April 17, 2026

130 Cybersecurity Commandments

Introduction

Technology has transformed the way we all do business for the better. However, to keep your data and business from being at risk, you must ensure your tech is secure and continuously monitored. We're providing this detailed checklist as a reference tool to help you verify that comprehensive cybersecurity and physical security policies are in place throughout your organization.

Be Ready. Plan Ahead. Take Action. Follow Up.
Personal & Physical Security

Answer Yes or No to each of the following:

  • Do you have procedures in place to prevent unauthorized physical access to computers and other electronic information systems?
  • Do you have solutions in place to prevent physical access to your secure areas, such as door locks, access control systems, security offices, or video surveillance monitoring?
  • Do you have security desks, and sign-in/sign-out logs for users accessing these areas?
  • Do you physically escort visitors out of secure areas?
  • Can you ensure users always log out of their computers when leaving them?
  • Are all computers set to lock automatically after 10 minutes if left idle?
  • Can you remotely wipe computers, laptops, and mobile devices that are lost or stolen?
  • Is there a policy in place to protect data during equipment repairs?
  • Do you have security policies in place for all of your computers, laptops, tablets, and smartphones?
  • Do you have a "Bring Your Own Device" policy in place for employee mobile devices?
  • Do you have emergency evacuation plans in place for employees?
  • Do all employees have emergency shelter-in-place kits for emergencies where they can't leave your facility? (canned food and a can opener, bottled water, a blanket, prescription medicines, sanitary wipes, a garbage bag with ties and toilet paper for personal sanitation)
  • Do key employees know how to seal off designated areas in your facility if necessary?

Access Control Policies

Answer Yes or No to each of the following:

  • Do you adhere to the NIST Digital Guidelines?
  • Do only authorized personnel have password access to computer devices?
  • Do you require users to adopt secure password standards (NIST) and then enforce them?
  • Are passwords updated every three months?
  • Do administrators have separate accounts for network management?
  • Do you use MFA everywhere you can?
  • Do you enforce MFA on remote access, email, and sensitive documents?
  • Do you use secure methods (VPN) for remote systems access?
  • Do you maintain a "zero-trust" security culture?

Data Privacy Policies

Answer Yes or No to each of the following:

  • Is your data stored in a secure offsite facility?
  • Is all data at rest and in transit encrypted?
  • Do you have procedures in place to identify and secure the location of confidential information – whether as digital or hard copies?
  • Do you have procedures in place to identify and secure the location of personal private information?
  • Do you continually create retrievable backup and archival copies of critical information?
  • Do you have procedures in place for shredding and securely disposing of paper documents?
  • Do you lock your shredding and recycling bins?
  • Do you have policies in place for secure disposal of electronic/computer equipment?
  • Do you have policies in place for secure disposal of electronic media such as thumb drives, tapes, CDs and DVDs, etc.?
  • Do you have procedures in place to regularly assess IT compliance with required regulations (HIPAA, PCI, FINRA, GDPR, CCPA, etc.)?
  • Do you conduct regular reviews of users with physical access to protected facilities or electronic access to information technology systems?
  • Do you deploy systems in a hardened/secure state?
  • Do you have a vulnerability management system that detects and fixes vulnerabilities on all devices (workstations, network equipment, server equipment, etc.)?
  • Do you have a third-party company that runs an annual penetration test?
  • Do you enforce a "Clear Desk and Screen" policy to keep all confidential information hidden?

Business Continuity & Disaster Recovery

Answer Yes or No to each of the following:

  • Do you have an up-to-date business continuity and disaster recovery plan in place?
  • Do you create retrievable backups of critical data?
  • Are your backups stored offline in a secure cloud, and are those backups immutable, so that ransomware or a similar event cannot alter them?
  • Does your backup, continuity, and recovery plan include a method for accessing critical passwords for equipment, systems, and servers when needed?
  • Does your backup, continuity, and recovery plan include a method for accessing encryption keys in an emergency?
  • Do you have an up-to-date crisis communications plan?
  • Does your crisis communications plan identify who should be contacted, how to contact them, contact information, and who initiates the contacting?
  • Do you have a PR representative who will communicate to the press and community in an emergency?
  • Does your crisis communications plan detail how employees can contact their family members?
  • Have you identified recovery time objectives for each system, and tested for achievability?
  • Do you regularly test your business continuity, disaster, and crisis communications plans?
  • Do you receive alerts if backups are turned off?
  • Do you receive alerts when there is a change in backup size or retention status?
  • Do you regularly review backup settings to know if anyone has maliciously adjusted them?
  • Do you regularly review your cyber insurance policy to be sure it provides the right coverage?
  • Do you manually review your backups to ensure reliability?

Cybersecurity Training

Answer Yes or No to each of the following:

  • Do you provide staff training from an IT expert on cybersecurity?
  • Do you provide this training on a regular basis?
  • Does your staff know how to recognize phishing attempts in emails?
  • Does your staff know how to recognize phishing attempts that arrive via text, social media, or phone calls?
  • Are your employees trained on reporting phishing emails to the security team?
  • Are your employees being taught about using secure passwords?
  • Are your employees trained to identify and protect classified data, as well as hard copies of documents and removable media?
  • Is your staff trained on secure management of credit card data (PCI standards) and private personal information?

