CONTACT INFORMATION

ADMINISTRATIVE

1.0 Do you document all your business vendors?

[group vendor-yes-selected]If Yes Please Attach Document

Recommendation:
CNS recommends having a comprehensive list of all company vendors listed with their contact information, point of contact, access, and SLA information. This is helpful as you will not need to hunt around for the proper contact information, saving valuable time during an incident. Additionally, this list can be referenced as vendors are dismissed to make sure any/all access they have can be removed.
[/group]
[group vendor-no-selected]Recommendation:
CNS recommends having a comprehensive list of all company vendors listed with their contact information, point of contact, access, and SLA information. This is helpful as you will not need to hunt around for the proper contact information, saving valuable time during an incident. Additionally, this list can be referenced as vendors are dismissed to make sure any/all access they have can be removed.
[/group]

2.0 Do you currently have a full set of IT policies and procedures?

[group policies-yes-selected]Have they been updated within the last 2 years?
YesNoN/A

Please provide them

Recommendation:
Security policies are the guidelines that indicate managements intentions on securing their physical and information assets. They also provide guidance on acceptable use of these assets and the ramifications should be not be follow. CNS can provide IT security documents to your company should you request them.
[/group]
[group policies-no-selected]Recommendation:
Security policies are the guidelines that indicate managements intentions on securing their physical and information assets. They also provide guidance on acceptable use of these assets and the ramifications should be not be follow. CNS can provide IT security documents to your company should you request them.
[/group]

3.0 Do you have a written document describing each of your critical IT assets, the impact of their failure on the business, and how quickly you can recover them?

[group critical-it-assets-yes-selected]Have they been updated within the last 1 year?
YesNoN/A

Please provide them

Recommendation:
Asset documentation helps a company to assign a value to their core assets. Should a core asset become unavailable due to an incident that can cause productivity and monetary impact to a company. CNS recommends the creation of a written asset management document detailing the function of the asset as well as the impact to the company should the asset become unavailable.
[/group]
[group critical-it-assets-no-selected]Recommendation:
Asset documentation helps a company to assign a value to their core assets. Should a core asset become unavailable due to an incident that can cause productivity and monetary impact to a company. CNS recommends the creation of a written asset management document detailing the function of the asset as well as the impact to the company should the asset become unavailable.
[/group]

4.0 Do you have a written Business Continuity strategy? In the event of a major facilities or hardware loss, how will you continue to conduct business?

[group business-continuity-strategy-yes-selected]Have they been updated within the last 1 year?
YesNoN/A

Please provide them

Have they been tested within the last 2 years?
YesNoN/A[group business-continuity-strategy-tested-yes-selected]

If Yes, please provide evidence of test.
[/group]

Recommendation:
Business Continuity Plans are pre-drafted, pre-determined protocols for how your organization will overcome a business disruption caused by an emergency. Containing a serialized checklist of risk-mitigating action to take, business continuity planning addresses both natural and human disasters that can strike, ultimately bringing operations to a halt. CNS can help by providing a generic BCP that your company can use and adapt to fit your organization.
[/group]
[group business-continuity-strategy-no-selected]Recommendation:
Business Continuity Plans are pre-drafted, pre-determined protocols for how your organization will overcome a business disruption caused by an emergency. Containing a serialized checklist of risk-mitigating action to take, business continuity planning addresses both natural and human disasters that can strike, ultimately bringing operations to a halt. CNS can help by providing a generic BCP that your company can use and adapt to fit your organization.
[/group]

5.0 Do you have a written Backup Policy that details when the backups run, how often the backups are verified, and how long the backups should be retained?

[group written-backup-policy-yes-selected]Please provide them

Please provide the latest server & workstation backup report you have

Recommendation:
A backup policy help an organization manage its expectations and provides specific guidance on the “who, what, when, and how” of the data backup and restore process. The policy should go over who is responsible for managing backups and confirming they complete successfully, as well as dictate who can access the backups and how long the data should be retained. CNS can assist in providing a standard backup policy that can be adjusted to best fit your needs.
[/group]
[group written-backup-policy-no-selected]Recommendation:
A backup policy help an organization manage its expectations and provides specific guidance on the “who, what, when, and how” of the data backup and restore process. The policy should go over who is responsible for managing backups and confirming they complete successfully, as well as dictate who can access the backups and how long the data should be retained. CNS can assist in providing a standard backup policy that can be adjusted to best fit your needs.
[/group]

6.0 Does your company use encryption to receive, store, or send Protected Health Information (PHI) or Personally Identifiable Information (PII)?

