A professional, high-value cybersecurity readiness consultation for business owners, executives, IT managers, and operations leaders who want to understand their technical risk, business impact, compliance readiness, and next best security step.
Cybersecurity is not only an IT issue. A security incident can interrupt operations, expose sensitive data, affect customers, delay projects, create cyber insurance problems, and damage business reputation.
OC Security Audit provides a free initial onsite cybersecurity consultation to help Orange County businesses understand where risk may exist across the IT environment and which security areas should be reviewed first.
This page is focused on the consultation itself. For broader security services, visit Network and Data Security, Security Audits, Compliance Consulting, or Virtual CISO.
Every business environment is different. During the consultation, OC Security Audit can review your business concerns, IT environment, security priorities, and likely exposure areas at a high level.
The purpose is to help you understand whether your organization may need a deeper cybersecurity risk assessment, network vulnerability assessment, firewall security audit, Microsoft Office 365 audit, Azure cloud security audit, or IT security consulting.
- Routers, switches, wireless, VPN access, segmentation, network design, exposed services, and whether your internal environment may need a deeper internal network security review.
- Firewall rules, NAT, remote access, site-to-site VPNs, SSL inspection, logging, rule cleanup, and whether a network firewall security assessment is appropriate.
- Active Directory, Microsoft Entra ID, privileged accounts, MFA, conditional access, password policy, stale accounts, group memberships, and account control audit priorities.
- DNS records, public web servers, cloud-hosted systems, remote access portals, externally reachable assets, and the need for an external security audit.
- Endpoint protection, EDR/XDR visibility, device management, alert handling, suspicious activity, and endpoint security maturity.
- Email security, Microsoft 365 access, cloud identity, Azure configuration, admin roles, audit logging, and cloud security hardening through Microsoft 365 Email Security and Microsoft Azure Security.
- Backup strategy, restore testing, redundancy, fault tolerance, ransomware recovery planning, business continuity, and Business Continuity & Disaster Recovery.
- Event logs, alerting, uptime visibility, security monitoring, performance issues, suspicious activity, and whether AI-powered threat detection could improve visibility.
- Escalation, communication, access revocation, evidence handling, recovery coordination, and whether automated incident response or incident response and digital forensics planning is needed.
A technical weakness becomes a business problem when it affects revenue, operations, client trust, compliance readiness, contracts, insurance, productivity, or reputation.
During the consultation, we help leadership and IT teams connect technical findings to business impact. That may include downtime risk, data exposure, account compromise, ransomware recovery, vendor security reviews, client security requirements, cyber insurance expectations, or audit preparation.
The consultation is structured to provide useful direction without turning the first meeting into a confusing technical audit. We focus on context, risk, priorities, and the right next step.
1. We learn about your business, users, locations, cloud systems, critical applications, data, and current concerns.
2. We review high-level concerns around network, identity, firewalls, cloud, endpoints, backups, monitoring, and compliance readiness.
3. We identify likely exposure areas and determine whether deeper technical testing or documentation review is needed.
4. We help separate urgent risks from lower-priority issues so leadership can make better security decisions.
5. We recommend the right next step, such as an audit, risk assessment, compliance readiness review, or vCISO advisory support.
The consultation may point toward a focused technical service when your environment needs a deeper review. OC Security Audit supports businesses with cybersecurity risk management, AI-powered cybersecurity, AI-driven vulnerability management, security audits, firewall assessments, cloud reviews, and ongoing advisory services.
If your business handles sensitive data or receives vendor security questionnaires, cyber insurance requests, client audit questions, or regulatory requirements, the consultation can help identify which readiness areas deserve attention.
- Discuss email protection, MFA, secure access, monitoring, and Microsoft 365 security controls. Learn more about Microsoft 365 Email Security.
- Discuss administrative, technical, and physical safeguards, risk assessment needs, and readiness gaps. See HIPAA Compliance, HIPAA Risk Assessment, and the Free HIPAA Security Checklist.
- Discuss control review, gap analysis, documentation support, and preparation for PCI-DSS, SOC 2, NIST, ISO/IEC 27000, or CMMC 2.0.
