Given the huge surge in cyber-attacks, CIOs and CISOs are now fully realizing the importance of having not only an Incident Response (IR) Plan but also a Business Continuity (BC) Plan. Many organizations did not have these fully in place, or if they did, the plans were not practiced to the point where everybody knew how to respond to a worldwide disaster such as the one posed by COVID-19. But as businesses have started to reopen their doors, you can almost bet that CIOs and CISOs will now make both of these topics among their highest priorities, especially in case another disaster strikes.
What Incident Response & Business Continuity Are
Many organizations are now starting to realize the importance of having the right plans in place, especially from the perspective of both Incident Response (IR) Planning and Business Continuity (BC) Planning. But very often these two terms are used interchangeably, and as a CIO or CISO you need to fully understand the difference between them, as this lays the foundation for creating solid IR and BC Plans that will help you mobilize a remote workforce quickly and effectively if needed in the future.
What An Incident Response Plan Is
Technically speaking, an Incident Response Plan can be defined as follows:
“Incident response (IR) is the systematic approach taken by an organization to prepare for, detect, contain, and recover from a suspected cybersecurity breach. An incident response plan helps ensure an orderly, effective response to cybersecurity incidents, which in turn can help protect an organization’s data, reputation, and revenue.”
(SOURCE: 1).
Or, put in simpler terms, Incident Response means reacting in a planned, organized way to any security event that is affecting your business. Most people think of this as a cyberattack, which is most often the case, but it can also involve natural disasters and even pandemics such as COVID-19. IR Planning means that you are acting on a specific threat vector at a specific point in time.
As it relates to the situation we have now, a good IR Plan will dictate how you should mobilize your resources quickly and efficiently so that your remote workforce can be deployed in a matter of hours rather than the days it used to take. Although this will be examined in much further detail in the next section, a good IR Plan will typically consist of the following broad components:
- How it supports the goals and objectives of your overall Security Policy;
- What your approach to Incident Response will be;
- The various activities that are needed in order to effectively mitigate the threat variant at hand;
- Who the members of the Incident Response team will be, and what their specific roles are in a crisis situation;
- The communication process that will take place;
- The metrics that will be included in order to gauge the true effectiveness of your IR Plan.
It should be noted that bullet point #5 (communication) is probably one of the most important. You may have a great IR Plan on paper, but if the lines of communication break down during a real security breach, the plan is worth nothing. Even before COVID-19 hit, CIOs and CISOs were ill prepared for this kind of planning. For example, a study conducted by the Ponemon Institute found the following:
- 77% of respondents said they do not have an Incident Response Plan in place;
- Only 32% had confidence that their IR Plan would actually work;
- 57% said the time it takes to respond to and mitigate a security breach is getting longer.
(SOURCE: 2).
Thus, as a CIO or CISO, you need to understand how Incident Response limits further damage, and the logic is simple: a timely response shortens the time a cyberattacker can dwell inside your IT and network infrastructure, and therefore limits the damage they can do. And a timely response will only come from a rock-solid IR Plan that has been rehearsed.
What A Business Continuity Plan Is
Once again, in technical terms, a Business Continuity Plan can be defined as follows:
“A business continuity plan (BCP) is a document that outlines how a business will continue operating during an unplanned disruption in service. It’s more comprehensive than a disaster recovery plan and contains contingencies for business processes, assets, human resources and business partners – every aspect of the business that might be affected.”
(SOURCE: 3).
In other words, after you have contained the threat with the IR Plan, the next step is determining how you will resume normal business operations as soon as possible. The primary difference between the Business Continuity (BC) Plan and the Incident Response Plan is that the BC Plan covers a much longer time frame, depending on the severity of the security breach that took place. As a CIO or CISO, it is also very important to keep in mind that the Business Continuity approach is a phased methodology.
For example, your first priority is to get mission-critical applications up and running, typically those that serve both your employees and your clients, in order of their recovery time objectives. From there, you move step by step toward resuming what you deem "normal business processes".
So in the case of COVID-19, the IR Plan will help you mobilize your remote workforce quickly, and the BC Plan will then help you keep your employees working from home (WFH) in a safe and productive manner for the long haul, if need be. As the CIO or CISO, you need to fully understand just how impactful any business downtime can be without the right BC Plan in place. Consider these statistics:
- An infrastructure failure can cost a typical business at least $100,000 per hour;
- A critical application failure can cost in the upwards range of $500,000 to $1,000,000 per hour.
In the next section, we detail the components that are needed in an Incident Response Plan, so that you can avoid the above-mentioned staggering costs.
The Components of the Incident Response Plan
The previous section gave an overview of some of the critical components that should be included in an Incident Response Plan. In this section, we do a deep dive into the details of these components. It should be noted that a typical Incident Response Plan is divided into four major phases:
- Preparation: This involves getting your company prepared for a potential security breach;
- Detection and Analysis: This is the phase in which security events are monitored, a potential incident is detected, and it is analyzed to confirm whether it is real and how serious it is;
- Response: This is how your Incident Response Team will contain and eradicate a security breach that is happening in real time;
- Recovery and Follow Up: These are the steps that you take after the security breach has been mitigated.
The Preparation Phase
This part of your Incident Response Plan is considered one of the most important, as it provides the cornerstone of how an actual threat will be detected and mitigated. Here is what should be included:
1. Conduct a Risk Assessment Analysis:
You will first need to inventory all of the assets in your company, both physical and virtual. Physical assets are the tangible items: servers, workstations, network equipment, wireless devices, and so on. Virtual (digital) assets include software applications, your Intellectual Property (IP), shared resources that reside on your servers, and the Personally Identifiable Information (PII) of your clients and employees that resides in your databases. Once you have the inventory, rank every asset from the one most at risk of a security breach down to the least susceptible, taking into account both how likely a compromise is and how much damage it would do. The highest-risk assets will need the most protection and the fastest response times if they are impacted, so use a numerical scoring scheme (for example, likelihood times impact on a 1 to 5 scale) so that assets can be ranked and compared consistently. Also, at this point, make sure that you have enough security resources on hand to protect your highest-risk assets.
2. The Roles and Responsibilities:
At this stage, you will want to identify the members of your company who will actually comprise the Incident Response Team. It is very important that you select at least one representative from each department your company has. This will include IT, Finance, Accounting, Human Resources, Legal, Customer Support, Public Relations, etc. Obviously, you will want to align each person's IR responsibilities with what they do in their own department. For example, it is quite conceivable that the largest number of representatives on your IR Team will be from the IT Department, so you will want to task them with security breach identification and mitigation. A Customer Support Representative will make sure that your customers are still being served during any downtime. A Public Relations Representative will keep the key external stakeholders apprised of what is currently happening. After you have crafted this part of your IR Plan, you need buy-in and approval from senior leadership, especially the C-Suite and even the Board of Directors, so that everybody is on the same page. It is also important that, once your IR Team is in place, a clear chain of command is established within it, including who has the authority to take systems offline.
3. Obtain all forms of Relevant Contact Information:
Once the Incident Response Team has been assembled in the last step, you need to obtain all of their contact information so that they can be immediately notified in case a security breach does indeed happen. This includes the following:
- Landline and Smartphone numbers;
- Work and Personal Email addresses;
- Residential Home addresses.
Once this information has been collected and compiled, it should be stored both online (such as on a virtual server) and offline, in order to ensure the highest levels of redundancy; an incident that takes down your email or directory must not also take down your ability to reach the team. Equally important is to make sure that this information is stored securely (encrypted and access-restricted, since it is itself personal data) and kept up to date, at least on a monthly basis.
4. Get other Third Parties involved:
Apart from selecting the internal members of your Incident Response Team, you will also need to work with external parties, primarily law enforcement and regulatory bodies at the federal, state and local levels. It is important to reach out to them in advance and identify a representative you can work with once a security breach has been mitigated. A crucial activity is investigating what happened and how it happened, and this is where a Forensics Team comes in. Identify somebody you can work with at this stage of creating your Incident Response Plan, so that you can mobilize them at a moment's notice. The primary reason is that you want to collect evidence while it is fresh: volatile evidence such as memory contents, active network connections, and logs that roll over degrades quickly after a breach. You may also need to identify a preferred hardware vendor, in case you need new workstations, laptops, and wireless devices on a few hours' notice.
5. Make sure you have a data backup and recovery strategy in place:
As the CIO or CISO of your company, you have to know that one of the primary targets of a cyberattacker is your databases. Although they may be fortified at all levels, the fact remains that they can be breached, and ransomware in particular goes after backups as well as the live data. Therefore, you need the best possible data backup and recovery policies at hand, and you need to know how they will be used in the event of a security breach. All information and data should be backed up at least daily, if not hourly, depending on how much data loss each system can tolerate (its recovery point objective). At a minimum, keep one set of backups on-site and one off-site, with at least one copy offline or otherwise immutable so that an attacker who gains control of your network cannot delete or encrypt it, and test restores regularly: a backup that has never been restored is an assumption, not a recovery plan. In this regard, it is highly recommended to make use of a solid Cloud Provider such as Microsoft Azure; with it, you can restore lost information/data in a matter of minutes rather than fumbling through traditional methods.
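The following is an added example of the kind of automated check that backs up the policy above; it is not code from the e-book or from KAMIND. It takes a constructed backup catalog (asset names, locations, completion times and whether a restore test passed are all assumed for illustration) and reports every asset whose newest verified backup is older than its recovery point objective, or that lacks both an on-site and an off-site copy. Unverified backups are deliberately ignored, because until a restore has been tested they cannot be relied on.

```python
"""Backup policy check (added example, not from the original e-book).

Flags assets whose most recent *verified* backup is older than their RPO,
and assets missing an on-site or off-site copy. Catalog layout, asset
names and RPO values are assumptions for illustration.
"""
from datetime import datetime, timedelta, timezone

# Constructed catalog: one entry per backup job run. Times are UTC.
# "verified" means a restore test of that copy succeeded.
CATALOG = [
    {"asset": "crm-db", "location": "onsite", "finished": "2020-06-01T01:00:00Z", "verified": True},
    {"asset": "crm-db", "location": "offsite", "finished": "2020-06-01T01:30:00Z", "verified": True},
    {"asset": "hr-fileshare", "location": "onsite", "finished": "2020-05-29T02:00:00Z", "verified": True},
    {"asset": "mail-archive", "location": "offsite", "finished": "2020-06-01T00:10:00Z", "verified": False},
]

# Required recovery point objective per asset (assumed values).
RPO = {
    "crm-db": timedelta(hours=1),
    "hr-fileshare": timedelta(days=1),
    "mail-archive": timedelta(days=1),
}

# Every asset must have a verified copy in each of these locations.
REQUIRED_LOCATIONS = {"onsite", "offsite"}


def _parse(ts):
    """Parse an ISO-8601 UTC timestamp into an aware datetime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_backups(catalog, rpo, now):
    """Return {asset: [problem, ...]} for every asset that violates policy.

    Only verified (restore-tested) backups count; an unverified copy is
    treated as if it did not exist.
    """
    latest = {}      # asset -> newest verified backup time
    locations = {}   # asset -> set of locations holding a verified copy
    for entry in catalog:
        if not entry["verified"]:
            continue
        t = _parse(entry["finished"])
        a = entry["asset"]
        latest[a] = max(latest.get(a, t), t)
        locations.setdefault(a, set()).add(entry["location"])

    problems = {}
    for asset, window in rpo.items():
        issues = []
        if asset not in latest:
            issues.append("no verified backup")
        elif now - latest[asset] > window:
            age = now - latest[asset]
            issues.append(f"latest verified backup is {age} old, RPO is {window}")
        missing = REQUIRED_LOCATIONS - locations.get(asset, set())
        if missing:
            issues.append("missing copy in: " + ", ".join(sorted(missing)))
        if issues:
            problems[asset] = issues
    return problems


if __name__ == "__main__":
    # Evaluate the constructed catalog as of an assumed "now".
    now = _parse("2020-06-01T02:00:00Z")
    for asset, issues in check_backups(CATALOG, RPO, now).items():
        print(asset)
        for issue in issues:
            print("  -", issue)
```

Run as-is, the check passes crm-db, flags hr-fileshare for both a stale backup and a missing off-site copy, and flags mail-archive as having no usable backup at all because its only copy never passed a restore test. Hooking a check like this to the backup catalog of whatever product you use, and alerting on a non-empty result, turns "we back up daily" from a belief into something continuously verified.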
6. Maintain a hotline:
One of the best ways to limit the damage from a security breach is to catch it early. True, your IT Security team will be armed with some of the latest tools to help them triage the threat warnings and alerts coming in, but tooling alone will not necessarily catch an Insider Attack. Your employees are your best eyes and ears for witnessing abnormal or malicious behavior inside your company. Therefore, you should maintain a 24 x 7 x 365 hotline so that employees can report suspicious behavior anonymously, and make sure they know it exists and that reports are acted on.
The Detection and Analysis Phase
This is the second major component of the Incident Response Plan. This phase, as it is appropriately termed, consists of the following:
- The monitoring of security related events;
- The detection of any threats, whether imminent or already active;
- The alerting to the IT Security team of any potential threats that are trying to infiltrate through the lines of defense of your business;
- The reporting of the start of any security breach to the Incident Response Team, as detailed in the last section.
It is important to keep in mind that this phase includes the careful scrutiny of all sorts of threat variants, whether they are known, unknown, or even suspicious to the smallest degree. The following components should be included in this second phase of Incident Response Plan:
1. Develop a detailed plan with regards to the security tools that you are planning to use in your business environment:
With your IT Security team, you need to establish an inventory of all of the security tools you are currently using and what you have planned for the future. In this regard, it is very important to get away from the traditional mindset that simply deploying a large number of security tools will keep your business safe. This is the proverbial "Safety in Numbers" idea, and as a CIO or CISO you need to get away from it. For example, if you deploy ten firewalls from different vendors, not only will your costs go up quickly, but you will also be getting log files from each and every one of them, in ten different formats. This can be overwhelming for your IT Security Team, who will have to filter through all of these reports to find any malicious or anomalous network behavior, and it will greatly increase the number of false positives being reported. This in turn creates the phenomenon known as "Alert Fatigue": your IT Security Team burns out on the oversaturation and loses focus on the real warnings. Therefore, just as you conducted the Risk Assessment, you also need to assess where your current security tools stand in terms of effectiveness and whether they are even being used to their full capability. With such a study, you can determine where to realign your security technologies so that they offer the best protection with the fewest gaps. Every appliance is also something that must be patched and managed, so consolidating reduces your attack surface as well. In other words, rather than ten firewalls, it is far better to deploy perhaps three of them in the most strategic locations so that you get the maximum results possible.
Also, when doing an inventory of your security technologies/tools, make sure that they are configured to your security requirements and not left at the vendor's default settings (default credentials, exposed management interfaces, and logging turned off are common findings). In this regard, you also need to secure your endpoints: the laptops, workstations, servers and mobile devices where your users and your data actually reside. This is an often overlooked area in cybersecurity and a place where the cyberattacker will often establish a foothold. Therefore, consider tools such as Endpoint Detection and Response (EDR), Next Generation Antivirus (NGAV), and User/Entity Behavior Analytics (UEBA/UBA). Finally, in order to centralize and triage all of the warnings and alerts that come in, make use of a Security Information and Event Management (SIEM) platform, ideally one with Artificial Intelligence (AI) or machine-learning assisted triage. With this, all alerts are collected in one place for quick review, duplicates reported by several tools are collapsed into a single alert, and the volume of false positives reaching the analyst is reduced (no tool eliminates them entirely, so tuning remains an ongoing task).
2. Consider the use of Compromise Assessment tools:
With this, you are keeping a 24 x 7 x 365 watch on both your IT and network infrastructures. The primary objective is to conduct more detailed assessments of whether any of them have already been compromised, so that you can quickly begin the remediation process, which is the next part of the Incident Response Plan.
The Response Phase
As its name implies, this part of the Incident Response Plan clearly spells out the steps the IR Team needs to take to combat whatever has hit your company (NIST SP 800-61 groups these steps as containment, eradication and recovery). Keep in mind that not everybody will be involved in the technical aspects; that part will mostly be left to your IT Security Team. The bottom line is that you first need to identify the threat and contain it as quickly and as thoroughly as possible, so that it does not spread to other areas of your company. After this, you want to eradicate it: remove the malware that triggered the breach, but also every persistence mechanism it left behind (scheduled tasks, services, rogue accounts, modified startup entries, web shells), since removing only the executable that was noticed rarely evicts the attacker. Here are the specific components of this part that need to be included in your Incident Response Plan:
1. Determine what sorts of information/data have been hijacked and/or compromised:
After you have identified, contained, and purged the threat(s) from your systems, you then need to ascertain as quickly as possible which datasets have been impacted. For example, if any of your mobile or wireless devices have been compromised, you can issue a "Remote Wipe" command so that any information/data residing on them is deleted. Once your datasets have been exfiltrated, however, there is really not much you can do to retrieve them; more than likely they will appear on the Dark Web for sale to the highest bidder. What you can do is quickly notify the individuals whose Personally Identifiable Information (PII) has been compromised and remind them to keep checking their credit card and other financial accounts for further misuse. This area also underscores the need to have a good backup in place and ready to deploy at a moment's notice. If you have used a Cloud-based infrastructure such as Microsoft Azure, restoring from backup can take a matter of minutes.
2. Keep detailed Log Output Files:
In this regard, your IT Security Team needs to keep a detailed, versioned history of the log files produced by all of the security technologies/tools your company uses. This includes not only the tools mentioned in the last subsection but also your network security technologies: firewalls, intrusion detection/prevention systems, routers, VPN gateways, etc. Make sure the clocks on all of these devices are synchronized (NTP) and that logs are forwarded to a central store the attacker cannot alter; without both, you cannot build a trustworthy timeline. By engaging in this process, your IT Security Team will have a much clearer understanding of when, and possibly from where (geolocation), this particular cyberattack originated. You should also be able to determine whether the attack started from outside or inside your company's environment; if the latter, the most likely culprit is an Inside Attacker or a compromised internal account. It is also very important to collect other key pieces of evidence such as memory dumps, network traffic captures, and disk images.
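The two questions this item raises, when did it start and did it start outside or inside, are answered by merging logs from different devices onto one clock. The following added example (not code from the e-book) does that for three constructed sources: a firewall and a Windows host that log in local time with an offset, and a VPN gateway that logs in UTC. Everything is converted to UTC, sorted, and each source address is tagged internal or external against the RFC 1918 ranges. Hostnames, addresses and line formats are assumed for the demonstration.

```python
"""Unified incident timeline from heterogeneous logs (added example, not from the e-book).

Normalizes timestamps to UTC, merges events from several systems, and tags
each source IP as internal (RFC 1918) or external. Log formats, addresses
and the user name are constructed.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed log lines as (source system, raw line).
LOGS = [
    ("fw",  "2020-06-01 06:02:11 -0400 ALLOW 198.51.100.23 -> 10.0.0.5:443"),
    ("vpn", "2020-06-01T09:58:40Z login user=jdoe from=198.51.100.23"),
    ("win", "2020-06-01 06:03:50 -0400 4624 logon user=jdoe src=10.0.0.5 target=10.0.0.9"),
    ("fw",  "2020-06-01 06:10:02 -0400 DENY 10.0.0.9 -> 10.0.0.12:445"),
]

# Explicit RFC 1918 ranges. ipaddress.is_private is deliberately not used:
# it also returns True for documentation ranges such as 198.51.100.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def origin(ip):
    """Classify an address as 'internal' (RFC 1918) or 'external'."""
    addr = ipaddress.ip_address(ip)
    return "internal" if any(addr in net for net in RFC1918) else "external"


def _local_with_offset(line):
    """Parse 'YYYY-MM-DD HH:MM:SS +HHMM rest' into (UTC datetime, rest)."""
    date, clock, offset, rest = line.split(" ", 3)
    ts = datetime.strptime(f"{date} {clock} {offset}", "%Y-%m-%d %H:%M:%S %z")
    return ts.astimezone(timezone.utc), rest


def parse(system, line):
    """Return (utc_time, source_ip, description) for one log line."""
    if system == "vpn":
        ts_s, rest = line.split(" ", 1)
        ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        src = rest.split("from=")[1].split()[0]
        return ts, src, rest
    ts, rest = _local_with_offset(line)
    if system == "fw":
        src = rest.split()[1]                     # "ALLOW <src> -> <dst>"
    else:                                         # windows event, "src=<ip>"
        src = rest.split("src=")[1].split()[0]
    return ts, src, rest


def timeline(logs):
    """Merge all events into one list ordered by UTC time."""
    events = []
    for system, line in logs:
        ts, src, desc = parse(system, line)
        events.append({"ts": ts, "system": system, "src": src,
                       "origin": origin(src), "desc": desc})
    return sorted(events, key=lambda e: e["ts"])


def first_external(events):
    """Earliest event whose source is outside the RFC 1918 space, or None."""
    for e in events:
        if e["origin"] == "external":
            return e
    return None


if __name__ == "__main__":
    events = timeline(LOGS)
    for e in events:
        print(f'{e["ts"].isoformat()} [{e["system"]:3}] {e["origin"]:8} {e["src"]:15} {e["desc"]}')
    start = first_external(events)
    print("first external activity:", start["ts"].isoformat(), "from", start["src"])
```

Read in their native formats, the firewall line ("06:02") looks like the earliest event; once normalized, the VPN login at 09:58 UTC is four minutes earlier and is the actual start of the intrusion, with the internal logon from 10.0.0.5 to 10.0.0.9 following it. That is exactly the kind of ordering mistake an unsynchronized or untranslated timeline produces.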
3. Keep all pieces of Evidence safe and in a locked area:
Once you have fully responded to the security breach, the next step is to gather all of the evidence you can so that the Forensics Team you have engaged can conduct an exhaustive analysis and investigation of what exactly happened. It is also important to preserve this evidence from the legal perspective. For example, if the cyberattacker is apprehended and faces legal proceedings, this evidence will most likely be used in a court of law. In this regard, the integrity of all of the evidence that has been collected must be provably intact (hash every item at collection time and work only on copies), coupled with a detailed Chain of Custody document recording who handled each item, when, and why.
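As an added example of the "provably intact" part (not code from the e-book or from any forensics product), the block below hashes each evidence file with SHA-256 at collection time, records the hashes in a manifest alongside a custody log, and re-verifies the files later so that any modification shows up as a mismatch. The demo writes two small stand-in files (a zero-filled "memory image" and a pcap header) into a temporary directory, seals them, hands them off to a second party, and then simulates tampering with one of them. File names, handler names and contents are constructed.

```python
"""Evidence hashing and chain-of-custody manifest (added example, not from the e-book).

Hash each evidence file at collection, keep the hashes and a custody log
in a manifest, and re-verify later. Paths, handlers and file contents in
demo() are constructed stand-ins.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def hash_file(path, chunk=1 << 20):
    """SHA-256 of a file, streamed so disk images do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _now():
    return datetime.now(timezone.utc).isoformat()


def create_manifest(paths, collector, when=None):
    """Record hash and size of every item plus the first custody entry."""
    items = [{"path": p, "sha256": hash_file(p), "size": os.path.getsize(p)} for p in paths]
    return {"items": items,
            "custody": [{"when": when or _now(), "who": collector, "action": "collected"}]}


def add_custody_event(manifest, who, action, when=None):
    """Append a hand-off or analysis step to the custody log."""
    manifest["custody"].append({"when": when or _now(), "who": who, "action": action})


def verify_manifest(manifest):
    """Return {path: True if the file still matches its recorded hash, else False}."""
    return {i["path"]: os.path.exists(i["path"]) and hash_file(i["path"]) == i["sha256"]
            for i in manifest["items"]}


def manifest_json(manifest):
    """Serialized form to store (and itself hash or sign) alongside the evidence."""
    return json.dumps(manifest, indent=2, sort_keys=True)


def demo():
    """Collect two constructed evidence files, hand off, then tamper with one."""
    d = tempfile.mkdtemp()
    mem = os.path.join(d, "memdump.raw")
    pcap = os.path.join(d, "capture.pcap")
    with open(mem, "wb") as f:
        f.write(b"\x00" * 4096)                      # constructed stand-in memory image
    with open(pcap, "wb") as f:
        f.write(b"\xd4\xc3\xb2\xa1" + b"\x00" * 20)  # pcap magic + padding, constructed
    m = create_manifest([mem, pcap], "ir-analyst-1")
    add_custody_event(m, "forensics-vendor", "received sealed copy")
    before = verify_manifest(m)
    with open(pcap, "ab") as f:
        f.write(b"\x01")                             # simulate tampering after hand-off
    after = verify_manifest(m)
    return before, after, m


if __name__ == "__main__":
    before, after, m = demo()
    print(manifest_json(m))
    print("before tampering:", before)
    print("after tampering: ", after)
```

Before the simulated tampering both files verify; afterwards the pcap fails while the memory image still passes, which is exactly the signal a court or an insurer needs. The manifest itself must be protected the same way: store it on write-once media or sign it, because a manifest that can be silently rewritten proves nothing.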
4. Notifying the Key Stakeholders:
Your IT Security Team will not be involved in this aspect; your other Incident Response Team members will be. Therefore, it is critical that all members are constantly updated on what has happened so that they can provide the most timely and accurate information to the stakeholders involved with your company. This primarily includes your Board of Directors, outsourced third-party vendors, suppliers, shareholders, and most importantly your clients. Apart from simply notifying them that their Personally Identifiable Information (PII) may have been compromised, you also need to keep them updated as quickly and regularly as possible. You should also offer them other free ancillary services, primarily credit monitoring as well as a dedicated hotline and customer support representatives who can address any fears, questions, or concerns that your clients may have over time.
5. Completely address the Legal Aspects:
At this juncture, you need to reach out to different entities:
- Your Legal Team:
If you have in-house legal counsel, they should also be part of the Incident Response Team. From there, they can help you navigate all of the legal headwinds you could potentially face, ranging from possible lawsuits to making sure that you remain in compliance with regulations such as the GDPR and the CCPA, especially from the perspective of any audits and/or financial penalties. Note that some of these carry hard deadlines: the GDPR, for example, requires notification of the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33), so counsel must be engaged in the first hours of the incident, not after it is over.
- Law Enforcement:
As reviewed earlier in this e-Book, this is where the contacts you established earlier in your Incident Response Plan will bear fruit. Rather than wasting time figuring out whom to contact, you now have that information at your fingertips. Promptly notifying law enforcement at the appropriate levels (federal, state, and local) is also something your cybersecurity insurance carrier will typically ask about when you file a claim, so check your policy's notification requirements in advance; it is one of the first things the carrier will look at.
The Recovery/Follow Up Phase
This can be considered as the last major section of your Incident Response Plan. This is the part where you detail how you plan to move the company forward, after you have accomplished the following goals:
- You have identified the threat variant;
- You have isolated said threat;
- It has been eradicated from your IT and network infrastructure;
- You have notified all of the key stakeholders of what has just happened;
- You are working closely with the various law enforcement agencies that you need to keep informed.
Of particular importance in this component of the IR Plan are the following components:
1. Identifying the Gaps and Weaknesses that led to the Security Breach:
Although a thorough forensics examination will yield very important evidence and clues as to what happened, it will not give you the complete picture of how it was possible. In this regard, you will need a thorough Penetration Test to ascertain where the known as well as the hidden vulnerabilities lie within your IT and network infrastructure. By doing this, you will also be able to deploy solutions that close these gaps so that the probability of being impacted by another cyberattack is greatly diminished. You should also conduct a Threat Hunting exercise, which searches your environment for any threats still lurking inside your systems (attackers frequently leave a second foothold behind). As part of your Incident Response Plan, you should also establish relationships with one or more reputable cyber incident response companies so that you can mobilize them as quickly as possible if needed.
2. Apply the lessons that have been learned:
It is critical that once you know what happened and how to avoid it in the future, you keep your Incident Response Plan updated at all times. But the key here is: don't just wait for a cyberattack to happen in order to test your Incident Response Plan. Test it by conducting mock exercises (tabletop walkthroughs and, where possible, live simulations) on a regular basis, and apply the lessons learned from those as well.
KAMIND IT Security Overview
KAMIND IT is a provider of cloud services in four different areas: Government Community Cloud, Academic, Charity and Corporate environments. Our deployment is designed around CMMC, NIST SP 800-171 and related compliance standards, allowing KAMIND to build a baseline infrastructure for our clients.
KAMIND has published three books on Office 365 and has migrated over 100,000 users to the Microsoft Cloud.
KAMIND IT also offers three security options for organizations to scale – based on the security needs that fit our clients’ risk profiles. KAMIND leads with our security product suites built around Microsoft 365 Business Premium with Microsoft Defender Advanced Threat Protection, Microsoft 365 E3 with E5 security, and Microsoft 365 E5 subscriptions.
KAMIND builds security and support solutions on Microsoft Azure and integrates all of the solutions through the Azure Sentinel SIEM. KAMIND's US-based 24 x 7 help desk and US-based SOC allow KAMIND to fully Manage, Detect and Respond as needed. This is backed by our knowledge and expertise of the Microsoft Cloud.
Shield
- Benchmark your controls with Secure Score
- Log Analytics
- Threat Protection (Virus, Malware) for Emails
- Malware and Spyware Detection and Removal
- Access to Security & Compliance Center
- Self-managed security center alerts in Microsoft Azure
- 2-Factor authentication needed to access data on PC/Mobile
- Secured DNS
- Standard email signature
- Microsoft Azure Sentinel for Shield
Guard
Includes Shield offering plus…
- Intelligent Security Graph
- Cloud App Security
- Advanced Multi-Factor Authentication
- Single Sign-on to 2,600+ SaaS applications
- Mobile Application Management
- Windows Information Protection
- Azure Identity Protection
- Tracking, Reporting, and Revoking Privileges
- Azure ATP: Host intrusion prevention capabilities
- Data Loss Prevention
- Advanced Threat Protection: Safe Links, Safe Attachments
- Microsoft Azure Sentinel for Guard
KAM-Fort
Includes Guard offering plus…
- Mobile Device Management
- Device Guard: Preventing malicious code from running
- Client backup to Azure
- Proactive account management
- Managed Remediation Detection
- Monthly security status reports
- Monthly security account review
- Microsoft Incident Response Team option
- Cyber-liability insurance option
- Compliance management option
- Pen testing quarterly service option
- NIST 800-171 Lite audit option
- NIST 800-171 heavy audit option
- Microsoft Azure Sentinel for KAM-Fort
Exhibit A – Incident Response Checklists
Incident Response Checklist
- Does incident justify escalation?
- Begin documentation of decisions and actions
- Begin mitigation of the incident
- Activate Incident Response Plan and notify and convene with the Incident Response Team
- Notify cyber insurance carrier
- Notify affected business partners, clients, etc., as appropriate
- Engage forensics to mitigate continued harm, gather evidence, and investigate
- Assess scope and nature of data compromised
- Determine whether to notify authorities, including local and federal law enforcement
- Begin preparing the public relations message
- Engage notification / credit services vendor
- Investigate whether data has been “breached”
- Determine when notification “clock” started
- Remediate and protect against future breaches
- Confirm notification / remediation obligations
- Determine proper remediation services
- Prepare staff; arm them with FAQs (frequently asked questions) with detailed responses
- Prepare notification letters for clients and vendors
- Plan timeline for notification
- Implement public relations strategy
- Implement Cyber Risk Management Program
Checklists Prior to Any Incident
IDENTIFICATION PROCEDURES
- Do all your staff members have Photo ID badges?
- Do they wear them at all times when in your facility?
- Do you provide temporary ID badges for visitors?
- Do you check the credentials of visitors?
- Is a policy in place for conducting background checks for employees and visitors?
- Can you cut off access to employees and visitors if necessary?
PERSONAL & PHYSICAL SECURITY
- Do you have procedures in place to prevent unauthorized physical access to computers and other electronic information systems?
- Do you have solutions in place to prevent physical access to your secure areas, such as door locks, access control systems, security offices, or video surveillance monitoring?
- Do you have security desks, and sign-in/sign-out logs for users accessing these areas?
- Do you physically escort visitors out of secure areas?
- Can you ensure users always log out of their computers when leaving them?
- Are all computers set to lock automatically after 10 minutes if left idle?
- Can you remotely wipe computers, laptops, and mobile devices that are lost or stolen?
- Are all modems in Auto-Answer OFF mode when not in use?
- Is there a policy in place to protect data during equipment repairs?
- Do you have security policies in place for all your computers, laptops, tablets, and smartphones?
- Do you have a “Bring Your Own Device (BYOD)” policy in place for employee mobile devices?
- Do you have an “Acceptable Use Policy (AUP)” in place and are employees aware of it?
- Do you have emergency evacuation plans in place for employees?
- Do all employees have emergency shelter-in-place kits for emergencies where they can’t leave your facility? (canned food and a can opener, bottled water, a blanket, prescription medicines, sanitary wipes, a garbage bag with ties and toilet paper for personal sanitation)
- Do key employees know how to seal off designated areas in your facility if necessary?
PASSWORD POLICIES
- Do you adhere to the NIST Digital Guidelines?
- Do only authorized personnel have password access to computer devices?
- Do you require users adopt secure password standards (NIST) and then enforce them?
- Are passwords changed when there is evidence of compromise rather than on a fixed schedule (NIST SP 800-63B advises against mandatory periodic rotation), and are new passwords screened against lists of known-breached passwords?
- Do administrators have separate accounts for network management?
DATA PRIVACY POLICIES
- Is your data stored in a secure off-site facility?
- Is all confidential data encrypted?
- Do you have procedures in place to identify and secure the location of confidential information – whether as digital or hard copies?
- Do you have procedures in place to identify and secure the location of personal private information?
- Do you continually create retrievable backup and archival copies of critical information?
- Do you have procedures in place for shredding and securely disposing of paper documents?
- Do you lock your shredding and recycling bins?
- Do you have policies in place for secure disposal of electronic/computer equipment?
- Do you have policies in place for secure disposal of electronic media such as thumb drives, tapes, CDs and DVDs, etc.?
- Do you have procedures in place to regularly assess I.T. compliance with required regulations (HIPAA, PCI, FINRA, etc.)?
- Do you conduct regular reviews of users with physical access to protected facilities or electronic access to information technology systems?
- Do you deploy systems in a hardened/secure state?
BUSINESS CONTINUITY & DISASTER RECOVERY
- Do you have an up-to-date business continuity and disaster recovery plan in place?
- Can you create retrievable backups of critical data?
- Are your backups stored offline in a secure cloud?
- Does your backup, continuity, and recovery plan include a method for accessing critical passwords for equipment, systems, and servers when needed?
- Does your backup, continuity, and recovery plan include a method for accessing encryption keys in an emergency?
- Do you have an up-to-date crisis communications plan?
- Does your crisis communications plan identify who should be contacted, how to contact them, contact information, and who initiates the contacting?
- Do you have a PR representative who will communicate to the press and community in an emergency?
- Does your crisis communications plan detail how employees can contact their family members?
- Have you identified recovery time objectives for each system, and tested for achievability?
- Do you regularly test your business continuity, disaster recovery, and crisis communications plans?
CYBERSECURITY TRAINING
- Do you provide staff training from an I.T. expert on cybersecurity?
- Do you provide this training on a regular basis?
- Does your staff know how to recognize phishing attempts in emails?
- Does your staff know how to recognize phishing attempts that arrive via text, social media, or phone calls?
- Are your employees trained on reporting phishing emails to the security team?
- Are your employees being taught about using secure passwords?
- Are your employees trained to identify and protect classified data, as well as hard copies of documents and removable media?
- Is your staff trained in the secure management of credit card data (PCI standards) and private personal information?
COMPLIANCE REVIEW
- Do you regularly review and update your cybersecurity requirements, strategies, plans, and practices?
- Do you conduct regular audits of your security requirements, strategies, plans, and practices?
- Are you testing your backup and disaster recovery plans regularly?
- Do you conduct regular reviews of who in your organization has access to sensitive information and data?
- Do you have an inventory of your authorized devices and software?
- Do you regularly test all your systems for vulnerabilities?
- Are you following the best practices established by the Center for Internet Security (CIS) in their CIS Top 20 list?
For each question where you answered “No,” you should implement activities to correct the deficits or vulnerabilities to the security of your data, facility, or personnel. Unless you act, the ability for your business to thrive/survive will be negatively impacted. Be sure to also follow up and reassess by completing this survey again in six months’ time. After that, we advise that you continue to review these questions on an annual basis.
INCIDENT RESPONSE PLANNING
- Have you established security policies and procedures within the organization? If so, are employees informed of them, and can staff enforce them?
- What is your organization’s definition of a security incident?
- Do you prioritize and document security incidents?
- Who is accountable for each phase of the incident response process (identification, containment, eradication, recovery, and lessons learned)?
- Does the Incident Response (IR) team have all the necessary tools, along with a “jump bag” stocked for managing incidents, such as:
  - An incident responder’s journal
  - A contact list for everyone on the incident response team
  - USB drives
  - A bootable USB drive or CD with all the tools needed to repair file systems and eradicate threats
  - A laptop or other device for performing forensics
  - Endpoint security and anti-malware utilities
  - Network and endpoint toolkits for adding/removing components
- Who communicates critical updates from the incident response team?
- Who will liaise with law enforcement officials, if needed?
- Who will bring systems back online in the event of a major data breach?
Sources
- https://www.crowdstrike.com/epp-101/incident-response-ir-plan/
- https://www.darkreading.com/attacks-breaches/77--of-businesses-lack-proper-incident-response-plans/d/d-id/1331275
- https://www.ibm.com/services/business-continuity/plan
- https://www.infocyte.com/blog/2019/11/07/incident-response-planning-a-checklist-for-building-your-cyber-security-incident-response-plan/


