CYBER SECURITY SPECIALISTS

Security Assessment



A. MANAGEMENT (25 pts)

Objectives, policy and organizational support (5 pts)

1-Does the organization's executive team conduct a cybersecurity posture assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of information resources?

yes
partially
no

2-Are the access rights of unused user accounts revoked or deleted?

yes
partially
no

3-Does your organization have information security policies and are they fully enforced?

yes
partially
no

4-Does the organization's budget include funds to support security, including personnel, hardware and software based on the total IT budget?

yes
partially
no

Security management Implementation (5 pts)

5-As a result of the cybersecurity posture assessment, has the organization's leadership team implemented controls that protect against the identified risks?

yes
partially
no

6-Does the organization have a list of the assets and information systems covered by the baseline controls and, for any excluded items, a documented rationale and formal acceptance of the risks?

yes
partially
no

7-Does the system use two-factor authentication for access to privileged or administrator accounts?

yes
partially
no

8-Are there clearly documented procedures for reporting and documenting security incidents, as well as for response and follow-up actions?

yes
partially
no

Security planning and preparation (15 pts)

9-Security Plan: Does the organization have a security plan that has been significantly reviewed and updated in the last 12 months?

yes
partially
no

10-Cyber Insurance: Does the organization have cyber insurance against data loss, theft and cyber incidents?

yes
partially
no

11-Are benchmarks set for the immediate and long-term improvement of perimeter and internal defenses?

yes
partially
no

12-Are improvements needed in operations such as system maintenance, backup and monitoring?

yes
partially
no

13-Does your organization have an acceptable use policy and do you fully enforce that policy?

yes
partially
no

15-Is a vulnerability management plan developed and implemented? Are newly identified vulnerabilities mitigated or documented as accepted risks?

yes
partially
no

16-Security Audit: Have the organization's security operations been reviewed or audited by a third party within the last two years, and is an internal audit performed annually?

yes
partially
no

17-If an audit has been conducted, have the auditors' recommendations been fully implemented?

yes
partially
no

18-Security penetration testing: Have the organization's security operations been tested by an outside group within the last two years, and is an internal audit performed annually?

yes
partially
no

19-If a penetration test was conducted, were the testers' recommendations fully implemented?

yes
partially
no

20-Are routine network management tasks performed?

yes
partially
no

21-Are all security-related tasks performed on a regular basis?

yes
partially
no

22-Is customer service provided at appropriate levels?

yes
partially
no

B. TECHNOLOGY (50 pts)

Perimeter defense (15 pts)

23-Is your network designed to isolate web and mail servers in a semi-isolated zone, commonly called a DMZ?

Yes
Partially
No

24-Is the network perimeter protected by a spam/content filter?

Yes
Partially
No

25-Do the firewall and multi-function devices include virus protection?

Yes
Partially
No

26-Are spam, content and virus protection enabled on email and web servers?

Yes
Partially
No

27-Is your IPS (Intrusion Prevention System) properly configured and fully functioning to monitor critical facilities?

Yes
Partially
No

28-Are all wireless access points fully encrypted (WPA2, WPA3 or better)?

Yes
Partially
No

29-Are perimeter defenses regularly tested to determine their vulnerability to penetration?

Yes
Partially
No

30-Are web filters in place to comply with legal requirements, with the possibility of authorized waivers?

Yes
Partially
No

31-Is your VPN configured to provide secure access to all authorized remote users? Do users use a second authentication factor?

Yes
Partially
No

32-Does the organization have email filtering in place?

Yes
Partially
No

33-Does the organization have a DNS firewall in place for DNS queries directed to the Internet?

Yes
Partially
No

Management of local networks (15 pts)

34-Do you have live monitoring for network intrusions and virus protection? Does your organization install anti-malware software, and is this software properly configured, updated and monitored?

Yes
Partially
No

35-Is the network fully documented and is the equipment inventory up to date?

Yes
Partially
No

36-Are all critical servers protected by redundant units?

Yes
Partially
No

37-Standardization and redundancy: Do you have the ability to replace faulty equipment?

Yes
Partially
No

38-External partners and vendors: Have you validated the effectiveness of data privacy and security capabilities against intrusion of all external parties with whom you share confidential data?

Yes
Partially
No

39-Backups: Are backups performed regularly?

Yes
Partially
No

40-Backups: Are backups centrally managed?

Yes
Partially
No

41-Backups: Are backups stored off-site?

Yes
Partially
No

42-Backups: Are backups encrypted?

Yes
Partially
No

43-Does your organization have a backup policy plan?

Yes
Partially
No

44-Ransomware: Are critical assets backed up so they can be restored from ransomware incidents?

Yes
Partially
No

Wide Area Network (WAN) Management (20 pts)

45-Maintenance and Monitoring Protocols: Is the network monitored for bandwidth, connections and file types?

