Baseline Cyber Security Controls for Small and Medium Organizations

What's your cyber score?


Enter the information below and click "Next" to start evaluating your security defences, find out your cyber security score and receive recommendations on actions you can take to keep your business safe.

This tool is provided as-is for organizations with fewer than 500 employees to perform a self assessment against a baseline of recommended cybersecurity controls. Any use which you or a third party makes of the report, or any reliance or decision to be made based on it, are the responsibility of you, your organization and such third parties. Akouto accepts no responsibility for damages, if any, suffered by you, your organization or any third party as a result of decisions made or actions based on this report.

If you need help with any of the questions, visit https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations
Have you reviewed all of the systems you use and the information that is collected, retained and used by these systems?
Have you assessed the potential injury to the confidentiality, integrity, and availability of your information systems and assets?
Have you completed a threat assessment and identified your primary cyber threats?
Has someone in a leadership role been identified and assigned to be specifically responsible for IT security?
Have you identified your financial spending levels for IT and IT security investment as raw numbers and as a percent of total expenditures?
Do you know your internal staffing levels for IT and IT security as raw numbers and as a percent of total staff?
Has senior management committed to progressive improvements to cyber security?
Does your organization have a basic plan for how to respond to incidents of varying severity?
Does your organization have a plan for what it will do in the event of an incident that it is unable to handle on its own?
Does your organization have a written incident response plan that details who is responsible for handling incidents, including any relevant contact information for communicating to external parties, stakeholders, and regulators?
Does your organization have an up-to-date hard copy version of this plan available for situations where soft copies are not available?
Does your organization have a cyber security insurance policy that includes coverage for incident response and recovery activities? If not, has the decision maker provided a rationale for not purchasing one?
Has your organization enabled automatic patching for all software and hardware OR established full vulnerability and patch management solutions?
Has your organization conducted risk assessment activities on whether to replace any software and hardware that are not capable of automatic updates?
Does your organization have a business process to ensure regular manual updates on devices or systems that are not capable of automatic updates?
Has your organization enabled anti-malware solutions that update and scan automatically on all devices?
Has your organization activated the software firewalls included on devices within organizational networks OR documented the alternative measures in place instead of these firewalls?
Has your organization implemented secure configurations for all devices, changing all default passwords, turning off unnecessary features, and enabling all relevant security features?
Has your organization implemented two-factor authentication wherever possible, and documented all instances where the business decision was made not to do so?


Does your organization only enforce password changes on suspicion or evidence of compromise?


Does your organization have clear policies on password length and reuse?
Does your organization have a policy on the use of password managers?
Does your organization have a policy for if, when, and how users can physically write down and securely store a password?
Has your organization invested in cyber security awareness and training for employees?
Does your organization back up systems that contain essential business information, and ensure that recovery mechanisms effectively and efficiently restore these systems from back-ups?
Does your organization store back-ups offline at a secure offsite location OR provide the rationale for not doing so?
Does your organization securely store back-ups in an encrypted state, and restrict access to them to those who need it for testing or performing restoration activities?


Has your organization decided on an ownership model for mobile devices and documented the rationale and associated risks?
Does your organization enforce separation between work and personal data on mobile devices with access to corporate IT resources, and document the details of this separation?
Does your organization ensure that employees only download mobile device apps from the organization’s list of trusted sources?
Does your organization require that all mobile devices store all sensitive information in a secure, encrypted state?
Has your organization considered implementing an enterprise mobility management solution for all mobile devices OR documented the risks assumed to the audit, management, and security functionality of mobile devices by not implementing such a solution?
Does your organization enforce or educate users to (1) disable automatic connections to open networks, (2) avoid connecting to unknown Wi-Fi networks, (3) limit the use of Bluetooth and NFC for the exchange of sensitive information, and (4) use corporate Wi-Fi or cellular data network connectivity rather than public Wi-Fi?
Does your organization use a VPN if users require connectivity to public Wi-Fi networks OR provide the rationale for not using a VPN?
Does your organization have dedicated firewalls at the boundaries between its corporate network and the Internet?
Does your organization isolate Internet-facing servers from the rest of the corporate network?
Does your organization implement a DNS firewall for outbound DNS requests to the Internet?
Does your organization require secure connectivity to all corporate IT resources, and require VPN connectivity with two-factor authentication for all remote access into corporate networks?
Does your organization only use secure Wi-Fi, preferably WPA2-Enterprise?
Does your organization connect public Wi-Fi networks to the corporate network?
Does your organization isolate point-of-sale systems from the Internet and other areas of the corporate network with a firewall?


Has your organization implemented DMARC on all of the organization's email services?
Has your organization implemented email filtering at points of ingress and egress?
Does your organization require that all cloud service providers share an AICPA SSAE 18 SOC 3 report that states that they achieved Trust Service Principles compliance?
Has your organization evaluated the comfort level with how outsourced IT providers handle and access sensitive information?
Has your organization evaluated the comfort level with the legal jurisdictions where outsourced providers store or use sensitive information?
Has your organization taken steps to ensure that the IT infrastructure and users communicate securely with all cloud services and applications?
Does your organization ensure that administrative accounts for cloud services use two-factor authentication and differ from internal administrator accounts?
Does your organization ensure that your websites address the OWASP top 10 vulnerabilities?


Does your organization understand the ASVS level that must be met for each website?
Does your organization provision accounts with the minimum functionality necessary for tasks and, in particular, restrict administrator privileges to an as-required basis?
Does your organization only permit administrator accounts to perform administrative activities (and not user-level activities such as accessing email or browsing the web)?
Does your organization have a business process to ensure that accounts and/or functionality is removed when employees no longer require these for their tasks?
Does your organization have a centralized authorization control system OR provided a rationale for not implementing a centralized authorization control system?
Does your organization mandate the sole use of organization-owned secure portable media, have strong asset controls for these devices, and require the use of encryption on all of these devices?
Does your organization have processes for the sanitization or destruction of portable media prior to disposal?