OC Security Audit brings technical depth, executive communication, and practical cybersecurity assessment experience to businesses in Orange County, Irvine, Los Angeles, and Southern California.
With 25+ years of experience under the management of Ali Hassani, OC Security Audit has worked on dozens of business networks across Southern California. The team’s professional background includes certifications and experience associated with CISSP, CCISO, MCSE, MCSA Security, MCITP, CCNA, CCNP, and related IT/security disciplines.
Our goal is to help make your network and data more secure while supporting stronger compliance readiness, better risk management, and clearer business decision-making.
Yes. OC Security Audit offers a free initial onsite or virtual consultation to help Orange County businesses discuss cybersecurity concerns, risk areas, business impact, and possible next steps.
No. The free consultation is an initial review and discussion. A complete security audit, vulnerability assessment, firewall audit, Microsoft 365 audit, Azure audit, compliance readiness review, or formal report would be separately scoped if needed.
We can discuss these areas at a high level during the consultation and identify whether a deeper technical review is appropriate. The consultation may cover routers, switches, firewalls, VPNs, Active Directory, Microsoft Entra ID, DNS, public web servers, endpoint protection, EDR/XDR, monitoring, backup, disaster recovery, and incident response controls.
Yes. OC Security Audit can help with compliance readiness, gap analysis, control review, documentation support, and preparation services for areas such as HIPAA, PCI-DSS, SOC 2, NIST, ISO/IEC 27000, and CMMC 2.0. The consultation itself is not a certification, attestation, legal opinion, or regulatory determination.
Business owners, executives, IT managers, compliance leaders, office managers, operations leaders, or anyone responsible for technology risk, client security requirements, cyber insurance, or business continuity can benefit from the discussion.
That is exactly why the consultation exists. You do not need to know whether you need a firewall audit, Microsoft 365 security review, vulnerability assessment, compliance readiness review, incident response planning, or vCISO support before contacting us.
OC Security Audit will help you understand your environment, your concerns, your business impact, and your best next step.
Use this cybersecurity readiness worksheet to help OC Security Audit prepare for a more useful consultation. The questions cover your website, public DNS, network infrastructure, routers, switches, firewalls, VPN, servers, virtualization, Microsoft 365, Azure, AWS, Google Cloud, email security, Active Directory, backup, disaster recovery, SIEM, EDR, XDR, MDR, compliance readiness, and business risk.
| Category | Item | Description / Question | Yes | No | Not Sure | Risk / Impact | Notes / Details |
|---|---|---|---|---|---|---|---|
| Business & Consultation Contact Information | | | | | | | |
| Business Profile | Company name | What is the legal or operating name of the business? | Text response | | | High | Company name |
| Business Profile | Business website | What is the main public website URL for the business? | Text response | | | High | https:// |
| Business Profile | Primary business location | What city and state is the primary location? | Text response | | | Medium | City, State |
| Business Profile | Number of locations | How many physical offices, warehouses, clinics, branches, or sites does the company operate? | Text response | | | Medium | Example: 1 office, 3 branches, 1 warehouse |
| Business Profile | Primary contact | Who should OC Security Audit contact for this free onsite cybersecurity consultation? | Text response | | | High | Name of primary contact |
| Business Profile | Contact title | What is the title or role of the primary contact? | Text response | | | Medium | Owner, CEO, COO, IT Manager, Office Manager, Compliance Manager, etc. |
| Business Profile | Contact email | What is the best email address for scheduling and follow-up? | Text response | | | High | email@company.com |
| Business Profile | Contact phone | What phone number should OC Security Audit use to reach the contact? | Text response | | | High | Phone number |
| Business Profile | IT manager or technical contact | Who manages IT, network, cloud, servers, security, or support? | Text response | | | High | Internal IT, MSP, consultant, IT manager name, or “None” |
