Checklist For Client

Uploaded by Divesh Sood

Risk Management Regime

Key Focus: Ensuring that risk is identified, documented, and mitigated, with senior le
involvement in decision-making.
Checklist:
Risk Identification Process: Are security risks actively identified (internal/external) and documented in a risk register?

Risk Mitigation Strategies: Are there action plans for critical risks (e.g., vulnerability management, patching, business continuity

Executive Involvement: Are risk management practices reported to and overseen by executive leadership?

Security Frameworks: Does the organization align with a recognized security framework (e.g., ISO 27005, NIST RMF)?

Third-Party Risk Assessments: Are third-party vendors evaluated for their security posture?

Security Focused Questions:


How are new risks (e.g., emerging threats) incorporated into the risk management process?

Are there formal procedures for vendor and supply chain risk management?

Verification by customer:
Review the risk register and cross-check if identified risks are tied to security controls.

Check if third-party contracts include specific security clauses.

Secure Configuration
Key Focus: Secure configuration practices should ensure systems are set up secure
exposure to vulnerabilities.
Checklist:

Hardening Guidelines: Are there security baseline configurations (e.g., CIS, NIST) enforced across all systems?

Patching Schedule: Are all systems patched regularly based on the criticality of vulnerabilities?

Unnecessary Services Disabled: Are unused ports, protocols, and services disabled to reduce attack surfaces?

Configuration Management Tools: Are tools (e.g., Puppet, Ansible) used to automate configuration control?

Security Focused Questions:

How are configuration deviations identified and corrected?

Are admin accounts reviewed and restricted on sensitive systems?

Verification by customer:

Check the patching records and baseline configurations for compliance.

Audit user access controls and admin privileges.
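To make the "baseline configurations" and "patching records" verification concrete, here is an added example (not part of the original checklist, and not the output of any particular tool) that compares each host's observed settings, running services and pending patches against an assumed CIS-style baseline and an assumed patch SLA. The baseline items, the allowed-service list, the SLA table and the sample fleet are all constructed for illustration.

```python
"""Added example: baseline-compliance and patch-SLA check over a constructed host fleet."""
from dataclasses import dataclass
from datetime import date

# Hardening baseline the organisation enforces (assumed, CIS-style items).
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "sshd.X11Forwarding": "no",
    "auditd.enabled": "yes",
}
# Services permitted to run on any host; anything else counts as unnecessary.
ALLOWED_SERVICES = {"sshd", "auditd", "chronyd"}
# Maximum days a pending patch may stay unapplied, by criticality (assumed SLA).
PATCH_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
AUDIT_DATE = date(2024, 6, 1)   # constructed audit date


@dataclass
class Deviation:
    host: str
    item: str
    expected: str
    observed: str


def check_host(host, observed, services):
    """Compare one host's observed settings and running services to the baseline."""
    findings = []
    for key, expected in BASELINE.items():
        actual = observed.get(key, "<missing>")
        if actual != expected:
            findings.append(Deviation(host, key, expected, actual))
    for svc in sorted(services - ALLOWED_SERVICES):
        findings.append(Deviation(host, f"service.{svc}", "disabled", "running"))
    return findings


def check_patches(host, pending, today):
    """Flag pending patches older than the SLA for their criticality."""
    findings = []
    for advisory, severity, released in pending:
        age = (today - released).days
        limit = PATCH_SLA_DAYS[severity]
        if age > limit:
            findings.append(Deviation(host, f"patch.{advisory}",
                                      f"applied within {limit} days",
                                      f"pending {age} days"))
    return findings


def check_fleet(fleet, today):
    """Return {host: [Deviation, ...]} for every host with at least one finding."""
    report = {}
    for host, record in fleet.items():
        findings = check_host(host, record["settings"], record["services"])
        findings += check_patches(host, record["pending_patches"], today)
        if findings:
            report[host] = findings
    return report


# Constructed sample fleet (not real hosts). Patches are (advisory id, severity, release date).
SAMPLE_FLEET = {
    "web-01": {
        "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
                     "sshd.X11Forwarding": "no", "auditd.enabled": "yes"},
        "services": {"sshd", "auditd", "chronyd"},
        "pending_patches": [("ADV-0001", "high", date(2024, 5, 20))],
    },
    "db-01": {
        "settings": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
                     "sshd.X11Forwarding": "no"},
        "services": {"sshd", "chronyd", "telnet"},
        "pending_patches": [("ADV-0002", "critical", date(2024, 5, 10))],
    },
}


def sample_report():
    return check_fleet(SAMPLE_FLEET, AUDIT_DATE)


if __name__ == "__main__":
    for host, findings in sample_report().items():
        for f in findings:
            print(f"{host}: {f.item} expected={f.expected!r} observed={f.observed!r}")
```

A missing setting is reported as a deviation rather than silently treated as compliant, which is the behaviour a customer reviewing baseline evidence should insist on: absence of evidence is a finding.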

Network Security
Key Focus: Design and protect network infrastructure to prevent unauthorized acces
malicious activity.
Checklist:

Segmentation of Critical Assets: Is the network segmented, and are sensitive systems isolated from general access ne

Firewall Rules: Are firewalls configured with least privilege and regularly audited?

Intrusion Detection/Prevention Systems (IDS/IPS): Are they deployed, and are alerts monitored regularly?

Network Traffic Encryption: Is traffic encrypted using strong protocols (e.g., TLS 1.2/1.3)?

Zero Trust Architecture: Is a zero trust model implemented, requiring verification of all access?

Security Focused Questions:

Are firewall rules reviewed periodically, and how are changes tracked?

How are encryption protocols managed and updated?

What security measures are in place for internal network traffic (e.g., micro-segmentation)?

Verification by customer:

Review network diagrams and firewall configurations for compliance.

Test segmentation by attempting to access critical systems from different zones.
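The firewall-rule and segmentation items above can be checked mechanically from an exported rule set. The following added example (not from the original checklist and not tied to any vendor's export format) audits a constructed rule list for least-privilege violations, flows the zone model does not permit, missing owners and overdue reviews. The zone model, the 180-day review interval and the sample rules are assumptions for illustration.

```python
"""Added example: least-privilege and segmentation audit of a constructed firewall rule set."""
from datetime import date, timedelta

# Assumed zone model: the only source->destination zone pairs the architecture permits.
ALLOWED_FLOWS = {
    ("internet", "dmz"), ("dmz", "app"), ("app", "db"),
    ("management", "dmz"), ("management", "app"), ("management", "db"),
}
REVIEW_INTERVAL = timedelta(days=180)   # assumed rule re-certification period
AUDIT_DATE = date(2024, 6, 1)           # constructed audit date


def audit_rules(rules, today=AUDIT_DATE):
    """Return (rule id, finding) pairs for every allow rule that breaks a control."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue                      # deny rules are not examined here
        rid = r["id"]
        if r["src"] == "any" and r["dport"] == "any":
            findings.append((rid, "any source to any port: violates least privilege"))
        elif r["dport"] == "any":
            findings.append((rid, "opens every destination port"))
        flow = (r["src_zone"], r["dst_zone"])
        if flow not in ALLOWED_FLOWS:
            findings.append((rid, f"flow {flow[0]}->{flow[1]} is not in the segmentation model"))
        if not r.get("owner"):
            findings.append((rid, "no accountable owner recorded"))
        if today - r["last_review"] > REVIEW_INTERVAL:
            findings.append((rid, f"last reviewed {r['last_review']}: re-certification overdue"))
    return findings


# Constructed sample rule set (not from any real firewall).
SAMPLE_RULES = [
    {"id": "FW-1", "action": "allow", "src": "0.0.0.0/0", "src_zone": "internet",
     "dst": "10.1.0.10", "dst_zone": "dmz", "dport": "443",
     "owner": "web-team", "last_review": date(2024, 3, 1)},
    {"id": "FW-2", "action": "allow", "src": "any", "src_zone": "dmz",
     "dst": "10.3.0.0/24", "dst_zone": "db", "dport": "any",
     "owner": None, "last_review": date(2023, 1, 10)},
    {"id": "FW-3", "action": "allow", "src": "10.9.0.0/24", "src_zone": "management",
     "dst": "10.3.0.5", "dst_zone": "db", "dport": "5432",
     "owner": "dba-team", "last_review": date(2024, 5, 15)},
    {"id": "FW-4", "action": "deny", "src": "any", "src_zone": "any",
     "dst": "any", "dst_zone": "any", "dport": "any",
     "owner": "netsec", "last_review": date(2024, 5, 15)},
]


def sample_findings():
    return audit_rules(SAMPLE_RULES)


if __name__ == "__main__":
    for rid, msg in sample_findings():
        print(f"{rid}: {msg}")
```

Running the audit on every rule-set change, and keeping the output with the change ticket, gives the customer the "how are changes tracked" evidence the questions above ask for.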

User Education and Awareness


Key Focus: Ensure all users understand security threats and their role in protecting
Checklist:

Security Training Programs: Is mandatory cybersecurity training provided, including for phishing and password polici

Role-Specific Training: Do privileged users receive additional security training tailored to their roles?

Phishing Simulations: Are phishing tests conducted, and are results analyzed for weaknesses?

Security Awareness Metrics: Are there KPIs to track the effectiveness of training (e.g., click rates on phishing simulati

Security Focused Questions:

How often is the security training updated to reflect current threats?

Are users tested on their understanding of data protection and incident reporting?

Verification by customer:

Review training schedules and participation records.

Evaluate the results of phishing tests and security quizzes.


Incident Management
Key Focus: Ensure that incidents are detected quickly, and there are procedures to r

Checklist:

Incident Response Plan (IRP): Is there a documented IRP, and are roles clearly defined?

Incident Detection: Are logs monitored for signs of security incidents? Is SIEM (Security Information and Event Manag

Forensic Readiness: Are systems configured to log and preserve evidence for investigations?

Incident Escalation: Is there a clear chain of command for escalating incidents?

Security Focused Questions:

How quickly are incidents detected and escalated?

Is incident response automated (e.g., through SOAR platforms) to reduce response times?

Are post-incident reviews conducted and incorporated into security improvements?

Verification by customer:

Review incident response records and response times.

Check if logs are tamper-proof and accessible for forensic investigation.
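"Tamper-proof" logs are usually implemented by chaining each record to its predecessor with a keyed hash, so that editing, re-ordering or deleting a record breaks the chain. The block below is an added example (not part of the checklist, and not a specific product's format) showing that technique on constructed events; the key and the sample events are assumptions.

```python
"""Added example: tamper-evident log chaining with an HMAC linking each record to its predecessor."""
import copy
import hashlib
import hmac
import json

# Assumed: the key lives on the log collector, never on the hosts whose events are recorded.
CHAIN_KEY = b"constructed-example-key-not-for-real-use"
GENESIS = "0" * 64


def _canonical(event):
    """Stable serialisation so the same event always yields the same bytes."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def _tag(prev, seq, event, key):
    msg = prev.encode() + seq.to_bytes(8, "big") + _canonical(event)
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def build_chain(events, key=CHAIN_KEY):
    """Wrap each event in a record carrying its sequence number and the chained tag."""
    chain, prev = [], GENESIS
    for seq, event in enumerate(events):
        tag = _tag(prev, seq, event, key)
        chain.append({"seq": seq, "event": event, "prev": prev, "tag": tag})
        prev = tag
    return chain


def verify_chain(chain, key=CHAIN_KEY):
    """Return None if every record checks out, else the position of the first bad record.
    Detects edited events, re-ordered records and records deleted from the middle."""
    prev = GENESIS
    for expected_seq, rec in enumerate(chain):
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return expected_seq
        if not hmac.compare_digest(rec["tag"], _tag(prev, rec["seq"], rec["event"], key)):
            return expected_seq
        prev = rec["tag"]
    return None


# Constructed sample events (not from a real system).
SAMPLE_EVENTS = [
    {"ts": "2024-06-01T08:00:12Z", "host": "ws-14", "msg": "user alice logged in"},
    {"ts": "2024-06-01T08:03:40Z", "host": "ws-14", "msg": "sudo: alice ran systemctl restart nginx"},
    {"ts": "2024-06-01T08:04:02Z", "host": "ws-14", "msg": "user alice logged out"},
]


def demo_tamper():
    """Build a chain, then alter one event in a copy: verification names the altered record."""
    chain = build_chain(SAMPLE_EVENTS)
    tampered = copy.deepcopy(chain)
    tampered[1]["event"]["msg"] = "user alice idle"
    return verify_chain(chain), verify_chain(tampered)


if __name__ == "__main__":
    print(demo_tamper())   # (None, 1)
```

One caveat a reviewer should raise: a chain like this does not detect truncation from the tail, so the latest tag must also be anchored somewhere the host cannot rewrite (for example, periodically forwarded to a separate collector), which is exactly the "accessible for forensic investigation" property the verification step asks about.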

Asset Management
Key Focus: Identifying and managing the full lifecycle of all information assets within
ensuring visibility and control over assets.
Checklist:

Is there a comprehensive and up-to-date asset inventory that covers hardware, software, and cloud assets?

Are assets categorized by their sensitivity, criticality, and ownership (e.g., high-value vs low-value assets)?

Is there a process for onboarding and offboarding assets, including decommissioning and secure disposal?

How are assets tagged or marked for easy tracking (e.g., using RFID, barcoding, or automated tools)?

Security Focused Questions:

How are asset discovery tools (e.g., network scanning, automated discovery systems) used to detect rogue or unmana

Are all endpoints (servers, workstations, IoT devices) visible to the IT/security teams, and are they monitored continuo

Are mobile devices and remote assets accounted for in the asset inventory?

How is software asset management handled, especially with respect to licensing and tracking unauthorized software i

Verification by customer:

Review the asset inventory on a regular basis.
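The "rogue or unmanaged assets" question is answered by reconciling the inventory with what discovery actually sees on the network. The following added example (not from the original checklist and not tied to any discovery tool) matches constructed inventory and scan records on MAC address and separates unmanaged, stale and merely offline assets; the 30-day stale threshold and all sample records are assumptions.

```python
"""Added example: reconcile an asset inventory with discovery-scan results (constructed data)."""
from datetime import date

AUDIT_DATE = date(2024, 6, 1)   # constructed audit date
STALE_AFTER_DAYS = 30           # assumed: an asset unseen this long needs follow-up


def norm_mac(mac):
    """Canonical lower-case, colon-separated form so 'AA-BB-..' and 'aa:bb:..' match."""
    return mac.replace("-", ":").lower()


def reconcile(inventory, discovered, today=AUDIT_DATE):
    """Return unmanaged (seen on the network, absent from inventory), stale (inventoried,
    not seen, last_seen older than the threshold), offline (inventoried, not seen, but
    recently known) and the count of assets matched on MAC address."""
    seen = {norm_mac(d["mac"]): d for d in discovered}
    known = {norm_mac(a["mac"]): a for a in inventory}
    unmanaged = [(seen[m]["ip"], m, seen[m]["hostname"]) for m in seen if m not in known]
    stale, offline, matched = [], [], 0
    for mac, asset in known.items():
        if mac in seen:
            matched += 1
        elif (today - asset["last_seen"]).days > STALE_AFTER_DAYS:
            stale.append(asset["asset_id"])
        else:
            offline.append(asset["asset_id"])
    return {"unmanaged": unmanaged, "stale": stale, "offline": offline, "matched": matched}


# Constructed inventory and discovery output (not real assets).
INVENTORY = [
    {"asset_id": "A-001", "hostname": "ws-14", "mac": "AA:BB:CC:00:00:01",
     "owner": "alice", "last_seen": date(2024, 5, 30)},
    {"asset_id": "A-002", "hostname": "lab-03", "mac": "aa:bb:cc:00:00:02",
     "owner": "lab", "last_seen": date(2024, 3, 1)},
    {"asset_id": "A-003", "hostname": "lt-07", "mac": "aa-bb-cc-00-00-03",
     "owner": "bob", "last_seen": date(2024, 5, 28)},
]
DISCOVERED = [
    {"ip": "10.0.0.14", "mac": "aa:bb:cc:00:00:01", "hostname": "ws-14"},
    {"ip": "10.0.0.77", "mac": "FF:FF:FF:11:22:33", "hostname": "unknown"},
]


def sample_reconciliation():
    return reconcile(INVENTORY, DISCOVERED)


if __name__ == "__main__":
    for category, items in sample_reconciliation().items():
        print(f"{category}: {items}")
```

Keeping "offline" separate from "stale" avoids flooding the review with laptops that were simply away at scan time, while still surfacing entries that have not been seen for a long period and should be decommissioned or re-verified.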

Home and Mobile Working


Key Focus: Implement secure mobile access and enforce strong security controls on
Checklist:

MDM Solutions: Is mobile device management enforced for personal and corporate devices?

Data Encryption on Mobile: Are communications and data on mobile devices encrypted?

Mobile Security Policies: Are policies for secure mobile use documented and enforced?

Security Focused Questions:

How are lost or stolen devices managed?

Is mobile app usage controlled, and are apps regularly assessed for security?

Verification by customer:

Review MDM logs and policies on mobile data protection.

Inspect how the organization handles mobile app risks.

Remote Working
Key Focus: Secure remote access to company systems, ensuring compliance with in
policies.
Checklist:

Secure Access (VPN, MFA): Is VPN access enforced for remote users, and is MFA required?

Remote Device Management: Are corporate devices remotely monitored and updated?

Zero Trust Policies: Are remote devices treated as untrusted, requiring regular authentication?

Security Focused Questions:

Are remote sessions logged and monitored for abnormal activity?

How are remote devices secured and managed?

Verification by customer:

Review VPN logs and remote access policies.

Check device management configurations for security enforcement.
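For "Review VPN logs" and "monitored for abnormal activity", here is an added example (not from the original checklist and not based on a specific VPN product's log format) that reviews constructed session records for two common findings: sessions established without MFA, and a user appearing from two countries within a window too short for real travel. The two-hour window, the key=value line format and every record are assumptions; the addresses are from documentation ranges.

```python
"""Added example: review constructed VPN session records for missing MFA and rapid country changes."""
from datetime import datetime, timedelta

MAX_TRAVEL_WINDOW = timedelta(hours=2)   # assumed: two countries inside this window is suspicious

# Constructed session records (not from any real VPN concentrator).
SAMPLE_VPN_LOG = """\
2024-06-01T08:00:00Z user=alice src=203.0.113.10 country=GB mfa=yes result=success
2024-06-01T09:15:00Z user=alice src=198.51.100.7 country=BR mfa=yes result=success
2024-06-01T10:00:00Z user=bob src=203.0.113.22 country=GB mfa=no result=success
2024-06-01T10:30:00Z user=carol src=203.0.113.40 country=GB mfa=yes result=success
2024-06-01T10:31:00Z user=dave src=192.0.2.9 country=GB mfa=no result=failure
2024-06-01T23:00:00Z user=carol src=198.51.100.90 country=DE mfa=yes result=success
"""


def parse_sessions(text):
    """Turn key=value lines into dicts with a parsed timestamp."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        rec = dict(p.split("=", 1) for p in pairs)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        sessions.append(rec)
    return sessions


def review_sessions(sessions, window=MAX_TRAVEL_WINDOW):
    """Return (user, timestamp, reason) for each session that needs analyst attention."""
    findings = []
    last_by_user = {}
    for s in sorted(sessions, key=lambda r: r["ts"]):
        if s["result"] != "success":
            continue                      # failed attempts are a separate review
        user = s["user"]
        if s["mfa"] != "yes":
            findings.append((user, s["ts"].isoformat(), "session established without MFA"))
        prev = last_by_user.get(user)
        if prev and prev["country"] != s["country"] and s["ts"] - prev["ts"] <= window:
            mins = int((s["ts"] - prev["ts"]).total_seconds() // 60)
            findings.append((user, s["ts"].isoformat(),
                             f"country changed {prev['country']}->{s['country']} within {mins} min"))
        last_by_user[user] = s
    return findings


def sample_findings():
    return review_sessions(parse_sessions(SAMPLE_VPN_LOG))


if __name__ == "__main__":
    for user, when, reason in sample_findings():
        print(f"{when} {user}: {reason}")
```

A successful session without MFA is itself evidence that the "is MFA required" control is not enforced for every path, which is why it is reported even when nothing else about the session looks unusual.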

Removable Media Controls


Key Focus: Limit the use of removable media to prevent data breaches or malware in
Checklist:

Media Restrictions: Is the use of USB drives and other removable media restricted by policy or technical controls?

Media Encryption: Is sensitive data stored on removable media encrypted?

Media Monitoring: Are devices that connect to the network monitored for unauthorized access?

Security Focused Questions:

Are unauthorized devices blocked from accessing the network?

How is data on removable media tracked and secured?

Verification by customer:

Review endpoint protection policies regarding removable media.

Check if encryption is enforced on all removable devices.

Malware Protection
Key Focus: Protect against malware through proactive measures, ensuring systems
infections.
Checklist:

Endpoint Protection Solutions: Is EDR (Endpoint Detection and Response) deployed, and is it regularly updated?

Malware Signature Updates: Are malware signatures and behavioral detection methods updated regularly?

Web Filtering: Are suspicious websites blocked, and are downloads scanned?

Quarantine Policies: Are infected machines isolated from the network to prevent spread?

Security Focused Questions:

How are new malware strains detected and managed?

Is user access to high-risk websites restricted by policy or filtering?

Verification by customer:

Review malware detection logs and check for timely responses.

Inspect web and email filtering controls for effectiveness.
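The verification step "review malware detection logs and check for timely responses" amounts to pairing each detection with the first containment action and measuring the gap. The block below is an added example (not from the original checklist and not the log format of any specific EDR product) that does this over constructed log lines; the one-hour containment SLA, the event names and every record are assumptions.

```python
"""Added example: measure detection-to-containment time from constructed EDR-style log lines."""
from datetime import datetime

SLA_SECONDS = 60 * 60                       # assumed: contain infected hosts within an hour
RESPONSE_EVENTS = {"quarantine", "isolation"}

# Constructed log lines in a key=value style; not output of any specific product.
SAMPLE_LOG = """\
2024-06-01T08:00:12Z host=ws-14 event=detection id=D-101 name=Trojan.Generic
2024-06-01T08:05:40Z host=ws-14 event=quarantine id=D-101 action=file_removed
2024-06-01T09:10:00Z host=srv-02 event=detection id=D-102 name=Ransom.Locker
2024-06-01T11:30:00Z host=srv-02 event=isolation id=D-102 by=analyst
2024-06-01T12:00:00Z host=ws-33 event=detection id=D-103 name=PUA.Adware
"""


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_responses(log_text, sla_seconds=SLA_SECONDS):
    """Return {detection id: {host, name, seconds, status}} where status is
    'contained', 'sla_breach' or 'no_response'."""
    detections, responses = {}, {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["event"] == "detection":
            detections[rec["id"]] = rec
        elif rec["event"] in RESPONSE_EVENTS:
            responses.setdefault(rec["id"], rec)   # keep the earliest response
    report = {}
    for did, det in detections.items():
        resp = responses.get(did)
        if resp is None:
            report[did] = {"host": det["host"], "name": det["name"],
                           "seconds": None, "status": "no_response"}
            continue
        secs = int((resp["ts"] - det["ts"]).total_seconds())
        status = "contained" if secs <= sla_seconds else "sla_breach"
        report[did] = {"host": det["host"], "name": det["name"],
                       "seconds": secs, "status": status}
    return report


def sample_report():
    return review_responses(SAMPLE_LOG)


if __name__ == "__main__":
    for did, row in sample_report().items():
        print(f"{did} on {row['host']}: {row['status']} ({row['seconds']} s)")
```

Detections with no matching response are reported as their own category rather than dropped, since an open detection that never reached quarantine is the case the customer most needs to see.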
