Link Search Menu Expand Document


A global assessment should be the very first step of the cybersecurity enforcement project.

For this purpose, we have developped the following assessment checklist to be used as a starting point.

Since this is a living documentation, you are welcome leaving any enhancements suggestions using the contact form.

Physical security

Item Comments Result
Screening Are people screened before accessing to the datacenter ? yes/no/partially/unsure
Physical RBAC Is physical access to the backup infrastructure limited by role based access rules ? yes/no/partially/unsure
Tailgating Are there any tailgating prevention systems in place ? yes/no/partially/unsure
Surveillance Is suspicious activity monitored inside and outside the datacenter ? yes/no/partially/unsure
Multi Factor Authentication Is MFA used to enter the premises ? yes/no/partially/unsure
Racks locking Are physical racks containing the backup infrastructure physically locked ? yes/no/partially/unsure

Recovery strategy

Item Comments Result
Recovery strategy existence Is there a recovery strategy in place ? yes/no/partially/unsure
Recovery strategy test Is the recovery strategy regularily tested ? yes/no/partially/unsure
Dedicated recovery infrastructure Is there a dedicated recovery infrastructure ? yes/no/partially/unsure

Threat detection

Item Comments Result
EDR-XDR Is an EDR or XDR deployed to detect threats ? yes/no/partially/unsure
Honeypots Are there honeypots deployed ? yes/no/partially/unsure
VeeamOne Is Veeam One deployed and monitoring threats ? yes/no/partially/unsure

3-2-1-1-0 rule

Item Comments Result
3 copies Are there 3 different copies of the data ? yes/no/partially/unsure
2 medias Are copies hosted on two different medias ? yes/no/partially/unsure
1 offsite Is one copy offsite ? yes/no/partially/unsure
1 immutable/air gapped copy Is one copy immutable or air gapped ? yes/no/partially/unsure
0 errors Are the backups regularily tested to ensure they can be restored ? yes/no/partially/unsure

Roles and users

Item Comments Result
Anonymous accounts Do account names contain reference to their roles ? yes/no/partially/unsure
Password change policy Are passwords changed on a regular basis ? yes/no/partially/unsure
Lockout policy Are users disconnected after a given inactivity period ? yes/no/partially/unsure
Role based access control Can backup infrastructure be accessed only by backup accounts ? yes/no/partially/unsure
Honeypot accounts Are there visible honeypot accounts which are monitored ? yes/no/partially/unsure
Multi Factor authentication Is MFA employed to login to backup infrastructure ? yes/no/partially/unsure


Item Comments Result
At rest Is data encrypted on the repositories ? yes/no/partially/unsure
In transit Is data encrypted in transit ? yes/no/partially/unsure

Hardening - Segmentation

Item Comments Result
Specific segmentation Is the backup infrastructure on specific segments ? yes/no/partially/unsure
MFA Is MFA enabled on the backup infrastructure segment ? yes/no/partially/unsure

Hardening - Attack surface reduction

Item Comments Result
Veeam DB Is access to the Veeam database restricted ? yes/no/partially/unsure
Console Is console uninstalled from VBR server ? yes/no/partially/unsure
Backup infrastructure servers cleanup Have the servers been cleaned-up from all unnecessary roles/components ? yes/no/partially/unsure
Patching and updates Are the servers patched/updated on a regular basis ? yes/no/partially/unsure
Remote management Are remote management tools disabled/uninstalled ? yes/no/partially/unsure

Hardening - Repository

Item Comments Result
Immutability Is the repository immutable ? yes/no/partially/unsure
HArdening Is the repository hardened ? yes/no/partially/unsure

Application processing

Item Comments Result
Domain controller credentials Is domain admin account stored in Veeam ? yes/no/partially/unsure
gMSA Is gMSA used for guest interaction ? yes/no/partially/unsure

Back to top

Copyright © 2023 Solutions Architects, Veeam Software.