The following questions are from the IASME Cyber Essentials readiness tool. For each question there is a likely answer you may find yourself giving, alongside clarification as to what IASME are looking for. If you have any queries please get in touch at sam.white@limito.co.uk or book in a meeting.
Scope of your evaluation
– Would this assessment cover the whole of your organisation?
“Yes, this assessment would cover the whole of the organisation”
The whole organisation in this instance is not Thresholds but your own entity as a facilitator, be it a Sole Trader or a Limited Company.
– Does the scope of your evaluation include end user devices (e.g. PCs, laptops, tablets and mobile devices that have interfaces used by people)?
“Yes”
Hardware or devices used by your organisation
– Does someone in your organisation have a list of all the hardware devices that you use, for instance types of laptops, smart phones, firewalls, routers?
“Yes – I have a list of all devices”
For a typical domestic set-up this list would only really consist of laptops/PCs, phones and the internet router.
– Do you use thin clients?
“I don’t know what a thin client is”
Almost certainly not. A thin client is just a very basic computer/laptop that only functions when connected to a network, with its files and programs held on a central server. If you are saving files to your device itself, it is not a thin client.
– Do you own or rent servers ?
“No”
Unless of course you do, in which case you’d know about it due to the effort and money involved!
Software and firmware used by your organisation
– Do you have a list of all software / firmware used on devices within your organisation?
“Yes, I hold a list of all software / firmware used on devices within the organisation.”
Software being the apps you install, and firmware being the specific software built into a piece of hardware (such as your router) that makes it run.
– Do you have any virtualisation infrastructure within your organisation?
“I don’t know”
Most likely no. Virtualisation is when you run one operating system within another operating system, for instance running a copy of Windows on your Mac.
– Do you have automatic update enabled on all your software?
“Yes”
To double check, you can use the search function on most devices (Command key and space bar on a Mac, Windows key and “S” on a Windows machine, or search within the Settings app on Android) and enter “Automatic Update”. On an iPhone it can be found under “Settings” -> “General” -> “Software Update”.
– Do you use software that is no longer in support?
“No”
Hopefully not, if automatic updates are enabled. Bear in mind that automatic updates only keep software current while its maker is still releasing updates; a program or operating system the maker has stopped updating is out of support regardless of that setting.
Boundary devices
– Do you have a firewall (or router with a firewall) between your business network and the internet?
“Yes, I have some form of protection between the internet and my network”
Almost all routers provided by Internet Service Providers come with firewalls enabled. If you have your own router please consult the person who connected it.
– On your firewalls and internet gateways – have you changed all the passwords away from the default passwords and are they difficult to guess and more than 8 characters?
“Yes, I have changed all my passwords to something that is not the default and is hard to guess”
Routers more recently provided by ISPs come with unique passwords that are at least 8 characters long. You usually find them printed on a sticker on the router. If the password is “password”, “admin” or similar it will need updating.
– If you thought the passwords were known (someone left and knew the password or something happened like the same password used elsewhere was discovered) would you know when and how to change it ?
“Yes, we have a password changing process in place”
Not a particularly common occurrence in a working-from-home/domestic setting, but stating you have a policy in place will be enough.
Accessible services from the internet
– Do you have services enabled that are accessible externally ?
“Probably not”
What’s meant by “services enabled” is an open “port” on your router that allows a connection from the internet into your home network. This has to be specifically configured and is not usually the case in a normal domestic setting. You can use this website to scan your network for open ports. You will need to enter your IP address, which you can find at the bottom of this page, into the “IP or Hostname” box and then click “scan target”. If it states that you have an open port, please download the report and email it to me at sam.white@limito.co.uk.
– Can you configure your internet routers or hardware firewalls over the internet ? This might be in place if you have a third party IT company managing those devices on your behalf.
“No they are not accessible”
Most domestic routers will not be configurable over the internet. If you have set up your own router not supplied by your ISP please consult the person who connected it.
– Have you configured your internet routers or your hardware firewalls to block all other services being advertised to the internet ?
“I would not know how to”
As with the previous questions, if you or someone else has set up your own router with specific settings you will either know, or will need to consult that person as to what has been configured. However, most domestic routers come configured with all firewall rules and blocks in place.
Cloud services
– Do you have a list of all the cloud services you use in your organisation?
“Yes”
These will consist of Microsoft 365, Google Drive, Dropbox and any other software-like services you access over the internet.
– Have you enabled MFA on all accounts to access all the cloud services that you use?
“Yes”
MFA (Multi-Factor Authentication) is when you are required to provide more than one type of proof of who you are when logging onto a service. Examples of factors include a password, a fingerprint, a face scan, or a code sent to a device, phone number or email address.
– Have you located and understood the ‘shared responsibility’ security arrangement for each of the cloud services you use?
“Where do I find that?”
In its simplest terms, the Shared Responsibility Model dictates that the cloud provider (such as Amazon Web Services (AWS), Microsoft Azure or Google Cloud Platform (GCP)) must monitor and respond to security threats related to the cloud itself and its underlying infrastructure, while you remain responsible for your own accounts, passwords and data within it. You can pretty much just say “yes” to this.
Secure configurations
– Have you been through the devices that you have and disabled the software that you don’t use?
“Yes we have disabled the software we don’t use”
This can involve either uninstalling or disabling the app. A more detailed guide can be found here.
– Have you ensured that all the accounts on your devices and cloud services are only those that are used as part of your day to day business ?
“Yes we only have accounts on there, which help us with our jobs”
This will not be checked and you simply have to respond with a yes, because Facebook is a totally valid business tool 🙂
– Is “AutoRun” or “AutoPlay” disabled on all of your systems ?
“I really don’t know”
To check on Windows, press the Windows key + “S”, type “autoplay” in the search bar and select “AutoPlay settings”. On a Mac, System Preferences > CDs & DVDs will allow you to change what happens when media is inserted into the optical drive (if you have one!).
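As an added check that is not part of the original guidance: on Windows the same AutoPlay setting can be verified from PowerShell by reading the registry values behind the Settings toggle and the machine-wide AutoRun policy, and turned off for the current user without admin rights. The function names are mine; it assumes a normal PowerShell session on Windows 10 or 11.

```powershell
# Added example (not from the original guidance): report whether AutoPlay/AutoRun
# is disabled on this Windows device by reading the two registry locations that
# control it. Function names are hypothetical.
function Test-AutoPlayDisabled {
    # Per-user value behind the "Use AutoPlay for all media and devices" toggle.
    # DisableAutoplay = 1 means the toggle is off (AutoPlay disabled).
    $userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    $userValue = (Get-ItemProperty -Path $userKey -Name DisableAutoplay `
                  -ErrorAction SilentlyContinue).DisableAutoplay

    # Machine-wide policy value: a bitmask of drive types on which AutoRun is
    # blocked. 0xFF (255) blocks AutoRun on every drive type.
    $policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $policyValue = (Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun `
                    -ErrorAction SilentlyContinue).NoDriveTypeAutoRun

    [pscustomobject]@{
        UserAutoPlayDisabled  = ($userValue -eq 1)
        PolicyBlocksAllDrives = ($policyValue -eq 255)
        # Either control on its own is enough to answer "yes" to the question.
        Compliant             = ($userValue -eq 1) -or ($policyValue -eq 255)
    }
}

# Turn AutoPlay off for the current user only (no administrator rights needed).
function Disable-AutoPlayForCurrentUser {
    $userKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers'
    New-Item -Path $userKey -Force | Out-Null
    Set-ItemProperty -Path $userKey -Name DisableAutoplay -Value 1 -Type DWord
}

$result = Test-AutoPlayDisabled
$result | Format-List
if (-not $result.Compliant) {
    Write-Host 'AutoPlay is still enabled; run Disable-AutoPlayForCurrentUser to turn it off.'
}
```

Re-run Test-AutoPlayDisabled after changing the setting (or after signing out and back in) to confirm Compliant reports True.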
– For mobile devices, do you set a locking mechanism on your devices to access the software and services installed? This might be a PIN, a password, a face scan or a fingerprint.
“Yes”
Use of Passwords
– Do you ensure that all default passwords on all devices are changed ?
“Yes we change all default passwords”
– Do you have something written down to advise all users how important it is to use different passwords for different systems?
“Yes”
I have drafted a rough Password Policy. Please contact Liza with regard to this.
– Do you make sure that each user requires their own username and password and there are no shared usernames / passwords?
“Yes, all users require a separate username and password to log onto the systems”
Please see the policy mentioned above
– Do you have something written down to advise all users about creating good passwords? Does your policy specify the technical controls to manage the quality of passwords used within your organisation? Does the policy include a process for when you believe that a password or an account has been compromised?
“Yes“
Please see the policy mentioned above
– Is there support in place to help employees choose unique passwords for their work accounts?
“Yes”
Please see the policy mentioned above
– Have you put measures in place to protect accounts against brute-force password guessing?
“What does brute force mean?”
Brute force is when someone or a bot attempts to log into your account by trying a different password each time (much like someone attempting to get cash out of an ATM with your card and having to try every combination of numbers until they get it right). If MFA has been enabled and you have created a secure password in accordance with the above policy, you can answer yes to this.
Protection against malware
– Are all of your computers, your laptops, and your mobile phones protected against malware by using one of these options? (Select the ones that apply.)
“Yes, I have anti-virus software installed”
User accounts
– Is there a process you follow in order to create a new user account?
“Yes we have a process which approves creation”
You are not administering your IT on behalf of anyone else, so you can answer yes to this.
– Have you a process for tracking user accounts of people who join or leave ?
“Yes, there is a process to record all the user accounts we have”
You are not administering your IT on behalf of anyone else, so you can answer yes to this.
– Is there a process that is followed before a member of staff is given an administrator account?
“Yes, we have rules in place for how administrator accounts are created and how they are used”
You are not administering your IT on behalf of anyone else, so you can answer yes to this.
– Do you have a process for ensuring that employees do not use administrator accounts for day to day activities such as browsing the internet and checking emails?
“Yes”
You are not administering your IT on behalf of anyone else, so you can answer yes to this.
Backing Up Data
– Do you have a system for backing up your organisational data?