CYBERSECURITY SELF-ASSESSMENT
Assess your organization across eight security domains in under 10 minutes. Answer each question honestly to receive a scored report with prioritized recommendations.
Identity & Access Management
All employees use multi-factor authentication (MFA) for email and key business applications.
Users only have access to systems and data required for their job (least privilege).
Inactive or terminated employee accounts are disabled within 24 hours.
Shared or generic credentials are prohibited or strictly controlled with audit logging.
Endpoint Security
All company devices run endpoint detection and response (EDR) or advanced antivirus software.
Operating systems and applications are patched within 30 days of critical updates.
Full-disk encryption is enabled on all laptops and workstations.
Mobile devices (phones, tablets) used for work are enrolled in mobile device management (MDM).
Email & Phishing Defense
SPF, DKIM, and DMARC are configured for the organization's email domain.
An advanced email filtering or anti-phishing solution is deployed.
Employees are trained to recognize suspicious emails and know how to report them.
There is a defined process to verify wire transfer or payment requests received via email.
Network Security
Remote access to the network requires VPN with MFA rather than direct internet exposure.
Sensitive systems are isolated from general office network traffic (segmentation).
Firewall rules are reviewed regularly and unnecessary open rules are removed.
Guest Wi-Fi is separated from the corporate network.
Data Protection
Sensitive customer and business data is encrypted at rest.
The organization knows where sensitive data resides and who has access to it.
Data retention and disposal policies are defined and followed.
USB drives and removable media are prohibited or controlled.
Backup & Recovery
Critical systems and data are backed up regularly (at least daily).
Backups are stored offline or in a separate environment isolated from production.
Backup restoration has been tested successfully in the last 12 months.
Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined for critical systems.
Incident Response
The organization has a written incident response plan with defined roles.
Employees know how to report a security incident and who to contact first.
The team has practiced responding to an incident through a tabletop exercise in the last year.
Cyber insurance is in place and the incident response hotline number is known before an incident.
Vendor Risk
An inventory of third-party vendors with system or data access is maintained.
Vendors are required to meet security standards as part of contract terms.
Vendor access is reviewed and revoked promptly when relationships end.
Critical vendors' security practices are assessed at least annually.