Cyberscore Assessment
#1 Infrastructure
Answer the questions below
We maintain an inventory of all workstations, servers and network equipment and we have implemented a sustainable hardware refresh cycle.
Purchase date, serial and warranty tracked on all equipment and hardware is replaced when it reaches end-of-life
Workstation and server inventory and warranty
We utilize an incident ticketing system, we provide our management team with regular response and resolution time reports and the results of those reports are meeting the organization's expectations.
Online ticketing service desk where all incidents are logged and reported on
Service desk ticketing, time tracking and reporting
Our wireless network prevents guests from accessing our internal network and employees have unique usernames and passwords assigned for wireless access.
Separate employee and guest wireless networks and RADIUS auth with Active Directory or Azure AD
Wireless infrastructure security and management
Our office locations utilize redundant internet service provider connections, and our firewall or router automatically swaps connections in the event of an outage.
Primary copper/fiber and backup cable (COAX) connection and firewall with automatic ISP failover
Redundant internet connectivity and automatic failover
Our servers and network equipment are protected with uninterruptible power supply units that maintain a minimum of 10 minutes runtime and automatically power down servers hosting critical data.
APC UPS with managed Ethernet for power monitoring and an automatic server shutdown feature
Power protection, power monitoring and automatic shutdown
#2 Cybersecurity
Answer the questions below
The level of cybersecurity insurance carried by our business is adequate to protect our organization and our clients from financial loss.
Standalone policy with 1m per occurrence and 2m of aggregate coverage
Cyber liability insurance coverage
I am confident that we have the proper cybersecurity software deployed to protect personal and corporate data from attacks such as phishing and ransomware.
Advanced EDR with 24/7/365 Security Operations and Real-Time Remediation
Cybersecurity software and 24/7 security operations
We use single sign on and two-factor authentication across all critical line of business applications such as Office 365, our ERP system and remote access.
Email, outside access to ERP and VPN, RDP, VDI all use DUO or Microsoft MFA
Multi-factor authentication
We engage with all organization employees and properly train them to identify ransomware, phishing and social engineering attacks coming from email, text message and web sites.
End-user training software with at least bi-weekly phish testing and real-time micro learning
Employee security awareness training and phish testing
All organization IT systems and devices that contain PII or sensitive company information are encrypted to protect against loss or theft.
BitLocker AES-256 encryption managed by Azure Active Directory
Workstation and server encryption
#3 Compliance
Answer the questions below
We apply regular server and workstation security patches and updates across our technology infrastructure.
Weekly Windows and Mac OS updates are applied using an automated patching system
Endpoint security patching
We have a properly segmented corporate network (meaning workstations, servers, phones and guests are kept in separate logical networks).
VLAN segmentation and proper access control is in place to prevent unauthorized access between networks
Network segmentation using VLANs
We perform a regular network vulnerability scan and have archived all historical scan data for reporting and compliance purposes.
Ongoing Rapidfire Tools Cyberhawk network scans with a minimum of quarterly Network Detective scans.
Regular network vulnerability scans
We have a written information security policy (WISP) that has been agreed to by all employees.
Centrally documented WISP that includes User Termination, Incident Response, Sanction, Network Security, Access Control, Computer Use, Equipment Disposal, BYOD and Facility Security policies.
Written Information Security Policy
We are meeting all state and federal compliance requirements such as HIPAA, PCI DSS, FINRA and the New York SHIELD Act and we are confident we would pass an audit.
Depends on the specific vertical; nearly every NJ business will have some level of NY SHIELD compliance requirements.
Regulatory compliance audits
#4 Backup & Disaster Recovery
Answer the questions below
We proactively monitor our server and cloud infrastructure for failures and performance issues so that business affecting problems can be prevented.
Service and network monitoring with real-time alerting and paging – responsible parties respond and remediate
Network and infrastructure monitoring and pro-active remediation
We regularly review our backup strategy, and we adhere to a documented process for backup frequency, retention and location.
Centrally documented backup and RPO (recovery point objective) document agreed to by all relevant parties
Documented backup and recovery point objective
We perform regular backup recovery testing, and we have a clear time objective for restoring critical systems and data.
At least quarterly recovery testing performed and logged of file, server and environment
Documented recovery time objective determined by regular backup recovery testing and logging
Along with our management team, we understand how our technology infrastructure supports our key business processes and we have calculated our costs of technology infrastructure downtime.
Cost of user, department, location and company downtime calculated, documented and known so it can be utilized when making IT related decisions
Understanding costs of downtime for a user, department and company-wide
We have a well-defined disaster response team with clearly defined roles, responsibilities and communication protocols.
1 or more persons with specific roles and processes in place to manage and/or perform data recovery and end-user access restoration
Disaster response roles, responsibilities and execution
#5 Business Strategy
Answer the questions below
The organization's management team views technology as an investment, not a cost, and they agree to implement best practices when recommended by the IT team.
Technology is seen as a functional area of the business and ownership/leadership understands the importance of investing in proper technology
Understanding that technology is a functional area of a business that should drive higher efficiency and profitability
We perform a regular technical alignment assessment to identify areas of our technology infrastructure that do not meet best practices.
Utilizing a set of best practices and standards, a GAP analysis is performed quarterly or bi-annually.
Regular consistent GAP analysis
We meet regularly as a team to assess risk, discuss strategy and perform IT budget planning for our organization.
Ownership/Leadership meets with IT personnel quarterly or bi-annually to discuss GAPs and identify areas in need of improvement. These are logged into a proper organization budget.
True vCIO - business focused meetings meant to direct technology toward achieving business goals
We have a clear process for making IT related decisions in our organization, a project plan is agreed upon before implementation and communication within our organization is clear and consistent.
IT projects are reviewed and understood by management. All IT projects are performed only when a proper project plan is created, approved and followed by IT personnel.
IT Project Management
We consistently bring advances in technology to the attention of our management team that increase employee productivity and give us an edge over our competitors.
IT personnel are aware of new technology advancements that could help the business increase productivity and profitability. These ideas are discussed at regular strategy meetings.
Technology awareness and discussion of advancements
#6 Cloud
Answer the questions below
We utilize a secure cloud-based email solution like Microsoft 365 or Google Workspace.
Office 365 or Google Workspace email
Cloud Email
Our cloud services are configured according to service provider recommended best practices.
Follow CORE Networks Office 365 Cloud best practices (or applicable vendor)
Best practices for cloud services
Our cloud-based email and file services are configured with data loss prevention policies and alerting to prevent data breaches.
Microsoft 365 DLP policies for Email and OneDrive/SharePoint – alerts are sent to responsible parties
Data loss prevention policies
All users are provided with training on applicable cloud services and are required to understand and agree to a written company Cloud Usage and Security Policy.
Written Cloud Usage Policies as part of Written Information Security Policy
Cloud usage policies for users
We utilize a security information and event management (SIEM) system that monitors and alerts on our network, cloud services and critical data systems.
Perch or other real-time Intrusion Detection System with 24/7/365 Security Operations
Security Information and Event Management (SIEM)