CYBER RISK SELF ASSESSMENT CHECKLIST
Revised By: Bachir El Nakib (CAMS), Senioe Consultant Compliance Alert (LLC)
You don’t prepare for a hurricane after it hits, right? You shouldn’t think about Cyber-Security threats after you’ve been hacked.
While there is no way to completely eliminate cyber risk, there are steps every business – from the smallest Main Street shops to the international joint ventures – can take to drastically reduce not only the likelihood of a breach, but also the overall impact should one occur. Some few data breaches:
Consider using this Check-list to help establish a basic understanding of the current level of cyber risk your organization is facing. It will also identify specific areas where improvements can be made, thus reducing risk.
SECURITY POLICIES
-Does your organization maintain information security policies?
-Is there a mechanism for information security policy enforcement?
-Does your organization maintain configuration management policies and tracking of all software and hardware?
-Is sensitive data (HR, financial, intellectual capital, etc.) labeled as such?
-Is access to sensitive data controlled and logged?
INCIDENT RESPONSE
-Do you have an incident response plan?
-Has your incident response plan been tested?
-Do you have an incident response team/Cyber-Security firm/general counsel/crisis communication firm identified?
CONTINUITY OF OPERATIONS
-Have you systematically evaluated all of the potential sources of disruption to your business?
-Do you have an active program to reduce the likelihood of a disruption?
-If you could not re-enter the workplace because of an emergency, do you have a pre-determined location to meet?
-Do you maintain a list of employees, customers and suppliers at an off-site location?
-If you lost a critical system, do you have a pre-determined plan to restore the system?
-Is your business resumption plan securely stored in a remote location?
-Do you periodically test your business resumption plan along with your site emergency response plan?
BUSINESS PROCESSES
-Do you have proven anti-virus software loaded and active on your computer?
-Do you delete, without opening, emails from unknown sources?
-Do you back up data on a regular basis?
-Do you utilize strong, difficult to guess passwords?
-Do you use security hardware and software such as firewalls and intrusion detection/prevention systems?
-Are you maintaining configuration management through security policy implementation and systems hardening?
-Are you maintaining software patch management on all systems by following a regular schedule for updates?
-Do you subscribe to security mailing lists?
-Are you performing security testing through security audits and penetration scanning?
-Are you ensuring physical security of systems and facilities?
-Do you ensure users have anti-virus software loaded and active on their systems?
-Are you maintaining operational management through the review of all log files, ensuring systems backups with periodic data restores and reporting any known issues or risks?