IT Security

1. Are all computers in your organization running Windows 10 or later?

If NO, is all end-of-life segregated and offline?

2. Do you protect all your devices with anti-virus, anti-malware, and/or endpoint protection software?

3. Do you install all security patches (e.g., those issued by Microsoft) within 60 days of release?

4. Do you use cloud-based email services (e.g., Office365, Gmail, Microsoft Outlook on the web)?

If YES, have you enabled multifactor authentication (MFA) on all accounts?

5. Do you allow remote access to your network (e.g., enabling employees to work from home)?

If YES, do you require multi-factor authentication (MFA) for all remote connections?

6. Have you taken measures to ensure that you comply with all privacy and data protection laws and regulations that apply to your organization (e.g., PCI, HIPAA, PIPEDA)?

Please add any additional commentary/clarifications to answers provided here:

7. Are firewalls installed at all gateways and configured to block inbound connections by default?

8. Are access controls employed using the principle of least privilege?

9. Do you maintain physically disconnected ‘offline’ back-ups (e.g., tape drives) for all critical data?

11. Have you disabled all Remote Desktop Protocol (RDP) ports?

12. Do you encrypt all personal and confidential data in-transit?

13. Have you taken measures to ensure that your organization’s website and print content do not infringe on any trademarks or copyrights?

14. Do you scan all incoming emails for malicious attachments and/or links?

Please add any additional commentary/clarifications to answers provided here:

15. Do you utilize next generation anti-virus or behavioral analysis software, including Endpoint Detection and Response (EDR) tools?

If YES, please state which product is used (e.g., CrowdStrike Falcon, SentinelOne)?

16. Are employees trained in phishing and social engineering techniques?

17. Do you utilize email filtering tools and/or software?

If YES: please state which software and/or tools are used (e.g., Proofpoint with e.g. SPF. DKIM and DMARC enabled):

18. Have you disabled all local administrator accounts on workstations and servers?

If NO, do all local administrator accounts utilize a unique password?

19. Do you run any version of Windows Server?

If YES, do you take frequent back-ups of Active Directory servers?

If YES, do all login attempts to Domain Administrator accounts require multifactor authentication (MFA)?

Please add any additional commentary/clarifications to answers provided here: