Baseline Cyber Security Controls for Small and Medium Organizations What's your cyber score? Your score: ___ Enter the information below and click "Next" to start evaluating your security defences, find out your cyber security score and receive recommendations on actions you can take to keep your business safe. Name Email This tool is provided as-is for organizations with fewer than 500 employees to perform a self assessment against a baseline of recommended cybersecurity controls. Any use which you or a third party makes of the report, or any reliance or decision to be made based on it, are the responsibility of you, your organization and such third parties. Akouto accepts no responsibility for damages, if any, suffered by you, your organization or any third party as a result of decisions made or actions based on this report.If you need help with any of the questions, visit https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizations I accept the terms of use Have you reviewed all of the systems you use and the information that is collected, retained and used by these systems? Yes No Have you assessed the potential injury to the confidentiality, integrity, and availability to their information systems and assets? Yes No Have you completed a threat assessment and identified your primary cyber threats? Yes No Has someone in a leadership role been identified and assigned to be specifically responsible for IT security? Yes No Have you identified your financial spending levels for IT and IT security investment as raw numbers and as a percent of total expenditures? Yes No Do you know your internal staffing levels for IT and IT security as raw numbers and as a percent of total staff? Yes No Has senior management committed to progressive improvements to cyber security? Yes No Does your organization have a basic plan for how to respond to incidents of varying severity? Yes, we have a formal response plan We have an informal response plan We do not have an incident response plan Does your organization have a plan for what it will do in the event of an incident that it is unable to handle on its own? Yes No Does your organization have a written incident response plan that details who is responsible for handling incidents, including any relevant contact information for communicating to external parties, stakeholders, and regulators? Yes No Does your organization have an up-to-date hard copy version of this plan available for situations where soft copies are not available? Yes No Does your organization have a cyber security insurance policy that includes coverage for incident response and recovery activities? If not, has the decision maker provided a rationale for not purchasing one? Yes No Has your organization enabled automatic patching for all software and hardware OR established full vulnerability and patch management solutions? Yes No Has your organizations conducted risk assessment activities as to whether to replace any software and hardware that are not capable of automatic updates? Yes No Does your organization have a business process to ensure regular manual updates on devices or systems that are not capable of automatic updates? Yes we have a business process in place for these systems No we do not have a business process in place for these systems We do not have any systems that are not capable of automatic updates Has your organization enabled anti-malware solutions that update and scan automatically on all devices? Yes, this has been enabled on all devices This has been enabled but not on all devices No Has your oganization activated software firewalls included on the devices that are within organizational networks OR documented the alternative measures in place instead of these firewalls? Yes No Has your organization implemented secure configurations for all devices, changing all default passwords, turning off unnecessary features, and enabling all relevant security features? Yes No Has your organization implemented two-factor authentication wherever possible, and document all instances where the business decision was made not to do so? Yes No HintOrganizations should require two-factor authentication for important accounts such as financial accounts, system administrators, cloud administration, privileged users, and senior executives. Does your organization only enforce password changes on suspicion or evidence of compromise? Yes No HintWe recommend only changing passwords when there is suspicion or evidence of a security issue such as the accidental disclosure of a password or evidence that someone compromised an account. Does your organization have clear policies on password length and reuse? Yes No Does your organization have a policy on the use of password managers? Yes No Does your organization have a policy for if, when, and how users can physically write down and securely store a password? Yes No Has your organization invested in cyber security awareness and training for employees? Yes No Does your organization back up systems that contain essential business information, and ensure that recovery mechanisms effectively and efficiently restore these systems from back-ups? Yes No Does your organization store back-ups offline at a secure offsite location OR provide the rationale for not doing so? Yes we store back-ups offline at a secure offsite location No we do not but we