The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene under “A.8 Backup: Back up essential data” to ensure that the organisation’s essential data is backed up and stored securely.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under “A.8 Backup: Back up essential data” to ensure that the organisation’s essential data is backed up and stored securely.

The organisation has established and implemented automated backup processes to ensure that the backup tasks are carried out without fail and without the need for human intervention.

The organisation has established and implemented backup plan(s) on the types, frequency and storage of backups to ensure that there is clarity of the steps to be taken to backup business-critical data in the organisation.

The organisation has established and implemented the use of technology solutions for data backup and recovery, and the solutions implemented are appropriate and recognised in the industry to ensure that it can carry out reliable data backup and restoration.

The organisation has established and implemented policies and procedures to segregate personal and work-related data in the organisation within BYOD to prevent disclosure and loss of confidential and/or sensitive data.

The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene under “A.6 Secure/Protect: Secure configuration” and “A.7 Update: Software updates” to ensure that the hardware and software use secure and updated settings.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under “A.6 Secure/Protect: Secure configuration” and “A.7 Update: Software updates” to ensure that the hardware and software use secure and updated settings.

The organisation has performed monitoring on updates and patches installed to ensure that any impact or adverse effects can be identified and rectified promptly.

The organisation has defined and applied a process to ensure secure configurations are applied across all systems, servers, operating systems and network devices.

The organisation has defined and applied a log management process to store and classify the different types of logs securely to ensure that they can be used to troubleshoot effectively.

The organisation has defined and applied a patch management process to test and install the updates and patches securely to ensure that there are no adverse effects.

The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene under “A.4 Secure/Protect: Virus and malware protection” to ensure that there is security protection against malicious software such as virus.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under “A.4 Secure/Protect: Virus and malware protection” to ensure that there is security protection against malicious software such as virus.

The organisation has established and implemented the use of virus and malware protection solution(s) that is/are appropriate and recognised in the industry with features such as real-time malware detection and email protection e.g., DMARC, to ensure that it/they can protect the organisation adequately.

The organisation has established and implemented web filtering to protect the organisation from malicious websites.

The organisation has defined and applied the process to isolate and contain the virus and/or malware upon confirmation of attack to ensure minimal spread and damage caused.

The organisation has defined and applied the process to run codes or applications of unknown origin within an isolated testing environment to test for the presence of virus and/or malware prior to their use in the working environment.

The organisation has established and implemented security guidelines and requirements in its system and/or application development. Examples include: – secure coding; – secure management of API keys; – reviewing the security posture of third-party software, including open source; and – adhering to best practices and/or standards to ensure that it adheres to the security principles. NOTE – In Singapore, the Safe App Standard provides guidance on implementing essential security controls and best practices for mobile app development.

The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene under “A.5 Secure/Protect: Access control” to ensure that there are cybersecurity measures in place over who has access to the data and assets.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under “A.5 Secure/Protect: Access control” to ensure that there are cybersecurity measures in place over who has access to the data and assets.

The organisation performs regular role matrix review at least on an annual basis on the systems to ensure that the roles commensurate with the activities the employee, contractor and/or third party is allowed to perform.

The organisation has defined and implemented a process to approve and follow up on account access and role matrix reviews to ensure that unauthorised entry is rectified and signed off.

The organisation has defined and applied a process to ensure that employees are assigned roles based on the principle of least privilege and segregation of duties.

The organisation has established and implemented a secure log-on policy and procedure outlining the requirements, guidelines and detailed steps for gaining access to sensitive and/or business-critical data, as well as privileged access to ensure that the access is controlled and restricted.

The organisation has established and implemented service-level agreements with its third parties to ensure that the third party meets the commitments and expectations on cybersecurity while providing services.

The organisation has established a vulnerability assessment plan with objectives, scope and requirements to review and perform vulnerability assessments on its systems.

The organisation performs regular vulnerability assessments, at least annually, to conduct non-intrusive scans on its systems to ensure that vulnerabilities are discovered.

The organisation has identified the physical/environmental risks in its environment and implemented detective measures to be alerted to threats to ensure that they are addressed promptly.

The organisation has taken measures to protect its physical assets against internal and external threats, e.g., using cable locks to prevent theft or tampering.

The organisation has implemented physical security measures on its perimeters, e.g., fences and gates, to deter unauthorised access to the premises.

The organisation has defined and implemented a process to ensure that visitors are registered and authorised before accessing the premises.

The organisation has defined and implemented a process to monitor its premises 24/7, e.g., using CCTV, to deter and investigate physical/ environmental threats.

The organisation has defined and applied a process to store and transport physical media containing business-critical data securely within and outside its premises to ensure that confidential and/or sensitive data are protected.

The organisation has implemented practices to regularly communicate and update its employees on the cybersecurity processes, industry best practices and standards adopted to manage cybersecurity risks and measures to be taken to protect its information assets.

The organisation has configured and implemented access controls, e.g., whitelisting, blacklisting, on its network to enforce network security policy and ensure that unauthorised users and/or devices are kept out.

The organisation has established and implemented the use of stateful firewall over a basic packet-filtering firewall to ensure that packets are filtered with more context for greater effectiveness.

The network architecture and devices have been reviewed regularly, at least annually, to ensure they are up-to-date, without obsolete rules and protocols.

The organisation has defined and implemented a process to configure both wired and wireless networks securely, minimally using secure network authentication and encryption protocols and disabling Wi-Fi Protected Setup (WPS) to ensure that the network is secured and data is not lost or breached through the network.