[group phi-pii-yes-selected]Is the data stored locally on your network or in a cloud service?
LocalCloud

[group phi-pii-local-cloud-local-selected]

Do you utilize both encryption for data at rest, as well as for data in transit?YesNoN/A[/group][group phi-pii-local-cloud-cloud-selected]

Please detail what cloud service you use to store PHI/PII
[/group]

Recommendation:
CNS recommends the implantation of encryption both at rest and in transit for any company that sends, receives, or stores PHI and PII. Encryption is a requirement as dictated in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for storing, sending, and receiving PHI and PII.
[/group]
[group phi-pii-no-selected]Recommendation:
CNS recommends the implantation of encryption both at rest and in transit for any company that sends, receives, or stores PHI and PII. Encryption is a requirement as dictated in the Health Insurance Portability and Accountability Act (HIPAA) of 1996 for storing, sending, and receiving PHI and PII.
[/group]

7.0 Do you require Information Security training for your employees?

[group require-information-security-yes-selected]What type of training do you provide?
Instructor Led TrainingReading MaterialsPhishing Training/Simulations

What is the frequency of the training?

Recommendation:
It is essential to your business to ensure your employees are trained on the constantly changing security threats and how to avoid these threats. CNS provides both online training courses as well as Phishing simulations to help employees learn what to watch for and how to avoid phishing scams.
[/group]
[group require-information-security-no-selected]Recommendation:
It is essential to your business to ensure your employees are trained on the constantly changing security threats and how to avoid these threats. CNS provides both online training courses as well as Phishing simulations to help employees learn what to watch for and how to avoid phishing scams.
[/group]

8.0 Do you receive threat intelligence information from sharing sources such as the Information Sharing and Analysis Center (ISAC)?

[group receive-threat-intelligence-yes-selected]Recommendation:
Leveraging Threat Intelligence is important as you can gain vital information about your business sector that would enable you to detect and defend against known attacks. CNS does monitor ISAC and other threat intelligence providers for the latest information on new and ongoing threats.
[/group]
[group receive-threat-intelligence-no-selected]Recommendation:
Leveraging Threat Intelligence is important as you can gain vital information about your business sector that would enable you to detect and defend against known attacks. CNS does monitor ISAC and other threat intelligence providers for the latest information on new and ongoing threats.
[/group]

9.0 Do you have a listing of all user accounts?

[group user-account-listing-yes-selected]

Recommendation:
It is best practice to have a listing of all user accounts so you can make sure no account is left with access after employees leave. CNS maintains user lists through several different vectors including, Active Directory, Azure Active Directory, and N-Central. It is important to notify us when user status’ change so we can make the appropriate modifications to the user’s access.
[/group]
[group user-account-listing-no-selected]Recommendation:
It is best practice to have a listing of all user accounts so you can make sure no account is left with access after employees leave. CNS maintains user lists through several different vectors including, Active Directory, Azure Active Directory, and N-Central. It is important to notify us when user status’ change so we can make the appropriate modifications to the user’s access.
[/group]

10.0 Do you limit the use of admin access for all users who do not need the permissions to perform their job duties?

[group users-admin-access-yes-selected]Recommendation:
Admin access allows users to install, delete, or modify applications and programs that may not be consistent with your business model. CNS recommends the removal or limit the use of admin access for all users who do not need the additional permissions to perform their job duties.
[/group]
[group users-admin-access-no-selected]Recommendation:
Admin access allows users to install, delete, or modify applications and programs that may not be consistent with your business model. CNS recommends the removal or limit the use of admin access for all users who do not need the additional permissions to perform their job duties.
[/group]

11.0 Are background checks performed?

[group background-checks-yes-selected]Only at new hireAnnually

Recommendation:
Background checks should be performed on an annual basis as many items that may impact your business through an employee’s behavior may not be visible to you. CNS recommends you update your background check policy, notify your employees, and perform background checks on an annual basis.
[/group]
[group background-checks-no-selected]Recommendation:
Background checks should be performed on an annual basis as many items that may impact your business through an employee’s behavior may not be visible to you. CNS recommends you update your background check policy, notify your employees, and perform background checks on an annual basis.
[/group]

12.0 Do you use a Mobile Device Management (MDM) solution to control and revoke access to company data and software on personal devices?