have documented the rationale No we do not and the rationale is not clearly understoor Does your organization securely store back-ups in an encrypted state, and restrict access to them to those who must access them for the testing or use of restoration activities? Yes No HintLong term backups (e.g. weekly backups) must be stored offline, but frequent backups (e.g. daily backups) may be stored online. Has your organization decided on an ownership model for mobile devices and documented the rationale and associated risks? Yes No Does your oganization enforce separation between work and personal data on mobile devices with access to corporate IT resources, and documented the details of this separation? Yes No Does your organization ensure that employees only download mobile device apps from the organization’s list of trusted sources? Yes No Does your organization require that all mobile devices store all sensitive information in a secure, encrypted state? Yes No Has your organization considered implementing an enterprise mobility management solution for all mobile devices OR documented the risks assumed to the audit, management, and security functionality of mobile devices by not implementing such a solution? Yes No Does your organization enforce or educate users to (1) disable automatic connections to open networks, (2) avoid connecting to unknown Wi-Fi networks, (3) limit the use of Bluetooth and NFC for the exchange of sensitive information, and (4) use corporate Wi-Fi or cellular data network connectivity rather than public Wi-Fi? Yes No Does your organization use a VPN if users require connectivity to public Wi-Fi networks OR provide the rationale for not using a VPN? Yes we use a VPN No VPN but we have documented the rationale No VPN and the rationale is not clear Does your organization have dedicated firewalls at the boundaries between its corporate network and the Internet? Yes No Does your organization isolate Internet-facing servers from the rest of the corporate network? Yes No Does your organizations implement a DNS firewall for outbound DNS requests to the Internet? Yes No Does your organization require secure connectivity to all corporate IT resources, and require VPN connectivity with two-factor authentication for all remote access into corporate networks? Yes No Does your organization only use secure Wi-Fi, preferably WPA2-Enterprise? Yes No Does your oganization connect public Wi-Fi networks to the corporate network? Yes No Does your organization isolate point-of-sale systems from the Internet and other areas of the corporate network with a firewall? Yes, point of sale systems are isolated We do not use point of sale systems No HintOrganizations should consider following the Payment Card Industry Data Security Standard (PCI DSS). Has your oganizations implementated DMARC on all of the organization’s email services? Yes No Has your organization implemented email filtering at points of ingress and egress? Yes No Does your organization require that all cloud service providers share an AICPA SSAE 18 SOC 3 report that states that they achieved Trust Service Principles compliance? Yes No Has your organization evaluated the comfort level with how outsourced IT providers handle and access sensitive information? The comfort level has been assessed Outsourced IT providers do not have access to sensitive information No Has your organization evaluated the comfort level with the legal jurisdictions where outsourced providers store or use sensitive information? Yes, the comfort level has been evaluated Outsourced providers do not store or use any sensitive information No Has your organization taken steps to ensure that the IT infrastructure and users communicate securely with all cloud services and applications? Yes No Does your organization ensure that administrative accounts for cloud services use two-factor authentication and differ from internal administrator accounts? Yes No Does your organization ensure that your websites address the OWASP top 10 vulnerabilities? Yes No HintSee https://owasp.org/www-project-top-ten/ Does your organization understand the ASVS level that must be met for each website? Yes No I don't know Does your organization provision accounts with the minimum functionality necessary for tasks and in particular should restrict administrator privileges to an as-required basis? Yes No Does your organization only permit administrator accounts to perform administrative activities (and not user-level activities such as accessing email or browsing the web)? Yes No Does your organization have a business process to ensure that accounts and/or functionality is removed when employees no longer require these for their tasks? Yes No Does your organization have a centralized authorization control system OR provided a rationale for not implementing a centralized authorization control system? Yes, we have a centralized authorization control system We do not have a centralized authorization control system but the rationale is understood No Does your oganization mandate the sole use of organization-owned secure portable media, have strong asset controls for these devices, and require the use of encryption on all of these devices? Yes No Does your organization have processes for the sanitization or destruction of portable media prior to disposal? Yes No Time is Up! Time's up Posted in .
