Security #1146

Closed

IT-CAP Improvement Plan

Added by Joy Liao 2 months ago. Updated 13 days ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Start date:
2025-11-25
Due date:
% Done:

100%

Estimated time:
(Total: 0:00 hours)

Description

| ID | Function | Topic | Question | Maturity | Level |
|---|---|---|---|---|---|
| CY-IT101 | Identify | Governance | Do you currently have a Chief Information Security Officer (CISO) and an associated organization defined within your entity? | Defined | 3 |
| CY-IT102 | Identify | Dedicated cybersecurity budget | Do you have an annual budget dedicated to cybersecurity within your entity? | Defined | 3 |
| CY-IT103 | Identify | Assets Inventory | Do you maintain a regularly updated list of all physical assets (servers, workstations, smartphones, firewalls, switches, VPN concentrators, etc.) and application assets (software, applications, etc.) with an evaluation of the criticality of each of these assets in your entity? | Defined | 3 |
| CY-IT104 | Identify | Risk Management | Do you have a recent risk analysis (last update within the last year) and an associated action plan? | Defined | 3 |
| CY-IT105 | Identify | Dashboard | Are you using the Compliance Dashboard or a Dashboard with relevant cybersecurity KPIs to monitor and communicate your level of cybersecurity? | Defined | 3 |
| CY-IT106 | Identify | Third Party Management | Do you apply a cybersecurity due diligence process to validate the cybersecurity maturity of your partners/third parties before any interconnection? | Ad-hoc | 2 |
| CY-IT201 | Protect | Secure management of the information system | Do you apply a patch management process and do you manage the obsolescence of your equipment (servers, workstations, firewalls, switches, VPN concentrators, mobile devices, etc.) and your applications? | Defined | 3 |
| CY-IT202 | Protect | Logins and passwords management | Do you have a dedicated process for account and password management? Do you prevent the use of weak passwords? Is this policy enforced across your entire perimeter? | Defined | 3 |
| CY-IT203 | Protect | Access Control and Authentication | Regarding the services exposed on the Internet, does the authentication take place with the Google account and only with a strong authentication process? | Defined | 3 |
| CY-IT204 | Protect | Access Control and Authentication | Do you use an authentication directory for the IT perimeter and run regular audits with the AD Analyzer tool? | Defined | 3 |
| CY-IT205 | Protect | Access Control and Authentication | Do you use the AD's three-tier model? | Defined | 3 |
| CY-IT206 | Protect | Network | Do you have an inventory of Internet access points (IAPs)? Have you implemented a secure exit architecture to the Internet? | Defined | 3 |
| CY-IT207 | Protect | Network | Do you have a network architecture document presenting your information system? Have you segmented your information system by setting up a separation between each zone? Are there interconnections between the IT and the OT if there is an industrial information system in your area? | Defined | 3 |
| CY-IT208 | Protect | Network | Do you have a list of assets exposed on the Internet? Do you patch these assets on a regular basis? Do you have the VMDR agent (Qualys) installed on these assets? Do you have a dedicated security watch on these assets? Do you assess the criticality of assets exposed on the Internet? | Defined | 3 |
| CY-IT209 | Protect | Integration of security in projects | Is cybersecurity integrated at each key stage of IT projects (expression of needs, definition of the architecture, validation before going into production)? | Ad-hoc | 2 |
| CY-IT210 | Protect | Awareness and training | Do you have an awareness program and do you conduct regular cybersecurity awareness training for your employees? | Defined | 3 |
| CY-IT211 | Protect | Server hardening | Do you put in place a hardening of the domain controllers and servers? | Defined | 3 |
| CY-IT212 | Protect | Dedicated accounts for administration | Are administration tasks only performed from a dedicated account? | Defined | 3 |
| CY-IT213 | Protect | Mobile devices | Is a mobile device security policy implemented? | Ad-hoc | 2 |
| CY-IT214 | Protect | Classification and data protection | Is there a policy for classification and protection of data and associated processes? Do you apply a different level of security for different types of data (more or less sensitive)? | Ad-hoc | 2 |
| CY-IT215 | Protect | Device encryption | Are your laptops and mobile devices (phones, tablets, etc.) encrypted? (A Chromebook is encrypted by default). | Ad-hoc | 2 |
| CY-IT301 | Detect | Deployment of detection tools | Are the following tools deployed throughout your perimeter? Antivirus, Endpoint Detection Response (EDR), Compliance, Qualys Agent, AD Blacklist. Specify in the comments if other tools have been deployed. | Defined | 3 |
| CY-IT302 | Detect | Audits, tests, and vulnerability detection | Do you perform vulnerability scans on a regular basis (at least every month) and do you apply the remediation actions identified as a result? | Defined | 3 |
| CY-IT303 | Detect | Audits, tests, and vulnerability detection | Do you regularly (at least every 3 years) perform intrusion tests, audits and/or red teams and do you carry out the identified remediation actions resulting from them? | Defined | 3 |
| CY-IT304 | Detect | Log management | Is a log management policy applied and updated regularly (every 2 years)? Are the logs sent to a central container (log well, etc.)? | Ad-hoc | 2 |
| CY-IT401 | Respond | Incident Management | Do you apply the group cybersecurity incident management procedure? Do you have a local cybersecurity incident management procedure? Is this procedure updated and tested at least every 3 years during exercises? | Ad-hoc | 2 |
| CY-IT402 | Respond | Crisis Management | Do you use the group alert and crisis management procedure? Do you have a local crisis management procedure? Is this procedure regularly updated and tested during exercises? | Defined | 3 |
| CY-IT501 | Recover | Backup and recovery | Are you able to quickly restore an application, a system or data within your entity, whether on premise or in the cloud? | Ad-hoc | 2 |


Files


Subtasks

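Updated by Joy Liao 2 months ago

  • Subtask #1147 added

Updated by Joy Liao 2 months ago

  • Subtask #1148 added

Updated by Joy Liao 2 months ago

  • Subtask #1149 added

Updated by Joy Liao 2 months ago

  • Subtask #1150 added

Updated by Joy Liao 2 months ago

  • Subtask #1151 added

Updated by Joy Liao 2 months ago

  • Subtask #1152 added

Updated by Joy Liao 2 months ago

  • Subtask #1153 added

Updated by Joy Liao 2 months ago

  • Subtask #1154 added

Updated by Joy Liao 2 months ago

  • Subtask #1155 added

Updated by Joy Liao 2 months ago

  • Subtask #1156 added

Updated by Joy Liao 2 months ago

  • Subtask #1157 added

Updated by Joy Liao 2 months ago

  • Subtask #1158 added

Updated by Joy Liao 2 months ago

  • Subtask #1159 added

Updated by Joy Liao 2 months ago

  • Subtask #1160 added

Updated by Joy Liao 2 months ago

  • Subtask #1161 added

Updated by Joy Liao 2 months ago

  • Subtask #1162 added

Updated by Joy Liao 2 months ago

  • Subtask #1163 added

Updated by Joy Liao 2 months ago

  • Subtask #1164 added

Updated by Joy Liao 2 months ago

  • Subtask #1165 added

Updated by Joy Liao 2 months ago

  • Subtask #1166 added

Updated by Joy Liao 2 months ago

  • Subtask #1167 added

Updated by Joy Liao 2 months ago

  • Subtask #1168 added

Updated by Joy Liao 2 months ago

  • Subtask #1169 added

Updated by Joy Liao 2 months ago

  • Subtask #1170 added

Updated by Joy Liao 2 months ago

  • Subtask #1171 added

Updated by Joy Liao 2 months ago

  • Subtask #1172 added

Updated by Joy Liao 2 months ago

  • Subtask #1173 added

Updated by Joy Liao 2 months ago

  • Subtask #1174 added

Updated by Joy Liao 13 days ago

  • Status changed from New to Resolved

Updated by Joy Liao 13 days ago

  • Status changed from Resolved to Closed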