[group mdm-yes-selected]What MDM solution do you utilize?

Recommendation:
CNS recommends that if employees have access to company data on mobile devices the mobile device be protected by a MDM solution. CNS utilizes Microsoft Intune to manage devices and we can assist you in deploying this solution.
[/group]
[group mdm-no-selected]Recommendation:
CNS recommends that if employees have access to company data on mobile devices the mobile device be protected by a MDM solution. CNS utilizes Microsoft Intune to manage devices and we can assist you in deploying this solution.
[/group]

13.0 Do you have a way of distinguishing levels of access for employees based on various factors such as job role, location, and/or device?

[group levels-of-access-yes-selected]Recommendation:
CNS recommends only giving users those privileges which are essential to perform their intended job function. By restricting users access to only what they need an organizations security will be greatly increased. Should an attack occur, privilege escalation becomes much more difficult for the attacker.
[/group]
[group levels-of-access-no-selected]Recommendation:
CNS recommends only giving users those privileges which are essential to perform their intended job function. By restricting users access to only what they need an organizations security will be greatly increased. Should an attack occur, privilege escalation becomes much more difficult for the attacker.
[/group]

14.0 Do you utilize Multi-Factor Authentication (MFA) for any/all of the following assets?

[group mfa-yes-selected]Please select if any:
Line of Business ApplicationsWorkstationsCloud Solutions (Office 365, Google Docs)

Recommendation:
Multi-factor authentication should be enabled on all critical systems for any users who have access. Accounts secured with MFA can remain unbreached even if the account username and password have been compromised.
[/group][group mfa-no-selected]Recommendation:
Multi-factor authentication should be enabled on all critical systems for any users who have access. Accounts secured with MFA can remain unbreached even if the account username and password have been compromised.
[/group]

WEB ASSETS

15.0 Please provide a list of all external domain names used by your company, including any sub-domains, forwarded domains, and affiliated websites.

16.0 Do you secure your website with an SSL certificate?

[group ssl-cert-yes-selected]Have you performed a PCI DSS compliance audit of your site?
YesNoN/A

Recommendation:
If you perform any e-commerce on your network, CNS recommends the site be secured by an SSL certificate and the site be consistently audited for PCI DSS compliance. PCI DSS is the information security standard for organization that handle branded credit cards and their information.
[/group][group ssl-cert-no-selected]Recommendation:
If you perform any e-commerce on your network, CNS recommends the site be secured by an SSL certificate and the site be consistently audited for PCI DSS compliance. PCI DSS is the information security standard for organization that handle branded credit cards and their information.
[/group]

EMAIL/CLOUD

17.0 Do you use Microsoft 365 as your email provider?

[group o365-no-selected]What email provider does your organization use?
Please SelectLocally hosted Microsoft ExchangeMicrosoft Office 365Hosted POP/IMAP EmailOther
[/group]

18.0 Do you utilize an anti-spam solution for your email system?

[group anti-spam-yes-selected]

Recommendation:
Anti-Spam solutions are import to both reduce the amount of unnecessary and unwanted email and to block malicious email from reaching your users inboxes.
[/group]
[group anti-spam-no-selected]Recommendation:
Anti-Spam solutions are import to both reduce the amount of unnecessary and unwanted email and to block malicious email from reaching your users inboxes.
[/group]

19.0 Do you utilize any other Advanced Email Security solution in addition to an Anti-Spam system (Example Microsoft ATP, Mail Assure, Barracuda Email Security Gateway)?

