1. Do you know exactly what IT assets your organisation has?
2. Do users of the IT assets administered by you have access to privileged accounts?
3. Are the users of the IT assets administered by you allowed to install any software?
4. Are automatic startup and playback of external data carriers disabled on workstations in your organisation?
5. Do you regularly update the software currently used in your organisation?
6. Does your organisation have and use antivirus and antimalware?
7. Do you regularly monitor the log files and the incidents regarding your system?
8. Is using mobile devices allowed in your organisation?
8.1 Has an appropriate policy been implemented for encrypting device drives and other storage media?
8.2 Do you allow employees who work remotely to use a VPN?
8.3 Has an action policy been created and implemented in case equipment is stolen or lost?
9. Do you create backups as part of protecting valuable data?
10. Are backups protected?
11. Has your organisation adopted a procedure for destroying data carriers?
12. Is a procedure for destroying data carriers provided and implemented in your organisation?
13. Does your organisation use a firewall?
14. Do you monitor the network of your organisation?
15. Have you considered centralisation and the introduction of DNS filtering?
16. Do you separate security domains?
17. Do your organisation's employees use more than one information asset?
18. Is two-factor authentication implemented in your organisation?
19. Does your organisation use email to communicate?
19.1 Do you know who has access to email on the external hosting service and when?
19.2 Do you back up your mail?
19.3 Do you encrypt messages?
19.4 Do you take steps to protect your e-mail server?
19.5 Do you take steps to allow users to verify the sender of the message?
19.6 Are you aware of how much downtime your contract with the third party hosting provider allows?