H.O.P. GAP - Rsecure

Step 1 of 15 - Information

Company name*

Name*

First Last

Email*

HOP-001 What is the total headcount of your company?

Maturity*

Comment

HOP-002 Do you manage your IT infrastructure internally ?

Maturity*

Comment

HOP-003 Do you have someone at your company dedicated to security (CISO) ?

Maturity*

Comment

HOP-004 Do you carry out awareness security campaigns to make your users aware of the various IT risks?

Your users must follow awareness campaigns on the many risks present in IT, they must be regularly trained on new risks.

Maturity*

Comment

HOP-004.b How often are these campaigns done?

Indicate the frequency of campaigns.

Maturity*

Comment

HOP-005 Do your employees receive security awareness training on their first day ?

New users must complete IT security training on their first day.

Maturity*

Comment

HOP-006 Do you have a centralized inventory of your hardware assets in place ?

Maintain a centralized and regularly updated inventory of all physical assets containing information. This inventory must contain all the elements necessary to identify the assets and their owners.

Maturity*

Comment

HOP-007 Do you control the devices you provide to your employees?

When you provide devices to your employees, it is necessary to manage them to avoid data leaks and other problems.

Maturity*

Comment

HOP-008 Do you encrypt your company’s systems?

All of your company’s systems containing data must be encrypted to limit data theft or loss.

Maturity*

Comment

HOP-009 Can your employees access data from your company on their personal devices?

Control and manage all devices that connect to your network and have access to data.

Maturity*

Comment

HOP-010 Do you use an Asset Discovery Tool within your company?

Use an Asset Discovery tool on your network to identify connected devices and automatically update the inventory of hardware assets.

Maturity*

Comment

HOP-011 Do you have a centralized inventory of your software assets?

Maintain a centralized and regularly updated inventory of your software assets. This inventory allows to have a global vision of the softwares used within the company and allows managing them more easily.

Maturity*

Comment

HOP-012 Do you use a tool that tracks the installed software on company provided devices ?

Use a tool that allows you to track software installed and used in your company and to have an exhaustive list of the software used.

Maturity*

Comment

HOP-013 Are you blocking the installation of applications on company provided devices?

Employees must not have the right to install software and only network administrators have the right to install software.

Maturity*

Comment

HOP-014 How do you update the software installed on workstations?

Update your workstation software automatically and regularly.

Maturity*

Comment

HOP-014.b How often do you install updates?

Indicate the frequency of updates.

Maturity*

Comment

HOP-015 Do you use a secure configuration for hardware and software?

Maintain standard secure configuration documentation for all systems and softwares used.

Maturity*

Comment

HOP-016 Do you securely store your Master Images?

Company images and templates must be on a secure server to avoid changes and transfers.

Maturity*

Comment

HOP-017 Do you deploy System Configuration Management tools?

Deploy a System Configuration Management tool that will allow you to redeploy configuration parameters at regular intervals.

Maturity*

Comment

HOP-018 Do you protect your corporate email with email protection?

Use an email solution that protects your corporate email by filtering emails and blocking malicious emails.

Maturity*

Comment

HOP-019 Do you encrypt the communication of emails and attachments sent from your network?

Encrypt the communication of emails and attachments sent from your network so malicious people do not have access to this data.

Maturity*

Comment

HOP-020 Do you have installed an antivirus software on your company’s workstations and servers?

Use antivirus software on workstations and servers to prevent and block potential attacks.

Maturity*

Comment

HOP-020.b How is your antivirus solution managed ?

Maturity*

Comment

HOP-021 Have you configured a firewall to protect your network boundaries?

A firewall is a network security device that controls the incoming and outgoing network of your infrastructure. He can decide to authorize or block traffic according to the rules you set for him.

Maturity*

Comment

HOP-022 Do you install the latest stable version of any security-related updates on all network devices?

Install the latest stable updates on devices connected to your computer.

Maturity*

Comment

HOP-023 Have you implemented a monitoring tool in your network?

Use a network monitoring tool to detect security vulnerabilities and slowdowns in your network systems.

Maturity*

Comment

HOP-024 Do you segment your network based on sensitivity?

Segment your IT infrastructure into several sub-networks called VLAN (Virtual Local Area Network), which improve the speed and security of a network.

Maturity*

Comment

HOP-025 Have you deployed intrusion detection systems on your network?

Use an Intrusion Detection System (IDS) on your network to identify and block inappropriate connections.

Maturity*

Comment

HOP-026 In the case of telework, how do your users access your computer network?

Use a secure connection when making a remote connection to the company’s network, such as a Virtual Private Network (VPN).

Maturity*

Comment

HOP-027 Have you created a separate wireless network for personal and guest devices?

Create a separate network for personal connections and guest devices so as not to use the company’s local network.

