ReSeBI v1.2

Avoids clicking on unknown links or opening mail attachments and deletes them promptly

Checks elements like email domain (part after the "@" symbol), poor grammar or spelling mistakes etc

Enables spam filters on email accounts to identify and filter out phishing emails

Double checks email addresses before sending

Scans attachments with an updated antivirus software before downloading it

Enables the display of file extensions on operating system to identify potential threats

Confirms legitimacy of the attachment with the sender before opening it

Only enables macros when opening attachments from trustworthy sources

Opens attachments only with applications specifically designed to handle these file types (e.g., opens pdf document with Adobe Acrobat)

Hovers over the link to see actual URL destination before clicking on it

Can identify encrypted and unencrypted website (e.g. by looking at the https lock icon)

Check for the presence of the HTTPS lock to differentiate between encrypted (HTTPS) and unencrypted (HTTP) websites

Sticks to trusted and reputable websites by verifying them carefully (typos in the URLs etc.)

Makes credit card purchases only on trust worthy sites

Avoids clicking on suspicious pop ups/ads/links

Does not use official SSO for personal website logins

Downloads files only from reputable and official sources

Double checks buttons by hovering the mouse and checking the destination URL before initiating a download

Reads other user reviews for security vulnerabilities before downloading

Does not share personally identifiable information and excessive information about one's workplace on social platforms (e.g., location, contact details etc)

Check the accuracy of the post/message before sharing

Only connects with trusted individuals and verifies their authenticity before accepting requests

Deletes suspicious messages or links

Enforcing screen locks (e.g., PIN, fingerprint, or facial recognition), enabling encryption, and using security apps to safeguard device integrity

Downloading apps only from trusted sources (e.g., app stores), and reviewing app permissions before installation

Following workplace policies related to mobile device security

Ensure regular data backups

Ensure secure disposal of mobile devices

Adhering to computer usage policies and guidelines set by the organisation

Regularly performing system maintenance tasks such as disk cleanup, defragmentation (if applicable), and hardware checks

Protecting computers from physical theft or tampering

Changes the provided default credentials immediately after setting up an IoT device

Regularly updates the firmware and software of each IoT devices

Creates separate network segments or VLANs (Virtual Local Area Network) for IoT devices

Disables IoT devices when not in use

Regularly checks and reviews permissions granted to IoT devices

Properly researches various IoT devices available in the market before purchasing one

Avoids connecting to open or unsecured networks

Employs a strong and unique WiFi password for own networks

Uses a trusted VPN service

Connects to a VPN while using an unfamiliar network

Double checks the participant list to verify that only intended participants are being invited to the meeting

Reviews participants using the waiting room feature before adding them to the meeting

Restricts file transfers, chat capabilities as necessary during meetings

Asks for consent before recording meetings

Does not copy and paste information as it is from AI/LLM platforms

Is careful enough to not divulge highly confidential business information/ personally identifiable information to AI/LLM platforms

Regularly review permissions

Removes personally identifiable information or sensitive data from documents before uploading them to the AI/LLM platforms

Creates complex passwords with or without enforcement

Does not write down passwords or store in a soft copy

Creates separate passwords across accounts

Pro-actively uses a password manager

Changes password diligently when prompted by the system or application

Using encryption measures for data protection (TLS, SSL, etc.)

Opts for MFA even when it is only an option

Selects the most secure MFA option (e.g., OTP generated by app rather than SMS)

Select the SSO option for signing-in for all work-related accounts

Keeps up-to-date with SSO best practices and guidelines

Stores physical access cards in secure places when not in use

Does not share own or use others' access cards

Promptly reports lost or stolen access cards

Makes use of the appropriate channel to report lost or stolen cards

Use secure and authorized methods (such as biometrics, PINs, or access cards) to authenticate identity before gaining physical access

Adhere to the escort policy, ensuring that authorized personnel accompany visitors within secure areas for compliance

A systematic approach is followed to register all visitors and issue temporary access credentials when entering secure areas

Prioritise safety by not misusing emergency exits for unauthorized access or exit, enhancing safety protocols

Lock office doors, filing cabinets, or other secure areas when they are not in use, especially in shared or open spaces

Ensure that all security cameras and surveilance systems are operational and avoids tampering with it

Classify information based on its sensitivity

Sets appropriate file permissions and access levels for documents and folders

Double-checks to ensure that the correct file permissions are enabled before sharing the files or folders with others

Checks recipient addresses before sending files

Uses strong passwords to secure the file sharing account

Uses only company approved information sharing channels

Evaluating and assessing potential vendors

Ensuring that vendors adhere to security and compliance standards

Avoids downloading software from third party websites or unverified sources

Reads permissions or privileges requested by software to asses whether it aligns with its intended functionality