| Business Profile | Approximate user count | How many employees, users, or active accounts are supported? | Text response | | | High | Example: 25 users, 75 users, 250 users |
| Business Profile | Consultant / auditor | Cybersecurity consultation provider. | Text response | | | Low | OC Security Audit |
| Website, Hosting, Public DNS & Internet-Facing Resources | | | | | | | |
| Website & Public DNS | Website hosting provider | Who hosts the business website? | Text response | | | Medium | GoDaddy, WP Engine, AWS, Azure, Cloudflare, Bluehost, in-house, not sure |
| Website & Public DNS | Website platform | What platform or CMS is used for the website? | Text response | | | Medium | WordPress, Shopify, custom, Wix, Webflow, Drupal, other, not sure |
| Website & Public DNS | DNS registrar | Who is the public domain registrar? | Text response | | | Medium | GoDaddy, Namecheap, Network Solutions, Cloudflare Registrar, etc. |
| Website & Public DNS | Authoritative DNS provider | Who hosts public DNS records for the domain? | Text response | | | Medium | Cloudflare, GoDaddy DNS, Microsoft, AWS Route 53, DNSMadeEasy, etc. |
| Website & Public DNS | Web application firewall | Is there a WAF or website protection service in front of the website? | | | | High | Cloudflare WAF, Sucuri, Akamai, AWS WAF, Azure Front Door, Wordfence, other |
| Website & Public DNS | DDoS protection | Is there DDoS protection for the website or public services? | | | | Medium | Provider, plan, or unknown |
| Website & Public DNS | Public web servers | Does the company host public-facing web servers or portals? | | | | High | List public web servers, portals, customer logins, admin portals, or remote access portals |
| Website & Public DNS | Exposed services | Are RDP, VPN, SSH, FTP/SFTP, database ports, admin portals, or other services accessible from the internet? | | | | High | List known exposed services or “Not sure” |
| Website & Public DNS | SSL/TLS certificates | Are SSL/TLS certificates tracked, renewed, and monitored? | | | | Medium | Certificate provider, expiration monitoring, or unknown |
| Website & Public DNS | Website backups | Is the website backed up and restorable? | | | | Medium | Backup provider, retention, restore testing, or unknown |
| Network Infrastructure, Sites, Routers, Switches & Wireless | | | | | | | |
| Network Infrastructure | Environment type | Is the IT environment mostly local/on-premises, cloud-based, or hybrid? | Text response | | | High | Local, cloud, hybrid, not sure |
| Network Infrastructure | Physical sites | How many physical sites are connected to the network? | Text response | | | High | Offices, branches, warehouses, clinics, remote sites |
| Network Infrastructure | Data centers / server rooms | Does the company operate a data center, server room, MDF, IDF, or network closet? | | | | Medium | Number of rooms/closets and location details |
| Network Infrastructure | Routers | How many routers are in use? | Text response | | | Medium | Quantity, vendor, models if known |
| Network Infrastructure | Switches | How many switches are in use? | Text response | | | Medium | Quantity, vendor, managed/unmanaged, PoE, core/access |
| Network Infrastructure | Network segmentation | Are VLANs or network segmentation used? | | | | High | Describe user, server, voice, guest, Wi-Fi, camera, IoT, or management VLANs |
| Network Infrastructure | Guest Wi-Fi | Is guest Wi-Fi separated from internal business systems? | | | | Medium | SSID names, isolation method, captive portal, or unknown |
| Network Infrastructure | Wireless access points | How many wireless access points are used and who manages them? | Text response | | | Medium | Vendor, controller/cloud management, number of APs |
| Network Infrastructure | Firmware patching | Are routers, switches, access points, and network devices kept current with firmware updates? | | | | High | Patch cadence, responsible party, last known firmware update |
| Network Infrastructure | Network documentation | Are network diagrams, IP ranges, VLANs, firewall zones, and site connections documented? | | | | High | Where documentation is stored and last updated |
| Firewalls, VPN, Remote Access & Perimeter Security | | | | | | | |