Maturity*

Comment

HOP-028 Do you monitor unauthorized connections across trusted network boundaries?

Perform a regular scan from outside each boundary of your trusted network to detect unauthorized connections.

Maturity*

Comment

HOP-029 Have you implemented Access Control within your company?

Define access control in your company to secure and manage physical access to your buildings and logical access to your information systems.

Maturity*

Comment

HOP-030 Have you set up Conditional Access Control (blocking access from certain geolocation, certain hours, etc…)?

Set up a conditional access in place to control the devices connecting to your network, managing working hours, locations, etc…

Maturity*

Comment

HOP-031 Do you define Access Control based on "need to know" principle?

Define an access control based on the principle of "need to know" according to which the user of an information system only access information that is necessary for his work.

Maturity*

Comment

HOP-032 To connect to your IT asset are your collaborators using a Multi-Factor Authentication?

Use Multi-Factor Authentication (MFA) when connecting remotely, accessing assets or infrastructure.

Maturity*

Comment

HOP-033 Do you maintain an inventory of administrative accounts?

Maintain an inventory of your network administrator accounts.

Maturity*

Comment

HOP-034 Do you ensure the use of dedicated administrative accounts?

Each administrator must have an administrator account assigned to them and must only use the native account in an emergency.

Maturity*

Comment

HOP-035 Do you disable unassociated accounts?

Deactivate user accounts not associated with a person in order to have a better traceability.

Maturity*

Comment

HOP-036 Do you review all access regularly?

Review your users' accesses on a regular basis to avoid privilege elevations, improperly associated privileges, and party access.

Maturity*

Comment

HOP-036.b How often is the access review done?

Indicate the frequency of the review.

Maturity*

Comment

HOP-037 Do you perform vulnerability scan within your network?

Establish a vulnerability analysis of your IT infrastructure in order to learn about the vulnerabilities present and subsequently reduce these security vulnerabilities.

Maturity*

Comment

HOP-037.b How often are the scans done?

Indicate the scan frequency you are performing.

Maturity*

Comment

HOP-038 Do you perform a penetration test to verify the security of your network?

Set up a full penetration test of your infrastructure in order to learn about vulnerabilities in your network and to remedy them during an action plan.

Maturity*

Comment

HOP-038.b How often are the penetration tests done?

Indicate the penetration test frequency you are performing.

Maturity*

Comment

HOP-039 Do you conduct a regular safety cybersecurity audit of your network?

The cybersecurity audit allows you to identify risks and potential vulnerabilities in your company’s security system.

Maturity*

Comment

HOP-039.b How often are the audit done?

Indicate the audit frequency you are performing.

Maturity*

Comment

HOP-040 Do you scan the open and closed ports of your network?

Scan open and closed ports in your network frequently to detect infiltration access points and identify devices running on the network.

Maturity*

Comment

HOP-041 How often are the scan done?

Indicate the scan frequency you are performing.

Maturity*

Comment

HOP-042 Do you have a data backup system in place?

Set up a backup system to restore your systems in the event of a cyber incident.

Maturity*

Comment

HOP-042.b What system are backed up?

Maturity*

Comment

HOP-042.c How often do these backups occur?

Set the frequency of your file backups.

Maturity*

Comment

HOP-047 Are you completely testing your backups systems?

When performing backups of your systems, it is necessary to test those backups to see if they are working properly and can be deployed later.

Maturity*

Comment

HOP-047.b How often do these test occur?

Maturity*

Comment

HOP-048 Are the backups of your systems stored securely?

Ensure that your backup files are always at least an offline destination inaccessible by your network.

Maturity*

Comment

HOP-049 Do you keep logs of all system events?

Keep your systems logs and events to understand how your infrastructure and components work, analyze and diagnose them to respond accordingly.

Maturity*

Comment

HOP-050 Are the logs stored securely?

Securely store your log and event files.

Maturity*

Comment

HOP-051 Have you centralized log management?

It is recommended to centralize your logs and event files in a single interface in order to have a global view.

Maturity*

Comment

HOP-052 Do you develop applications?

If you are developing applications within your company, it is necessary to answer the following questions.

Maturity*

Comment

HOP-053 Do you establish secure coding practices?

Develop applications using secure coding best practices to reduce vulnerabilities and better protect against attacks.

Maturity*

Comment

HOP-054 Do you only use up to date and trusted third-party components?

Use only trusted, updated third-party components when developing applications.

Maturity*

Comment

HOP-055 Do you only use standardized and extensively reviewed encryption algorithms?

Use only standardized encryption algorithms and avoid using company-specific encryption algorithms. Non-standardized algorithms can introduce risks of being decrypted.

Maturity*

Comment

HOP-056 Do you use a production system separate from the non-production system?

