Baseline Cyber Security Controls for Small and Medium Organizations

Enter the information below and click "Next" to start evaluating your security defences, find out your cyber security score and receive recommendations on actions you can take to keep your business safe.

This tool is provided as-is for organizations with fewer than 500 employees to perform a self-assessment against a baseline of recommended cyber security controls. Any use which you or a third party makes of the report, or any reliance or decision to be made based on it, are the responsibility of you, your organization and such third parties. Akouto accepts no responsibility for damages, if any, suffered by you, your organization or any third party as a result of decisions made or actions based on this report.

If you need help with any of the questions, visit https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations

Have you reviewed all of the systems you use and the information that is collected, retained and used by these systems?
  Yes / No

Have you assessed the potential injury to the confidentiality, integrity, and availability of your information systems and assets?
  Yes / No

Have you completed a threat assessment and identified your primary cyber threats?
  Yes / No

Has someone in a leadership role been identified and assigned to be specifically responsible for IT security?
  Yes / No

Have you identified your financial spending levels for IT and IT security investment as raw numbers and as a percent of total expenditures?
  Yes / No

Do you know your internal staffing levels for IT and IT security as raw numbers and as a percent of total staff?
  Yes / No

Has senior management committed to progressive improvements to cyber security?
  Yes / No

Does your organization have a basic plan for how to respond to incidents of varying severity?
  Yes, we have a formal response plan / We have an informal response plan / We do not have an incident response plan

Does your organization have a plan for what it will do in the event of an incident that it is unable to handle on its own?
  Yes / No

Does your organization have a written incident response plan that details who is responsible for handling incidents, including any relevant contact information for communicating to external parties, stakeholders, and regulators?
  Yes / No

Does your organization have an up-to-date hard copy version of this plan available for situations where soft copies are not available?
  Yes / No

Does your organization have a cyber security insurance policy that includes coverage for incident response and recovery activities? If not, has the decision maker provided a rationale for not purchasing one?
  Yes / No

Has your organization enabled automatic patching for all software and hardware OR established full vulnerability and patch management solutions?
  Yes / No

Has your organization conducted risk assessment activities as to whether to replace any software and hardware that are not capable of automatic updates?
  Yes / No

Does your organization have a business process to ensure regular manual updates on devices or systems that are not capable of automatic updates?
  Yes, we have a business process in place for these systems / No, we do not have a business process in place for these systems / We do not have any systems that are not capable of automatic updates

Has your organization enabled anti-malware solutions that update and scan automatically on all devices?
  Yes, this has been enabled on all devices / This has been enabled but not on all devices / No

Has your organization activated the software firewalls included on the devices that are within organizational networks OR documented the alternative measures in place instead of these firewalls?
  Yes / No

Has your organization implemented secure configurations for all devices, changing all default passwords, turning off unnecessary features, and enabling all relevant security features?
  Yes / No

Has your organization implemented two-factor authentication wherever possible, and documented all instances where the business decision was made not to do so?
  Yes / No

Does your organization only enforce password changes on suspicion or evidence of compromise?
  Yes / No

Does your organization have clear policies on password length and reuse?
  Yes / No

Does your organization have a policy on the use of password managers?
  Yes / No

Does your organization have a policy for if, when, and how users can physically write down and securely store a password?
  Yes / No

Has your organization invested in cyber security awareness and training for employees?
  Yes / No

Does your organization back up systems that contain essential business information, and ensure that recovery mechanisms effectively and efficiently restore these systems from back-ups?
  Yes / No

Does your organization store back-ups offline at a secure offsite location OR provide the rationale for not doing so?
  Yes, we store back-ups offline at a secure offsite location / No, we do not, but we have documented the rationale / No, we do not, and the rationale is not clearly understood

Does your organization securely store back-ups in an encrypted state, and restrict access to them to those who must access them for the testing or use of restoration activities?
  Yes / No