Carefully reviews installation prompts and deselects the optional software

Conduct a thorough assessment of the vendor's reputation, security practices, and track record

Ensure that vendor contracts include clear security obligations and service level agreements (SLAs)

Updating, maintaining, and upgrading software to ensure it functions correctly

Establishes baseline behaviors and uses anomaly detection mechanisms to identify deviations

Conducts periodic vulnerability assesments and addresses the identified vulnerabilities promptly

Identify signs of threats like deepfake, vishing, smishing etc

Categorise incidents based on their impact and potential harm

Inform IT, security team, and management, about the incident's classification and severity

Establishes a well-defined process for reporting security incidents within the organisation

Promptly report security incidents to the IT/Security team

Opens multiple incident reporting channels

Isolating affected systems or networks to prevent further spread of the threat

Address vulnerabilities that may have been exploited by the attacker to prevent reinfection

Handle data according to the organisational policies

Ensure data subject rights such as the right to access correct or delete their personal data

Consistently adheres to data protection laws and regulations, including GDPR, PDPA, and other relevant legislation

Adhere to regulatory guidelines for complaint resolution

Regularly conducts privacy impact assessments and updates data protection policies

Proactively identify, report, and address any potential legal compliance issues or violations to the appropriate authority or compliance officer as required by law

Complies to data privacy rules and regulations of the land when working with sensitive data

Follow organization protocol for software installation, pilot test, etc.

Avoids introducing biases into data processing, ensuring fairness and objectivity in decision-making.

Is transparent about how data is used and ensures the data use aligns with ethical standards.

Cross checks multiple reliable sources to verify information credibility

Contacts official channels for information related to organisations or government entities to verify its authenticity

Looks for verifiable data, credible research and reliable sources cited within the information

Pays attention to timestamps of articles, posts , videos to ensure the information is relevant

Collects data in accordance with data privacy laws and takes appropriate measures to protect personally identifiable data (masking, anonymization)

Maintains up-to-date antivirus software, firewalls and other security measures to protect data

Performs checks for missing values, outliers or inconsistencies in data

Works solely with necessary variables relevant to current analysis or modeling

Communicates clearly the purpose of testing, data collected and any potential risks that might be involved

Stores data in encrypted databases or file systems

Uses cryptographic techniques such as digital signature or hash functions to identify unauthorised tampering of data

Minimises the collection of sensitive or unnecessary information to reduce potential risks

Collects only absolutely necessary information required for the selection process

Stores candidate data securely through the lawful retention period

Limits candidate data access to authorised personnel only

Transmits recruitment data as password protected documents

Use strict access controls and encryption

Classifies candidate data based on organisational guidelines

Explains data retention and obtains consent from the departing employee

Adheres to privacy laws for data retention, storage, or deletion

Uses secure data deletion methods to permanently erase candidate data

Ensures candidate data removal to prevent unintended restoration or duplication

Ensure the signing of confidentiality agreements

Conduct background verification

Secures employee data backups on cloud platforms and regularly tests restoration

Standardizes record-keeping practices across the organisation

Verifies up-to-date and lawful employee record maintenance

Ensures that all employees have attended mandatory cyber security training

Sends reminders to employees to complete mandatory cyber security trainings on time

Initiate disciplinary actions for cyber security violation

Promptly revokes access for an employee upon their exit

Retreives company issued devices, access cards etc from the departing employee

Reminds exiting employees of sticking to their confidentiality and non-disclosure obligations

Conveys key details on departure, access termination, and data-handling instructions for knowledge transfer (Exit interview)

Follows a regular back up schedule for all financial records, including electronic files and paper documents

Stores or deletes records in accordance with organisation's record keeping policy

Implements record integrity checks to detect and prevent unauthorized record alterations

Limits access to the record preparation and storage software to authorized personnel only

Uses only trusted data sources for obtaining prospect information (e.g., reading online reviews, checking whether these sources adhere to privacy laws, exploring data from industry specific associations, asking for refferals from trusted contacts who have experience with using data sources for prospect information etc)

Communicate with prospects using secure communication channels that use end to end encryption (e.g., encrypted emails, secure communication channels like Microsoft Teams, Cisco Webex etc)

Obtains consent from prospects before collecting data and handles them in a compliant manner

Uses mock data or anonymizes information whenever possible during presentation

Avoids showing sensitive or confidential business data during presentations or demos

Uses strong protection methods to secure devices used for presentations or demos (e.g., disk encryption, strong passwords, anti malware software etc)

Ensures that non-disclosure agreements are signed by both parties (organisation and prospects) involved in the negotiation before sharing confidential data

Uses file sharing platforms that helps control who can access, download and modify negotiation related data (e.g., Intralinks, Onehub, Box etc)

Avoids including sensitive or personal data that is not required for the sales or customer relationship management process