The organisation has defined and implemented a process to carry out network segmentation to segregate networks into private and public networks, with the private network holding business-critical data and having no connection to the internet to ensure that it is isolated from external threats.

The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene under “A.9 Respond: Incident response” to ensure it is ready to detect, respond to and recover from cybersecurity incidents.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under “A.9 Respond: Incident response” to ensure it is ready to detect, respond to and recover from cyber incidents.

The organisation has defined and applied measures to verify contact details and ensure that employees involved in the cybersecurity incident response plan are contactable to ensure a prompt response. Functional groups that are typically involved include: – senior management; – incident response and/or cybersecurity team; – legal team; and – communications team.

The organisation has defined and applied the process to perform cyber exercises to ensure that stakeholders are involved and know what to do when an incident occurs to ensure that they are well prepared.

The organisation has identified the critical assets requiring high availability and implemented measures to ensure redundancies for them.

The organisation has defined and implemented a business impact analysis to identify critical processes and expected recovery time objectives (RTOs) and recovery point objectives (RPOs) for business resumption.

The organisation has defined and implemented a process to perform redundancy on systems to ensure the cyber resilience of its systems.

The organisation has identified the cybersecurity risks in the environment, including risks on-premises, and where applicable, remote risks, to ensure that all the identified cybersecurity risks can be addressed.

The organisation performs steps to analyse and prioritise the critical cybersecurity risks in its business environment to ensure that the more critical cybersecurity risks are addressed first.

The organisation has established and implemented a risk treatment plan with the guidelines and/or requirements to accept, remediate or mitigate the identified cybersecurity risks to ensure that cybersecurity risks are treated.

The organisation performs regular cybersecurity risk identification at least on an annual basis or whenever there are changes to the environment and tracks them to maintain a record of the cybersecurity risks in the environment.

The organisation has defined and applied a cybersecurity risk assessment process to identify risks, assess the dependencies and evaluate the current measures in place to ensure that the organisation is clear on how to assess the cybersecurity risks.

The organisation has established, implemented and maintained a cybersecurity risk register containing the risks identified with their priority, the treatment plan, timeline, the employee(s) assigned the task of tracking and monitoring.

The organisation has identified the cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) applicable in its area of business in order to comply with them.

The organisation has established and implemented measures to ensure compliance with the applicable cybersecurity-related laws, regulations and/or guidelines, e.g., sector-specific.

The organisation has communicated cybersecurity-related laws, regulations and/or guidelines, (e.g., sector-specific) to employees to ensure that they are aware of them when performing their tasks.

The organisation has defined and applied a process to ensure that they stay compliant and up to date with the latest cybersecurity-related laws, regulations and/or guidelines (e.g., sector-specific) applicable to the organisation.

The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene, under “A.1 Assets: People”, to ensure that employees are equipped with the security knowledge and awareness to identify and mitigate against cyber threats.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under “A.1 Assets: People” to ensure that employees are equipped with the security knowledge and awareness to identify and mitigate against cyber threats.

The organisation takes measures to track the relevant metrics (e.g., attendance) to ensure that employees have completed the cybersecurity awareness and training programmes.

The organisation takes measures to ensure that employees are assessed at the end of the awareness and training programmes, and are required to pass the programmes so that they demonstrate what they have learnt.

The organisation has appointed a cybersecurity champion to promote cybersecurity awareness and launch cybersecurity initiatives.

The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene under A.2 Assets: Hardware and software to ensure that hardware and software present in the environment are identified and protected against common cyber threats.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under A.2 Assets: Hardware and software to ensure that hardware and software present in the environment are identified and protected against common cyber threats.

The organisation has established and implemented policies and procedures on the security requirements, guidelines and detailed steps to classify, handle and dispose of hardware and software assets in the environment securely to ensure that employees have clear direction and guidance.

The organisation has established and implemented a process to classify and handle hardware and software according to their confidentiality and/or sensitivity levels to ensure that they receive adequate security and protection.

The organisation has defined and allocated roles and responsibilities to ensure that it is clear who is responsible to maintain, support and manage the hardware and software assets in the inventory list.

The organisation has implemented all the cybersecurity requirements in the mark of cyber hygiene under “A.3 Assets: Data” to ensure that business-critical data (including personal data, company secrets, intellectual property) can be identified, located and secured.

The organisation has defined and applied a process to report any business-critical data (including personal data, company secrets, intellectual property) breach and to ensure that stakeholders such as the management, relevant authorities and relevant individuals are kept informed.

The organisation using encryption has defined and applied a process on the use of recommended protocol and algorithm and minimum key length to ensure that it is secure and in alignment to industry best practices.

The organisation has implemented all the cybersecurity recommendations in the mark of cyber hygiene under “A.3 Assets: Data” to ensure that business-critical data (including personal data, company secrets, intellectual property, etc.) can be identified, located and secured.

The organisation has established and implemented policies and procedures to carry out risk classification and handle business-critical data (including personal data, company secrets, intellectual property, etc.) according to their confidentiality and/or sensitivity levels to ensure that they receive adequate security and protection.

The organisation has established and implemented policies and procedures to document the data flow diagram of business-critical data (including personal data, company secrets, intellectual property) through information systems and programs in the organisation and implement relevant enforcement measures to ensure that they stay within the environment.

The organisation has established and implemented policies and procedures to handle business-critical data (including personal data, company secrets, intellectual property, etc.) securely and to protect business-critical data according to their classifications and requirements (e.g., collect, use, protect, dispose).