Dated: 12-11-2024

Ch02: How to Determine the Security Posture of an Organization

  • Information security policy?
  • Organization security culture and tone at the top?
  • Clearly designated responsibility for security?
  • How many staff are in the security team (10%), and what are their roles?
  • Security hardening done on IT assets?
  • Which standard is used for hardening?
  • Internal vulnerability management (VM) program?
  • Frequency of VM scanning?
  • Licensed software for OS/DB/programs?
  • When was the last penetration test conducted by a 3rd party?
  • Maturity of system security policies pushed through AD/Group Policy?
  • DR and/or backup site?
  • When was the last time a DR drill was performed?
  • Is internal software developed? (Secure - SDLC)
  • What is the mechanism to take backups of IT assets and to test backups?
  • What is the maturity of access control for users and admins?
  • Regular audits of access control?
  • What type of security controls are implemented on transactional systems such as mobile banking or internet banking (e.g. 2FA)?
  • Is critical data in the organization encrypted?
  • How do you protect test data?
  • What is the mechanism to perform security accreditation of new applications or systems?
  • Is security embedded in critical business processes?
  • Is there a business continuity and DR policy / mechanism?
  • Which security standard or framework is followed for governance?
  • Internal security awareness program?
  • Maturity of change management and incident management?
  • Is there a board steering committee for information security?

  • Note: the implementers of the security measures are often not the ones giving the best answers
  • Auditors and the compliance team should also be queried
  • Important question: have there been any recent incidents?