Organizational Commitment and Risk Management
Leadership Involvement:
Is Cybersecurity an agenda item during the organization’s board meetings?
Policy Review and Updates:
Are Cybersecurity policies and procedures regularly reviewed and updated?
Assessments and Testing:
Has your organization performed regular Cybersecurity assessments and vulnerability testing (e.g., risk assessments, cybersecurity framework reviews, penetration tests)?
Organizational Culture and Improvement Practices:
Does the organization promote a culture of Cybersecurity awareness and continuous improvement in its Cybersecurity practices?
Protective and Detection Technologies
Access Control:
Are access controls for sensitive systems and data effectively managed, and is multi-factor authentication used?
Intrusion Detection Systems / Intrusion Prevention Systems and Security Monitoring:
Does the organization use security tools (e.g., Intrusion Detection Systems (IDS) / Intrusion Prevention Systems (IPS), Security Information and Event Management (SIEM)) to actively monitor for and detect suspicious activity?
Response and Recovery
Incident Response Plan:
Is the incident response plan comprehensive, regularly tested through simulations, and adaptable to different types of incidents, and does it incorporate third-party cyber expertise?
Backup and Disaster Recovery:
Does the organization have a well-defined backup and disaster recovery plan, with frequent testing to ensure data can be restored?
Third-Party Management
TPRM and Vendor Risk Management:
Does your organization assess the Cybersecurity practices of third-party vendors and suppliers?
Are Cybersecurity requirements formally included in third-party contracts and agreements?
Training and Awareness
Employee Training and Awareness:
Do your organization’s employees go through regular Cybersecurity training and awareness programs?
Does your organization hold phishing simulations or security awareness campaigns?