Curious what a typical Cyber Security and Business Continuity Protection Insurance Policy questionnaire, looks like? Here are some examples:
An insurance company is looking to determine what Phishing awareness training is in place and what email security products and processes are protecting inbound email.
Email Security has the following measures; select all that apply:
☐ Pre-screen, and denote when source is external, emails for potentially malicious attachments and links
☐ Quarantine service for suspicious emails
☐ Ability to automatically detonate and evaluate attachments and links in a sandbox
☐ Enforce Sender Policy Framework (SPF) on incoming emails
☐ Conducts simulated phishing attacks against employees?
☐ Applicant has a document process to respond to phishing campaigns
☐ Cybersecurity awareness training conducted with all staff at least annually
☐ A process for employees to report suspicious e-mails to information security resources to investigate
User Credentials
Lax user credential and password policies are a common attack vector for threat actors and the Insurance company is trying to assess the access restrictions, password complexity, privileged access logging and most importantly Multi-Factor Authentication.
With respect to protecting privileged credentials, select all that apply with respect to the Applicant’s posture:
☐ System administrators at the Applicant have a unique, privileged credential for administrative tasks (separate from their user credentials for everyday access, email, etc.).
☐ Privileged accounts are kept in a password safe that require the user to “check out” the credential (which is rotated afterwards).
☐ There is a log of all privileged account use for at least the last thirty days.
☐ Privileged Access Workstations (workstations that do not have access to internet or e-mail) are used for the administration of critical systems (including authentication server/Domain Controllers).
☐ None of the above.
Is Multifactor authentication required for the following access and platforms, select all that apply:
☐ Administrator and privileged
☐ Critical Information
☐ Remote Access
Endpoint Security
The root cause of most breaches begin with a human being tricked to provide their credentials or entering information in a fake website. A good Endpoint product will look at the “behavior” of applications being run on the local workstation and stop suspicious activities. The insurance company is looking to assess if a next generation AV product is being used and is Enhanced Detection and Response features enabled.
With respect to the Applicant’s endpoint security of workstations (desktops and laptops), select all that apply:
☐ Applicant’s policy is that all workstations have antivirus with heuristic capabilities.
☐ Applicant uses endpoint security tools with behavioral-detection and exploit mitigation capabilities.
☐ Applicant’s workstations use a hardened baseline configuration.
☐ Applicant has an internal group which monitors the output of endpoint security tools and investigates any anomalies.
☐ Applicant has an external group which monitors the output of endpoint security tools and investigates any anomalies.
☐ Password management software is available to users on Applicant’s workstations.
☐ Applicant has a policy that all portable devices use full disk encryption.
☐ None of the above.
Please provide Endpoint Detection & Response (EDR) vendor:
Please provide the EDR product used:
What percentage of workstations and servers have endpoint protection applied:
Has the EDR been configured to “block” threats? ☐ Yes ☐ No
Has the EDR been tuned for your environment? ☐ Yes ☐ No
Network Monitoring
Network monitoring is critical to the early detection of breaches from various points on the network. Insurance companies are looking to determine if a Security Information and Event Monitoring (SIEM) product is in place such that security events are correlated from numerous sources to intelligently determine if a breach is present.
With respect to the Applicant’s network monitoring capabilities and restrictions, select all that apply:
☐ Applicant uses a security information and event monitoring (SIEM) tool to correlate the output of multiple security tools.
☐ Applicant monitors network traffic for anomalous and potentially suspicious data transfers.
☐ Applicant monitors for performance and storage capacity issues (such as high memory or processor usage, or no
free disk space).
☐ Applicant has tools to monitor for data loss (DLP) and they are in blocking mode.
☐ Applicant utilizes external parties to validate network and security monitoring tools.
☐ Applicant has host-based and network firewalls that disallow inbound connections by default.
☐ Applicant uses a protective DNS service (e.g., Quad9, OpenDNS or the public sector PDNS).
☐ None of the above.
External Facing System Security
Insurance companies want to ensure there is a Penetration Test run on the Internet facing systems (eg. Web sites, Email Gateway, SSL/VPN, etc.) to ensure there are no available exploits present. If an internet facing commerce server is present, Insurance companies want to see a Web Application Firewall (WAF) in front of it for additional protection.
With respect to the security of externally facing systems, select all that apply to the Applicant’s posture:
☐ Applicant conducts a penetration test at least annually to assess the security of its externally facing systems
☐ Applicant has a Web Application Firewall (WAF) in front of all externally facing applications, and it’s in blocking mode
☐ Applicant uses an external service to monitor its attack surface (External/internal facing systems
☐ None of the above
Backup and Recovery
Propter Backup is critical for the successful restore of an encrypted environment which means you typically do not have to pay a ransom. The backup server should not be on the domain and should have a very difficult Admin and local Admin password. Also, storing copies of backup data offsite with no WAN connection to the corporate network better ensures recovery success.
How frequently is critical information backed up, where are back-ups stored, and what data is included?
Select all that apply:
| ☐ Daily
☐ Weekly ☐ Monthly ☐ Quarterly ☐ Semi-Annually ☐ Annually |
☐ Cloud
☐ On Premises ☐ Offline storage ☐ Offsite storage ☐ Secondary data center
|
☐ Servers (file level)
☐ Servers (system state level) ☐ Endpoints (desktops, laptops, etc.) ☐ Databases ☐ Applications
|
☐ Applicant is able to test the integrity of back-ups prior to restoration to be confident that they are free from malware.
Summary
From my standpoint, I would recommend that all organizations review their Cybersecurity practices and look into obtaining business continuity insurance to decrease and/or offset some of the costs involved with the recovering from a cyber-related breach or similar event.
How safe are you? If you’re unsure, check out our Vulnerability Assessment https://www.lanworks.com/corporate-security-vulnerability/.