It is necessary to maintain distinct environments for production and non-production systems when developing. Developers should not have access to production environments without being monitored.

Maturity*

Comment

HOP-057 Do you use standard reinforcement configuration models for databases?

When developing applications based on a database, use standard reinforcement configuration templates.

Maturity*

Comment

HOP-058 Have you defined an IT charter defining what employees are entitled to do with IT assets?

Defining an IT charter makes it possible to set the rules for the use of IT tools made available by employees, and to provide for sanctions in case of violation of these rules.

Maturity*

Comment

Document name

Document last validation date

HOP-059 Have you defined an Information Security Management policy?

Define a Information Security Management Policy that explains how IT assets and resources should be used, managed or protected.

Maturity*

Comment

Document name

Document last validation date

HOP-060 Have you defined an Asset Management policy?

Define an Asset Management policy that identifies the roles and responsibilities of the assets.

Maturity*

Comment

Document name

Document last validation date

HOP-061 Have you defined an Acceptable Use policy?

Define an Acceptable Use policy explaining the constraints and practices a user must accept to access an enterprise network.

Maturity*

Comment

Document name

Document last validation date

HOP-062 Have you defined an Identify and Access Control policy?

Define a Identify and Access Control policy describing the types of electronic identities used for systems and applications.

Maturity*

Comment

Document name

Document last validation date

HOP-063 Have you defined a password policy?

Define a password policy that includes a set of rules to improve the difficulty of passwords and thus improve the security of the IS.

Maturity*

Comment

Document name

Document last validation date

HOP-064 Have you defined a cryptography policy?

Defining a cryptographic policy ensures the security of data in information and communication systems.

Maturity*

Comment

Document name

Document last validation date

HOP-065 Have you defined a Physical Access Security policy?

Define a Physical Access Control policy explaining your employees' restrictions and access to areas or buildings.

Maturity*

Comment

Document name

Document last validation date

HOP-066 Have you defined a Personnel Security policy?

Define a Personnel Security policy describing how to protect your company’s network.

Maturity*

Comment

Document name

Document last validation date

HOP-067 Have you defined a Secure Development policy?

Define a Secure Development policy describing the best practices to be implemented when developing applications in a secure manner and thus security vulnerabilities.

Maturity*

Comment

Document name

Document last validation date

HOP-068 Have you defined a Change Management policy?

Define a Change Management policy explaining the practices to be implemented to minimize the risk associated with the changes.

Maturity*

Comment

Document name

Document last validation date

HOP-069 Have you defined a Patch Managment policy?

Define a Patch Management policy explaining the steps and procedures to manage and mitigate vulnerabilities in your infrastructure through a documented patch process.

Maturity*

Comment

Document name

Document last validation date

HOP-070 Have you defined a Business Continuity Plan?

Define a Business Continuity Plan (BCP) describing the processes to be implemented during an incident in the company and the recovery processes.

Maturity*

Comment

Document name

Document last validation date

HOP-071 Have you defined an Information Backup policy?

Define a Data Backup policy describing the rules and procedures to be implemented during backup copies.

Maturity*

Comment

Document name

Document last validation date

HOP-072 Have you defined a Security Incident Response policy?

Define a Security Response policy to the incident explaining the steps to be taken in the event of an incident.

Maturity*

Comment

Document name

Document last validation date

HOP-073 Have you defined a Third-Party Security policy?

Define a Third-Party Security policy expressing the security of the use of third-party products and services.

Maturity*

Comment

Document name

Document last validation date

HOP-074 Have you defined an Homeworking policy?

Define an Homeworking policy to bring together the procedures to oversee the delivery of work by your employees outside the usual places of work.

Maturity*

Comment

Document name

Document last validation date

HOP-075 Have you defined a Data Loss Prevention policy?

Setting a Data Loss Prevention (DLP) policy helps protect your organization’s data.

Maturity*

Comment

Document name

Document last validation date

HOP-076 Have your employees signed off on these policies?

All of your employees must be aware of your company’s policies, and must read and approve each of them.

Maturity*

Comment

HOP-077 Have you defined an Incident Response plan?

Establishing an Incident Response plan ensures that, in the event of a security breach, appropriate personnel and procedures are in place to effectively defend against the threat.

Maturity*

Comment

Document name

Document last validation date

HOP-077.b How often do you test it?

Indicate the test frequency.

Maturity*

Comment

HOP-078 Have you defined an Information Classification?

Define a Classification of Information in which you assess the data you hold and the level of protection that must be granted to it.

Maturity*

Comment

Document name

Document last validation date

HOP-079 Have you defined a Risk Assessment Process?

Define a Risk Assessment process to identify and prepare for potential risks and thereby reduce the consequences and ensure the security of information systems.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.