Comprehensive assessment to identify vulnerabilities and get actionable recommendations

How do you primarily store customer/personal data?
Do you classify data based on sensitivity (e.g., financial, health, personal)?
Is sensitive data separated from non-sensitive data?
Do you use encryption for data at rest and in transit?
How often do you review and update your data storage practices?

What type of access control do you use?
How often are user access rights reviewed?
Do you enforce least privilege (users only get the access they need)?
Are administrator/root accounts separately monitored?
Do you have procedures for promptly revoking access when staff leave?

How often do you back up data?
Where are backups stored?
Do you encrypt your backups?
How often do you test restoring from backups?
Do you maintain multiple backup versions (in case one is corrupted)?

How often do staff receive training on data protection/cybersecurity?
Do you train staff to recognize phishing or suspicious activity?
Is there a designated Data Protection Officer or security lead?
Do you provide refresher training after policy or law changes (e.g., NDPA, GDPR)?
Do you evaluate the effectiveness of staff training (e.g., quizzes, monitoring incidents)?

Do you have a documented incident response plan?
How often is the plan reviewed and updated?
Have you tested the plan with a simulated breach?
Do you have pre-drafted templates for customer/regulator notifications?
Is there a clear chain of command for breach response (who does what)?

How do you handle software updates and patches?
How quickly are security patches applied?
Do you track and retire unsupported/end-of-life software?
Do you keep an inventory of all software and systems in use?
Are updates tested before deployment to avoid disruptions?