1. A security awareness training program is in place and all users are provided training at least annually.
2. Critical or sensitive data is protected by encryption technology at rest and in transit.
3. Network segmentation is used to logically or physically separate systems according to policy.
4. The organization has a formal change management process.
5. There is a formal, documented process for conducting, maintaining and testing data backups.
6. Data backups of critical systems have at least 3 copies, 2 of which are located on different mediums and at least one of which is physically located offsite.
7. All systems are secured and hardened using industry best practices or according to policy.
8. There is a formal Vulnerability and Patch Management program in which systems, devices, software and applications are regularly scanned for known vulnerabilities and then patched or upgraded accordingly.
9. Removable media and/or mobile devices are protected and restricted in accordance with policy.
10. Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.
11. Physical access to critical systems and devices is managed.
12. Multi-factor authentication is used to authenticate to critical systems or applications.
13. There is a formal, written Disaster Recovery (DR) plan and Business Continuity Plan (BCP).
14. There is a formal, written Incident Response and Recovery Plan.
15. Perimeter defenses such as firewalls and Intrusion Detection / Prevention Systems are implemented and managed.
16. Endpoint protections such as anti-virus and anti-malware defenses are implemented and managed.