[group ams-yes-selected]

Recommendation:
Advanced email security suites offer many advanced solutions to protect email systems beyond traditional anti-spam / anti-malware solutions. Solutions such as Impersonation Protection and Sandboxing for links and attachments greatly increase the security of email systems.
[/group]
[group ams-no-selected]Recommendation:
Advanced email security suites offer many advanced solutions to protect email systems beyond traditional anti-spam / anti-malware solutions. Solutions such as Impersonation Protection and Sandboxing for links and attachments greatly increase the security of email systems.
[/group]

20.0 Do you have a way to send encrypted emails?

[group encrypted-email-yes-selected]

Recommendation:
CNS recommends that any time private or sensitive information needs to be emailed, it should be sent via an encrypted email. An encrypted email protects the contents of the email from being viewed by unauthorized 3rd parties.
[/group]
[group encrypted-email-no-selected]Recommendation:
CNS recommends that any time private or sensitive information needs to be emailed, it should be sent via an encrypted email. An encrypted email protects the contents of the email from being viewed by unauthorized 3rd parties.
[/group]

21.0 Do you utilize a Data Loss Prevention (DLP) solution to prevent users from leaking sensitive data?

[group dlp-yes-selected]

Recommendation:
DLP prevents the accidental (or intentional) disclosure of private/sensitive data. By configuring DLP thresholds, an organization can choose what happens when an outgoing email/OneDrive/SharePoint link attempts to send sensitive email to a 3rd party. The content can be blocked, encrypted, or otherwise locked down. CNS recommends implementing a DLP solution if your organization works with any type of sensitive information (PHI, PII, Credit Card Info, Corporate IP, etc.)
[/group]
[group dlp-no-selected]Recommendation:
DLP prevents the accidental (or intentional) disclosure of private/sensitive data. By configuring DLP thresholds, an organization can choose what happens when an outgoing email/OneDrive/SharePoint link attempts to send sensitive email to a 3rd party. The content can be blocked, encrypted, or otherwise locked down. CNS recommends implementing a DLP solution if your organization works with any type of sensitive information (PHI, PII, Credit Card Info, Corporate IP, etc.)
[/group]

NETWORK

22.0 Do you use a firewall between your internal network and the internet?

[group firewall-yes-selected]Have you changed the default username and password for your firewall?
YesNoN/A

Does your firewall have an active security subscription?
YesNoN/A

Recommendation:
Firewalls are used to block unauthorized incoming traffic to your network. CNS recommends that firewalls be set with a DENY ALL rule for incoming traffic. With very few exceptions, nothing from outside should be allowed into the network without first originating from within the corporate network. Additionally, we recommend configuring logging on the firewall so that access and changes can be audited.
[/group]

[group firewall-no-selected]Recommendation:
Firewalls are used to block unauthorized incoming traffic to your network. CNS recommends that firewalls be set with a DENY ALL rule for incoming traffic. With very few exceptions, nothing from outside should be allowed into the network without first originating from within the corporate network. Additionally, we recommend configuring logging on the firewall so that access and changes can be audited.
[/group]

23.0 Do you have a redundant ISP connection?

[group redundant-isp-yes-selected]Recommendation:
If your organization requires internet access for work, CNS recommends having a redundant ISP connection to your router. A redundant connection will prevent an office from going offline should an ISP have an outage. We understand that failures will happen and a redundant ISP connection is a good step towards minimizing the impact from the failure of a single component.
[/group]
[group redundant-isp-no-selected]Recommendation:
If your organization requires internet access for work, CNS recommends having a redundant ISP connection to your router. A redundant connection will prevent an office from going offline should an ISP have an outage. We understand that failures will happen and a redundant ISP connection is a good step towards minimizing the impact from the failure of a single component.
[/group]

24.0 Do you segregate internal network traffic based upon datatype (Data, Voice, Management)?

[group segregate-traffic-yes-selected]Recommendation:
Data segregation helps to prevent unauthorized people or devices from accessing sensitive information. Network segmentation helps to prevent attackers from having full access to your network should one segment be compromised. Additionally, it makes implementing the Principle of Lease Privilege easier because some users will have access to some network segments while others will not.
[/group]
[group segregate-traffic-no-selected]Recommendation:
Data segregation helps to prevent unauthorized people or devices from accessing sensitive information. Network segmentation helps to prevent attackers from having full access to your network should one segment be compromised. Additionally, it makes implementing the Principle of Lease Privilege easier because some users will have access to some network segments while others will not.
[/group]

