for vulnerabilities? = =
• Are you following the best practices established by the Center for Internet Security (CIS) in their
CIS Top 20 list? = =
For each question where you answered “No,” you should implement activities to correct the deficits or vulnerabilities to the
security of your data, facility, or personnel. Unless you take action, the ability for your business to thrive/survive will be
negatively impacted. Be sure to also follow up and reassess by completing this survey again in six months’ time. After that, we
advise that you continue to review these questions on an annual basis.

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 5 JMARK.COM

CYBERSECURITY THREAT/RISK ASSESSMENT


A cybersecurity threat is a person or a thing that accidentally triggers or intentionally exploits a vulnerability or weakness within
your organization. A number of threats may be present within you network or operating environment. Threats can come from
natural and environmental elements as well as from people.

Natural Threats: Human Threats:


• Storm/Flood Damage • Computer Abuse
• Fire • Terrorism
• Lightning Strikes • Sabotage
• Hurricanes/Tornadoes • Vandalism
Environmental Threats: • Fraud
• Power Outages • Errors/Negligence
• Chemical Spills • Falsified Data
• Pollution • Unauthorized Access
• System Tampering

CALCULATE YOUR RISK


“Risk is a combination of the likelihood of an occurrence of a hazardous event or exposure(s) and the severity of injury of ill
health that can be caused by the event or exposure(s).” (OHSAS 18001:2017) Risk is part of every business environment, but
unless you can keep risk in check, it can grow. Losses can be avoided by assessing the potential for these threats and
vulnerabilities and determining the specific risks your organization faces.

Risk = Impact x Likelihood


Use this numeric rating scale to determine your potential risk.
Impact (0-6) Likelihood (0-5)

When assessing the impact, consider the value of the assets that are at risk, what it will cost to replace them, and their
importance. The things that affect likelihood include threat capability, frequency of occurrence, and the effectiveness of the
countermeasures available to you.

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 6 JMARK.COM

IMPACT SCALE LIKELIHOOD SCALE


• The impact is negligible. • Not likely to occur.

• The effect is minor. Most operations are not affected. • Not likely to occur more than once a year.

• Your operations shut down for a period of time, resulting in • This is likely to occur once a year.
financial loss. Customer confidence is slightly affected.

• You experience a loss of operations resulting in a significant • This is likely to occur once a month.
impact on public/customer confidence.

• The effects are devastating. Systems shut down for • This is likely to occur each week.
extended periods of time. Systems must be rebuilt and data
must be replaced.

• The effect is ruinous. Critical systems go offline for • This is likely to occur on a daily basis.
extended periods of time. Data gets lost or is corrupted
beyond repair. The health and safety of employees is
affected.

People can significantly impair the ability of your


organization to operate effectively.

PEOPLE DESCRIPTION
Stakeholders Employees, owners, stock holders, etc.

Contractors Cleaning company, maintenance contractors, technical


support, computer repair services, etc.

Former Employees Retired, resigned, or were fired

Unauthorized Users Cybercriminals, terrorists, and intruders

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 7 JMARK.COM

Use the following to assess your risk level for each threat/vulnerability.
SCORE RISK LEVEL RISK RESULT
21-30 High Risk • Major loss of assets, data, or information resources.
• Completely disrupts operations for a week or more.
• Destroys your reputation.
11-20 Medium Risk • Substantial loss of assets, data, or information resources.
• Disrupts operations for a few days. Damages your reputation.
1-10 Low Risk • There is a minor loss of assets or information resources.
• Slightly affects the organization’s operation (for less than one day).
Minor loss to reputation.

ASSESS THREATS AND VULNERABILITIES


Enter your Impact and Likelihood numbers to assess your threat level.

HUMAN THREATS Impact Probability Score


(0-6) (0-5) (Impact x Likelihood)
Human Error
• Accidental deletion, modification, disclosure, or wrong classification
of information.
• Negligence: lack of security awareness or conduct, inadequate
documentation, uninformed.
• Workload: lack of adequate staff, and employees feel stressed.
• Users knowingly reveal security weaknesses to criminals.
• Improper system configuration.
• Inadequate security policies.
• Security policies are not enforced.
• Security analysis incorrect or inadequate.

Corruption
• Fraud, theft, sellling of conficential information.

Social Engineering Attacks


• Criminals use email or phone calls and impersonate an employee
to gain confidential information.
• Criminals execute Trojan Horse and malware programs due to
employees inadvertently letting them into your network.

Abuse of Trust
• Long-term or high-level employees take advantage of relaxed
security policies.

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 8 JMARK.COM

GENERAL THREATS Impact Probability Score


(0-6) (0-5) (Impact x Likelihood)

• Unauthorized use of computers.


• Mistakenly combining test and production data or environments.
• Use of unauthorized software or hardware.
• Design errors in operating system (using a system not designed to be
highly secure).
• Protocol design errors: certain protocols were not designed to be
highly secure. Protocol weaknesses in TCP/IP can result in:
• Source routing, DNS spoofing, TCP sequence guessing, unauthorized
access.
• Time bombs: software programmed to damage a system on a certain
date.
• Hijacked sessions and authentication session/transaction replay, data
is changed or copied during transmission.
• Denial of service due to ICMP bombing, TCP-SYN flooding, large PING
packets, etc.
• Logic bomb: software programmed to damage a system under certain
conditions.
• Viruses in programs, documents, email attachments.

