VAPT Preparation Checklist
Everything your organization needs to prepare for a Vulnerability Assessment & Penetration Test — scope definition, asset inventory, prerequisites, and post-test actions.
VAPTSecurity TestingPre-Assessment
Before the VAPT
- Define scope: IP ranges, domains, applications, network segments
- Obtain written authorization from management and legal
- Notify cloud/hosting providers if infrastructure is included
- Create a complete asset inventory (servers, endpoints, IoT, APIs)
- Confirm a point-of-contact available during testing window
- Back up all critical systems before testing begins
During the VAPT
- Monitor systems for unintended disruptions in real time
- Log all tester activities with timestamps
- Maintain communication channel with the VAPT team
- Immediately report any business-critical system instability
After the VAPT
- Review the report: categorize findings by CRITICAL / HIGH / MEDIUM / LOW
- Assign owners and remediation deadlines for every finding
- Re-test all CRITICAL and HIGH findings after remediation
- Document lessons learned and update security policies accordingly
- Share executive summary with leadership and board
📩 Request a VAPT from CYBEC →
Endpoint Security Best Practices
A practical guide for IT Managers to harden every endpoint — laptops, desktops, mobile devices, and servers — against modern threats.
EndpointsEDRPatch Management
Essential Endpoint Controls
- Deploy EDR (Endpoint Detection & Response) on all devices — not just antivirus
- Enforce full-disk encryption (BitLocker / FileVault) on all laptops
- Enable automated OS and application patch management within 72 hours of release
- Restrict admin privileges — apply Least Privilege Access principle
- Block USB storage devices unless whitelisted by policy
- Enforce screen lock after 5 minutes of inactivity
Mobile Device Management
- Enroll all company and BYOD devices in MDM solution
- Enable remote wipe capability for all registered devices
- Enforce device PIN/biometric lock policies
- Separate corporate data from personal data via containerization
Monitoring
- Review EDR alerts daily — assign to security team for triage
- Generate monthly patch compliance reports
- Audit device inventory quarterly — decommission unused assets
📩 Get Endpoint Security Assessment →
ISO 27001 Implementation Roadmap
A step-by-step roadmap for IT Managers leading an ISO 27001 ISMS implementation — from initial gap assessment to certification audit readiness.
ISO 27001ISMSCertification
Phase 1 — Foundation (Month 1–2)
- Obtain top management commitment and appoint ISMS Lead
- Define ISMS scope: business units, locations, assets covered
- Conduct initial gap assessment against ISO 27001:2022 clauses
- Build project plan with milestones and resource allocation
Phase 2 — Risk Assessment (Month 2–3)
- Build complete information asset register
- Identify threats and vulnerabilities for each asset
- Calculate risk ratings: Likelihood × Impact
- Select controls from Annex A to treat identified risks
- Produce Statement of Applicability (SoA)
Phase 3 — Implementation (Month 3–6)
- Develop and approve mandatory ISMS policies and procedures
- Implement selected Annex A controls
- Conduct staff awareness training
- Run internal audit against all implemented controls
Phase 4 — Certification (Month 6–9)
- Conduct management review meeting
- Remediate all internal audit non-conformities
- Stage 1 audit: documentation review by certification body
- Stage 2 audit: on-site/remote implementation audit
- Address any non-conformities raised by auditor
📩 Get ISO 27001 Support from CYBEC →
India DPDP Act — IT Manager's Guide
Practical compliance guide for the Digital Personal Data Protection Act 2023. Understand your obligations, data processing rules, and what actions to take now.
DPDP ActIndiaData Privacy
Key Obligations Under DPDP Act
- Obtain explicit, informed consent before processing personal data
- Process data only for the purpose it was collected (purpose limitation)
- Appoint a Data Protection Officer (DPO) if you are a Significant Data Fiduciary
- Implement reasonable security safeguards to prevent breaches
- Report data breaches to the Data Protection Board promptly
- Honor data principal rights: access, correction, erasure, nomination
Immediate Actions for IT Managers
- Conduct a data mapping exercise — document all personal data flows
- Audit consent mechanisms on all customer-facing systems
- Review third-party data processor contracts for DPDP compliance clauses
- Build a data breach detection and notification workflow (72-hour target)
- Train HR, sales, and customer service teams on data handling obligations
Penalties for Non-Compliance
- Up to ₹250 crore for failure to implement security safeguards
- Up to ₹200 crore for failure to notify data breaches
- Up to ₹50 crore for non-fulfillment of data principal rights
📩 Get DPDP Compliance Help →
Cloud Security Configuration Checklist
The most critical cloud security controls for AWS, Azure, and GCP environments. Prevent the #1 cause of cloud data breaches — misconfiguration.