25.0 Do you use secure authentication for your organization’s internal Wi-Fi?

[group wi-fi-yes-selected]

Recommendation:
Wireless access can be very beneficial for organizations that have a distributed user base within their headquarters or remote offices. That being said, it is important that wireless networks be configured securely so as not to introduce additional attack vectors into your network. Internal and guest networks, rogue AP scanning, and wireless encryption should all be setup to ensure your wireless network remains secure.
[/group]
[group wi-fi-no-selected]Recommendation:
Wireless access can be very beneficial for organizations that have a distributed user base within their headquarters or remote offices. That being said, it is important that wireless networks be configured securely so as not to introduce additional attack vectors into your network. Internal and guest networks, rogue AP scanning, and wireless encryption should all be setup to ensure your wireless network remains secure.
[/group]

26.0 Do you have an intrusion detection product in place today?

[group int-detection-yes-selected]

Recommendation:
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical in preventing and documenting attacks as they happen against your network. IDS systems are valuable tools for IT professionals who need to diagnose the who, what, when, and where of attacks after they have happened.
[/group]
[group int-detection-no-selected]Recommendation:
Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are critical in preventing and documenting attacks as they happen against your network. IDS systems are valuable tools for IT professionals who need to diagnose the who, what, when, and where of attacks after they have happened.
[/group]

27.0 Are you monitoring your IT environment for anomalous events?

[group anomalous-yes-selected]Recommendation:
Anonymous event monitoring is a type of advanced network security provided by a SIEM solution. A SIEM will review all network logs in real time to notify IT staff of incidents as they are happening. Modern day networks have hundreds of different devices that connect and manage the network. Being able to review all of their logs in real time can drastically improve time to action for IT Security professionals.
[/group]
[group anomalous-no-selected]Recommendation:
Anonymous event monitoring is a type of advanced network security provided by a SIEM solution. A SIEM will review all network logs in real time to notify IT staff of incidents as they are happening. Modern day networks have hundreds of different devices that connect and manage the network. Being able to review all of their logs in real time can drastically improve time to action for IT Security professionals.
[/group]

28.0 Do you perform vulnerability scans of your environment?

[group vulnerability-yes-selected]Do you perform internal and external scans?
YesNoN/A[group vulnerability-scans-yes-selected]

[/group]

Recommendation:
Due to the large amount of devices that modern day networks have, it can be difficult to stay on top of the latest threats to each of them. This is why Vulnerability Scanning is so important. A vulnerability scanner will be able to inform IT Professionals of all known vulnerabilities with the equipment on your network. Knowing there is an issue is the first step in resolving the issue. We recommend reoccurring vulnerability scans both internally and externally on your network to identify any newly disclosed vulnerabilities.
[/group]
[group vulnerability-no-selected]Recommendation:
Due to the large amount of devices that modern day networks have, it can be difficult to stay on top of the latest threats to each of them. This is why Vulnerability Scanning is so important. A vulnerability scanner will be able to inform IT Professionals of all known vulnerabilities with the equipment on your network. Knowing there is an issue is the first step in resolving the issue. We recommend reoccurring vulnerability scans both internally and externally on your network to identify any newly disclosed vulnerabilities.
[/group]

WORKSTATIONS

29.0 Do you use any kind of Remote Monitoring & Management tool to manage your workstations?

[group rem-monitoring-yes-selected]

Does your RMM tool retain any of the following logs?

