We removed unsupported software

We apply application updates and patches when it's available.

We do vulnerability scans periodically.

We apply operating system patches regularly.

We replaced unsupported operating systems.

We do vulnerability scans periodically.

We deploy Multi-Factor Authentication (MFA) to online services that store sensitive data.

We educate users to use MFA to login into accounts that contain sensitive data.

We review MFA usage regularly.

There is a restriction on administrative privileges to operating systems and applications based on user duties.

We revalidate the need for privileges regularly.

We educate staff not to use privileged accounts to read emails and browse the web.

Users requiring privileged access have separate accounts for performing privileged and non-privileged actions.

There is a system to identify trusted software.

There is a policy or system implemented to control applications allowed in your organisation's network.

Prevent unauthorised applications from activating.

Disable macros from Office files received from the internet.

We only use macros from trusted locations.

Staff are educated to ignore and delete suspicious emails.

MS Office macros are disabled org-wide (exempting any user who requires to use macros).

We have disabled or removed Internet Explorer 11.

There is web browser configuration to block ads and Java on the internet.

Our web browser security settings cannot be changed by users.

We regularly backup our organisation's data.

We store backup data in a safe location.

There is restriction of unprivileged users from accessing the backups of other users.

We perform backup restore tests regularly.