
ASSESSMENT QUESTIONNAIRE
Cybersecurity Assessment Questionnaire

This comprehensive tool covers the key questions needed to accurately assess an organization's cybersecurity posture.

IDENTIFY

Q1. Do you have visibility of all connected users, devices, data and services across your network? (ID.AM)

If you don't know that something is happening, you can't do anything about it. That's why network visibility is a key component of NIST's Identity and Access Management.

With increased visibility, you can better protect your network from problematic devices, users and services. This is because you have a much better chance of intervening if something unusual, dangerous or unexpected happens.

With the right tools and services, you can see and interpret everything that takes place on your network. For example, you can monitor network activity, see what devices have connected, who owns which device, and what services are accessed by whom and when.

There is a wealth of useful information available that can better protect the network, its users and your business partners and customers. But a note of caution: if an administrator is presented with too much information, illogically organized, it can lead to security oversights. Choosing visibility tools that simplify monitoring of the activities taking place on the network is the name of the game. The services and available configurations should underpin your business and security requirements.

Quality management software, such as Acronis Cyber Protect, offers a single solution to integrate remote desktop, backup, disaster recovery, AI-based protection against malware and ransomware, and security tools in a single agent. Simple detection and onboarding of new devices needing management and protection reduces both workload and potential exposure.

TIP: Ensure your access management tools provide easy-to-digest log information for stakeholders that highlights any important issues. This can simplify information security authorization requests.

www.acronis.com

Q2. Is your approach to cybersecurity correctly aligned with the needs and objectives of your organization, taking into account regulatory and legal requirements? (ID.DE and ID.GV)

When it comes to cybersecurity, anyone who touts one size fits all is talking nonsense. State laws regarding cybersecurity requirements vary from state to state, just as industry compliance regulations vary depending on your industry sector. It is important to understand the requirements and how they impact your organization.

But this alone will not help your business to grow. Today's security is about understanding your organization's objectives and then aligning your security policies and procedures to protect these objectives.

For example, let's say your company sells widgets to a customer base. Each of these customers has an account on your network, and these are regularly accessed by managers. And let's add that we know that a key company objective is to grow the customer base. The security goals should underpin this main business objective:

- Protect the customers' data from unauthorized access (protecting this information is a key requirement for many industry bodies and state regulators, so this business objective aligns nicely).
- Ensure authorized access is as frictionless as possible (this security goal is unlikely to be mentioned by any regulatory body, but it is a key organization and security concern: if access is painful and slow, users are motivated to find a work-around, one that might put the entire network at risk).

The key to a strong security policy is a deep understanding of the business objectives, as well as understanding the regulatory requirements.

TIP: Stay on top of changing business needs and regulations by regularly checking in with all relevant personnel to ensure their needs are being met, and updating policies to accommodate new legal or business requirements. Regular (ideally monthly) surveys or all-hands calls can be a good way to monitor satisfaction.

Q3. Are you regularly performing risk assessments to measure your threat exposure (including those from your supply chain, users, business partners and customers)? (ID.RA, ID.RM, ID.SE)

Risk assessments perform a number of key tasks to reduce an organization's overall exposure to threats. Risk assessments evaluate the security of services, configurations, user policies, hardware implementation, etc.

These risk checks ensure that those in charge of the infrastructure are aware of how the system and services are used, and highlight areas for improved security, such as finding vulnerabilities, lax security protocols, or authentication oversights.

It is also important to be confident in the security implementations of your supply chain. Business partners that provide products and services to you and your customers should be able to present you with a recent security risk report to help build confidence in the partnership.

TIP: Regular risk assessment is a proven method to evaluate your threat exposure. Depending on the industry and the amount of sensitive information processed, assessments should be performed quarterly to yearly.

Q4. Are you correctly insured against any damage or loss ence or insider threats? (ID.RM)

Cybersecurity insurance offers businesses financial protection from the effects and consequences of online disasters, be they a bad agent attack, data loss, data theft, ransomware, malvertising, etc.

Cybersecurity insurance is a nascent field. New cyber insurance services and providers regularly enter the space, so we now see a bevy of offerings from both unknown and established insurers. As it's new, it is a complex space to navigate. Players are still jockeying for position in what is touted to be a huge market.

Select your cyber insurers as you would any other insurer, remembering that the one offering the cheapest rates may not be the one that returns its investment in any meaningful way. By balancing the cost, the service offering, the reputation, and its customer service, you will narrow your choices to a strong shortlist.

TIP: As it has not been around for long, be very careful not to assume it is a one-size-fits-all market. Insurers offer a variety of cover options, so it's key to get proper advice on which policies are right for you, should a cyber threat be successful.

Q5. Is your organization compliant with the industry's and/or region's cybersecurity operational requirements, as appropriate (e.g. HIPAA, PCI, GDPR)? (ID.GV)

State laws regarding cybersecurity requirements vary from state to state, just as compliance regulations are specific to each industry sector (e.g. medical, financial, legal, retail, etc.). While industry standards vary, depending on the industry and its individual requirements, there is overlap between these bodies (e.g. many regulators will require that sensitive and PII information must be stored securely, that backups are kept and regularly updated, and that yearly risk assessments are conducted). But there is no one size fits all.

A retail organization that processes payments will have different considerations to those organizations providing medical services, and the individual regulatory stipulations take these all into account. It is important to understand which of these bodies impact the organization. Then you can prioritize the requirements and recommendations these regulatory bodies require your business to follow.

There are a few things to look out for here. First, ensure your information security partner understands your regulatory compliance needs, whether they are tied to industry standards, federal law, or state law.

Building an information security infrastructure to protect your organization's people, services and assets while also meeting all regulatory guidelines can seem daunting at first, but this approach can dramatically reduce the network's operational risk, as well as help you future-proof the organization against tomorrow's threats.

You can simplify the work of ensuring compliance with many regulations, particularly those regarding data retention, with a high-quality backup solution like Acronis Cyber Protect, which is designed even for organizations with strict compliance regulations, e.g. GDPR, NIS Directive, Telecom Framework Directive, or eIDAS regulation.

TIP: By using one trusted integrated solution that includes data compliance reporting, you can eliminate complexity and improve security capabilities and uptime, all while reducing costs.

PROTECT

Q6. Do you centrally manage and monitor all user accounts and login events on your network? (PR.AC)

Being able to centrally manage and monitor all user accounts and login events on your network gives you real-time control of which users are allowed to access what services at which time.

For example, you can set your centralized system to alert you whenever an unexpected or unwanted account request is made, allowing you to review it before access is granted. Or you might want an easy way to onboard new hires, or indeed retire the accounts of leaving employees. Or, say you notice a huge amount of data being unexpectedly downloaded: a reputable centralized system would allow you to review who is accessing what service at any given time, and select appropriate action.

And considering today's internet of things, wearables and personal devices, not to mention BYOD policies, being able to quickly see and control any device goes a long way to protecting your digital assets against unauthorized access, vulnerabilities, or lax security protocols.

A good centralized management system will store all user activities in a single secure location. The word secure is key here; otherwise a centralized management system could become a single point of failure.

TIP: A comprehensive off-boarding policy is just as important as proper onboarding of new employees. When a user leaves the organization, or changes role, there should be a standard set of steps to ensure any unneeded accounts are disabled or deleted quickly and efficiently.

Q7. Can you monitor and manage all file permissions on your network to ensure that data sets are only accessed by active and authorized users? (PR.AC)

Access to the right files and folders is a basic requirement for any digital worker, but it is important to make sure that all users can only access those items and areas they need for their work, and no more. Having central oversight of which users have access rights to which files and folders is key to maintaining appropriate privacy and security without impeding day-to-day business.

This particularly applies to shared storage areas, where a simple error in assigning rights can grant a user access to large amounts of information they should not be able to see. Getting this right requires careful structuring of both your data and your rights assignment, usually managed through groups of users aligned to roles or departments.

There may be cases where multiple groups need access to the same sets of files. To avoid duplication, it's tempting to place these in areas accessible to different groups, but these should be carefully managed to ensure neither group is inadvertently storing group-specific files in shared areas.

TIP: Routinely review and update your file permissions at the same time you review user groups and rights allocations, to keep things in sync.
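The permissions review described in the file-permissions question (Q7) above, and the off-boarding check from Q6, as an added example that is not part of the questionnaire or of Acronis Cyber Protect. The user directory, department groups and folder ACLs are constructed sample data; the review flags grants to disabled or unknown accounts, direct per-user grants that bypass the role groups, and shared areas readable by more than one department.

```python
"""Review shared-folder ACLs against the user directory (added example).

Constructed inputs:
  USERS  - login -> status and department (the directory of record)
  GROUPS - department groups, the intended unit of rights assignment
  ACLS   - shared folder -> principals (groups or individual logins) with read access
"""

# --- constructed sample data ---------------------------------------------
USERS = {
    "alice": {"status": "active", "department": "finance"},
    "bob": {"status": "active", "department": "sales"},
    "carol": {"status": "disabled", "department": "finance"},  # has left the company
    "dave": {"status": "active", "department": "sales"},
}

GROUPS = {
    "grp-finance": ["alice", "carol"],
    "grp-sales": ["bob", "dave"],
}

ACLS = {
    "//fileserver/finance": ["grp-finance"],
    "//fileserver/sales": ["grp-sales", "erin"],           # erin is not in the directory
    "//fileserver/quotes": ["grp-finance", "grp-sales"],   # area shared by two departments
    "//fileserver/payroll": ["grp-finance", "carol"],      # direct grant to a leaver
}


def expand(principal, groups):
    """Resolve a group to its member logins; a plain login resolves to itself."""
    return groups.get(principal, [principal])


def review_permissions(users, groups, acls):
    """Return a sorted list of (folder, kind, subject) findings, where kind is one of
    'stale_account'     - grant reaches an account that is disabled or unknown
    'direct_grant'      - a login is granted directly instead of via a group
    'multi_department'  - folder is readable by more than one department
    """
    findings = set()
    for folder, principals in acls.items():
        departments = set()
        for principal in principals:
            if principal not in groups:
                findings.add((folder, "direct_grant", principal))
            for login in expand(principal, groups):
                record = users.get(login)
                if record is None or record["status"] != "active":
                    findings.add((folder, "stale_account", login))
                else:
                    departments.add(record["department"])
        if len(departments) > 1:
            findings.add((folder, "multi_department", ",".join(sorted(departments))))
    return sorted(findings)


def stale_accounts(findings):
    """Accounts that still hold access but should be off-boarded (Q6 TIP)."""
    return {subject for _, kind, subject in findings if kind == "stale_account"}


if __name__ == "__main__":
    results = review_permissions(USERS, GROUPS, ACLS)
    for folder, kind, subject in results:
        print(f"{kind:17} {folder:24} {subject}")
    print("accounts to off-board:", sorted(stale_accounts(results)))
```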

Q8. Do you prohibit account sharing across all services and users as part of your information security policy? (PR.AC)

Most of us know that account sharing is a big no-no, and yet many organizations continue to operate with shared accounts for a variety of reasons: reduced spend, ease of access, simplification, etc. But it can cripple your chances of spotting and deterring potential threats.

Here are a few security considerations:

- Changing passwords becomes difficult: how would a new password be communicated to all users?
- Spotting unauthorized users accessing the system becomes difficult, if not impossible.
- Once a shared account is compromised, an attack's payload (e.g. encrypting files in the case of ransomware) can spread more widely and quickly.
- There is no valid audit trail, and without it, accountability and responsibility become difficult-to-resolve issues.

Regularly review your accounts, ensuring that every user is using unique log-in credentials that follow security best practice.

Remote desktop access, a feature seen in products like Acronis Cyber Protect, can dramatically reduce the time and resources required to manage users working from home, or anywhere for that matter.

TIP: To ease the burden on staff and simplify IT's tasks during the onboarding of new users or the removal of old ones, consider employing a reputable, network-wide, centrally managed password management service.

Q9. Do you control and monitor what applications your users are allowed to install and use? (PR.AC)

As companies grow, the activities and requirements of their staff inevitably become more complex. The set of applications needed within the network can expand rapidly. This can be exacerbated by staff preferences, when an individual finds the standard tool in use in your environment does not offer the user experience they are used to from previous positions.

It's important to restrict users to only known and trusted applications managed and maintained by IT staff, and to prevent installation and use of any other tools or solutions.

A good rule of thumb is to operate by least privilege: only give users access to what they need for their work, and nothing more. By controlling and limiting what applications each user has access to, you can hinder even a successful attacker's attempts at accessing your sensitive files.

Plus, with central management software, not only can you instantly view the login attempts and block a specific user or device, but you can revise access controls to lock down your data and services.

TIP: Try to make sure all potential user requirements can be met using the set of trusted tools maintained within your system. If a new workflow is scheduled to launch, locate the appropriate software to facilitate it, then set it up, test it, and connect it to your patching and version management processes so it is available when needed. With a little foresight, you can avoid having to urgently add new services at short notice; hurried changes add risk and uncertainty.
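Q8 above argues that a shared account makes unauthorized use hard to spot and leaves no valid audit trail. The following is an added example, not code from the questionnaire or from Acronis Cyber Protect, showing how the centrally collected login events from Q6 can surface likely shared accounts: one account logging in successfully from several distinct devices inside a short window. The log line format and the sample events are constructed.

```python
"""Flag likely shared accounts from central login events (added example).

Constructed log format (assumed, not from any real product):
    <ISO-8601 time> login user=<login> src=<ip> device=<hostname> result=<success|failure>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"device=(?P<device>\S+) result=(?P<result>\S+)$"
)

# Constructed sample events: 'frontdesk' is used from three devices within minutes,
# while 'alice' moves between two of her own machines hours apart.
SAMPLE_LOG = """\
2020-05-04T09:01:12Z login user=alice src=10.0.1.12 device=FIN-PC01 result=success
2020-05-04T09:02:40Z login user=frontdesk src=10.0.2.21 device=RECEP-PC1 result=success
2020-05-04T09:05:03Z login user=frontdesk src=10.0.2.22 device=RECEP-PC2 result=success
2020-05-04T09:07:55Z login user=bob src=10.0.1.30 device=SALES-LT07 result=failure
2020-05-04T09:09:10Z login user=frontdesk src=172.16.5.9 device=KIOSK-3 result=success
2020-05-04T13:30:00Z login user=alice src=10.0.1.40 device=FIN-PC02 result=success
2020-05-04T17:45:19Z login user=alice src=10.0.1.12 device=FIN-PC01 result=success
"""


def parse_events(text):
    """Parse log lines into dicts with a datetime 'ts'; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return events


def shared_account_candidates(events, window=timedelta(minutes=30), min_devices=2):
    """Return {user: sorted device list} for accounts whose successful logins came
    from at least `min_devices` distinct devices within any `window`-long period.
    Failed logins are ignored: they show guessing, not sharing."""
    by_user = defaultdict(list)
    for event in events:
        if event["result"] == "success":
            by_user[event["user"]].append(event)

    flagged = {}
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e["ts"])
        # Slide a window starting at each login and count distinct devices inside it.
        for i, start in enumerate(logins):
            devices = {e["device"] for e in logins[i:] if e["ts"] - start["ts"] <= window}
            if len(devices) >= min_devices:
                flagged[user] = sorted(devices)
                break
    return flagged


if __name__ == "__main__":
    for user, devices in shared_account_candidates(parse_events(SAMPLE_LOG)).items():
        print(f"possible shared account: {user} used from {', '.join(devices)}")
```

Tune the window to your environment: a 30-minute window separates genuine multi-device users from a credential handed around a team, but a longer window (as the test shows) will also flag normal roaming.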

Q10. Do you enforce best security practices, such as and where advisable, single sign-on to users? (PR.AC)

Many companies rely only on a username and password to allow a user to log into a service on the network. The problem with this as a single security measure is that it can also be a single point of failure.

We know that the majority of successful data breaches begin with an unauthorized agent getting access to bona fide login information. By using legitimate login information, the attacker tries to effectively hide from detection, sneaking around under the guise of being a legitimate user.

Implementing secure authentication policies can greatly reduce your exposure to the risk of hijacked accounts. Multi-factor authentication can be a particularly strong protection against stolen or guessed login details, making a password of limited value to an attacker. Centralized password management can reduce the overhead of keeping up with large numbers of complex passwords, and helps enforce password strength and account re-use policies.

TIP: Educate your users on the reasons for imposing secure authentication, so they understand the risk, and the counter-measures they can employ. Combine this with training in how to use any multi-factor or password-management tools, which should emphasise the added ease of use.

Q11. Do you have an up-to-date inventory of all third-party applications running on your system, including their patch level? (PR.AC)

The accelerated rate of technological change means that companies today often need to evaluate, install and decommission applications so frequently that it is easy to lose track of the applications running on the system. Every application, if not properly managed, could open the door to unwanted activity on your network.

Application inventory is effectively the process of keeping records of all the applications available or installed on a network. Being able to see what applications are installed across your network requires an up-to-date inventory that is both easy to access and understand. In fact, it is rather difficult to imagine how an administrator could perform their day-to-day tasks without having a solid system to monitor all the applications across the network.

At-a-glance management interfaces can provide a wealth of real-time information regarding the applications on your network: version number, patch levels, users, etc. This is a powerful tool, giving the administrator full control over the applications available.

Say for instance an application was found to be vulnerable. An at-a-glance look at your inventory will tell you whether it is installed anywhere, and whether it is patched. That information will allow you to make the decision to suspend its access until it is properly protected, or to implement a workaround to mitigate the danger.

TIP: There are a number of considerations when choosing inventory tools, including ease of use, reliability, features, customer support, user reviews, and versatility. Make sure to assess the considerations against your specific organizational goals and objectives.
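The inventory query that Q11 describes (is the vulnerable application installed anywhere, and is it patched there?), as an added example that is not code from the questionnaire or from Acronis Cyber Protect. The CSV export format, the application name and the version numbers are constructed; the check also treats hosts that have not reported recently as unknown rather than patched, since a stale inventory record proves nothing.

```python
"""Answer 'where is this application installed, and is it patched?' from an
inventory export (added example). The CSV layout is assumed, not a real
product's format, and all records are constructed."""
import csv
import io
from collections import defaultdict

INVENTORY_CSV = """\
host,application,version,last_seen
FIN-PC01,Acme PDF Reader,11.0.9,2020-05-04
FIN-PC02,Acme PDF Reader,11.0.12,2020-05-04
SALES-LT07,Acme PDF Reader,10.2.1,2020-04-30
RECEP-PC1,Acme PDF Reader,11.0.12,2020-05-03
KIOSK-3,Acme PDF Reader,11.0.10,2020-03-15
FIN-PC01,WidgetCRM,4.1.0,2020-05-04
"""


def version_key(version):
    """Turn '11.0.9' into (11, 0, 9) so versions compare numerically.
    Plain string comparison would rank '11.0.9' above '11.0.10' and mark an
    unpatched host as safe. Non-numeric suffixes ('3b') are reduced to their digits."""
    parts = []
    for part in version.split("."):
        digits = "".join(ch for ch in part if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def load_inventory(text):
    """Parse the CSV export into a list of record dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def exposure_report(inventory, application, fixed_version, stale_after):
    """Classify each host that runs `application` as
    'patched'      - version >= fixed_version and the record is current,
    'vulnerable'   - version <  fixed_version and the record is current,
    'stale_record' - host last reported before `stale_after` (ISO date), so the
                     recorded version cannot be trusted and needs re-checking.
    Returns {category: sorted host list}; categories with no hosts are omitted."""
    fixed = version_key(fixed_version)
    report = defaultdict(list)
    for record in inventory:
        if record["application"] != application:
            continue
        if record["last_seen"] < stale_after:          # ISO dates compare as strings
            report["stale_record"].append(record["host"])
        elif version_key(record["version"]) >= fixed:
            report["patched"].append(record["host"])
        else:
            report["vulnerable"].append(record["host"])
    return {category: sorted(hosts) for category, hosts in report.items()}


if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    # Hypothetical advisory: Acme PDF Reader fixed in 11.0.10; records older than
    # 1 April 2020 are considered stale.
    for category, hosts in exposure_report(inventory, "Acme PDF Reader", "11.0.10", "2020-04-01").items():
        print(f"{category:13} {', '.join(hosts)}")
```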

Q12. Do you allow IoT devices such as digital assistants, smart white goods etc. to connect to your network? (PR.AC)

As more and more hardware devices become "smart" and "connected", the divide between the "computers" managed by the IT team and other devices acquired and owned by other departments, such as catering and facilities, can become blurred. With many IoT device makers paying minimal attention to security issues such as patching and built-in admin passwords, granting such devices access to your key company networks can be risky.

If IoT hardware is in use within your environment, there is rarely any need for it to connect to your core systems or networks. To provide internet access to these devices, the best policy is to run a segregated network, keeping all non-IT devices separate from your carefully secured and managed systems. Pay attention also to whether devices require updates or other maintenance from the IT side.

TIP: Implement a policy requiring IT vetting and approval of all devices connecting to your networks, even low-impact segregated areas.

Q13. Do you prevent users from connecting non-authorized devices to your network (physically or wirelessly)? (PR.AC)

If a hacker or another unauthorized user connects to your network, it is important to be able to identify and block this user from accessing any areas that might contain sensitive information.

Blocking unknown devices is important, but equally important is having real-time remote management capabilities. A remote access feature, like that found in Acronis Cyber Protect, can radically simplify this task of only allowing known devices onto the network.

Here's why: say the boss loses their phone, buys a new one and requires immediate access to the network from their home office. The administrator should have the tools to make these changes quickly and securely (including blocking the old phone and authorizing the new device, without hindering business operations).

Of course, having mobile device management in place to approve and secure new devices is key, as is multi-factor authentication, wherever it can be implemented. You should have a security policy that is clear enough that users, be they the CEO or a new entry-level employee, know what their responsibilities are when they use the device and/or access the network.

TIP: Consider disabling unwanted connection ports, such as USB sockets. This can be done using cheap blanking plates, or by disconnecting the ports internally, and prevents connection of unwanted physical devices.

Q14. Have you renamed or disabled default accounts and passwords for all devices, services and software, including IoT devices (e.g. smart white goods, wearables, digital assistants, etc.)? (PR.AC)

Default administrator accounts and passwords are a major risk point, and are especially common in "Internet of Things" devices. Often created by companies specialising in the hardware side with limited experience or expertise in software or security, IoT devices are often found to have extremely weak privacy and security, with some hardware proving impossible to update when vulnerabilities are discovered.

As connected devices become more common, businesses need to carefully review the kit they plan to acquire, making sure it not only performs its key function properly, but does so in a secure and manageable way. Selecting based on brand is less of a guarantee of quality in this area, as some large firms may simply bolt internet connections on to their existing product lines with little thought for the security implications. This makes it all the more important that factors like ease of updating and control of login accounts are checked for compliance with security standards.

Once a device has been acquired, assume that the details of any built-in accounts, especially those with admin rights, are readily available online. Set up your own accounts with strong passwords, and disable any built-in ones, before connecting the device to any important networks.

TIP: When connecting smart devices within an office setting, consider using a segregated wifi or wired network which is kept separate from your key business network and data. If the device only requires access out to the internet and does not need to connect directly to anything internal, this segregation can hugely reduce the risk from poorly-secured devices.

Q15. Do you allow "Bring Your Own Device" (BYOD) at your organization and, if so, do you have an up-to-date policy to manage and control their access to your services and data? (PR.AC)

Bring your own device (BYOD) is not a recommended approach to security, but truth be told, we know that many companies rely on users' personal equipment. This can be due to users preferring to use their own devices rather than company-provided machines. It could also simply be a cost-saving exercise. Both are valid reasons, but operating with BYOD does increase your cyber risk.

If you do allow personal devices to connect to your network and access your organization's online systems, services and data, it is strongly recommended to have an up-to-date BYOD policy to control what devices can access what services. The policy should also tell users what security protocols and procedures they need to follow in order to use a specific device to access the network.

For example, you might only authorize access to the network from personal devices that have specific security services installed (e.g. VPN, encryption, backup, firewall, anti-malware, password manager, etc.), all controlled by centralized mobile device management.

Being able to manage devices remotely and securely is key. For instance, Acronis Cyber Protect, with its single interface across all its services, can radically simplify remote device management.

TIP: Always aim to grant the least amount of access rights possible, without impacting business growth.

Q16. Do you allow users to access your network remotely (e.g. from home or while travelling), and are you confident the connection is properly authenticated, encrypted, and tracked? (PR.AC)

The benefits of having a remote working and device policy, allowing users to access the network and its data regardless of their location, can be huge. Aside from providing flexibility during crises when workers are unable to travel to offices, remote access can also reduce the environmental and time impact of commuting, and allows workers the freedom to fit in work around other commitments, improving job satisfaction and ultimately productivity. It can also be vital when a key worker's input is needed but they are not able to attend the office due to travel or other commitments.

Depending on your policy, some users will be accessing the network from their own devices, while others will be using company-owned hardware. Either way, it's crucial to ensure all devices accessing your networks and data are known and trusted, ideally centrally managed with enforceable protections conforming to your core security policies. Make sure secure authentication is required to access your network, track what devices are connecting and when, and block all unapproved and unmanaged devices.

TIP: Make sure any mobile device management software is properly configured to allow remote location tracking and remote wiping of devices, in case something which could be storing company data gets mislaid or stolen.

Q17. Can you remotely access, configure, audit, track and securely wipe any devices you allow on your network, even when they are outside of your network? (PR.AC)

Being able to manage remote workers' accounts, devices and access rights at the touch of a few buttons is an incredible advantage, particularly when, in 2020, we are facing so many people having to work from home for the first time.

Device management refers to software that is used to oversee, regulate, and secure employees' portable devices. It can include a host of services, including user, application, service, access and content management.

Users may try to access the network with unauthorized devices or accounts; they may have configuration issues; their devices may be compromised. Issues like these are easily resolved with a reputable remote tool that simplifies the daily management of remote devices, whether they belong to the company, the user or a third party.

Integrated security solutions, like Acronis Cyber Protect, can offer Remote Desktop access as a built-in feature, so you don't need to use different consoles and systems to manage your security requirements and manage users working offsite.

TIP: Complete oversight of your network is key to ensuring the systems are healthy and running smoothly, but too much information can be worse. Set your console to provide the right level of information for your needs.

Q18. If you provide guest access to your networks, do you provide segregation from your critical systems and sensitive data? (PR.AC)

Providing business visitors and customers with access to the internet brings many benefits, but if you do not secure guest internet access for business visitors you will be exposing yourself, and them, to considerable risk.

Segmenting your network is important for a few reasons. It stops visitors gaining access to parts of the network used by your employees for business operations. Guest users should not be able to see confidential files and resources.

Recommendations include:

- Set up a second SSID specifically for guests to use, to stop guest users accessing your internal WiFi network, and make sure it is password protected.
- Choose the SSID name wisely, so that it does not advertise the fact that the network belongs to your business. This will make it harder for hackers to attack your WiFi network.
- Disable remote admin access on wireless networks. If a hacker succeeds in gaining access to your WiFi network, this will limit the harm that can be caused.
- Use a management solution that collects guest credentials so you can monitor guest behavior to ensure no one is trying to abuse the system.
- Modern routers and access points support WPA2 encryption. Make sure this is enabled, or WPA3 if it is supported.

TIP: In the event of a malware or ransomware infection, a segregated network can be very effective in limiting the harm caused.

Q19. If you are storing any data in the cloud (e.g. AWS, Google, Office 365, etc.), have you used all available tools and best practices to harden its security? (PR.AC, PR.DS)

How many times have we read about a company, even one boasting a strong reputation, that has accidentally left its online cloud database, full of PII, for all and sundry to find? In some of these cases, the organization has been lucky and gets a chance to harden its security against unauthorized access before anything gets stolen. Others, however, have been dragged through the press for leaving sensitive information about employees, customers, services or business partners open for anyone who happens to land on the page.

- Set up role-based access and permissions for accessing all your cloud resources, and even your database instances.
- During transit, your data is vulnerable to failures, outages or attacks that may result in data loss or cause compliance issues. Make sure you secure the data by encrypting it in transit and at rest.
- Make sure to back up all the information for optimum security.

TIP: Default configuration is rarely designed to offer optimal security. It is often balanced between some security and additional services. It is vital to read through all the configurations and assess whether the settings meet your particular organization's requirements.

Q20. Do you track all systems, services, users, and contact lists to ensure anything unwanted or expired is deactivated or disabled? (PR.AC, PR.DS)

Accidentally sending sensitive information to unauthorized users can lead to a whole world of trouble. Not only can it be embarrassing and likely to have a reputational impact, but in some cases you will even need to notify the authorities, especially if user account information might have been accessed by an unexpected user.

Regularly reviewing the network to see what systems, services, and users are currently authorized is highly recommended. A key question is this: do any accounts need to be removed? Added? Permissions edited? This is often referred to as 'tidying house'. This approach verifies that the right information is accessed by the right people at any given time, and that old, unwanted or expired information is removed.

Information management is simplified if you have intimate knowledge of your system and services. Regular maintenan