| Firewall & VPN | Firewall vendor and model | What firewall brand, model, and subscription services are in use? | Text response | | | High | Fortinet, Palo Alto, SonicWall, Cisco, Meraki, Sophos, WatchGuard, Ubiquiti, etc. |
| Firewall & VPN | Firewall high availability | Is firewall redundancy or HA configured? | | | | High | Active/passive, active/active, dual WAN, failover method |
| Firewall & VPN | Firewall rule review | Are firewall rules reviewed, cleaned up, and documented regularly? | | | | High | Last review date, process, responsible person |
| Firewall & VPN | IDS/IPS | Is intrusion prevention or intrusion detection enabled on the firewall or network? | | | | Medium | IDS/IPS subscription, monitoring, tuning, or unknown |
| Firewall & VPN | Geo-blocking / security filtering | Are geo-blocking, web filtering, DNS filtering, or threat filtering enabled? | | | | Medium | Describe enabled security services |
| Firewall & VPN | Remote access VPN users | How many users have VPN or remote access? | Text response | | | High | Number of VPN users, admin users, vendors, contractors |
| Firewall & VPN | VPN MFA | Is MFA required for VPN or remote access? | | | | High | MFA provider and coverage |
| Firewall & VPN | Site-to-site VPNs | Are there site-to-site VPN tunnels or private circuits between locations/clouds? | | | | Medium | Number of tunnels, connected locations/clouds, vendors |
| Firewall & VPN | Firewall logs | Are firewall logs collected, retained, monitored, or forwarded to SIEM? | | | | High | Retention period, SIEM/log platform, alerting owner |
| Servers, Hypervisors, Virtualization, Redundancy & Failover | | | | | | | |
| Servers & Virtualization | Physical servers | How many physical servers are in use? | Text response | | | High | Quantity, location, purpose, OS, hardware age |
| Servers & Virtualization | Virtualization platform | What hypervisor or virtualization platform is used? | Text response | | | High | VMware, Hyper-V, Proxmox, Nutanix, KVM, other, none, not sure |
| Servers & Virtualization | Hypervisors | How many hypervisor hosts are being managed? | Text response | | | High | Number of hosts, cluster details, versions |
| Servers & Virtualization | Virtual machines | How many virtual machines are managed? | Text response | | | High | Approximate VM count and critical workloads |
| Servers & Virtualization | Critical applications | Which servers or applications are business-critical? | Text response | | | High | ERP, EMR, accounting, file server, SQL, domain controllers, line-of-business apps |
| Servers & Virtualization | Redundancy | Is redundancy configured for critical servers, storage, internet, firewall, or cloud systems? | | | | High | Technology used for redundancy and systems covered |
| Servers & Virtualization | Failover | Is there tested failover for critical systems? | | | | High | Failover method, RTO/RPO, last test date |
| Servers & Virtualization | Server patching | Is there a documented server patching system and schedule? | | | | High | WSUS, Intune, SCCM/MECM, RMM, manual, third-party tool |
| Servers & Virtualization | Performance monitoring | Are server performance, storage, CPU, memory, and availability monitored? | | | | Medium | Monitoring platform, alert recipients, escalation process |
| Servers & Virtualization | End-of-life systems | Are any servers, operating systems, hypervisors, or applications end-of-life? | | | | High | List known unsupported systems or “Not sure” |
| Cloud Services, Microsoft Azure, AWS, Google Cloud & SaaS | | | | | | | |
| Cloud Services | Microsoft Azure | Does the company use Microsoft Azure? | | | | High | Subscriptions, tenants, workloads, virtual machines, storage, networking, identity |
| Cloud Services | AWS | Does the company use Amazon Web Services? | | | | Medium | Accounts, workloads, EC2, S3, RDS, IAM, networking |
| Cloud Services | Google Cloud | Does the company use Google Cloud Platform? | | | | Medium | Projects, workloads, storage, IAM, networking |
| Cloud Services | Other cloud providers | Are other cloud platforms or hosted services used? | | | | Medium | Oracle Cloud, DigitalOcean, Linode, private cloud, hosted ERP, SaaS platforms |
| Cloud Services | Cloud admin access | Are cloud administrator roles reviewed and protected with MFA? | | | | High | Admin users, role review frequency, emergency accounts |
| Cloud Services | Cloud logging | Are cloud logs enabled, retained, and monitored? | | | | High | Azure Monitor, Defender, AWS CloudTrail, GuardDuty, GCP logs, SIEM forwarding |