Has your organization decided on an ownership model for mobile devices and documented the rationale and associated risks?
  Yes / No

Does your organization enforce separation between work and personal data on mobile devices with access to corporate IT resources, and document the details of this separation?
  Yes / No

Does your organization ensure that employees only download mobile device apps from the organization's list of trusted sources?
  Yes / No

Does your organization require that all mobile devices store all sensitive information in a secure, encrypted state?
  Yes / No

Has your organization considered implementing an enterprise mobility management solution for all mobile devices OR documented the risks assumed to the audit, management, and security functionality of mobile devices by not implementing such a solution?
  Yes / No

Does your organization enforce or educate users to (1) disable automatic connections to open networks, (2) avoid connecting to unknown Wi-Fi networks, (3) limit the use of Bluetooth and NFC for the exchange of sensitive information, and (4) use corporate Wi-Fi or cellular data network connectivity rather than public Wi-Fi?
  Yes / No

Does your organization use a VPN if users require connectivity to public Wi-Fi networks OR provide the rationale for not using a VPN?
  Yes, we use a VPN / No VPN, but we have documented the rationale / No VPN, and the rationale is not clear

Does your organization have dedicated firewalls at the boundaries between its corporate network and the Internet?
  Yes / No

Does your organization isolate Internet-facing servers from the rest of the corporate network?
  Yes / No

Does your organization implement a DNS firewall for outbound DNS requests to the Internet?
  Yes / No

Does your organization require secure connectivity to all corporate IT resources, and require VPN connectivity with two-factor authentication for all remote access into corporate networks?
  Yes / No

Does your organization only use secure Wi-Fi, preferably WPA2-Enterprise?
  Yes / No

Does your organization connect public Wi-Fi networks to the corporate network?
  Yes / No

Does your organization isolate point-of-sale systems from the Internet and other areas of the corporate network with a firewall?
  Yes, point-of-sale systems are isolated / We do not use point-of-sale systems / No

Has your organization implemented DMARC on all of the organization's email services?
  Yes / No

Has your organization implemented email filtering at points of ingress and egress?
  Yes / No

Does your organization require that all cloud service providers share an AICPA SSAE 18 SOC 3 report that states that they achieved Trust Service Principles compliance?
  Yes / No

Has your organization evaluated the comfort level with how outsourced IT providers handle and access sensitive information?
  The comfort level has been assessed / Outsourced IT providers do not have access to sensitive information / No

Has your organization evaluated the comfort level with the legal jurisdictions where outsourced providers store or use sensitive information?
  Yes, the comfort level has been evaluated / Outsourced providers do not store or use any sensitive information / No

Has your organization taken steps to ensure that the IT infrastructure and users communicate securely with all cloud services and applications?
  Yes / No

Does your organization ensure that administrative accounts for cloud services use two-factor authentication and differ from internal administrator accounts?
  Yes / No

Does your organization ensure that your websites address the OWASP Top 10 vulnerabilities?
  Yes / No

Does your organization understand the ASVS level that must be met for each website?
  Yes / No / I don't know

Does your organization provision accounts with the minimum functionality necessary for tasks and, in particular, restrict administrator privileges to an as-required basis?
  Yes / No

Does your organization only permit administrator accounts to perform administrative activities (and not user-level activities such as accessing email or browsing the web)?
  Yes / No

Does your organization have a business process to ensure that accounts and/or functionality are removed when employees no longer require these for their tasks?
  Yes / No

Does your organization have a centralized authorization control system OR has it provided a rationale for not implementing a centralized authorization control system?
  Yes, we have a centralized authorization control system / We do not have a centralized authorization control system, but the rationale is understood / No

Does your organization mandate the sole use of organization-owned secure portable media, have strong asset controls for these devices, and require the use of encryption on all of these devices?
  Yes / No

Does your organization have processes for the sanitization or destruction of portable media prior to disposal?
  Yes / No