
 Does your organisation keep an up-to-date inventory of all IT assets with assigned owners?
 Does your organisation keep an up-to-date inventory of all data repositories (such as databases) with assigned owners?
 Does your organisation have a formal process to ensure that employees, contractors and third party users return all IT assets when they leave the organisation?
 Does your organisation have a process for editing or removing employee access to systems and information (whether digital or physical) when they are changing role or leaving the organisation?
 Does your organisation have a documented process for provisioning user accounts for all of your IT services that includes appropriate authorisation and secure account creation with unique user IDs?
 Does your organisation enforce multi-factor authentication (aka MFA, sometimes referred to as two-factor authentication, 2FA) on all remotely accessible services (both within your internal IT systems and on third party services)?
 Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
 Does your organisation regularly audit employee access rights for all IT services (whether internal or third party based)?
 Does your organisation use Privileged Access Management controls to securely manage the use of privileged accounts for system administration?
 Do all of your organisation's systems automatically lock after a short period of inactivity (requiring re-authentication)?
 Does your organisation use/provision a password manager to ensure passwords are of the required complexity and only used once?
 Has your organisation disabled auto-run on all of its Microsoft Windows based IT systems?
 Has your organisation removed local administrator rights on all endpoint devices for all employees that do not require it?
 Does your organisation operate a secure configuration process to reduce any unnecessary vulnerabilities in your IT systems, including servers, endpoints, network devices and systems hosted in a cloud environment?
 Do all systems (such as network devices) have their default credentials changed on installation or provision?
 Does your organisation have a formal change management process that gives consideration to information security?
 Does your organisation use anti-malware controls, such as an Endpoint Detection and Response (EDR) solution, to protect all of its endpoints and internal IT infrastructure?
 Does your organisation have procedures in place to control the installation of software on IT production systems (such as servers)?
 Does your organisation have procedures in place to control the installation of software on user endpoint systems?
 Does your organisation use laptop devices?
 Are all company owned laptop hard drives encrypted?
 Can your organisation remotely wipe company data on laptop devices?
 Does your organisation allow employees to access company data or services through mobile phones or tablets?
 Can your organisation remotely wipe company data on employee / contractor personal mobile phones and tablets?
 Does your organisation encrypt customer data on its IT systems?
 Does your organisation ensure that all IT systems are regularly patched with security patches in line with vendor recommendations, including endpoint devices, servers, network devices, and applications?
 Does your organisation run any applications or systems that are no longer supported and no longer receive security updates?
 Does your organisation ensure that all used digital media (that may have stored data) are disposed of securely, and are certificates of destruction obtained?
 Does your organisation take regular backups of its digital production data in line with current best practice guidelines?
 Has your organisation configured its email services to use enforced TLS?
 Has your organisation implemented SPF, DMARC, and DKIM for all of its email services?
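The SPF/DMARC/DKIM question above is easier to answer consistently when the published DNS records are checked rather than self-reported. The following is an added example (not part of this questionnaire) that evaluates constructed TXT records for a hypothetical domain example.test; live DNS lookups are outside its scope, so the records are passed in as a dict.

```python
import re

# Constructed sample TXT records for the hypothetical domain "example.test".
SAMPLE_TXT = {
    "example.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example.test": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.test"],
    "mail._domainkey.example.test": ["v=DKIM1; k=rsa; p=MIIBIjANBgkq...EXAMPLEKEY"],
}

def parse_tags(record):
    """Split a 'k=v; k=v' style record (DMARC/DKIM) into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_email_auth(domain, txt_records, dkim_selectors=("mail",)):
    """Return a per-control verdict for SPF, DMARC and DKIM from the supplied TXT data."""
    result = {"spf": "missing", "dmarc": "missing", "dkim": "missing"}

    # SPF: exactly one v=spf1 record is valid; the terminal 'all' qualifier decides enforcement.
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if len(spf) == 1:
        m = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", spf[0])
        qual = m.group(1) if m else None
        verdicts = {"-": "enforcing", "~": "softfail", "?": "neutral"}
        result["spf"] = verdicts.get(qual, "permissive")
    elif len(spf) > 1:
        result["spf"] = "invalid (multiple records)"

    # DMARC: v=DMARC1 at _dmarc.<domain>; p=none only monitors, quarantine/reject enforce.
    for r in txt_records.get(f"_dmarc.{domain}", []):
        tags = parse_tags(r)
        if tags.get("v", "").upper() == "DMARC1":
            policy = tags.get("p", "").lower()
            if policy in ("quarantine", "reject"):
                result["dmarc"] = "enforcing"
            else:
                result["dmarc"] = f"monitor-only ({policy or 'no p tag'})"

    # DKIM: a public key (p= tag) must be published for each selector the mail system signs with.
    for sel in dkim_selectors:
        for r in txt_records.get(f"{sel}._domainkey.{domain}", []):
            if parse_tags(r).get("p"):
                result["dkim"] = "present"
    return result
```

A "yes" to the questionnaire item corresponds to SPF "enforcing", DMARC "enforcing" and DKIM "present" for every sending domain; a DMARC policy of p=none is monitoring, not enforcement.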

XXXXX

 Does your organisation prevent unauthorised transfer of data via email, web browsers, or other data transfer mechanisms?
 Are any components of the system (hardware, applications, software) outsourced or subcontracted to a third party?
 Are any supporting services (e.g., system support, service desk, remote administration) outsourced or subcontracted to a third party?
 What are your ‘patch deployment cycles’ and maintenance windows?
 Does your organisation have an enforceable password policy?
