CONTACT INFORMATION

    NAME *
    COMPANY *
    EMAIL ADDRESS *
    PHONE NUMBER *

    ADMINISTRATIVE

    1.0 Do you document all your business vendors?

    Recommendation:
    CNS recommends having a comprehensive list of all company vendors listed with their contact information, point of contact, access, and SLA information. This is helpful as you will not need to hunt around for the proper contact information, saving valuable time during an incident. Additionally, this list can be referenced as vendors are dismissed to make sure any/all access they have can be removed.

    2.0 Do you currently have a full set of IT policies and procedures?


    Recommendation:
    Security policies are the guidelines that indicate managements intentions on securing their physical and information assets. They also provide guidance on acceptable use of these assets and the ramifications should be not be follow. CNS can provide IT security documents to your company should you request them.

    3.0 Do you have a written document describing each of your critical IT assets, the impact of their failure on the business, and how quickly you can recover them?


    Recommendation:
    Asset documentation helps a company to assign a value to their core assets. Should a core asset become unavailable due to an incident that can cause productivity and monetary impact to a company. CNS recommends the creation of a written asset management document detailing the function of the asset as well as the impact to the company should the asset become unavailable.

    4.0 Do you have a written Business Continuity strategy? In the event of a major facilities or hardware loss, how will you continue to conduct business?


    Please provide them

    Have they been tested within the last 2 years?

    If Yes, please provide evidence of test.

    Recommendation:
    Business Continuity Plans are pre-drafted, pre-determined protocols for how your organization will overcome a business disruption caused by an emergency. Containing a serialized checklist of risk-mitigating action to take, business continuity planning addresses both natural and human disasters that can strike, ultimately bringing operations to a halt. CNS can help by providing a generic BCP that your company can use and adapt to fit your organization.

    5.0 Do you have a written Backup Policy that details when the backups run, how often the backups are verified, and how long the backups should be retained?

    6.0 Does your company receive, store, or send Protected Health Information (PHI) or Personally Identifiable Information (PII)?


    Do you utilize both encryption for data at rest, as well as for data in transit?

    Please detail what cloud service you use to store PHI/PII

    Recommendation:
    CNS recommends the implantation of encryption both at rest and in transit for any company that sends, receives, or stores PHI and PII. Encryption is a requirement as dictated in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for storing, sending, and receiving PHI and PII.

    7.0 Do you require Information Security training for your employees?

    8.0 Do you receive threat intelligence information from sharing sources such as the Information Sharing and Analysis Center (ISAC)?

    9.0 Do you have a listing of all user accounts?

    After user termination, do you disable accounts?
    How long after termination do you disable accounts?

    Recommendation:
    It is best practice to have a listing of all user accounts so you can make sure no account is left with access after employees leave. CNS maintains user lists through several different vectors including, Active Directory, Azure Active Directory, and N-Central. It is important to notify us when user status’ change so we can make the appropriate modifications to the user’s access.

    10.0 Do any of your users have admin access?

    11.0 Are background checks performed?

    Recommendation:
    Background checks should be performed on an annual basis as many items that may impact your business through an employee’s behavior may not be visible to you. CNS recommends you update your background check policy, notify your employees, and perform background checks on an annual basis.

    12.0 Do you use a Mobile Device Management (MDM) solution to control and revoke access to company data and software on personal devices?

    What MDM solution do you utilize?

    Recommendation:
    CNS recommends that if employees have access to company data on mobile devices the mobile device be protected by a MDM solution. CNS utilizes Microsoft Intune to manage devices and we can assist you in deploying this solution.

    13.0 Do you have a way of distinguishing levels of access for employees based on various factors such as job role, location, and/or device?

    14.0 Do you utilize Multi-Factor Authentication (MFA) for any/all of the following assets?

    Please select if any:

    Recommendation:
    Multi-factor authentication should be enabled on all critical systems for any users who have access. Accounts secured with MFA can remain unbreached even if the account username and password have been compromised.

    WEB ASSETS

    15.0 Please provide a list of all external domain names used by your company, including any sub-domains, forwarded domains, and affiliated websites.

    16.0 Do you conduct any form of e-commerce or sales through your website or another vendor?

    Are your sites secured with an SSL certificate?

    Have you performed a PCI DSS compliance audit of your site?

    Recommendation:
    If you perform any e-commerce on your network, CNS recommends the site be secured by an SSL certificate and the site be consistently audited for PCI DSS compliance. PCI DSS is the information security standard for organization that handle branded credit cards and their information.

    EMAIL/CLOUD

    17.0 What type of email solution does your organization utilize?

    18.0 Do you utilize an anti-spam solution for your email system?

    What anti-spam solution do you utilize?

    Recommendation:
    Anti-Spam solutions are import to both reduce the amount of unnecessary and unwanted email and to block malicious email from reaching your users inboxes.

    19.0 Do you utilize any other Advanced Email Security solution in addition to an Anti-Spam system (Example Microsoft ATP, Mail Assure, Barracuda Email Security Gateway)?

    What solution do you use?

    Recommendation:
    Advanced email security suites offer many advanced solutions to protect email systems beyond traditional anti-spam / anti-malware solutions. Solutions such as Impersonation Protection and Sandboxing for links and attachments greatly increase the security of email systems.

    20.0 Do you have a way to send encrypted emails?

    What solution do you use?

    Recommendation:
    CNS recommends that any time private or sensitive information needs to be emailed, it should be sent via an encrypted email. An encrypted email protects the contents of the email from being viewed by unauthorized 3rd parties.

    21.0 Do you utilize a Data Loss Prevention (DLP) solution to prevent users from leaking sensitive data?

    What DLP solution do you use?

    Recommendation:
    DLP prevents the accidental (or intentional) disclosure of private/sensitive data. By configuring DLP thresholds, an organization can choose what happens when an outgoing email/OneDrive/SharePoint link attempts to send sensitive email to a 3rd party. The content can be blocked, encrypted, or otherwise locked down. CNS recommends implementing a DLP solution if your organization works with any type of sensitive information (PHI, PII, Credit Card Info, Corporate IP, etc.)

    NETWORK

    22.0 Do you use a firewall between your internal network and the internet?

    Have you changed the default username and password for your firewall?

    Recommendation:
    Firewalls are used to block unauthorized incoming traffic to your network. CNS recommends that firewalls be set with a DENY ALL rule for incoming traffic. With very few exceptions, nothing from outside should be allowed into the network without first originating from within the corporate network. Additionally, we recommend configuring logging on the firewall so that access and changes can be audited.

    23.0 Do you have a redundant ISP connection?

    24.0 Do you segregate internal network traffic based upon datatype (Data, Voice, Management)?

    25.0 Do you utilize Wi-Fi for your business?

    What authentication method do your use for your WiFi (WEP, WPA2, RADIUS)?
    Have you changed the default username/password for your device?
    How do you store/protect the wireless access password?

    Recommendation:
    Wireless access can be very beneficial for organizations that have a distributed user base within their headquarters or remote offices. That being said, it is important that wireless networks be configured securely so as not to introduce additional attack vectors into your network. Internal and guest networks, rogue AP scanning, and wireless encryption should all be setup to ensure your wireless network remains secure.

    26.0 Do you have an intrusion detection product in place today?

    What DLP solution do you use?

    Recommendation:
    Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical in preventing and documenting attacks as they happen against your network. IDS systems are valuable tools for IT professionals who need to diagnose the who, what, when, and where of attacks after they have happened.

    27.0 Are you monitoring your IT environment for anomalous events?

    28.0 Do you perform vulnerability scans of your environment?

    Do you perform internal and external scans?
    How often are the scans performed?

    Please provide the latest vulnerability scan report

    Recommendation:
    Due to the large amount of devices that modern day networks have, it can be difficult to stay on top of the latest threats to each of them. This is why Vulnerability Scanning is so important. A vulnerability scanner will be able to inform IT Professionals of all known vulnerabilities with the equipment on your network. Knowing there is an issue is the first step in resolving the issue. We recommend reoccurring vulnerability scans both internally and externally on your network to identify any newly disclosed vulnerabilities.

    WORKSTATIONS

    29.0 Do you use any kind of Remote Monitoring & Management tool to manage your workstations?

    Who has access to the RMM tool?

    Does your RMM tool retain any of the following logs?

    Recommendation:
    RMM tools can be very valuable for IT professionals to efficiently manage endpoints on a network, but they also need to be configured correctly to ensure they are not adding vulnerabilities to your network.

    30.0 How are Microsoft software updates scheduled and reviewed?

    Microsoft Update Method

    31.0 How are 3rd party application updates scheduled and reviewed?

    3rd Party Update Method

    Recommendation:
    Similar to Windows updates themselves, 3rd party applications also frequently release updates (Adobe Reader, Java, Slack, Notepad++, etc.). To keep your systems secure it is important to update these programs in a timely manner. CNS can help with this by taking over management of your 3rd party application updates and automating them.

    32.0 Do you maintain active support agreements with your application vendors?

    33.0 How long before your computer screen is set to lock when not in use?

    Lock Screen Threshold

    34.0 Do you allow the use of USB ports on your workstations/laptops?

    35.0 Are user credentials private and not being shared?

    How are user credentials shared?

    Recommendation:
    User credentials (usernames/passwords) are the primary line of defense used against preventing unauthorized access to organization resources, applications, and data. By sharing account credentials, the organization is opened to additional risk as the organization cannot confirm who has performed an action. CNS recommends that all users have unique usernames and passwords for all systems. User accounts should never be shared between employees or to external parties as it increases the risk faced by the organization.

    36.0 Do you have an inventory of devices such as printers, scanners, and computers on your network?

    37.0 Do you provide surge protection to your PCs?

    38.0 Do all computers use a trusted anti-virus/anti-malware application?

    How often does this solution update?

    Recommendation:
    Endpoint Anti-Virus/Anti-Malware is an excellent tool for helping to prevent intrusions into your network. These applications scan your local machines for malicious software, phishing attempts, ransomware, and other intrusion attempts. CNS recommends that all workstations and servers on the network have up to date AV/AM software and that you maintain an active vendor support agreement with the supplier of the AV/AM software.

    39.0 Do you utilize a form of endpoint encryption for your computers?

    What software do you utilize?

    Recommendation:
    Endpoint encryption helps to protect the data on a device by making the contents of the hard drive unreadable. Should a device be lost or stolen, endpoint encryption will prevent the malicious entity from being able to read the data on the PC. CNS recommends that all organization workstations be encrypted with an up-to-date encryption software, such as Microsoft’s BitLocker Encryption.

    40.0 If applicable, describe your virtualization status (VMWare, Microsoft Hyper-V, Physical, etc.)

    Currently Using

    Recommendation:
    Virtualization of servers can help to reduce costs incurred by the organization when equipment must be replaced. By using a small number of virtual server hosts, the organization reduces the likelihood of a piece of hardware failing resulting in data loss. Additionally, virtualization allows for scaling of “virtual” hardware for your severs.

    41.0 Are your servers protected from power outages via a secondary power source such as a UPS?

    PHYSICAL

    42.0 Is your physical office locked when vacant?

    43.0 Do you maintain a Sign-In log when visitors come to your office?

    44.0 How are hard copy documents handled before disposal?

    45.0 Do you have Cyber Security Insurance?