Revised By: Bachir El Nakib (CAMS), Senioe Consultant Compliance Alert (LLC)

You don’t prepare for a hurricane after it hits, right? You shouldn’t think about Cyber-Security threats after you’ve been hacked.

While there is no way to completely eliminate cyber risk, there are steps every business – from the smallest Main Street shops to the international joint ventures – can take to drastically reduce not only the likelihood of a breach, but also the overall impact should one occur. Some few data breaches:

Consider using this Check-list to help establish a basic understanding of the current level of cyber risk your organization is facing. It will also identify specific areas where improvements can be made, thus reducing risk.


-Does your organization maintain information security policies?

-Is there a mechanism for information security policy enforcement?

-Does your organization maintain configuration management policies and tracking of all software and hardware?

-Is sensitive data (HR, financial, intellectual capital, etc.) labeled as such?

-Is access to sensitive data controlled and logged?


-Do you have an incident response plan?

-Has your incident response plan been tested?

-Do you have an incident response team/Cyber-Security firm/general counsel/crisis communication firm identified?


-Have you systematically evaluated all of the potential sources of disruption to your business?

-Do you have an active program to reduce the likelihood of a disruption?

-If you could not re-enter the workplace because of an emergency, do you have a pre-determined location to meet?

-Do you maintain a list of employees, customers and suppliers at an off-site location?

-If you lost a critical system, do you have a pre-determined plan to restore the system?

-Is your business resumption plan securely stored in a remote location?

-Do you periodically test your business resumption plan along with your site emergency response plan?


-Do you have proven anti-virus software loaded and active on your computer?

-Do you delete, without opening, emails from unknown sources?

-Do you back up data on a regular basis?

-Do you utilize strong, difficult to guess passwords?

-Do you use security hardware and software such as firewalls and intrusion detection/prevention systems?

-Are you maintaining configuration management through security policy implementation and systems hardening?

-Are you maintaining software patch management on all systems by following a regular schedule for updates?

-Do you subscribe to security mailing lists?

-Are you performing security testing through security audits and penetration scanning?

-Are you ensuring physical security of systems and facilities?

-Do you ensure users have anti-virus software loaded and active on their systems?

-Are you maintaining operational management through the review of all log files, ensuring systems backups with periodic data restores and reporting any known issues or risks?




Download File