Security Assessment

Do you have a documented and available set of updated and current procedures for security and IT management in your organization? This includes documents on data integrity, business conitnuity, incident response, physical security, etc

Is there a person or IT team primarily responsible for managing security initiatives within your organization?

Do you have a prepared and tested Business Continuity/Disaster Recovery plan?

Do you have a prepared and tested Incident Response Plan (including handling, monitoring and reporting of the incident)?

Do you have an ongoing security training (security awareneess, email phishing, etc) specific for the employees responsibilities?

Are you performing vulnerability assessments, penetration testing and vulnerability management on information system assets (network, website, endpoints, servers, sowtware, web applicaitons,etc)?

Are you performing regular inventory of all IT assets (hardware and software)?

Do you manage the security and access restrictions of your wireless networks?

Are you employing anti-malware and other security controls such as firewall, data loss prevention, intrusion detection/prevention systems across your environment?

Are you compliant ready - do you have documentation and processes in place for the audit?

Do you have a prepared and tested Business Continuity/Disaster Recovery plan?

Do you have a prepared and tested Incident Response Plan (including handling, monitoring and reporting of the incident)?

If you are developing in software/applications, have you implemented a secure software development lifecycle?

Are you performing vulnerability assessments, penetration testing and vulnerability management on information system assets (network, website, endpoints, servers, software, web applications, etc)?

Are you performing regular inventory of all IT assets (hardware and software)?

Are you following a formal configuration management, patching and change control process?

Do you have a documented and standardized process for hardening systems and hosts, and is this process automated via a configuration management system?

Do you actively manage supply chain security risk and enforcing third party risk management?

Are you employing anti-malware and other security controls such as firewall, data loss prevention, intrusion detection/prevention systems across your environment?

Do you collect, monitor and analyze yoursystem, application and security logs in a dedicated, secure, centralized logging solution or a security monitoring system?