Yes
Partially
No

46-Is routine preventive maintenance performed on desktop computers, LAN servers and network devices?

Yes
Partially
No

47-Are network performance tests scheduled?

Yes
Partially
No

48-Standardization and redundancy: Do you have the ability to replace faulty equipment?

Yes
Partially
No

49-Does your organization store sensitive information that could potentially compromise its ability to continue operations if it were to be exfiltrated (intellectual property, government information, financial records, payment card data, etc.)?

Yes
Partially
No

50-Segmentation: Are the computer connections on your network logically organized by building, department or other hierarchical structure? Patch and virus management: Is virus protection software installed and updated automatically on each workstation? Are software vulnerabilities systematically patched on all workstations?

Yes
Partially
No

51-Add an extra point if patches are applied automatically.

Yes
Partially
No

52-External Partners and Vendors: Have you validated the effectiveness of the data privacy and intrusion security capabilities of all external parties with whom you share data or from whom you receive services (e.g., payroll, email, web hosting, ISP)? Do vendor passwords track the organization

Yes
Partially
No

53-Encryption: Is all employee and financial data encrypted in storage and transit?

Yes
Partially
No

54-Cloud Security: Are contracts structured to address security? The contract delineates the full division of responsibilities between the organization and the vendor. The contract or service level agreement includes the recording and notification of events and covers:
1. DDoS protection
2. Availability conditions
3. Intrusion detection and prevention
4. Data ownership
5. Data security
6. Compliance with legal requirements and organizational policies
The contract with the service provider specifies that the d

Yes
Partially
No

55-Passwords: Is there an organization-wide authentication and authorization policy and is it actively enforced?

Yes
Partially
No

56-Passwords: Are all computers password protected?

Yes
Partially
No

57-Passwords: Do passwords need to be changed periodically?

Yes
Partially
No

C. Business continuity (15 pts)

IT crisis management plan (7 pts)

58-IT Crisis Management Plan: Do you have an asset-based model that includes details of all systems and is reviewed and updated annually?

Yes
Partially
No

59-Inventory and Redundancy: Does the plan include a complete assessment of inventory and required redundancies in equipment and personnel?

Yes
Partially
No

60-Has your organization implemented and tested disaster recovery capabilities for critical systems?

Yes
Partially
No

61-Crisis Management: Has a crisis management/operational continuity plan been developed or updated in the last two years?

Yes
Partially
No

62-Training and Testing: Have staff members practiced implementing the crisis management plan in the past year and then revised the plan based on that experience?

Yes
Partially
No

Environmental security (4 pts)

63-Environmental Disasters: Is your network infrastructure located and installed in an area protected from flooding, hurricanes, tornadoes or other natural threats of regional significance?

Yes
Partially
No

64-Fire Protection: Are network servers protected by appropriate fire alarms and fire suppression equipment?

Yes
Partially
No

65-Temperature and humidity control: Is the network equipment properly ventilated?

Yes
Partially
No

66-Power: Are all servers and network devices protected by uninterruptible power supplies (UPS)?

Yes
Partially
No

Physical security (4 pts)

67-Secure Locations: Are all network devices located in secure facilities dedicated exclusively to network operations?

Yes
Partially
No

68-Secure infrastructure: Are all switches, hubs and cabinets located in spaces that are not also used by custodians, librarians, etc.?

Yes
Partially
No

69-Equipment Security: Is all equipment located in high traffic areas secured to prevent theft?

Yes
Partially
No

70-Power: Are all servers and network devices protected by uninterruptible power supplies (UPS)?

Yes
Partially
No

71-Access Control: Are computer facilities accessible to students and staff only under controlled circumstances (ID cards, entry logs)?

Yes
Partially
No

D. Stakeholder/end user (10 pts)

User engagement and stakeholder communication (10 pts)

72-Have all users received cybersecurity awareness training or has your organization conducted phishing tests?

Yes
Partially
No

73-Communication: Are regular technology and security updates sent to stakeholders via email, newsletters, posters, and public media?

Yes
Partially
No

74-Feedback: Is there a help desk to track problems and suggestions? Are there regular electronic and face-to-face forums for user comments, suggestions and complaints? Is feedback listened to respectfully and acted upon?

Yes
Partially
No

75-Summary: Have you created a community of trust in which users take responsibility for their role in security and also feel that their rights are respected and their needs are addressed?

Yes
Partially
No

76-Awareness: Do leaders demonstrate competence and knowledge of strategic security practices? Are users integrating critical security practices into technology use?

Yes
Partially
No

77-Access control: Is personnel access to technology controlled on a need-to-know and least-privilege basis, and is RBAC (Role-Based Access Control) configured?

Yes
Partially
No