Patching LogsAV/AM LogsAccess Logs

Recommendation:
RMM tools can be very valuable for IT professionals to efficiently manage endpoints on a network, but they also need to be configured correctly to ensure they are not adding vulnerabilities to your network.
[/group]
[group rem-monitoring-no-selected]Recommendation:
RMM tools can be very valuable for IT professionals to efficiently manage endpoints on a network, but they also need to be configured correctly to ensure they are not adding vulnerabilities to your network.
[/group]

30.0 Are Microsoft software updates scheduled and reviewed before deployment?

[group microsoft-updates-yes-selected]

Recommendation:
Reviewing Windows Updates before they are installed is an important step in the patching process. Filtering out updates that do not apply or have known issues associated with them will help to ensure your business systems remain in good working order. CNS recommends reviewing all updates before they are installed to ensure not unforeseen issues will arise. It is also important to deploy updates to a Pilot group before deploying to all production machines. A pilot group will help to identify any issues that may arise from updates and provide time to remediate the issue or deny the update.
[/group]
[group microsoft-updates-no-selected]Recommendation:
Reviewing Windows Updates before they are installed is an important step in the patching process. Filtering out updates that do not apply or have known issues associated with them will help to ensure your business systems remain in good working order. CNS recommends reviewing all updates before they are installed to ensure not unforeseen issues will arise. It is also important to deploy updates to a Pilot group before deploying to all production machines. A pilot group will help to identify any issues that may arise from updates and provide time to remediate the issue or deny the update.
[/group]

31.0 How are 3rd party application updates scheduled and reviewed?

[group app-updates-yes-selected]

Recommendation:
Similar to Windows updates themselves, 3rd party applications also frequently release updates (Adobe Reader, Java, Slack, Notepad++, etc.). To keep your systems secure it is important to update these programs in a timely manner. CNS can help with this by taking over management of your 3rd party application updates and automating them.
[/group]
[group app-updates-no-selected]Recommendation:
Similar to Windows updates themselves, 3rd party applications also frequently release updates (Adobe Reader, Java, Slack, Notepad++, etc.). To keep your systems secure it is important to update these programs in a timely manner. CNS can help with this by taking over management of your 3rd party application updates and automating them.
[/group]

32.0 Do you maintain active support agreements with your line of business application vendors?

[group support-agreements-yes-selected]Recommendation:
Support agreements are very important to maintain, especially for all Line of Business (LoB) applications. Often times when issues arise with LoB applications, the application vendor is the only entity with the knowledge and ability to investigate the cause of the issue and implement remediation steps. Not maintaining vendor support agreements can end up costing more money in the long run.
[/group]
[group support-agreements-no-selected]Recommendation:
Support agreements are very important to maintain, especially for all Line of Business (LoB) applications. Often times when issues arise with LoB applications, the application vendor is the only entity with the knowledge and ability to investigate the cause of the issue and implement remediation steps. Not maintaining vendor support agreements can end up costing more money in the long run.
[/group]

33.0 Do you have a workstation idle time lockout policy?

[group idle-lock-yes-selected]

Recommendation:
As business data can be accessed from terminals on the network, it is important to never leave those terminals accessible to wandering eyes. Having your workstation’s screen set to auto-lock after a short period of time will help to protect any information on the PC and network. Having a locked screen helps to ensure that your data is secure even when you are away from your desk.
[/group]
[group idle-lock-no-selected]Recommendation:
As business data can be accessed from terminals on the network, it is important to never leave those terminals accessible to wandering eyes. Having your workstation’s screen set to auto-lock after a short period of time will help to protect any information on the PC and network. Having a locked screen helps to ensure that your data is secure even when you are away from your desk.
[/group]

34.0 Do you block the use of USB Mass Storage devices on your workstations/laptops?

[group usb-ports-yes-selected]Recommendation:
Attackers can use USB drives to infect PCs with malware when USBs are plugged in. You should determine whether to allow this risk by allowing USB storage devices to be used, or to mitigate this risk by blocking the use of USB storage devices. CNS recommends looking at your business processes and needs to see if the use of USB storage devices is necessary or not.
[/group]
[group usb-ports-no-selected]Recommendation:
Attackers can use USB drives to infect PCs with malware when USBs are plugged in. You should determine whether to allow this risk by allowing USB storage devices to be used, or to mitigate this risk by blocking the use of USB storage devices. CNS recommends looking at your business processes and needs to see if the use of USB storage devices is necessary or not.
[/group]

