Checklist · 30 Points

Ransomware Readiness Checklist

A practitioner-grade checklist used in Dephiant readiness reviews. Mapped to NIST CSF 2.0, CISA's #StopRansomware guidance, and CIS Controls v8. No email required.

Identity & Access

  • Phishing-resistant MFA (FIDO2 / Passkeys) enforced for all admin and remote access.
  • Separate privileged accounts (no daily-driver admin); just-in-time elevation where possible.
  • Legacy authentication (basic auth over IMAP, POP3, SMTP AUTH, ActiveSync and other non-modern clients) disabled on Microsoft 365 / Google Workspace; these protocols carry only a password and cannot enforce MFA.
  • Service accounts inventoried, password-rotated, and excluded from interactive logon.
  • Conditional access / device compliance gating sensitive apps and admin tooling.
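Before legacy authentication can be switched off, you need to know which accounts still depend on it and whether it is already being password-sprayed. The triage below is an added example, not part of the Dephiant checklist; it assumes a CSV export of Entra ID / Microsoft 365 sign-in logs using the portal's column names ("Client app", "Status", "IP address"), and the rows in it are constructed, not real tenant data.

```python
import csv
import io
from collections import Counter, defaultdict

# Entra ID sign-in logs label modern-auth sign-ins with exactly these two
# "Client app" values; every other value (IMAP4, POP3, Authenticated SMTP,
# Exchange ActiveSync, Other clients, ...) is a legacy-authentication protocol
# that cannot carry MFA. Assumption: your export uses the portal's column names.
MODERN_CLIENT_APPS = {"Browser", "Mobile Apps and Desktop clients"}

# Constructed sample export (not real tenant data).
SAMPLE_EXPORT = """\
Date (UTC),User,Client app,Status,IP address
2024-05-01T08:01:12Z,alice@example.com,Browser,Success,203.0.113.10
2024-05-01T08:04:40Z,scanner-svc@example.com,Authenticated SMTP,Success,198.51.100.7
2024-05-01T08:05:02Z,bob@example.com,Mobile Apps and Desktop clients,Success,203.0.113.11
2024-05-01T08:07:55Z,bob@example.com,IMAP4,Success,203.0.113.11
2024-05-01T09:12:00Z,carol@example.com,Exchange ActiveSync,Failure,192.0.2.44
2024-05-01T09:12:03Z,dave@example.com,Exchange ActiveSync,Failure,192.0.2.44
2024-05-01T09:12:06Z,erin@example.com,Exchange ActiveSync,Failure,192.0.2.44
"""


def triage_legacy_auth(csv_text):
    """Split legacy-auth sign-ins into dependencies and attack traffic.

    Returns (dependencies, attack_sources):
      dependencies   {user: Counter(client_app)} for successful legacy sign-ins,
                     i.e. the accounts and protocols that will break when
                     legacy auth is switched off and must be migrated first;
      attack_sources Counter(ip) of failed legacy sign-ins; one IP failing
                     across many users is the password-spray pattern that
                     legacy protocols attract precisely because they bypass MFA.
    """
    dependencies = defaultdict(Counter)
    attack_sources = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Client app"] in MODERN_CLIENT_APPS:
            continue
        if row["Status"] == "Success":
            dependencies[row["User"]][row["Client app"]] += 1
        else:
            attack_sources[row["IP address"]] += 1
    return dict(dependencies), attack_sources


if __name__ == "__main__":
    deps, sources = triage_legacy_auth(SAMPLE_EXPORT)
    for user, apps in sorted(deps.items()):
        print(f"migrate before blocking: {user} -> {dict(apps)}")
    for ip, n in sources.most_common():
        print(f"spray candidate: {ip} ({n} failed legacy sign-ins)")
```

Run it against a 30-day export: every user in the first list needs an app password replaced with a modern-auth client or a service migrated before the tenant-wide block, and every IP in the second list is evidence for the control's urgency.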

Endpoints & Email

  • Modern EDR/XDR deployed on 100% of endpoints and servers, with tamper protection.
  • Application allow-listing or attack-surface reduction enabled where supported.
  • Email gateway with SPF, DKIM, DMARC at p=reject; safe-link / attachment detonation on.
  • Macros blocked in Office files that carry the Mark of the Web (internet-sourced); PowerShell in Constrained Language Mode where feasible, and with script block logging enabled everywhere.
  • Vulnerability management with SLAs: critical ≤ 7 days, high ≤ 30 days, internet-exposed ≤ 48 hours.
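"DMARC at p=reject" is easy to claim and easy to undercut with a weaker subdomain policy, a partial pct=, or an SPF record that fails on lookup count. The checker below is an added example, not part of the Dephiant checklist; it evaluates record strings offline (the records here are constructed), so to check a live domain fetch the TXT records for the domain and its _dmarc subdomain first. It reads top-level SPF terms only and does not follow nested includes.

```python
SPF_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings that keep a DMARC record below the p=reject bar."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p")
    if policy != "reject":
        findings.append(f"domain policy is p={policy or 'missing'}, not reject")
    # sp= defaults to p=; an explicit weaker value re-opens spoofing from subdomains.
    sub_policy = tags.get("sp", policy)
    if sub_policy != "reject":
        findings.append(f"subdomain policy sp={sub_policy} is weaker than reject")
    # pct= defaults to 100; anything lower exempts that share of failing mail.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= aggregate reports, so you cannot see who spoofs you")
    return findings


def _mechanism(term):
    """'include:_spf.x.com' -> 'include', '~all' -> 'all', 'a/24' -> 'a'."""
    name = term.lower().lstrip("+-~?")
    for sep in (":", "=", "/"):
        name = name.split(sep, 1)[0]
    return name


def assess_spf(record):
    """Return findings for an SPF record (top-level terms only, no recursion)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_terms = [t for t in terms[1:] if _mechanism(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF")
        elif qualifier == "?":
            findings.append("?all: neutral, equivalent to publishing no policy")
        elif qualifier == "~":
            findings.append("~all: softfail only; relies on DMARC to reject spoofed mail")
    # RFC 7208 allows at most 10 DNS-querying mechanisms; more yields permerror,
    # and a permerror record protects nothing. Nested includes are not followed here.
    lookups = sum(1 for t in terms[1:] if _mechanism(t) in SPF_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10 (permerror)")
    return findings


# Constructed records for the example.
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_DMARC = "v=DMARC1; p=quarantine; sp=none; pct=25"
GOOD_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_SPF = "v=spf1 a mx " + " ".join(f"include:spf{i}.example.org" for i in range(9)) + " +all"

if __name__ == "__main__":
    for label, rec, fn in (("DMARC", WEAK_DMARC, assess_dmarc), ("SPF", WEAK_SPF, assess_spf)):
        for finding in fn(rec):
            print(f"{label}: {finding}")
```

An empty findings list for both records is the pass condition for the checklist item; anything else is a concrete fix rather than a yes/no answer.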

Network & Segmentation

  • Crown-jewel systems (AD, backups, ERP, OT) on isolated VLANs with explicit allow-list rules.
  • No flat network: client → server traffic restricted by application, not just subnet.
  • RDP / SMB never exposed to the internet; admin protocols behind ZTNA or VPN + MFA.
  • DNS filtering / secure web gateway blocks known C2 and newly-registered domains.
  • External attack surface scanned monthly; shadow IT and forgotten services tracked to closure.

Backups & Recovery

  • 3-2-1-1-0 backups: 3 copies, 2 media, 1 offsite, 1 immutable/air-gapped, 0 errors on test.
  • Backup system credentials separate from production AD; MFA on backup console.
  • Documented RTO/RPO per system tier; quarterly restore tests for tier-1 workloads.
  • Golden images / IaC for rapid rebuild of domain controllers and key servers.
  • Offline copy of recovery runbooks, contact tree, and break-glass credentials.
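3-2-1-1-0 is usually asserted from memory during a review; scoring it per workload from an actual copy inventory is more honest. The evaluator below is an added example, not part of the Dephiant checklist. The conventions it applies are assumptions stated in the docstring (the production copy counts toward the 3, offsite means a different site from the primary's, and "0 errors" means a passing restore test within the quarterly window), and the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Copy:
    name: str
    media: str                 # "disk", "object-storage", "tape", ...
    site: str                  # where the bytes physically live
    is_primary: bool = False   # the production copy; it counts toward "3 copies"
    immutable: bool = False    # object lock / WORM / offline tape / air-gapped
    last_restore_test: Optional[date] = None
    last_test_passed: bool = False


def assess_3_2_1_1_0(copies, today, test_interval=timedelta(days=90)):
    """Return [(rule, message)] for every rule a workload's copies fail.

    Conventions assumed here (the checklist does not spell them out):
    the production copy counts as one of the 3; "2 media" is counted across
    all copies; offsite means a site different from the primary's; "0 errors"
    means every backup copy has a passing restore test within test_interval
    (90 days, matching the quarterly cadence for tier-1 workloads).
    """
    failures = []
    primary = next((c for c in copies if c.is_primary), None)
    backups = [c for c in copies if not c.is_primary]
    if primary is None:
        return [("input", "no copy is marked is_primary")]
    if len(copies) < 3:
        failures.append(("3-copies", f"only {len(copies)} copies including production"))
    if len({c.media for c in copies}) < 2:
        failures.append(("2-media", "all copies share one media type"))
    if not any(c.site != primary.site for c in backups):
        failures.append(("1-offsite", f"every copy sits at {primary.site}"))
    if not any(c.immutable for c in backups):
        failures.append(("1-immutable", "no copy is immutable or air-gapped"))
    for c in backups:
        if c.last_restore_test is None:
            failures.append(("0-errors", f"{c.name}: never restore-tested"))
        elif not c.last_test_passed:
            failures.append(("0-errors", f"{c.name}: last restore test failed"))
        elif today - c.last_restore_test > test_interval:
            age = (today - c.last_restore_test).days
            failures.append(("0-errors", f"{c.name}: restore test is {age} days old"))
    return failures


# Constructed inventory for one tier-1 workload.
TODAY = date(2024, 6, 1)
INVENTORY = [
    Copy("erp-prod", media="disk", site="hq-dc", is_primary=True),
    Copy("erp-nightly-nas", media="disk", site="hq-dc",
         last_restore_test=date(2024, 5, 12), last_test_passed=True),
    Copy("erp-objectlock", media="object-storage", site="cloud-eu", immutable=True,
         last_restore_test=date(2024, 2, 22), last_test_passed=True),
]

if __name__ == "__main__":
    for rule, message in assess_3_2_1_1_0(INVENTORY, TODAY):
        print(f"FAIL {rule}: {message}")
```

Note what the immutable flag does not capture: an object-locked cloud copy whose console is reachable with production AD credentials satisfies this rule and still fails the credential-separation item above, so score both.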

Detection & Response

  • Central log collection (SIEM or managed XDR) with ≥ 90 days hot retention.
  • 24/7 monitoring coverage — in-house SOC, MDR provider, or hybrid — with documented escalation.
  • Tested playbooks for ransomware, BEC, and data-exfiltration scenarios.
  • Incident response retainer in place with a vetted IR firm before you need them.
  • Legal, comms, and cyber-insurance contacts in the IR plan; breach-counsel relationship established.
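A ransomware playbook is only testable if the SIEM actually fires on the step that precedes encryption: deletion of shadow copies and backup catalogs and disabling of Windows recovery (ATT&CK T1490, Inhibit System Recovery). The detection below is an added example, not part of the Dephiant checklist or any vendor's content. It runs over constructed process-creation events in a Sysmon event 1 / Security 4688-like shape (field names are an assumption) and, beyond single matches, flags a host that trips several distinct rules in one window, which is the signal to page rather than queue.

```python
import json
import re
from collections import defaultdict

# Command-line signatures for ATT&CK T1490 (Inhibit System Recovery): the
# shadow-copy and backup-catalog destruction ransomware runs before
# encrypting. Matched case-insensitively against the full command line.
RECOVERY_INHIBIT_RULES = [
    ("vssadmin-delete-shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vssadmin-resize-shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic-shadowcopy-delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("wbadmin-delete-catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup)\b", re.I)),
    ("bcdedit-disable-recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I)),
    ("powershell-delete-shadowcopy",
     re.compile(r"\bWin32_ShadowCopy\b.*\b(Delete|Remove-WmiObject|Remove-CimInstance)\b", re.I)),
]


def detect_recovery_inhibition(events, staging_threshold=2):
    """Return (alerts, staging_hosts).

    alerts         one dict per matching process-creation event;
    staging_hosts  hosts that tripped >= staging_threshold distinct rules,
                   which is the "about to encrypt" signal a 24/7 SOC or MDR
                   should page on immediately rather than queue for triage.
    """
    alerts = []
    rules_per_host = defaultdict(set)
    for ev in events:
        cmd = ev.get("command_line", "")
        for rule, pattern in RECOVERY_INHIBIT_RULES:
            if pattern.search(cmd):
                alerts.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                               "rule": rule, "command_line": cmd})
                rules_per_host[ev["host"]].add(rule)
    staging = sorted(h for h, r in rules_per_host.items() if len(r) >= staging_threshold)
    return alerts, staging


# Constructed events in a Sysmon-1 / 4688-like shape (not real telemetry).
# The backup agent's "vssadmin list shadows" is the benign control case.
SAMPLE_EVENTS = [json.loads(line) for line in r"""
{"ts": "2024-05-03T02:14:03Z", "host": "WS-042", "user": "CORP\\alice", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "vssadmin.exe delete shadows /all /quiet"}
{"ts": "2024-05-03T02:14:05Z", "host": "WS-042", "user": "CORP\\alice", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "bcdedit /set {default} recoveryenabled No"}
{"ts": "2024-05-03T02:14:06Z", "host": "WS-042", "user": "CORP\\alice", "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "wbadmin delete catalog -quiet"}
{"ts": "2024-05-03T02:20:00Z", "host": "BKP-01", "user": "CORP\\backupsvc", "parent_image": "C:\\Program Files\\Backup\\agent.exe", "command_line": "vssadmin list shadows"}
{"ts": "2024-05-03T02:21:00Z", "host": "WS-042", "user": "NT AUTHORITY\\SYSTEM", "parent_image": "C:\\Windows\\System32\\services.exe", "command_line": "C:\\Windows\\System32\\svchost.exe -k netsvcs"}
{"ts": "2024-05-03T02:25:41Z", "host": "SRV-DB01", "user": "CORP\\dbadmin", "parent_image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "command_line": "powershell.exe -nop -c Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"}
""".strip().splitlines()]

if __name__ == "__main__":
    alerts, staging = detect_recovery_inhibition(SAMPLE_EVENTS)
    for a in alerts:
        print(f"{a['ts']} {a['host']} {a['user']} {a['rule']}: {a['command_line']}")
    print("page now:", staging)
```

Run this as the first injected test case when you exercise the ransomware playbook: if the SIEM does not have process command lines (4688 without command-line auditing, or no Sysmon/EDR telemetry), none of these rules can fire and the 90-day retention item is holding logs that cannot answer the question.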

Governance & People

  • Executive sponsor and accountable owner named for ransomware readiness program.
  • Annual tabletop exercise including exec, legal, comms, IT, and key business owners.
  • Security awareness training with phishing simulation; results tracked over time.
  • Vendor / third-party risk reviewed for top-20 critical suppliers.
  • Cyber insurance application questions reviewed against actual controls (no overstatement).

Want this scored against your environment?

A Dephiant principal will walk this checklist with your team, score each control, and prioritize the three highest-leverage fixes.