| Cloud Services | Cloud backups | Are cloud workloads and cloud data backed up? | | | | High | Backup method, retention, restore testing, responsible party |
| Cloud Services | SaaS inventory | Is there a documented list of SaaS applications used by the business? | | | | Medium | CRM, HR, accounting, file sharing, ticketing, project management, etc. |
| Email, Microsoft 365, Spam Filtering & Email Backup | | | | | | | |
| Email Security | Email hosting provider | Who hosts the company email system? | Text response | | | High | Microsoft 365, Google Workspace, Exchange, hosted provider, other |
| Email Security | Microsoft 365 tenant | Does the company use Microsoft 365 for email, Teams, SharePoint, or OneDrive? | | | | High | Tenant details, license types, admin owner, or unknown |
| Email Security | Google Workspace | Does the company use Google Workspace? | | | | Medium | Admin owner, license types, security settings, or unknown |
| Email Security | Spam filtering | What spam filtering, phishing protection, or secure email gateway is used? | Text response | | | High | Microsoft Defender, Proofpoint, Mimecast, Barracuda, Avanan, Ironscales, etc. |
| Email Security | SPF, DKIM, DMARC | Are SPF, DKIM, and DMARC configured for the domain? | | | | High | Policy status, reject/quarantine/none, reporting, or unknown |
| Email Security | Email MFA | Is MFA enforced for email and cloud accounts? | | | | High | All users, admins only, conditional access, exceptions |
| Email Security | Mailbox auditing | Is mailbox auditing, forwarding review, and suspicious rule monitoring enabled? | | | | High | Audit settings, alerting, reviewed by whom |
| Email Security | Email backup | Are Microsoft 365, Google Workspace, or Exchange mailboxes backed up separately? | | | | High | Backup provider, retention, restore testing |
| Email Security | External email warning | Are external sender banners, anti-impersonation, or phishing warnings enabled? | | | | Medium | Tools and coverage |
| Email Security | Public DNS email records | Who manages DNS records related to email security? | Text response | | | Medium | SPF, DKIM, DMARC, MX, autodiscover, MTA-STS, TLS-RPT, DNS host |
| Active Directory, Microsoft Entra ID, Users, Devices & Group Policy | | | | | | | |
| Identity & Access | Active Directory | Does the company use on-premises Active Directory? | | | | High | Forest/domain names, version, sites, or unknown |
| Identity & Access | Domain controllers | How many domain controllers are in use? | Text response | | | High | Number, physical/virtual, locations, OS versions |
| Identity & Access | Microsoft Entra ID | Does the company use Microsoft Entra ID / Azure AD? | | | | High | Hybrid sync, cloud-only, identity provider, or unknown |
| Identity & Access | Client computers | How many desktops, laptops, and workstations are managed? | Text response | | | High | Approximate number, Windows/Mac/Linux split |
| Identity & Access | Domain-joined devices | How many devices are domain-joined, Azure AD joined, or hybrid joined? | Text response | | | Medium | Approximate counts and join type |
| Identity & Access | Group Policy | Are Group Policy Objects used to manage security settings? | | | | High | Password policy, lockout, firewall, drive mapping, security baselines |
| Identity & Access | Admin accounts | Are administrator accounts separate from standard user accounts? | | | | High | Privileged access model, local admin controls, emergency accounts |
| Identity & Access | Password policy | Is there a documented password and account lockout policy? | | | | Medium | Length, complexity, expiration, lockout, MFA, passphrases |
| Identity & Access | User access reviews | Are user accounts and permissions reviewed regularly? | | | | High | Frequency, owners, privileged users, disabled accounts |
| Identity & Access | Onboarding / offboarding | Is there a documented onboarding and offboarding procedure? | | | | High | HR/IT workflow, access requests, termination process, checklist |
| Identity & Access | Service accounts | Are service accounts documented and reviewed? | | | | High | Owners, purpose, password rotation, privileges, interactive login restrictions |
| Endpoint Security, Antivirus, EDR, XDR, MDR & Device Management | | | | | | | |
