## Assessment

A global assessment should be the very first step of a cybersecurity enforcement project. For this purpose, we have developed the following assessment checklist, to be used as a starting point.

| Item | Comments | Result |
|---|---|---|
| Screening | Are people screened before accessing the datacenter? | yes/no/partially/unsure |
| Physical RBAC | Is physical access to the backup infrastructure limited by role-based access rules? | yes/no/partially/unsure |
| Tailgating | Are there any tailgating prevention systems in place? | yes/no/partially/unsure |
| Surveillance | Is suspicious activity monitored inside and outside the datacenter? | yes/no/partially/unsure |
| Multi-factor authentication | Is MFA used to enter the premises? | yes/no/partially/unsure |
| Rack locking | Are the physical racks containing the backup infrastructure locked? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| Recovery strategy existence | Is there a recovery strategy in place? | yes/no/partially/unsure |
| Recovery strategy test | Is the recovery strategy regularly tested? | yes/no/partially/unsure |
| Dedicated recovery infrastructure | Is there a dedicated recovery infrastructure? | yes/no/partially/unsure |
| Applications assessment | Are the critical applications defined? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| EDR/XDR | Is an EDR or XDR deployed to detect threats? | yes/no/partially/unsure |
| Honeypots | Are honeypots deployed? | yes/no/partially/unsure |
| Veeam ONE | Is Veeam ONE deployed and monitoring threats? | yes/no/partially/unsure |
| Veeam Threat detection | Is Veeam Threat Center in use? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| 3 copies | Are there 3 different copies of the data? | yes/no/partially/unsure |
| 2 media | Are the copies hosted on two different media? | yes/no/partially/unsure |
| 1 offsite | Is one copy offsite? | yes/no/partially/unsure |
| 1 immutable/air-gapped copy | Is one copy immutable or air-gapped? | yes/no/partially/unsure |
| 0 errors | Are the backups regularly tested to ensure they can be restored? | yes/no/partially/unsure |
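
The 3-2-1-1-0 items above lend themselves to an automated check against an inventory of data copies. The following Python example is added here and is not part of this guide or of any Veeam tooling; the `DataCopy` fields, the 90-day test-restore window, the rule that the production copy counts as one of the three, and the sample inventory are all assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class DataCopy:
    """One copy of a dataset: the production copy or a backup of it."""
    name: str
    media: str                  # storage medium, e.g. "disk", "tape", "object"
    offsite: bool
    immutable: bool             # immutable or air-gapped copy
    is_backup: bool = True      # False for the production copy itself
    last_restore_test: "date | None" = None   # last successful test restore

def assess_3_2_1_1_0(copies, today, max_test_age_days=90):
    """Map each 3-2-1-1-0 checklist item to True (met) or False (not met).
    Assumptions not stated in the guide: the production copy counts as one
    of the three copies, and a backup only counts as tested ("0 errors")
    if it was restored successfully within the last max_test_age_days.
    """
    backups = [c for c in copies if c.is_backup]

    def tested(c):
        return (c.last_restore_test is not None
                and (today - c.last_restore_test).days <= max_test_age_days)

    return {
        "3 copies": len(copies) >= 3,
        "2 media": len({c.media for c in copies}) >= 2,
        "1 offsite": any(c.offsite for c in backups),
        "1 immutable/air-gapped copy": any(c.immutable for c in backups),
        "0 errors": bool(backups) and all(tested(c) for c in backups),
    }

def failed_items(copies, today, max_test_age_days=90):
    """Checklist items that would have to be answered 'no' for this inventory."""
    results = assess_3_2_1_1_0(copies, today, max_test_age_days)
    return [item for item, ok in results.items() if not ok]

# Constructed sample inventory: the offsite copy was last test-restored
# about 200 days ago, so only the "0 errors" item fails.
TODAY = date(2025, 6, 1)
SAMPLE_COPIES = [
    DataCopy("production VMs", "disk", offsite=False, immutable=False, is_backup=False),
    DataCopy("hardened repository", "disk", offsite=False, immutable=True,
             last_restore_test=date(2025, 5, 12)),
    DataCopy("object storage bucket", "object", offsite=True, immutable=True,
             last_restore_test=date(2024, 11, 14)),
]

if __name__ == "__main__":
    print(failed_items(SAMPLE_COPIES, TODAY))  # ['0 errors']
```

Feeding the real copy inventory into `failed_items` turns the table into a repeatable check whose "no" answers can be tracked over time.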

| Item | Comments | Result |
|---|---|---|
| Anonymous accounts | Do account names contain a reference to their roles? | yes/no/partially/unsure |
| Password change policy | Are passwords changed on a regular basis? | yes/no/partially/unsure |
| Lockout policy | Are users disconnected after a given inactivity period? | yes/no/partially/unsure |
| Role-based access control | Can the backup infrastructure be accessed only by backup accounts? | yes/no/partially/unsure |
| Honeypot accounts | Are there visible honeypot accounts that are monitored? | yes/no/partially/unsure |
| Multi-factor authentication | Is MFA used to log in to the backup infrastructure? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| At rest | Is data encrypted on the repositories? | yes/no/partially/unsure |
| In transit | Is data encrypted in transit? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| Specific segmentation | Is the backup infrastructure on specific network segments? | yes/no/partially/unsure |
| MFA | Is MFA enabled on the backup infrastructure segment? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| Veeam DB | Is access to the Veeam database restricted? | yes/no/partially/unsure |
| Backup infrastructure servers cleanup | Have the servers been cleaned up of all unnecessary roles/components? | yes/no/partially/unsure |
| Patching and updates | Are the servers patched/updated on a regular basis? | yes/no/partially/unsure |
| Remote management | Are remote management tools disabled/uninstalled? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| Immutability | Is the repository immutable? | yes/no/partially/unsure |
| Hardening | Is the repository hardened? | yes/no/partially/unsure |

| Item | Comments | Result |
|---|---|---|
| Domain controller credentials | Is a domain admin account stored in Veeam? | yes/no/partially/unsure |
| gMSA | Is a gMSA used for guest interaction? | yes/no/partially/unsure |

Copyright © 2019 - 2025 Solutions Architects, Veeam Software. Please note that the information provided in this guide is not produced or verified by Veeam R&D but is the result of a community effort based on field observations.