Baseline Cyber Security Controls for Small and Medium Organizations What's your cyber score? Your score: ___ Enter the information below and click "Next" to start evaluating your security defences, find out your cyber security score and receive recommendations on actions you can take to keep your business safe. Name Email This tool is provided as-is for organizations with fewer than 500 employees to perform a self assessment against a baseline of recommended cybersecurity controls. Any use which you or a third party makes of the report, or any reliance or decision to be made based on it, are the responsibility of you, your organization and such third parties. Akouto accepts no responsibility for damages, if any, suffered by you, your organization or any third party as a result of decisions made or actions based on this report.If you need help with any of the questions, visit https://cyber.gc.ca/en/guidance/baseline-cyber-security-controls-small-and-medium-organizationsI accept the terms of useHave you reviewed all of the systems you use and the information that is collected, retained and used by these systems? Yes NoHave you assessed the potential injury to the confidentiality, integrity, and availability to their information systems and assets? Yes NoHave you completed a threat assessment and identified your primary cyber threats? Yes NoHas someone in a leadership role been identified and assigned to be specifically responsible for IT security? Yes NoHave you identified your financial spending levels for IT and IT security investment as raw numbers and as a percent of total expenditures? Yes NoDo you know your internal staffing levels for IT and IT security as raw numbers and as a percent of total staff? Yes NoHas senior management committed to progressive improvements to cyber security? Yes NoDoes your organization have a basic plan for how to respond to incidents of varying severity? Yes, we have a formal response plan We have an informal response plan We do not have an incident response planDoes your organization have a plan for what it will do in the event of an incident that it is unable to handle on its own? Yes NoDoes your organization have a written incident response plan that details who is responsible for handling incidents, including any relevant contact information for communicating to external parties, stakeholders, and regulators? Yes NoDoes your organization have an up-to-date hard copy version of this plan available for situations where soft copies are not available? Yes NoDoes your organization have a cyber security insurance policy that includes coverage for incident response and recovery activities? If not, has the decision maker provided a rationale for not purchasing one? Yes NoHas your organization enabled automatic patching for all software and hardware OR established full vulnerability and patch management solutions? Yes NoHas your organizations conducted risk assessment activities as to whether to replace any software and hardware that are not capable of automatic updates? Yes NoDoes your organization have a business process to ensure regular manual updates on devices or systems that are not capable of automatic updates? Yes we have a business process in place for these systems No we do not have a business process in place for these systems We do not have any systems that are not capable of automatic updatesHas your organization enabled anti-malware solutions that update and scan automatically on all devices? Yes, this has been enabled on all devices This has been enabled but not on all devices NoHas your oganization activated software firewalls included on the devices that are within organizational networks OR documented the alternative measures in place instead of these firewalls? Yes NoHas your organization implemented secure configurations for all devices, changing all default passwords, turning off unnecessary features, and enabling all relevant security features? Yes NoHas your organization implemented two-factor authentication wherever possible, and document all instances where the business decision was made not to do so? Yes NoHintDoes your organization only enforce password changes on suspicion or evidence of compromise? Yes NoHintDoes your organization have clear policies on password length and reuse? Yes NoDoes your organization have a policy on the use of password managers? Yes NoDoes your organization have a policy for if, when, and how users can physically write down and securely store a password? Yes NoHas your organization invested in cyber security awareness and training for employees? Yes NoDoes your organization back up systems that contain essential business information, and ensure that recovery mechanisms effectively and efficiently restore these systems from back-ups? Yes NoDoes your organization store back-ups offline at a secure offsite location OR provide the rationale for not doing so? Yes we store back-ups offline at a secure offsite location No we do not but we have documented the rationale No we do not and the rationale is not clearly understoorDoes your organization securely store back-ups in an encrypted state, and restrict access to them to those who must access them for the testing or use of restoration activities? Yes NoHintHas your organization decided on an ownership model for mobile devices and documented the rationale and associated risks? Yes NoDoes your oganization enforce separation between work and personal data on mobile devices with access to corporate IT resources, and documented the details of this separation? Yes NoDoes your organization ensure that employees only download mobile device apps from the organization’s list of trusted sources? Yes NoDoes your organization require that all mobile devices store all sensitive information in a secure, encrypted state? Yes NoHas your organization considered implementing an enterprise mobility management solution for all mobile devices OR documented the risks assumed to the audit, management, and security functionality of mobile devices by not implementing such a solution? Yes NoDoes your organization enforce or educate users to (1) disable automatic connections to open networks, (2) avoid connecting to unknown Wi-Fi networks, (3) limit the use of Bluetooth and NFC for the exchange of sensitive information, and (4) use corporate Wi-Fi or cellular data network connectivity rather than public Wi-Fi? Yes NoDoes your organization use a VPN if users require connectivity to public Wi-Fi networks OR provide the rationale for not using a VPN? Yes we use a VPN No VPN but we have documented the rationale No VPN and the rationale is not clearDoes your organization have dedicated firewalls at the boundaries between its corporate network and the Internet? Yes NoDoes your organization isolate Internet-facing servers from the rest of the corporate network? Yes NoDoes your organizations implement a DNS firewall for outbound DNS requests to the Internet? Yes NoDoes your organization require secure connectivity to all corporate IT resources, and require VPN connectivity with two-factor authentication for all remote access into corporate networks? Yes NoDoes your organization only use secure Wi-Fi, preferably WPA2-Enterprise? Yes NoDoes your oganization connect public Wi-Fi networks to the corporate network? Yes NoDoes your organization isolate point-of-sale systems from the Internet and other areas of the corporate network with a firewall? Yes, point of sale systems are isolated We do not use point of sale systems NoHintHas your oganizations implementated DMARC on all of the organization’s email services? Yes NoHas your organization implemented email filtering at points of ingress and egress? Yes NoDoes your organization require that all cloud service providers share an AICPA SSAE 18 SOC 3 report that states that they achieved Trust Service Principles compliance? Yes NoHas your organization evaluated the comfort level with how outsourced IT providers handle and access sensitive information? The comfort level has been assessed Outsourced IT providers do not have access to sensitive information NoHas your organization evaluated the comfort level with the legal jurisdictions where outsourced providers store or use sensitive information? Yes, the comfort level has been evaluated Outsourced providers do not store or use any sensitive information NoHas your organization taken steps to ensure that the IT infrastructure and users communicate securely with all cloud services and applications? Yes NoDoes your organization ensure that administrative accounts for cloud services use two-factor authentication and differ from internal administrator accounts? Yes NoDoes your organization ensure that your websites address the OWASP top 10 vulnerabilities? Yes NoHintDoes your organization understand the ASVS level that must be met for each website? Yes No I don't knowDoes your organization provision accounts with the minimum functionality necessary for tasks and in particular should restrict administrator privileges to an as-required basis? Yes NoDoes your organization only permit administrator accounts to perform administrative activities (and not user-level activities such as accessing email or browsing the web)? Yes NoDoes your organization have a business process to ensure that accounts and/or functionality is removed when employees no longer require these for their tasks? Yes NoDoes your organization have a centralized authorization control system OR provided a rationale for not implementing a centralized authorization control system? Yes, we have a centralized authorization control system We do not have a centralized authorization control system but the rationale is understood NoDoes your oganization mandate the sole use of organization-owned secure portable media, have strong asset controls for these devices, and require the use of encryption on all of these devices? Yes NoDoes your organization have processes for the sanitization or destruction of portable media prior to disposal? Yes NoTime is Up! Posted in .
