The Ransomware Readiness Assessment questions are based on the NIST Cybersecurity Framework (NIST CSF). The following table lists each question together with the NIST CSF subcategory it takes into account (a blank or "N/A" entry means no subcategory was mapped for that question).
| Q. No. | Question | NIST CSF Ref |
|---|---|---|
| Q.01 | Have all the locations of storage for your organization's critical information/data been identified? (This includes, but is not limited to, removable media, cloud storage, system servers, internal networks and partners.) | ID.AM-3 |
| Q.02 | How does your organization track the IT equipment and devices it owns? | ID.AM-1 |
| Q.03 | Has your organization established different levels of data protection according to its sensitivity? | ID.AM-5 |
| Q.04 | Does your organization have software/application restrictions in place that prevent the execution of unapproved/malicious programs? | ID.AM-1 |
| Q.05 | How well does your organization keep up with trends in security vulnerabilities in its systems, and how does it address them? | ID.GV-3 |
| Q.06 | How confident are you that your organization has a good overall understanding of its information asset lifecycle (including third-party agreements), including provisions for securing and protecting information and for securely removing, transferring and decommissioning assets and/or data? | ID.GV-3 |
| Q.07 | How does your organization manage risks, including cyber security risks and third-party exposure? Is there a risk register that captures and monitors these risks? | PR.AT-3 |
| Q.08 | Are you confident that your organization is aware of the existing internal and external cyber security risks and threats it faces, and is ready to handle them according to their relative importance? | ID.GV-4 |
| Q.09 | Does your organization have a formal process for managing the lifecycle of user accounts, including creation, verification, revocation and periodic review, for authorized devices, users and processes? | PR.AC-1 |
| Q.10 | How do users authenticate when connecting remotely to your environment? | PR.AC-7 |
| Q.11 | Does your organization manage remote access (such as VPN), including management of user accounts, in a way that monitors and records any security events? | PR.AC-3 |
| Q.12 | Are you confident that your organization only gives people, including external partners, the access they need to the systems and data required to perform their activities? | PR.AC-1 |
| Q.13 | How does your organization make sure that its mission-critical systems and any other important systems are segmented from the rest of your IT environment? | PR.AC-2 |
| Q.14 | Does your organization require additional protection, such as multi-factor authentication, that adds an extra layer of security to verify the identity of users trying to access any of your critical systems, networks or information (whether on or off site)? | PR.AC-1 |
| Q.15 | Does your organization restrict the use of privileged accounts? | |
| Q.16 | Does your organization have a cyber security awareness program? If yes, does it specifically cover phishing and social engineering training? And do you have a reporting mechanism that is used by your employees? | PR.AT-1 |
| Q.17 | How confident are you that all service accounts and employees (or any other parties) who have access to the systems, networks and applications of your company use secure passwords? | PR.DS-5 |
| Q.18 | Are you confident that your organization has the right capabilities (e.g., processes, tools, devices and security controls) to prevent and detect malicious activities within your environment? | PR.AC-3 |
| Q.19 | Does your organization utilize a hardened Standard Operating Environment or Gold Disks, and are these reviewed and updated on a regular basis? | PR.IP-1 |
| Q.20 | Does your organization have security mechanisms/filters, such as a proxy or web filter, to prevent malicious traffic from communicating externally? | PR.PT-4 |
| Q.21 | Does your organization have security mechanisms/filters to reduce and detect malicious activity via email, such as phishing attacks? | PR.PT-4 |
| Q.22 | Does your organization provide remote access via Remote Desktop (RDP)? | PR.AC-3 |
| Q.23 | Have you limited the use of Microsoft Office macros? | N/A |
| Q.24 | How are operating systems patched? And to what schedule? | RS.AN-5 |
| Q.25 | How are applications patched? And to what schedule? | RS.AN-5 |
| Q.26 | Does your organization have a formalized process for triaging information on detected events of potentially suspicious activity? | DE.AE-1 |
| Q.27 | Does your organization employ a centrally managed anti-malware solution to prevent and detect malware infections on your systems? | DE.CM-3 |
| Q.28 | Does your organization use host-based and network-based intrusion detection technologies to monitor your environment for anomalies in real time? | PR.PT-4 |
| Q.29 | Where relevant, i.e. where third parties have direct access to your networks, systems or data, what measures are taken to minimize the cyber security risk inherited from your suppliers? | DE.CM-6 |
| Q.30 | Does your organization conduct vulnerability scans across your environment on a regular basis? | ID.AM-4 |
| Q.31 | Does your organization routinely perform penetration tests on your IT environment? | DE.CM-6 |
| Q.32 | Does your organization have measures in place to monitor, alert on and record any security events (i.e. attempted unauthorized access or other unusual behavior) on your key systems and networks, and to make sure they are brought to the attention of the right people? | DE.CM-3 |
| Q.33 | Do you think your organization is prepared to respond effectively to a cyber security incident? | PR.IP-8 |
| Q.34 | Is your organization prepared to respond to an emergency situation, such as one which affects your most critical systems? | ID.BE-4 |
| Q.35 | How does your organization test and update response plans? Does the testing include relevant suppliers and third parties? | RS.RP-1 |
| Q.36 | Does your organization have a regular backup process for critical systems and information? Is the restoration process regularly tested? | ID.BE-5 |
| Q.37 | Does your organization have a business continuity plan? Is it subject to periodic testing, including relevant suppliers and third parties, and upon significant changes in the environment? | ID.BE-5 |
| Q.38 | Does your organization possess, and has it tested, the right technologies and processes to recover critical systems affected by a security event? | ID.BE-5 |
| Q.39 | How does your organization test and update recovery plans? Does the testing include relevant suppliers and third parties? | ID.BE-5 |
| Q.40 | If one of your organization's critical systems is affected by a cyber-attack, do you know which stakeholders should be contacted? | ID.BE-1 |
| Q.41 | Do you have insurance policies that may assist in the case of a ransomware/cyber-attack, and are these reviewed regularly? | N/A |