Security Report Card

Automated backups & tested +1,
offsite +1,
encrypted +1
versioned controlled OR immutable +1,
our data in cloud services is also backed up +2

support contract OR spare in stock +1,
redundant power supplies +1,
redundant/trunked uplinks +1,
config backed up automatically +1,
monitored by an alerting server +1,
config changes result in an alert +2

Remote Access:
RDP port forward -5,
Filtered by Country or autoupdated blocklist +1,
includes method to prevent pw guessing +1
requires 2FA for ALL users +2,

own a product that tests onsite gear +1,
we contract professionals to test us +2,
management understands the risks +5

Employees don’t list their employer on social media +1
documented employee on-boarding includes privacy expectations +1,
we do yearly security training +1,
Cross training/people backups +1,
we have a competition and give out prizes +3

Email Filter:
SPF record set to strict +1,
Outgoing email is DKIM signed +1,
3rd party filtering service +2,
external email easily identified by banner or color +1,
Accounting checks before transferring any $ +2

Workstation Sec:
Antivirus installed & centrally controlled +1,
includes User Behavioural Analysis UBA +1,
Logs are collected centrally +1,
users are NOT local admin +2,
Local admin pw is complex & different per pc +1,
executable allow-list prevents unapproved programs from running +2

secure boot + Bios pw +1,
HDD encryption +1,
remote management and updates +1,
users are NOT local admin +2,
owned by employee -1

via SMS & SIM card has a PIN +1,
via App/hw token +2,
enabled for ALL cloud services +3

supported hardware getting regular updates +1,
updates installed weekly +1,
MDM installed +5,
owned by employees -1

0-10 You are a pushover for Hack-bots and script-kiddies. You are likely already compromised.
11-20 You are a prime target for the next big vulnerability
21-30 You are outrunning your peers but not the bear, your turn will come.
31-40 Congrats, you are above average. Keep up the good work.
41-50 You are likely a cyber-security provider. Confirm results with a security assessment and embarrass your competition.

based on this