Cyberwatching GDPR Risk Temperature Tool

Identification
Self-assessment
Vulnerability assessment

* Value required to continue the assessment.

- I have read and understood the Privacy Policy *

- I have read and understood the Terms of use *

A - Company Name *

B - Email *

Cancel

* Value required to continue the assessment.

C - How good do you think your company's IT security is? Please choose from 1 to 7, where 1 is “not secured” at all and 7 is “totally secured”.

D - How dependent is your company on IT systems? Please choose from 1 to 7, where 1 is “not dependent” and 7 is “highly dependent”.

E - How do you consider the knowledge of the employees of the company about cyber security terms? Please choose from 1 to 7, where 1 is “there is no knowledge” and 7 is “high level of knowledge”.

* Value required to continue the assessment.

1 - Are there any planned specific or refresher courses about cyber security?

Training courses aimed at increasing staff knowledge and awareness of issues such as the use of IT resources and the risks arising from such use are essential in order to prevent and mitigate IT risk. For example, in Italy, only 43.6% of companies state that they provide courses related to IT securitySource: “Rapporto clusit 2020” , although the need for such courses is widely recognized.

1.1 - To whom are these courses directed?

2 - In your company are there any staff members with cyber security competencies?

The ICT security manager has the task of defining the security policy of the information system and assessing the risks associated with the use of specific IT tools. The ICT security manager should be distinguished from the IT operator, who carries out operational functions of maintenance and support of information systems.

3 - In your company is there one (or more) best practices/cyber security framework?

ISO 27001 is a standard that defines the requirements for setting up and managing an information security management system. The purpose of this certification is to protect data and information by ensuring its integrity, confidentiality and availability. It sets out the requirements for an ISMS aimed at the proper management of sensitive company data.
There are also numerous best practices that, unlike ISO 27001, do not require certification such as the Open Web Application Security Project (OWASP), NIST sp 800-53 and the Control Objectives for Information and related Technology (COBIT).

4 - What percentage of staff have administrative rights to company systems?

Administrative rights, and in general any kind of user rights, means that the holder can take potentially harmful actions, such as:

The voluntary or involuntary application of changes that may reduce the level of network security.
The introduction of malware that may adopt potentially harmful changes.
The theft of access credentials which, with administrative rights, would allow for full use by the abductor.

To increase security accordingly, it is necessary to limit the assignment of administrative rights to what is strictly necessary, ensuring that the privileges assigned are in line with each user's corporate responsibilities and tasks.

Administrative rights, and in general any kind of user rights, means that the holder can take potentially harmful actions, such as:

The voluntary or involuntary application of changes that may reduce the level of network security.
The introduction of malware that may adopt potentially harmful changes.
The theft of access credentials which, with administrative rights, would allow for full use by the abductor.

Administrative rights, and in general any kind of user rights, means that the holder can take potentially harmful actions, such as:

The voluntary or involuntary application of changes that may reduce the level of network security.
The introduction of malware that may adopt potentially harmful changes.
The theft of access credentials which, with administrative rights, would allow for full use by the abductor.

5 - What kind of Acceptable Use and Access authorization policies are adopted?

An Acceptable Use Policy (AUP) defines the acceptable and unacceptable uses of the company's information resources and IT equipment (computers, wireless devices, telephones, etc.). An appropriate and well-structured policy clarifies the criteria adopted with regard to privacy, user responsibility and personal use of company resources, as well as clarifying the consequences in case of violation. The authorization policies determine the different levels of access to information. An information management system determines whether, when and to which parts of a company’s database, the employees are allowed access. These controls define the access to critical information of the company.

6 - How does authentication to login into the company’s network work?

A user authentication policy can be used to ensure that only certain people can access certain resources in your organisation. User authentication policies are designed to ensure that the person requesting sensitive information and data is authorised to access that information.

7 - How often is it required to change of the password for access to the company’s network and to the company’s resources?

A frequent change of password improves security of the company’s network and resources.

8 - How oftenIn case of intermediate frequencies choose the closest response (e.g. if it is performed every 5 months then choose a six-monthly frequency). If it is done bimonthly, then choose quarterly. do you subject your systems to a Vulnerability Assessment and then apply a Remediation Plan?

The Vulnerability Assessment (VA) aims to bring out all the critical points and possible vulnerabilities of the IT infrastructure and network from a security point of view. The VA ends with a report containing the detected vulnerabilities with their respective severity. But the VA alone is a useless document if it is not accompanied by appropriate corrective actions (where necessary), therefore the execution of a Remediation Plan that is consistent with the results obtained from the assessment is also very important. This operation should ideally be carried out on a monthly frequency.

9 - Is an Intrusion Detection System in place?

Intrusion detection systems are used to protect the company’s network against suspicious network traffic and attempts to access database files. These systems are equipped with monitoring tools that are placed in the most vulnerable points of the company's network. The system is equipped with scanning software that knows the most common methods of cyber-attack and monitoring software that examines events as they occur for possible ongoing threats.

10 - How often is a full backup performed?

10.1 - What type of backup is performed for files that have been modified between full backups?

10.1.1 - How often is an incremental or differential backup performed?

Backup is an activity of prevention and protection of your data. Having a backup means having a copy of your data and therefore being able to recover it in case of problems in the computer system. Making intermediate backups (incremental or differential) between full backups allows you to keep your backups up to date at all times.

11 - Are there firewalls to protect the devices?

A firewall is a combination of hardware and software that controls incoming and outgoing network traffic. Usually it stands between the internal private network and unreliable external networks. It can also be used to protect part of a company's internal network from the rest of the infrastructure.
It acts by examining each user's credentials before allowing them access to the network, thus preventing any unauthorised communication entering and leaving the network.