AWSAzureGCPMisconfiguration
Identity & Access
- Enable MFA on all cloud console accounts — especially root/admin
- Apply Least Privilege IAM — no wildcard (*) permissions in production
- Rotate access keys every 90 days; delete unused keys immediately
- Enable AWS CloudTrail / Azure Activity Log / GCP Cloud Audit Logs
Storage & Data
- Audit all S3/Blob/GCS buckets — block ALL public access by default
- Enable server-side encryption on all storage buckets and databases
- Enable versioning and delete protection on critical data buckets
- Scan for exposed secrets in cloud configs using automated tools
Network Security
- Restrict Security Groups / NSGs — no 0.0.0.0/0 on SSH (22) or RDP (3389)
- Use VPC/VNet for all production workloads — never expose directly to internet
- Enable DDoS protection on all public-facing services
- Deploy WAF in front of all web applications
📩 Request a Cloud Security Review →
Backup & Disaster Recovery Planning Guide
Design a resilient backup and DR strategy. Understand RPO, RTO, backup tiers, testing schedules, and how to protect against ransomware-driven data loss.
BackupDR PlanningRPO/RTORansomware
Define Your Recovery Objectives
- RPO (Recovery Point Objective): Maximum acceptable data loss — how old can your backup be?
- RTO (Recovery Time Objective): Maximum acceptable downtime — how fast must you recover?
- Classify systems: Tier 1 (mission-critical), Tier 2 (important), Tier 3 (non-critical)
The 3-2-1 Backup Rule
- 3 copies of data (production + 2 backups)
- 2 different storage media types (e.g. disk + cloud)
- 1 copy offsite or air-gapped (critical for ransomware protection)
Ransomware-Proof Backup Strategy
- Immutable backups: write-once, cannot be encrypted or deleted by ransomware
- Isolate backup infrastructure from production network
- Test restoration monthly — a backup never tested is not a backup
- Store offline/air-gapped copy for critical systems
DR Testing Schedule
- Restoration test: Monthly — restore a random file or VM
- Partial DR drill: Quarterly — test recovery of a non-critical system
- Full DR exercise: Annually — simulate complete site failure
📩 Get Commvault Backup Solutions →
Acceptable Use Policy (AUP) Template
A ready-to-use Acceptable Use Policy framework covering internet, email, device, and data usage rules for all employees. Customise with your company name and deploy.
AUPPolicyTemplate
Core Sections to Include
- Purpose: Define why the policy exists and who it applies to
- Internet Usage: Permitted and prohibited websites; bandwidth usage rules
- Email Usage: Professional communication standards; prohibited attachments and forwarding rules
- Device Usage: Company devices, BYOD rules, storage of company data on personal devices
- Data Handling: Classification levels, sharing restrictions, external transfer approval
- Social Media: What employees may/may not share about the company
- Passwords: Complexity requirements, sharing prohibition, MFA mandate
- Consequences: Disciplinary actions for policy violations
Deployment Steps
- Get HR and legal review before rollout
- Require all employees to sign acknowledgement (digital or physical)
- Include in new employee onboarding pack
- Review and update annually or after any major security incident
📩 Get Policy Development Help →
Password & MFA Policy Guide
Modern password policy framework aligned with NIST 2024 guidelines. Covers password complexity, length requirements, MFA enforcement, and privileged account controls.
PasswordsMFANIST 2024
NIST 2024 Password Recommendations
- Minimum length: 12 characters (NIST recommends up to 64 characters)
- No mandatory complexity rules (uppercase/symbols) — length beats complexity
- No forced periodic rotation unless compromise is suspected
- Check passwords against known breached password databases
- Ban common passwords: "Password1", "Welcome123", company name etc.
MFA Enforcement
- Mandatory MFA for: email, VPN, cloud consoles, Active Directory, financial systems
- Preferred MFA types: Authenticator app (TOTP) or hardware key (FIDO2)
- Avoid SMS OTP where possible — susceptible to SIM-swapping attacks
- Privileged accounts (admin): hardware security key mandatory
Privileged Account Rules
- Separate admin accounts from daily-use accounts for all IT staff
- Privileged access must be time-limited and require justification
- Log all privileged activity — review monthly
📩 Get IAM & MFA Implementation Help →
Cyber Incident Response Playbook
A step-by-step incident response playbook for IT teams. Covers detection, containment, eradication, recovery, and post-incident review for the most common attack scenarios.