35.0 Are user credentials private and not being shared?

[group user-creds-yes-selected]
Recommendation:
User credentials (usernames/passwords) are the primary line of defense used against preventing unauthorized access to organization resources, applications, and data. By sharing account credentials, the organization is opened to additional risk as the organization cannot confirm who has performed an action. CNS recommends that all users have unique usernames and passwords for all systems. User accounts should never be shared between employees or to external parties as it increases the risk faced by the organization.
[/group]
[group user-creds-no-selected]

Recommendation:
User credentials (usernames/passwords) are the primary line of defense used against preventing unauthorized access to organization resources, applications, and data. By sharing account credentials, the organization is opened to additional risk as the organization cannot confirm who has performed an action. CNS recommends that all users have unique usernames and passwords for all systems. User accounts should never be shared between employees or to external parties as it increases the risk faced by the organization.
[/group]

36.0 Do you have an inventory of devices such as printers, scanners, and computers on your network?

[group device-inventory-yes-selected]Recommendation:
Maintaining an accurate inventory of workstations, printers, and other networking devices helps to keep network security high. By knowing what devices are on your network and where they are located it makes it easier to handle device retirement and replacement. Removing old/legacy devices should be done on a reoccurring basis.
[/group]
[group device-inventory-no-selected]Recommendation:
Maintaining an accurate inventory of workstations, printers, and other networking devices helps to keep network security high. By knowing what devices are on your network and where they are located it makes it easier to handle device retirement and replacement. Removing old/legacy devices should be done on a reoccurring basis.
[/group]

37.0 Do you provide surge protection to your PCs?

[group surge-protect-yes-selected]Recommendation:
Surge protectors should be connected to all network connected devices. Surge protectors can help to protect organization data by power surges. Devices that do not have a surge protector and lose power or potentially corrupt data. CNS recommends that all devices be connected to power with a surge protector.
[/group]
[group surge-protect-no-selected]Recommendation:
Surge protectors should be connected to all network connected devices. Surge protectors can help to protect organization data by power surges. Devices that do not have a surge protector and lose power or potentially corrupt data. CNS recommends that all devices be connected to power with a surge protector.
[/group]

38.0 Do all computers use a trusted anti-virus/anti-malware application?

[group trusted-anti-virus-yes-selected]

Recommendation:
Endpoint Anti-Virus/Anti-Malware is an excellent tool for helping to prevent intrusions into your network. These applications scan your local machines for malicious software, phishing attempts, ransomware, and other intrusion attempts. CNS recommends that all workstations and servers on the network have up to date AV/AM software and that you maintain an active vendor support agreement with the supplier of the AV/AM software.
[/group]
[group trusted-anti-virus-no-selected]Recommendation:
Endpoint Anti-Virus/Anti-Malware is an excellent tool for helping to prevent intrusions into your network. These applications scan your local machines for malicious software, phishing attempts, ransomware, and other intrusion attempts. CNS recommends that all workstations and servers on the network have up to date AV/AM software and that you maintain an active vendor support agreement with the supplier of the AV/AM software.
[/group]

39.0 Do you utilize a form of endpoint encryption for your computers?

[group endpoint-yes-selected]

Recommendation:
Endpoint encryption helps to protect the data on a device by making the contents of the hard drive unreadable. Should a device be lost or stolen, endpoint encryption will prevent the malicious entity from being able to read the data on the PC. CNS recommends that all organization workstations be encrypted with an up-to-date encryption software, such as Microsoft’s BitLocker Encryption.
[/group]
[group endpoint-no-selected]Recommendation:
Endpoint encryption helps to protect the data on a device by making the contents of the hard drive unreadable. Should a device be lost or stolen, endpoint encryption will prevent the malicious entity from being able to read the data on the PC. CNS recommends that all organization workstations be encrypted with an up-to-date encryption software, such as Microsoft’s BitLocker Encryption.
[/group]

40.0 If applicable, describe your virtualization status (VMWare, Microsoft Hyper-V, Physical, etc.)

[group virtual-yes-selected]

Recommendation:
Virtualization of servers can help to reduce costs incurred by the organization when equipment must be replaced. By using a small number of virtual server hosts, the organization reduces the likelihood of a piece of hardware failing resulting in data loss. Additionally, virtualization allows for scaling of “virtual” hardware for your severs.
[/group]
[group virtual-no-selected]Recommendation:
Virtualization of servers can help to reduce costs incurred by the organization when equipment must be replaced. By using a small number of virtual server hosts, the organization reduces the likelihood of a piece of hardware failing resulting in data loss. Additionally, virtualization allows for scaling of “virtual” hardware for your severs.
[/group]