| Endpoint Security | Antivirus / endpoint protection | What antivirus or endpoint security platform is used? | Text response | | | High | Microsoft Defender, SentinelOne, CrowdStrike, Sophos, Bitdefender, ESET, etc. |
| Endpoint Security | EDR | Is EDR deployed on servers and endpoints? | | | | High | Tool name, coverage percentage, alert owner |
| Endpoint Security | XDR | Is XDR used across endpoint, email, cloud, identity, or network data? | | | | Medium | Tool name, integrations, monitoring owner |
| Endpoint Security | MDR / SOC | Is MDR, SOC, or outsourced alert monitoring used? | | | | High | Provider, hours of coverage, escalation process |
| Endpoint Security | Device management | Are endpoints centrally managed? | | | | High | Intune, RMM, SCCM/MECM, Jamf, NinjaOne, ConnectWise, Kaseya, etc. |
| Endpoint Security | Disk encryption | Are laptops and mobile devices encrypted? | | | | High | BitLocker, FileVault, MDM enforcement, recovery key storage |
| Endpoint Security | Local admin rights | Are users restricted from local administrator rights? | | | | High | Exceptions, approval process, privilege management tools |
| Endpoint Security | Patch management | Is workstation and third-party application patching centrally managed? | | | | High | Tool, cadence, reporting, exceptions |
| Backup, Restore Testing, Disaster Recovery & Business Continuity | | | | | | | |
| Backup & DR | Server backups | Are all critical servers backed up? | | | | High | Backup platform, frequency, systems covered |
| Backup & DR | Endpoint backups | Are critical workstations or executive laptops backed up? | | | | Medium | Tool, coverage, retention |
| Backup & DR | Cloud/SaaS backups | Are Microsoft 365, Google Workspace, cloud storage, and SaaS data backed up? | | | | High | Backup provider, covered services, retention |
| Backup & DR | Offsite backups | Are backups stored offsite, immutable, or in a separate cloud/account? | | | | High | Offsite location, immutable storage, air gap, separate credentials |
| Backup & DR | Restore testing | Are test restores performed and documented? | | | | High | Last restore test, systems tested, success/failure notes |
| Backup & DR | Backup retention | What are the backup retention policies? | Text response | | | High | Daily/weekly/monthly/yearly retention, legal retention, compliance needs |
| Backup & DR | RTO / RPO | Are recovery time objectives and recovery point objectives defined? | | | | High | Target downtime and acceptable data loss by system |
| Backup & DR | Disaster recovery plan | Is there a documented disaster recovery plan? | | | | High | Plan owner, last update, last test, critical dependencies |
| Backup & DR | Business continuity plan | Is there a business continuity plan for operations during an outage? | | | | Medium | Manual workarounds, alternate locations, communication process |
| Monitoring, Logging, SIEM, Alerting & Performance Visibility | | | | | | | |
| Monitoring & Logging | Monitoring platform | What platform monitors servers, network devices, cloud, or endpoints? | Text response | | | Medium | PRTG, SolarWinds, Datadog, Zabbix, RMM, Azure Monitor, CloudWatch, etc. |
| Monitoring & Logging | SIEM | Is a SIEM or centralized logging platform used? | | | | High | Microsoft Sentinel, Splunk, QRadar, Elastic, LogRhythm, Wazuh, etc. |
| Monitoring & Logging | Log retention | How long are security and system logs retained? | Text response | | | High | 30 days, 90 days, 1 year, compliance requirement, unknown |
| Monitoring & Logging | Alert response | Who receives and responds to security and performance alerts? | Text response | | | High | Internal IT, MSP, SOC/MDR, manager, after-hours process |
| Monitoring & Logging | Firewall log monitoring | Are firewall logs reviewed or monitored for suspicious activity? | | | | High | Frequency, SIEM forwarding, alerting, owner |
| Monitoring & Logging | Authentication logs | Are failed logins, risky sign-ins, MFA failures, and admin activity monitored? | | | | High | Entra ID, AD, VPN, firewall, SIEM |
| Monitoring & Logging | Performance issues | Are recurring performance, storage, internet, or availability issues tracked? | | | | Medium | Known issues, ticketing system, monitoring reports |
| Phone System, Voice, Collaboration & Communication Services | | | | | | | |
| Voice & Collaboration | Phone provider | Who provides the business phone system? | Text response | | | Medium | RingCentral, Zoom Phone, Teams Phone, 8x8, Vonage, Comcast, Spectrum, on-prem PBX |