Compliance Review

Answer Yes or No to each of the following:

  • Do you regularly review and update your cybersecurity requirements, strategies, plans, and practices?
  • Do you conduct regular audits of your security requirements, strategies, plans, and practices?
  • Are you testing your backup and disaster recovery plans regularly?
  • Do you conduct regular reviews of who in your organization has access to sensitive information and data?
  • Do you have an inventory of your authorized devices and software?
  • Do you regularly test all your systems for vulnerabilities?
  • Are you following the best practices established by the Center for Internet Security (CIS) in their CIS Controls?
  • Do you regularly review your vendors' security practices?

Identification Procedures

Answer Yes or No to each of the following:

  • Do all your staff members have photo ID badges?
  • Do they wear them at all times when in your facility?
  • Do you provide temporary ID badges for visitors?
  • Do you check the credentials of visitors?
  • Is a policy in place for conducting background checks for employees and visitors?
  • Can you cut off access to employees and visitors if necessary?

Artificial Intelligence (AI)

Data Privacy & Security

  • Is AI tool use limited to non-sensitive, anonymized, or masked data only?
  • Is data encrypted at rest and in transit within all AI-enabled tools?
  • Have data policies been updated to reflect how AI may collect, store, or process data?
  • Are least-privilege access controls applied for AI features and data access?
  • Are user permissions for AI tools audited every quarter?
  • Is multi-factor authentication (MFA) required for all AI-accessing accounts?
  • Are unapproved AI tools blocked on company devices and browsers?
  • Is AI-generated code scanned for misconfigurations before use?
  • Are all AI tools required to pass a basic security review before deployment?
  • Are there established channels and a clear process to report any suspected violations or incidents related to AI or ML use?

Transparency & Accountability

  • Are employees required to disclose when AI helped create content, code, or output?
  • Is AI-generated content or chatbot interaction clearly labeled within internal tools?
  • Are records of AI-generated outputs and prompts logged and retained?
  • Is there an internal AI point-of-contact for questions, feedback, or escalation?
  • Is a company-wide list of approved AI tools and their intended use published?
  • Are tasks that must be reviewed or approved by a human clearly defined, even if AI is used?
  • Are the limitations of each AI tool communicated to relevant users or departments?
  • Is there an internal form or email to flag inaccurate or biased AI outputs?
  • Are significant business decisions involving AI assistance reviewed and documented?
  • Is a changelog maintained for all company AI policy or tool updates?

Compliance with Laws & Ethics

  • Is personally identifiable or regulated data avoided when using external AI tools?
  • Are vendor terms of service reviewed to ensure they don't retain or resell your data?
  • Are AI regulations regularly checked and policies updated accordingly?
  • Are employees trained to avoid plagiarism and copyright violations when using generative AI?
  • Is bias and fairness assessed before using AI for hiring, performance, or strategic decisions?
  • Are AI considerations included in the privacy policy and risk assessments?
  • Are only AI vendors with proper certifications (e.g., SOC 2, ISO 27001) used?
  • Are AI tools that train on proprietary data avoided unless explicitly allowed?
  • Is the rationale for deploying AI in sensitive or high-impact business areas documented?
  • Is evidence kept of efforts to monitor and mitigate AI-related risks?
  • Is human sign-off required on AI-generated decisions that affect people, money, or strategy?

Human-AI Collaboration

  • Are users encouraged to verify all AI-generated data before acting on it?
  • Is AI restricted from making final decisions on hiring, firing, or performance?
  • Are staff trained to review AI-generated emails, code, or summaries for tone and accuracy?
  • Is AI used to assist, not replace, domain expertise in complex problem-solving?
  • Are approval steps built into workflows that rely on AI tools?
  • Is a warning or disclaimer included when distributing internal AI-generated reports?
  • Are the boundaries of AI usage per department defined and documented?
  • Is peer review required for AI outputs used in client-facing or leadership decisions?
  • Is there a feedback loop so users can improve or correct AI responses?

Training & Education

  • Is AI policy training included in the employee onboarding process?
  • Are refreshers on safe and appropriate AI use hosted periodically?
  • Are staff taught to recognize biased, inaccurate, or hallucinated AI output?
  • Is there a one-pager outlining approved AI tools and key dos/don'ts?
  • Is deeper technical AI training offered for developers and power users?
  • Is ethical AI use emphasized during all training sessions?
  • Are users trained to avoid storing company data in personal AI accounts?
  • Is there an internal FAQ or wiki for common AI use questions?
  • Is it reinforced that employees are still responsible for anything AI generates?
  • Is an "AI champion" designated to manage training, updates, and guidance?

Third-Party Services

  • Is a security and compliance review performed before adopting any third-party AI?
  • Are DPAs (Data Processing Agreements) signed with external AI vendors when needed?
  • Is the amount of data sent to external AI tools limited to the bare minimum?
  • Are external AI tools regularly reviewed for policy, access, or security changes?
  • Are AI tools that fail to meet updated security or compliance standards canceled or blocked?

Next Steps

For each question where you answered "No," you should implement measures to correct the deficits or vulnerabilities in the security of your data, facility, or personnel. Unless you take action, your business's ability to thrive, or even to survive, will be negatively impacted. Be sure to also follow up and reassess by completing this survey again in six months' time. After that, we advise that you continue to review these questions on an annual basis.