CONTACT INFORMATION

    NAME *

    COMPANY *

    EMAIL ADDRESS *

    PHONE NUMBER *

    ADMINISTRATIVE

    1.0 Do you document all your business vendors?

    Recommendation:
    CNS recommends maintaining a comprehensive list of all company vendors, with contact information, point of contact, the access each vendor has to your systems, and SLA information. This saves valuable time during an incident, because you will not need to hunt for the right contact. The list should also be reviewed whenever a vendor is dismissed, so that any access they hold can be removed.

    2.0 Do you currently have a full set of IT policies and procedures?


    Recommendation:
    Security policies are the guidelines that state management's intentions for securing physical and information assets. They also provide guidance on acceptable use of these assets and the consequences should the policy not be followed. CNS can provide IT security policy documents to your company on request.

    3.0 Do you have a written document describing each of your critical IT assets, the impact of their failure on the business, and how quickly you can recover them?


    Recommendation:
    Asset documentation helps a company assign a value to its core assets. Should a core asset become unavailable because of an incident, the company suffers both productivity and monetary impact. CNS recommends creating a written asset management document that details the function of each asset, the impact to the company should it become unavailable, and the recovery time you can tolerate.

    4.0 Do you have a written Business Continuity strategy? In the event of a major facilities or hardware loss, how will you continue to conduct business?


    Please provide them

    Have they been tested within the last 2 years?

    If Yes, please provide evidence of test.

    Recommendation:
    Business Continuity Plans are pre-drafted, pre-determined protocols for how your organization will overcome a business disruption caused by an emergency. Containing a serialized checklist of risk-mitigating actions to take, business continuity planning addresses both natural and human-caused disasters that can bring operations to a halt. A plan that has never been exercised is unproven, which is why evidence of a test within the last two years is requested above. CNS can help by providing a generic BCP that your company can adapt to fit your organization.

    5.0 Do you have a written Backup Policy that details when the backups run, how often the backups are verified, and how long the backups should be retained?

    6.0 Does your company use encryption to receive, store, or send Protected Health Information (PHI) or Personally Identifiable Information (PII)?


    Do you utilize both encryption for data at rest, as well as for data in transit?

    Please detail what cloud service you use to store PHI/PII

    Recommendation:
    CNS recommends the implementation of encryption both at rest and in transit for any company that sends, receives, or stores PHI or PII. Under the HIPAA Security Rule, encryption of electronic PHI at rest and in transit is an "addressable" implementation specification: a covered entity must either implement it or document why it is not reasonable and what equivalent measure is used instead. In practice, encryption is the expected control, and properly encrypted data is not treated as a reportable breach under the HIPAA breach notification rules if the key is not also compromised. HIPAA does not itself govern PII that is not health information, but state breach-notification laws generally apply the same logic, so the same controls should cover both.

    7.0 Do you require Information Security training for your employees?

    Recommendation:
    It is essential to your business to ensure your employees are trained on the constantly changing security threats and how to avoid these threats. CNS provides both online training courses as well as Phishing simulations to help employees learn what to watch for and how to avoid phishing scams.

    8.0 Do you receive threat intelligence information from sharing sources such as the Information Sharing and Analysis Center (ISAC)?

    9.0 Do you have a listing of all user accounts?

    After user termination, do you disable accounts?

    How long after termination do you disable accounts?

    Recommendation:
    It is best practice to have a listing of all user accounts so you can make sure no account retains access after an employee leaves. CNS maintains user lists through several different sources, including Active Directory, Azure Active Directory, and N-Central. It is important to notify us when a user's status changes so we can make the appropriate modifications to the user's access; accounts of departed employees should be disabled the same day, not deleted immediately, so that mailbox and file ownership can be reassigned first.
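    The inventory and termination steps described above can be scripted against Active Directory. The following PowerShell is an added example, not CNS or page material; it assumes the ActiveDirectory RSAT module, rights to modify the accounts, a "Disabled Users" OU (hypothetical path), and a constructed list of terminated logons. The 90-day stale threshold is an assumption to adjust to your policy.

```powershell
# Added example (not CNS material): inventory enabled AD accounts, flag stale ones,
# and disable accounts of terminated employees. Assumes the ActiveDirectory module,
# rights to modify users, and a holding OU whose path below is hypothetical.
Import-Module ActiveDirectory

$StaleDays  = 90                                  # assumption: adjust to policy
$Terminated = @('jdoe', 'asmith')                 # constructed sample: sAMAccountNames from HR
$ReportPath = Join-Path $env:TEMP 'user-account-inventory.csv'
$DisabledOu = 'OU=Disabled Users,DC=example,DC=com'   # hypothetical OU

# 1. Inventory every enabled account with last logon and group memberships.
#    LastLogonDate is derived from lastLogonTimestamp, which replicates lazily and can
#    be up to ~14 days behind, so treat it as a coarse signal, not an exact value.
$Inventory = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, MemberOf |
    Select-Object SamAccountName, Name, LastLogonDate,
        @{ n = 'Groups'; e = { ($_.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } }
$Inventory | Export-Csv -Path $ReportPath -NoTypeInformation

# 2. Stale accounts: enabled, but no logon within $StaleDays (never logged on counts as stale).
$Cutoff = (Get-Date).AddDays(-$StaleDays)
$Stale  = $Inventory | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }
$Stale | Format-Table SamAccountName, Name, LastLogonDate -AutoSize

# 3. Termination: disable (do not delete), record why, and move out of production OUs.
#    Disabling first preserves mailbox/file ownership for reassignment.
foreach ($sam in $Terminated) {
    $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -ErrorAction SilentlyContinue
    if (-not $u) { Write-Warning "No account found for '$sam'"; continue }
    Disable-ADAccount -Identity $u
    Set-ADUser -Identity $u -Description ("Disabled {0:yyyy-MM-dd}: terminated" -f (Get-Date))
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $DisabledOu
    Write-Host "Disabled and moved $sam"
}
```

    Run the stale-account report on a schedule and reconcile it against HR records; the script deliberately does not auto-disable stale accounts, because service and shared-mailbox accounts often show no interactive logon.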

    10.0 Do you limit the use of admin access for all users who do not need the permissions to perform their job duties?

    11.0 Are background checks performed?

    Recommendation:
    Background checks should be performed on an annual basis, because changes in an employee's circumstances that could affect your business are not always visible to you. CNS recommends that you update your background check policy, notify your employees, and perform background checks annually.

    12.0 Do you use a Mobile Device Management (MDM) solution to control and revoke access to company data and software on personal devices?

    What MDM solution do you utilize?

    Recommendation:
    CNS recommends that if employees have access to company data on mobile devices, those devices be protected by an MDM solution, so that company data can be remotely wiped and access revoked without touching the user's personal data. CNS utilizes Microsoft Intune to manage devices and can assist you in deploying this solution.

    13.0 Do you have a way of distinguishing levels of access for employees based on various factors such as job role, location, and/or device?

    14.0 Do you utilize Multi-Factor Authentication (MFA) for any/all of the following assets?

    Please select if any:

    Recommendation:
    Multi-factor authentication should be enabled on all critical systems for every user who has access to them. An account secured with MFA can remain unbreached even if its username and password have been compromised. Note that SMS and simple push approvals can still be phished or fatigued into approval; where available, prefer phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business, and at minimum use number-matching push prompts.

    WEB ASSETS

    15.0 Please provide a list of all external domain names used by your company, including any sub-domains, forwarded domains, and affiliated websites.

    16.0 Do you secure your website with an SSL certificate?

    Have you performed a PCI DSS compliance audit of your site?

    Recommendation:
    If you perform any e-commerce on your website, CNS recommends that the site be secured with a TLS certificate (commonly still called an "SSL certificate") from a trusted certificate authority, that plain HTTP be redirected to HTTPS, and that the site be audited regularly for PCI DSS compliance. PCI DSS is the information security standard for organizations that store, process, or transmit branded payment card data.

    EMAIL/CLOUD

    17.0 Do you use Microsoft 365 as your email provider?

    What email provider does your organization use?

    18.0 Do you utilize an anti-spam solution for your email system?

    What anti-spam solution do you utilize?

    Recommendation:
    Anti-spam solutions are important both to reduce the amount of unnecessary and unwanted email and to block malicious email before it reaches your users' inboxes.

    19.0 Do you utilize any other Advanced Email Security solution in addition to an Anti-Spam system (Example Microsoft ATP, Mail Assure, Barracuda Email Security Gateway)?

    What solution do you use?

    Recommendation:
    Advanced email security suites protect email systems beyond what traditional anti-spam and anti-malware filtering provides. Features such as impersonation protection and sandboxing of links and attachments (detonating them before delivery) greatly increase the security of email systems.

    20.0 Do you have a way to send encrypted emails?

    What solution do you use?

    Recommendation:
    CNS recommends that any time private or sensitive information needs to be emailed, it should be sent via an encrypted email. An encrypted email protects the contents of the email from being viewed by unauthorized 3rd parties.

    21.0 Do you utilize a Data Loss Prevention (DLP) solution to prevent users from leaking sensitive data?

    What DLP solution do you use?

    Recommendation:
    DLP prevents the accidental (or intentional) disclosure of private or sensitive data. By configuring DLP rules and thresholds, an organization chooses what happens when an outgoing email, OneDrive share, or SharePoint link would send sensitive content to a third party: the content can be blocked, encrypted, or otherwise locked down. CNS recommends implementing a DLP solution if your organization works with any type of sensitive information (PHI, PII, credit card information, corporate IP, etc.).

    NETWORK

    22.0 Do you use a firewall between your internal network and the internet?

    Have you changed the default username and password for your firewall?

    Does your firewall have an active security subscription?

    Recommendation:
    Firewalls are used to block unauthorized incoming traffic to your network. CNS recommends that firewalls be configured with a default DENY ALL rule for inbound traffic: with very few exceptions, nothing from outside should be allowed into the network unless it is a reply to a connection that originated from within the corporate network (stateful inspection). Any inbound exception (a VPN, a published web server) should be an explicit rule to a specific host and port. Additionally, we recommend enabling logging on the firewall so that access and configuration changes can be audited, and changing the default administrative credentials and disabling administrative access from the internet side.

    23.0 Do you have a redundant ISP connection?

    24.0 Do you segregate internal network traffic based upon datatype (Data, Voice, Management)?

    25.0 Do you use secure authentication for your organization’s internal Wi-Fi?

    What type of authentication do you use? (WEP, WPA2, RADIUS, OTHER)?

    Recommendation:
    Wireless access can be very beneficial for organizations with a distributed user base within their headquarters or remote offices. That being said, it is important that wireless networks be configured securely so as not to introduce additional attack vectors into your network. WEP and WPA (TKIP) are broken and should not be used at all; use WPA2 or WPA3, and for the internal network prefer enterprise mode (802.1X with RADIUS) over a shared pre-shared key, since a single PSK cannot be revoked for one departing employee. Separate internal and guest networks, rogue AP scanning, and wireless encryption should all be set up to ensure your wireless network remains secure.

    26.0 Do you have an intrusion detection product in place today?

    What Intrusion Detection Solution do you use?

    Recommendation:
    Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical for catching and documenting attacks against your network as they happen. An IPS sits inline and can block malicious traffic; an IDS only observes and alerts, but its records are valuable for IT professionals who need to reconstruct the who, what, when, and where of an attack after it has happened. Either is only useful if someone reviews the alerts, so pair it with the monitoring asked about in the next question.

    27.0 Are you monitoring your IT environment for anomalous events?

    28.0 Do you perform vulnerability scans of your environment?

    Do you perform internal and external scans?

    How often are the scans performed?

    Please provide the latest vulnerability scan report

    Recommendation:
    Because of the large number of devices on a modern network, it can be difficult to stay on top of the latest threats to each of them. This is why vulnerability scanning is so important. A vulnerability scanner reports the known vulnerabilities it can identify in the software, firmware, and configuration of the equipment on your network, including missing patches and default credentials. Knowing there is an issue is the first step in resolving it, so scan findings should be tracked to remediation and rescanned to confirm the fix. We recommend recurring vulnerability scans, both internal and external, to identify newly disclosed vulnerabilities; authenticated internal scans find far more than unauthenticated ones.

    WORKSTATIONS

    29.0 Do you use any kind of Remote Monitoring & Management tool to manage your workstations?

    Who has access to the RMM tool?

    Does your RMM tool retain any of the following logs?

    Recommendation:
    RMM tools can be very valuable for IT professionals to efficiently manage endpoints on a network, but they also need to be configured correctly to ensure they are not adding vulnerabilities to your network. Because an RMM agent can run commands on every managed machine, the RMM console is a high-value target: restrict who has access to it, require MFA for every console login, grant the least privilege each technician needs, and retain the session, script-execution, and remote-access logs so that activity can be audited.

    30.0 Are Microsoft software updates scheduled and reviewed before deployment?

    What tool do you use to approve and schedule Microsoft updates?

    Recommendation:
    Reviewing Windows updates before they are installed is an important step in the patching process. Filtering out updates that do not apply or have known issues associated with them helps ensure your business systems remain in good working order. CNS recommends reviewing all updates before they are installed so that no unforeseen issues arise. It is also important to deploy updates to a pilot group before deploying to all production machines. A pilot group helps identify any issues caused by an update and provides time to remediate the issue or decline the update. Review should not become indefinite delay: security updates should still reach all machines within a defined window, as attackers routinely weaponize patched vulnerabilities within days of release.

    31.0 How are 3rd party application updates scheduled and reviewed?

    What tool do you use to approve and schedule 3rd Party updates?

    Recommendation:
    Like Windows itself, third-party applications frequently release updates (Adobe Reader, Java, Slack, Notepad++, etc.), and many of these fix security vulnerabilities. To keep your systems secure it is important to update these programs in a timely manner. CNS can help by taking over management of your third-party application updates and automating them.

    32.0 Do you maintain active support agreements with your line of business application vendors?

    33.0 Do you have a workstation idle time lockout policy?

    How long before your computer screen is set to lock when not in use?

    34.0 Do you block the use of USB Mass Storage devices on your workstations/laptops?
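    Both the idle-lock question (33.0) and the USB mass-storage question (34.0) map to Windows settings that can be set and verified from PowerShell. The following is an added example, not CNS or page material; it assumes an elevated prompt on a single Windows host, and the 15-minute (900-second) lock timeout is an assumption to adjust to your policy. In a domain, push the same settings through Group Policy or Intune rather than per-machine scripts.

```powershell
# Added example (not CNS material): enforce an idle screen lock and block USB
# mass-storage devices on one Windows host, then verify both. Run elevated.
#Requires -RunAsAdministrator

$IdleSeconds = 900   # assumption: 15 minutes; CIS/NIST guidance is 15 minutes or less

# "Interactive logon: Machine inactivity limit". A value of 0 means disabled, which is why
# the verification below treats 0 and "not set" the same way.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs' -Value $IdleSeconds -Type DWord

# Stop the USB mass-storage class driver from loading (Start = 4 is "disabled").
# Keyboards, mice and other HID devices are unaffected. A device already mounted keeps
# working until it is unplugged. If you need to allow specific encrypted drives, use the
# Removable Storage Access Group Policy instead of this blunt switch.
$UsbStor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
Set-ItemProperty -Path $UsbStor -Name 'Start' -Value 4 -Type DWord

# Verification, returned as an object so it can be collected into a compliance report.
function Test-WorkstationHardening {
    $idle = (Get-ItemProperty -Path $PolicyKey -Name 'InactivityTimeoutSecs' -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    $usb  = (Get-ItemProperty -Path $UsbStor  -Name 'Start'                 -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        IdleLockSeconds   = $idle
        IdleLockOk        = ($null -ne $idle -and $idle -gt 0 -and $idle -le $IdleSeconds)
        UsbStorageBlocked = ($usb -eq 4)
    }
}

Test-WorkstationHardening
```

    The inactivity limit takes effect at the next logon; the USBSTOR change is immediate for newly attached devices. The verification function is what you would run fleet-wide (for example through your RMM) to answer questions 33.0 and 34.0 with evidence rather than an assertion.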

    35.0 Are user credentials private and not being shared?

    Recommendation:
    User credentials (usernames and passwords) are the first line of defense against unauthorized access to organization resources, applications, and data. When credentials are shared, the organization takes on additional risk: it can no longer confirm who performed an action, cannot revoke one person's access without resetting everyone's, and cannot enforce MFA meaningfully. CNS recommends that every user have a unique username and password for every system. Accounts should never be shared between employees or with external parties. Where a shared secret is unavoidable (a service login with no per-user option), store it in a password manager with individual access and an audit trail, and rotate it when anyone with access leaves.

    How are user credentials shared?

    36.0 Do you have an inventory of devices such as printers, scanners, and computers on your network?

    37.0 Do you provide surge protection to your PCs?

    38.0 Do all computers use a trusted anti-virus/anti-malware application?

    How often does this solution update?

    Recommendation:
    Endpoint anti-virus/anti-malware is an essential tool for preventing intrusions into your network. These applications scan local machines for malicious software, ransomware, and malicious downloads, and modern endpoint detection and response (EDR) products also record process behavior so that an incident can be investigated. CNS recommends that all workstations and servers on the network run up-to-date AV/AM software with automatic signature updates, and that you maintain an active vendor support agreement with the supplier of the AV/AM software.

    39.0 Do you utilize a form of endpoint encryption for your computers?

    What software do you utilize?

    Recommendation:
    Endpoint encryption protects the data on a device by making the contents of the drive unreadable without the key. Should a device be lost or stolen, encryption prevents a malicious party from reading the data on the PC, and a lost encrypted laptop is generally not a reportable data breach. CNS recommends that all organization workstations be encrypted with a current full-disk encryption product such as Microsoft BitLocker, with recovery keys escrowed centrally (Active Directory, Azure AD, or Intune) so that a forgotten PIN or a hardware change does not mean lost data.
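    Answering question 39.0 with evidence means checking every volume's encryption and protection state, not just whether BitLocker is installed. The following PowerShell is an added example, not CNS or page material; it assumes the BitLocker module (Windows 10/11 Pro or Enterprise, or Server with the feature), an elevated prompt, and, for the escrow step, that the Group Policy to store recovery information in AD DS is enabled (assumption).

```powershell
# Added example (not CNS material): report BitLocker compliance for every volume on this
# host, back up recovery passwords, and optionally enable BitLocker on an unprotected OS volume.
#Requires -RunAsAdministrator
Import-Module BitLocker

function Get-EncryptionCompliance {
    Get-BitLockerVolume | ForEach-Object {
        # Compliant only if encryption is complete AND protection is on. A volume that is
        # 100% encrypted with ProtectionStatus 'Off' is "suspended": the key is stored in the
        # clear and the data is readable, so it must not be reported as protected.
        $compliant = ($_.VolumeStatus -eq 'FullyEncrypted') -and ($_.ProtectionStatus -eq 'On')
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Mount         = $_.MountPoint
            VolumeType    = $_.VolumeType
            Status        = $_.VolumeStatus
            Protection    = $_.ProtectionStatus
            Method        = $_.EncryptionMethod
            KeyProtectors = ($_.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
            Compliant     = $compliant
        }
    }
}

$report = Get-EncryptionCompliance
$report | Format-Table -AutoSize

# Escrow: every volume needs a RecoveryPassword protector backed up to AD DS (or Azure AD/Intune)
# before the device leaves the building. Backup-BitLockerKeyProtector writes to AD DS when the
# corresponding Group Policy is enabled (assumption for this example).
foreach ($vol in Get-BitLockerVolume) {
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    if (-not $rp) { Write-Warning "$($vol.MountPoint): no recovery password protector"; continue }
    Backup-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $rp[0].KeyProtectorId | Out-Null
}

# Remediation for a non-compliant OS volume: add a recovery password first, then enable with
# the TPM so the user is not prompted at boot. XTS-AES 256 is the current recommended method.
$os = $report | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and -not $_.Compliant } | Select-Object -First 1
if ($os -and (Read-Host "Enable BitLocker on $($os.Mount)? (y/N)") -eq 'y') {
    Add-BitLockerKeyProtector -MountPoint $os.Mount -RecoveryPasswordProtector | Out-Null
    Enable-BitLocker -MountPoint $os.Mount -TpmProtector -EncryptionMethod XtsAes256 -SkipHardwareTest
}
```

    The compliance object is what you would collect from every endpoint through your RMM; the escrow loop is the step most often missed, and it is the difference between a recoverable device and one that must be wiped after a firmware update changes the TPM measurements.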

    40.0 If applicable, describe your virtualization status (VMWare, Microsoft Hyper-V, Physical, etc.)

    Currently Using

    Recommendation:
    Virtualization of servers can reduce the costs incurred when equipment must be replaced, because a virtual machine is not tied to any particular hardware and can be restored to or migrated onto another host. Using a small number of virtual hosts reduces the amount of physical hardware to maintain, but it concentrates risk: a host failure takes down every VM on it, so host redundancy (clustering or replication) and backups of the VMs themselves remain essential. Additionally, virtualization allows the "virtual" hardware of your servers to be scaled as workloads change, and snapshots taken before patching make rollback straightforward.

    41.0 Are your servers protected from power outages via a secondary power source such as a UPS?

    42.0 Do you have any Windows Workstations or Servers with unsupported operating systems?

    PHYSICAL

    43.0 Is your physical office locked when vacant?

    44.0 Do you maintain a Sign-In log when visitors come to your office?

    45.0 Do you utilize a 3rd party data disposal vendor to securely dispose of your hard copy documents?

    How do you dispose of hard copy documents?

    46.0 Do you have Cyber Security Insurance?