• Deploy offsite or cloud backups for all critical data and systems
• Assure those critical systems, applications and processes can recover in 10 days or less

Recommended but not required: 

• Use backups that continuously test restore to a virtual machine
• Use “immutable backups” that cannot be changes

• Deploy Multi-factor Authentication (MFA) for all admin access and on any remote access

Recommended but not required: 

• At least annually, do security awareness training for all employees
• At least annual training for executives and key accounting on fraudulent transfer schemes

• If you use a cloud provider to store data and host applications, ensure they are large, reputable, and have proper controls. (AWS, Azure, Google)
• Use MFA to secure all cloud provider services 
• Encrypt all sensitive and confidential data on your systems and networks 
• Where that is not possible, segment servers with sensitive and confidential data and put in place access control with role-based assignments 
• Remove all remote access to your networks or use MFA to secure all remote access, including any RDP

• Deploy Multi-factor Authentication (MFA) for all admin access and privileged accounts
• Deploy MFA on any remote access, including any RDP connections
• Use a reputable and trusted MFA provider (Ask an InfoAdvisor™ for recommendations)
• Use an MFA type that is ideally not SMS or push-based 
• Ensure that your MFA configuration is set up such that the compromise of a single device will only compromise a single authenticator
• Deploy a privileged account management software (Ask an InfoAdvisor™ for recommendations)
• Monitor all administrator access for unusual behavior patterns

• Deploy hardened baseline configurations across all servers, laptops, desktops, and managed mobile devices
• Record and track all software and hardware assets deployed across the networks

• Deploy offsite or cloud backups for all critical data and systems
• Assure those critical systems, applications and processes can recover in 10 days or less
• Use backups that continuously test restore to a virtual machine to assure the integrity and viability of the backups
• Encrypt your backups
• Use “immutable backups” that cannot be changes

• Use protective DNS to block access to known malicious websites (Ask an InfoAdvisor™ for recommendations)

• Remove all local admin rights from all non-IT users
• Remove the ability to run Microsoft Office Macro-enabled documents on their system by default
• Use endpoint application isolation and containment technology on all endpoints

• If the applicant is a retailer, restaurant, or online retailer, deploy end-to-end or point-to-point encryption on all point-of-sale (POS) terminals

Recommended but not required: 

• Encrypt all sensitive information at rest
• Encrypt all sensitive information on mobile devices & laptops

• Deploy an endpoint detection and response (EDR) solution

Recommended solutions include:

• Use an EDR solution that provides for centralized monitoring and logging of all endpoint activity across your enterprise
• Enforce application whitelisting/blacklisting
• Deploy EDR across 100% of endpoints, including mobile devices and BYOD, if they can access the corporate network

• At least annually, do security awareness training for all employees that include social engineering and phishing simulation
• At least annual training for executives and key accounting on fraudulent transfer schemes