ACCESS CONTROL THREATS Impact Probability Score


(0-6) (0-5) (Impact x Likelihood)

• Password hacking.
• External access to password files, and packet sniffers to access data.
• Extenal attack programs gain unauthorized access to the network
(backdoors).
• Internal attack programs gain unauthorized access to the network.
• The existence of unsecured maintenance modes via developer
backdoors.
• Modems that open an uncontrollable extension of the internal
network.
• Bugs in network software that leave security holes.
• Unauthorized physical access to your system.

REFUSAL THREATS Impact Probability Score


(0-6) (0-5) (Impact x Likelihood)

• Those receiving confidential information refuse to acknowledge receipt.


• Those sending confidentinal information refuse to acknowledge the
source.

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 9 JMARK.COM

LEGAL/REGULATORY THREATS Impact Probability Score


(0-6) (0-5) (Impact x Likelihood)
• There’s a failure to comply with legal/regulatory requirements, such
as protecting confidentiality of employee or customer data.
• Your organization is liable for actions by employees or internal users
who use your network to conduct unlawful activities (such as money
laundering, pornography, gambling, etc.)
• Your organization is liable for damages because employees or other
internal users hack other sites.

LEGAL/REGULATORY THREATS Impact Probability Score


(0-6) (0-5) (Impact x Likelihood)
• Your productivty and services are halted due to disasters: fire,
smoke, water, earthquake, storms (hurricanes, tornadoes), power
outages, etc.
• Your productivity and services are interrupted due to minor disasters
of short duration.
• Major human-caused disasters such as war, terrorism, bombs, civil
disturbances, chemical spills, radiological accidents, etc. halt or
interrupt your productivity and services.
• Defective hardware, cabling, communications systems, or other
equipment cause interruptions in productivity or services.

LEGAL/REGULATORY THREATS Impact Probability Score


(0-6) (0-5) (Impact x Likelihood)

• Misuse of routing protocols that confuse and mislead systems.


• Server overloading that shuts down systems.
• Email bombing by bad actors.
• Downloading or receipt of malware.
• Sabotage with deliberate damage to data or information processing
functions.
• Destruction of physical network interface devices, cables, etc.
• Destruction of computing devices, media, etc.
• Destruction of devices and meida with electromagnetic radiation
weapons.
• Deliberately overloading electricity or shutting it off.
• Deploying viruses and/or worms to delete critical systems files.
• Overloading data circuits with a large volume of frivolous requests.

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .
CYBERSECURITY CHECKLIST 10 JMARK.COM

REMEDIATION ACTIVITIES
After assessing, reviewing, and rating potential threats and vulnerabilities, you should determine what actions you can take to
reduce your risk. This means employing security controls, and/or increasing the strength of existing controls. Always balance
the cost of doing this against the expected security benefit and risk reduction. Most remediation efforts and actions focus on
the high-risk threats and vulnerabilites first.
The following table lists remediation activities you can take. They are prioritized based on their effectiveness.

RANK REMEDIATION ACTIVITY COST BENEFIT RISK


1 Establish security policies, practices, and procedures. This is very
important during times of change. Low High High
2 Develop and enforce a globally-accepted password strategy. Low High High
3 List vulnerabilities in order of high to low risk. Low High High
4 Facilitate discussions to improve processes and communications. Low High High
5 Set up and follow router configuration security standards and
best practices. Low High High
6 Harden servers on the network. Low High High
7 Incorporate worker termination activities with H.R. and I.T. policies. Low to Moderate High High
8 Conduct new-hire orientation, security awareness training, and
annual “refresher” courses for all employees. Low to Moderate High High
9 Utilize N-Tier architecture and Defense of Depth in the design of
your internet perimiter and enterprise architecture. Low to Moderate High High
10 Cpovert to a centralized and integrated model of operations
management that incorporates centralized logging, event
correlation, and alerting. Low to Moderate High High
11 Install an intrustion detection system. Moderate High High
12 Deploy encryption on mobile devices to protect the
confidentiality and integrity of data. Moderate to Expensive High High
13 Employ data classification to define security levels. Moderate to Expensive High High
14 Conduct vulnerability assesments on a regular basis. Moderate to Expensive High High
15. Designate email as mission-critical. Low Moderate Medium
16 Ensure adequate security staffing for the ISO Security Group. Expensive High High
17 Implement Computer Security Incident Response Team
(CSIRT) capabilities. Moderate to Expensive High High

As you can see, securing your organization’s technology is a complex task. Yet with the help
of an expert I.T. partner, you can rest assured your company is safe. For more information,
contact JMARK Business Solutions at 844-44-JMARK or email [email protected]. Our team
has the knowledge and skill to secure your business and keep your company safe.

J M A R K . C O M // 8 4 4 - 4 4 - J M A R K // M I S S O U R I // O K L A H O M A // A R K A N S A S

P E O P L E F I R S T. T E C H N O L O G Y S E C O N D .

You might also like