41.0 Are your servers protected from power outages via a secondary power source such as a UPS?

[group power-outage-yes-selected]Recommendation:
Surge protectors should be connected to all network connected devices. Surge protectors can help to protect organization data by power surges. Devices that do not have a surge protector and lose power or potentially corrupt data. CNS recommends that all devices be connected to power with a surge protector.
[/group]
[group power-outage-no-selected]Recommendation:
Surge protectors should be connected to all network connected devices. Surge protectors can help to protect organization data by power surges. Devices that do not have a surge protector and lose power or potentially corrupt data. CNS recommends that all devices be connected to power with a surge protector.
[/group]

42.0 Do you have any Windows Workstations or Servers with unsupported operating systems?

[group unsupported-operating-system-yes-selected]Recommendation:
CNS recommends that all Windows workstations and server be updated to versions supported by Microsoft. Unsupported operating system versions do not receive Critical or Security updates. The absence of such updates can lead to vulnerabilities that are unable to be fixed.
[/group]
[group unsupported-operating-system-no-selected]Recommendation:
CNS recommends that all Windows workstations and server be updated to versions supported by Microsoft. Unsupported operating system versions do not receive Critical or Security updates. The absence of such updates can lead to vulnerabilities that are unable to be fixed.
[/group]

PHYSICAL

43.0 Is your physical office locked when vacant?

[group office-locked-yes-selected]Recommendation:
CNS recommends locking not only your office when it is vacant, but any other areas inside your office where sensitive information is stored. This includes the server room, offices, and file cabinets.
[/group]
[group office-locked-no-selected]Recommendation:
CNS recommends locking not only your office when it is vacant, but any other areas inside your office where sensitive information is stored. This includes the server room, offices, and file cabinets.
[/group]

44.0 Do you maintain a Sign-In log when visitors come to your office?

[group sign-in-log-yes-selected]Recommendation:
Maintaining a log of who comes and goes from the organizations premises is an important step in maintaining site security. The sing-in log can be used after an incident occurs to find out who was on site, and it can also be used to prevent access to individuals who do not have the correct level of access. CNS recommends having all employees and visitors sign in and sign out when they access the premises.
[/group]
[group sign-in-log-no-selected]Recommendation:
Maintaining a log of who comes and goes from the organizations premises is an important step in maintaining site security. The sing-in log can be used after an incident occurs to find out who was on site, and it can also be used to prevent access to individuals who do not have the correct level of access. CNS recommends having all employees and visitors sign in and sign out when they access the premises.
[/group]

45.0 Do you utilize a 3rd party data disposal vendor to securely dispose of your hard copy documents?

[group data-disposal-yes-selected]Recommendation:
Dumpster diving is a real threat when documents are not properly disposed of. Any documents that contain sensitive data (IP, PII, PHI, Credit Card data, etc.) need to be fully destroyed before disposal. Disposal can be done via an approved cross shredder or through a 3rd party disposal service. Often times disposal services will provide a certificate of destruction as well.
[/group]
[group data-disposal-no-selected]

Recommendation:
Dumpster diving is a real threat when documents are not properly disposed of. Any documents that contain sensitive data (IP, PII, PHI, Credit Card data, etc.) need to be fully destroyed before disposal. Disposal can be done via an approved cross shredder or through a 3rd party disposal service. Often times disposal services will provide a certificate of destruction as well.
[/group]

46.0 Do you have Cyber Security Insurance?

[group cyber-security-insurance-yes-selected]Recommendation:
CNS recommends that all companies carry Cyber Security Insurance.
For more information please download: WHY EVERY ORGANIZATION NEEDS CYBERBREACH INSURANCE
[/group]
[group cyber-security-insurance-no-selected]Recommendation:
CNS recommends that all companies carry Cyber Security Insurance.
For more information please download: WHY EVERY ORGANIZATION NEEDS CYBERBREACH INSURANCE
[/group]