| Voice & Collaboration | Phone system type | Is the phone system cloud-hosted, on-premises, or hybrid? | Text response | | | Medium | Cloud VoIP, PBX, SIP trunk, Teams Phone, other |
| Voice & Collaboration | Voice network separation | Is voice traffic separated from data traffic? | | | | Medium | Voice VLAN, QoS, separate circuits, or unknown |
| Voice & Collaboration | Phone admin security | Are phone system administrator accounts protected with MFA and limited access? | | | | Medium | Admin users, MFA, audit logs |
| Voice & Collaboration | Communication continuity | Is there a plan if phones, internet, or collaboration systems are unavailable? | | | | Medium | Call forwarding, alternate numbers, backup internet, mobile workflow |
| Policies, Documentation, Compliance Readiness & Data Security | | | | | | | |
| Governance & Compliance | Cybersecurity policies | Does the company have written cybersecurity policies? | | | | High | Acceptable use, password, remote access, incident response, backup, data handling |
| Governance & Compliance | Data classification | Is sensitive data classified or labeled? | | | | Medium | Customer, patient, financial, employee, intellectual property, regulated data |
| Governance & Compliance | Sensitive data locations | Where is sensitive business data stored? | Text response | | | High | File shares, SharePoint, OneDrive, Google Drive, ERP, database, SaaS, laptops |
| Governance & Compliance | Compliance requirements | Which compliance, audit, or client security requirements apply? | Text response | | | High | HIPAA, PCI-DSS, SOC 2, NIST, ISO 27001, CMMC, cyber insurance, vendor questionnaire |
| Governance & Compliance | Vendor security questionnaires | Do customers, vendors, or insurance providers ask for security questionnaires? | | | | Medium | Frequency, responsible person, common requests |
| Governance & Compliance | Security awareness training | Do employees receive cybersecurity awareness or phishing training? | | | | Medium | Provider, frequency, completion tracking |
| Governance & Compliance | Asset inventory | Is there a current inventory of devices, servers, software, cloud services, and users? | | | | High | Tool, owner, last updated |
| Governance & Compliance | Change management | Is there a process for approving and documenting IT/security changes? | | | | Medium | Ticketing system, approvals, emergency changes |
| Incident Response, Cyber Insurance & Business Impact | | | | | | | |
| Incident Response | Incident response plan | Is there a documented cybersecurity incident response plan? | | | | High | Plan owner, steps, roles, last tested |
| Incident Response | Incident escalation | Do employees know who to contact during a suspected cybersecurity incident? | | | | High | Helpdesk, IT manager, executive, MSP, security provider |
| Incident Response | Prior incidents | Has the company experienced ransomware, business email compromise, malware, data loss, or unauthorized access? | | | | High | High-level summary, date, impact, response actions |
| Incident Response | Cyber insurance | Does the company have cyber insurance? | | | | Medium | Carrier, renewal date, security requirements, questionnaire status |
| Incident Response | Forensics readiness | Are logs, backups, endpoint data, and access records available for investigation if needed? | | | | High | Retention, tools, owners, gaps |
| Incident Response | Business downtime impact | What would happen if critical systems were unavailable for one business day? | Text response | | | High | Revenue, operations, client impact, patient/customer impact, contractual impact |
| Incident Response | Data loss impact | What would be the impact of losing or exposing sensitive data? | Text response | | | High | Legal, financial, customer, patient, reputation, compliance, operational impact |
| Incident Response | Top security concern | What is the company’s biggest cybersecurity concern right now? | Text response | | | High | Ransomware, email compromise, compliance, cloud security, insider risk, remote access, unknown |
Use this section for business goals, known security concerns, upcoming compliance deadlines, cyber insurance requirements, vendor security questionnaires, recent incidents, or areas you want reviewed first.
This worksheet helps clients understand the information OC Security Audit may discuss during a free onsite cybersecurity consultation.