6. a) Do you centrally manage and monitor all user accounts and login events on your network? b) Can you monitor and manage all file permissions on your network to ensure that data sets are only accessed by active and authorized users?
7. a) Do you prohibit account sharing across all services and users as part of your information security policy? b) Do you control and monitor what applications your users are allowed to install and use? Do you have an up-to-date inventory of all third-party applications running on your system, including their patch level?
28. Have you properly documented and regulated which users require access to which systems, data and other services (following the principle of least privilege)?
40. Are you aware of any systems or devices in your environment that cannot be patched or updated?
8. a) Do you enforce best security practices, such as unique complex passwords, multi-factor authentication, and where advisable, single sign-on to users? b) Have you renamed or disabled default accounts and passwords for all devices, services and software, including IoT devices (e.g. smart white goods, wearables, digital assistants, etc.)? c) Do you employ a defence-in-depth approach to cybersecurity, e.g. multiple layers of security controls throughout your network and services?
9. a) Do you allow IoT devices such as digital assistants, smart white goods etc. to connect to your network? b) Do you prevent users from connecting non-authorized devices to your network (physically or wirelessly)?
10. a) Do you allow "Bring Your Own Device" (BYOD) at your organization and if so, do you have an up-to-date policy to manage and control their access to your services and data? b) Do you allow users to access your network remotely (e.g. from home or while travelling), and are you confident the connection is properly authenticated, encrypted, and tracked? c) Are all users given regular cybersecurity awareness information and training, covering how to avoid the latest threats (e.g. malvertising, cryptomining, phishing, social engineering, and ransomware techniques)? d) Do you perform regular staff testing to identify poor security practices (e.g. simulated phishing attacks)? e) Do you ensure regular penetration tests, including vulnerability scans, are performed across all your systems, networks, and services (including third-party and cloud-based services)?
11. a) Can you remotely access, configure, audit, track and securely wipe any devices you allow on your network, even when they are outside of your network? b) If you provide guest access to your networks, do you provide segregation from your critical systems and sensitive data?
12. a) Do you track all systems, services, users, and contact lists to ensure anything unwanted or expired is deactivated or disabled? b) Do you have a reliable and regularly-tested backup and restore strategy for all important data and systems, with appropriate duplication and diversity of storage? c) Do you monitor all data leaving your devices and networks to prevent unwanted leaks (e.g. being copied to USB sticks)? d) Do you track that all Operating System, device firmware, software and security patches are up-to-date and automatically updated where appropriate?
13. a) Do you encrypt all sensitive traffic? b) Do you encrypt all sensitive data? Are all devices and storage media properly encrypted and secured against unwanted access or theft? c) If you are storing any data in the cloud (e.g. AWS, Google, Office 365, etc.), have you used all available tools and best practices to harden its security? d) Are you regularly scanning all the data on your network, including backups and archives, to ensure it is not harboring malware and has not been tampered with?
36. Do you have systems in place to ensure that all external services you provide (including websites, web applications and databases, remote login systems, etc.) are resilient to traffic spikes and distributed denial-of-service (DDoS) attacks?
37. Do you monitor for insider threats, such as analyzing user activity to spot any anomalous behavior (e.g. logging in from an unusual location, accessing unauthorized files, etc.)?
14. a) Have you properly documented and regulated which users require access to which systems, data and other services (following the principle of least privilege)? b) Have you accurately documented your security procedures and policies and involved all the appropriate parties, including external business partners and the supply chain?
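Questions 14a and 28 ask for a documented record of which users require access to which systems, and question 6b asks for monitoring that data sets are only accessed by active and authorized users. The following is an added example, not part of the questionnaire, of reconciling those two things: a documented access matrix is compared with the grants the systems actually report and with the directory's list of active accounts. The data structures (`DOCUMENTED`, `ACTUAL_GRANTS`, `ACTIVE_USERS`) and the permission ranking are assumptions, and all values are constructed sample data.

```python
# Added example (not part of the questionnaire): reconcile documented access
# against actual grants and active accounts. All data is constructed.

# Documented, approved access: system -> {user: permission}
DOCUMENTED = {
    "payroll-db": {"alice": "read", "bob": "admin"},
    "hr-share":   {"alice": "read", "carol": "write"},
}

# What the systems actually report: (system, user, permission)
ACTUAL_GRANTS = [
    ("payroll-db", "alice", "read"),
    ("payroll-db", "bob",   "admin"),
    ("payroll-db", "dave",  "read"),    # never documented
    ("hr-share",   "alice", "write"),   # documented as read only
    ("hr-share",   "erin",  "read"),    # account no longer active
]

# Accounts the directory reports as active
ACTIVE_USERS = {"alice", "bob", "carol", "dave"}

# Assumed ordering of permission breadth, used to tell "more than approved" apart
RANK = {"read": 1, "write": 2, "admin": 3}


def reconcile(documented, actual, active):
    """Return findings a reviewer would act on:
    - inactive_grant:     permission held by a disabled or departed account
    - undocumented_grant: permission with no approved entry at all
    - excess_grant:       permission broader than the documented one
    - missing_grant:      documented access the system does not actually have
    """
    findings = {"inactive_grant": [], "undocumented_grant": [],
                "excess_grant": [], "missing_grant": []}
    seen = set()
    for system, user, perm in actual:
        seen.add((system, user))
        if user not in active:
            # Revocation comes first; whether it was documented no longer matters.
            findings["inactive_grant"].append((system, user, perm))
            continue
        approved = documented.get(system, {}).get(user)
        if approved is None:
            findings["undocumented_grant"].append((system, user, perm))
        elif RANK[perm] > RANK[approved]:
            findings["excess_grant"].append((system, user, perm, approved))
    # Documented access that is not present is a drift finding too: either the
    # documentation is stale or provisioning failed, and both need a decision.
    for system, users in documented.items():
        for user, perm in users.items():
            if (system, user) not in seen:
                findings["missing_grant"].append((system, user, perm))
    return findings


if __name__ == "__main__":
    for kind, items in reconcile(DOCUMENTED, ACTUAL_GRANTS, ACTIVE_USERS).items():
        for item in items:
            print(kind, *item)
```

Run against the sample data, the check reports erin's grant on an inactive account, dave's undocumented read on payroll-db, alice holding write on hr-share where only read is approved, and carol's documented write on hr-share that is not actually provisioned. Feeding real ACL exports and a directory extract into the same shape turns this into a recurring access review.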
15. a) Is your email traffic being scanned to remove any malware, spam, phishing attacks, and other unwanted content? b) Is your web traffic being scanned to detect and block malicious, fraudulent, distracting or unwanted traffic? c) Do you have fully operational, correctly configured, patched and updated firewalls on your endpoint devices and at your network perimeter? d) Do you have up-to-date, good quality malware protection installed, active and updated on all devices that access your network?