Double checks the accuracy of data entered into the CRM platform

Always logs out of the CRM platform when data entry tasks have been finished

Restricts access to reporting and analysis features only to authorised personnel

Implements data encryption during transit to prevent unauthorized access or interception

Uses secure protocols to encrypt online survey forms

Removes direct identifiers and combines data in such a way that individuals cannot be identified

Conducts thorough due diligence to assess the cyber security practices of third-party vendors

Protects brand assets by implementing measures like strong access controls, watermarking etc

Implements SSL/TLS certificates in websites to encrypt communication between users and the site

Regularly updates and patches website's software and plugins to address vulnerabilities

Enables domain locking and uses strong registrar account passwords

Regularly reviews and renews domain registrations to avoid expiration and potential unauthorized acquistions

Uses strongly secured ad platforms to manage campaign data

Implements strong , unique passwords and enables two factor authentication wherever possible

Shares information with media outlets only after verifying authenticity of media contacts

Clearly defines and sets internal protocols for media engagement to ensure that only authorized personnel communicate with media

Establishes a streamlined process to verify the identities of customers before disclosing sensitive information

Establishes customer portals that uses strong encryption methods to protect customer data

Regularly reviews and revokes remote access privileges when they are no longer needed

Ensures that employees only have access to customer records required for their specific roles

Implements monitoring mechanisms to track access to customer records

Maintains a secure record of the invention's development process, iterations, details of all contributors and any other relevant information

Ensures that external parties such as patent agents or attorneys sign non disclosure agreements when sharing invention details with them

Avoids public disclosures of the invention before filing a patent application

Uses only trusted research tools and services

Ensures that all devices used for research are equipped with up-to-date antivirus software

Discusses sensitive research matters only through secure and organisation approved communication channels

Accurately records all inventory transactions in the tracking system

Secures inventory storage areas with physical security measures, including access controls, surveillance cameras and alarms

Implements audit logs to monitor and track who acesses inventory data and when

Ensure that the digital signature for contracts, purchase orders and delivery confirmations comes from the authorised person

Checks for any signs of the document being altered after the signature was applied

Ensures there is a trusted timestamp on the digital signature to ensure it was applied at a specific, verifiable time

Check that the digital certificate used to sign the document is currently valid and has not expired or been revoked

The signed document is transmitted over secure, encrypted channels (such as HTTPS) to prevent interception or tampering during transit.

The recipient verifies that the signed document is the latest version and checks for any subsequent changes.

Validates inputs against a defined set of allowed values (using whitelists).

Applies length restrictions on input fields to prevent buffer overflows and excessive data submission.

Consistently uses trusted input validation libraries and frameworks rather than writing custom validation code.

Ensures that all input is validated on the server side and not just the client side.

Ensures that the application handles invalid or malicious input gracefully, without crashing or revealing sensitive system information.

When integrating with external systems or third-party services, input data is validated to ensure it meets internal security requirements.

Regularly reviews logs for patterns of invalid input attempts.

Validates each step for multi-step or dependent inputs to ensure data integrity at every stage.

Ensures that error messages do not include detailed technical information that reveals internal logic or infrastructure details.

Ensures that detailed error information logged internally for debugging purposes is stored in a secure, access-controlled environment.

Implement checks to sanitize error logs to avoid capturing sensitive data.

Uses a centralized error handling mechanism to ensure consistent behavior across the application when errors occur.

Limits the amount of information provided in production error logs compared to development environments.

Logs errors related to security events with detailed information and flags them for further investigation.

Actively checks for common security vulnerabilities such as those listed in the OWASP Top 10

Ensures that the code adheres to proper business logic.

Ensures that all inputs are properly validated and sanitized.

Ensure that the code follows the principle of least privilege.

Checks whether unnecessary or untrusted libraries are included in the project to minimize the attack surface.

Ensures code simplicity to reduce the chances of introducing vulnerabilities due to complexity or unclear logic.

Ensures that critical sections of code are well-documented and contain comments that explain the security considerations involved.

Ensures that the code is reviewed against a predefined security checklist or framework.

Engage multiple reviewers to review critical code sections to ensure no vulnerabilities are overlooked.

Routinely check for and apply updates to dependencies.

Specifies dependency versions in configuration files to avoid unintended updates that might introduce vulnerabilities.

Only downloads dependencies from reputable sources.

Configures builds to fail or raise alerts when vulnerabilities are detected in dependencies.

Checks the license of dependencies to ensure compliance with legal and organizational policies.

Maintains documentation of all dependency updates.

Conducts routine scans of third-party libraries to ensure that libraries’ licenses have not changed.

Maintain an up-to-date list of all third-party libraries used in the project, along with their versions and security status.

Has a contingency plan for quickly patching or replacing vulnerable libraries.