IR PlaybookRansomwareBreach Response
Phase 1 — Identification
- Confirm the incident is real — rule out false positives
- Classify severity: P1 (Critical), P2 (High), P3 (Medium)
- Assemble the Incident Response Team (IRT)
- Document the timeline — first sign of compromise, systems affected
Phase 2 — Containment
- Isolate affected systems from the network immediately (but do NOT power off — preserve evidence)
- Disable compromised user accounts
- Block malicious IPs/domains at firewall and DNS level
- Preserve forensic evidence: memory dumps, logs, disk images
Phase 3 — Eradication
- Identify root cause and attack vector
- Remove malware and all attacker footholds
- Patch the exploited vulnerability
- Reset all credentials for affected accounts and systems
Phase 4 — Recovery
- Restore from clean, verified backups only
- Monitor restored systems intensively for 72 hours
- Gradually return to normal operations in phases
Phase 5 — Post-Incident Review
- Conduct post-mortem within 5 business days
- Document: what happened, how, impact, response timeline
- Update security controls, policies, and training based on findings
- Brief leadership with executive summary
📩 Get Incident Response Support →
Annual IT Security Audit Checklist
A comprehensive annual IT security audit checklist covering all major control domains. Use this to assess your security posture before an external audit or as a self-assessment tool.
Security AuditSelf-AssessmentControls
Access Control
- User access reviews completed (quarterly minimum)
- Terminated employee accounts disabled within 24 hours of exit
- MFA enabled for all privileged and remote access accounts
- Service/shared accounts inventory documented and reviewed
Network Security
- Firewall rules reviewed and redundant rules removed
- Network segmentation in place for critical systems
- IDS/IPS active and alert thresholds reviewed
- Wi-Fi networks: guest network isolated from corporate
Data Protection
- Data classification policy in place and communicated
- Encryption enabled for data at rest and in transit
- DLP solution active on email and endpoint
- Backup restore tested successfully within last 30 days
Vendor & Third Party
- All vendors with data access reviewed for security posture
- NDAs and data processing agreements signed and current
- Third-party access reviewed and time-limited where possible
📩 Book a Security Audit with CYBEC →
Anti-Phishing Awareness Guide
Equip your employees to identify and report phishing, spear-phishing, smishing, and vishing attacks. Includes red flags, reporting procedures, and training tips.
PhishingAwarenessTraining
Phishing Red Flags — Train Your Team to Spot
- Urgency language: "Act immediately", "Your account will be suspended"
- Sender address doesn't match display name — check the actual email domain
- Hovering over links reveals a different URL than displayed text
- Unexpected attachments — even from known senders (account may be compromised)
- Generic greetings: "Dear Customer" instead of your name
- Requests for credentials, OTPs, or financial transfers via email
- Grammar errors or unusual formatting (less common now with AI-generated phishing)
2026 Alert: AI-Powered Phishing
- AI now generates grammatically perfect, personalized phishing emails
- Deepfake audio calls impersonating executives are being used for wire fraud
- QR codes in emails (quishing) are bypassing email security filters
- Always verify unusual requests via a separate phone call to a known number
Reporting Procedure
- Do NOT click links or reply — report via your IT helpdesk immediately
- Use "Report Phishing" button in email client where available
- Preserve the email as evidence — do not delete
- If you clicked a link: disconnect from network, notify IT immediately
📩 Get Security Awareness Training →
Vendor & Third-Party Risk Assessment Framework
Assess the security posture of vendors, suppliers, and technology partners who have access to your data or systems before granting them access.
Vendor RiskThird PartySupply Chain
Vendor Classification
- Tier 1 (Critical): Access to sensitive data or core systems — full assessment required
- Tier 2 (Standard): Access to non-sensitive systems — standard questionnaire
- Tier 3 (Low Risk): No data access — basic contractual controls only
Security Assessment Questions — Tier 1
- Do you hold ISO 27001, SOC 2 Type II, or equivalent certification?
- Have you had a data breach in the last 3 years? If yes, describe controls implemented
- Is our data stored in India or offshore? What jurisdiction applies?
- Do you conduct annual penetration testing? Can we review findings?
- What is your incident notification timeline if our data is compromised?
- Do you have cyber insurance? What is the coverage amount?
Contractual Must-Haves
- Data Processing Agreement (DPA) aligned with DPDP Act
- Right to audit clause — ability to conduct security reviews
- Breach notification within 24-72 hours
- Data deletion certificate upon contract termination
📩 Get Vendor Risk Assessment Help →