Server Management

• Do you have monitoring in place with your IT provider to alert you to issues that could cause outages?
• Do they apply security updates/ patches and do they preform regular file-restores?

Firewall Infrastructure

• Does your organisation have industry-standard Firewall hardware installed and correctly configured to the highest security settings?

Anti-Virus

• Does your organisation have anti-virus protection in place on all devices?
• Is this a managed service in terms of renewals and new activations?

Laptop/Mobile Device Encryption

• Recommended by GDPR as an appropriate way to achieve data protection goals, this is a prerequisite for all businesses with staff Laptops/mobile devices. If you don’t have encryption enabled on laptops/mobile devices you should address this as a matter of priority.

Strong Group Policy Settings

• Are passwords set to change regularly?
• Are there screen-lock settings in place?
• Are staff advised about password complexity and not sharing passwords?
• Are restricted access levels in place for administration access?

Data & GDPR Compliance

• Do you know how all your data is stored, shared and remotely accessed in your organisation?
• Do you have retention polices in line with GDPR guidelines?
• Do you have a nominated data processor/controller?
• Do you have a process for a data breach?

Disaster Recovery

• Do you have local/cloud backups activated in case of data loss? Does your organisation have a business continuity plan in place to make sure you can recover quickly from a disruptive event?

Third-party Applications

• Third-party applications, particularly those that are Cloud-based are particularly vulnerable from a security perspective.
• Is Two-Factor Authentication in place for those products?
• Do users have separate passwords?

Email

• Cloud-based email products like Office365 also need an extra layer of protection. Office365 has Two-Factor Authentication as an added feature, make sure this is activated.

Mobile device usage and BYOD

• Does your organisation allow staff to have email on personal devices?
• Are there usage policies in place for mobile devices and BYOD (Bring your own Device) policies for staff who use their own devices?

File Management

• Are files/folders held on individual machines or stored in a central location?
• It is good practice to advise staff not to store files/folder on individual machines.

Training

• Do you communicate with staff about what to do if they get a potentially harmful file or if they think their machine has been hacked?
• Do you have controls in place with key functions like finance to question emails that relate to funds-transfer?

Vulnerability Testing

• Have you ever performed internal/ external vulnerability testing on your IP’s addresses?
• WIFI
• Does your organisation have WIFI in place for staff and guest users and are they separate so guests cannot get onto the network?