Small Business Cybersecurity Implementation Checklist
- Keith Pachulski
- Aug 29
- 8 min read

90-Day Roadmap with NIST Cybersecurity Framework Maturity Assessment
Company Name: _____________________
Assessment Date: ___________________
Completed By: ______________________
How to Use This Checklist
This checklist follows a 90-day implementation timeline and maps to the NIST Cybersecurity Framework (CSF) functions: Identify, Protect, Detect, Respond, and Recover.
NIST CSF Maturity Levels:
Level 1 - Partial: Ad hoc, reactive security practices
Level 2 - Risk Informed: Risk-aware practices beginning to be implemented
Level 3 - Repeatable: Consistent, documented security practices
Level 4 - Adaptive: Proactive security management with continuous improvement
Level 5 - Optimizing: Advanced, innovative security practices with industry leadership
Instructions:
Check completion date when each item is implemented
Rate your current maturity level (1-5) for each section
Add notes about implementation challenges or customizations
Review and update quarterly
Phase 1: Foundation (Days 1-30)
Week 1: Identity and Access Management
NIST CSF: PROTECT (PR.AC) - Access Control
| Task | Completion Date | Notes |
|---|---|---|
| Deploy password manager company-wide | _______ | ________________ |
| - Research and select password manager solution | _______ | ________________ |
| - Purchase licenses for all employees | _______ | ________________ |
| - Install and configure on all devices | _______ | ________________ |
| - Train all employees on password manager use | _______ | ________________ |
| - Migrate existing passwords to manager | _______ | ________________ |
| Enable MFA on all critical accounts | _______ | ________________ |
| - Enable MFA on Microsoft 365/Google Workspace | _______ | ________________ |
| - Enable MFA on banking and financial accounts | _______ | ________________ |
| - Enable MFA on business applications (CRM, etc.) | _______ | ________________ |
| - Document MFA recovery procedures | _______ | ________________ |
| - Train employees on MFA usage | _______ | ________________ |
| Audit admin account access | _______ | ________________ |
| - Inventory all admin accounts | _______ | ________________ |
| - Remove unnecessary admin privileges | _______ | ________________ |
| - Create dedicated admin accounts (separate from daily use) | _______ | ________________ |
| - Document admin access procedures | _______ | ________________ |
| Create standard user accounts | _______ | ________________ |
| - Configure standard user permissions | _______ | ________________ |
| - Test user access to necessary resources | _______ | ________________ |
| - Document account creation procedures | _______ | ________________ |
Current Maturity Level for Access Control (1-5): _____
Week 2: Backup and Recovery
NIST CSF: RECOVER (RC.RP) - Recovery Planning
| Task | Completion Date | Notes |
|---|---|---|
| Implement 3-2-1-1 backup strategy | _______ | ________________ |
| - Identify critical business data | _______ | ________________ |
| - Set up automated daily backups | _______ | ________________ |
| - Configure cloud backup solution | _______ | ________________ |
| - Implement air-gapped backup copy | _______ | ________________ |
| - Test backup integrity | _______ | ________________ |
| Test backup restoration procedures | _______ | ________________ |
| - Perform test restore of email data | _______ | ________________ |
| - Perform test restore of file data | _______ | ________________ |
| - Perform test restore of application data | _______ | ________________ |
| - Document restore procedures | _______ | ________________ |
| - Measure restore time objectives | _______ | ________________ |
| Document recovery procedures | _______ | ________________ |
| - Create data recovery playbook | _______ | ________________ |
| - Define Recovery Time Objectives (RTO) | _______ | ________________ |
| - Define Recovery Point Objectives (RPO) | _______ | ________________ |
| - Assign recovery team roles | _______ | ________________ |
Current Maturity Level for Recovery Planning (1-5): _____
Week 3: Email Security
NIST CSF: PROTECT (PR.DS) - Data Security
| Task | Completion Date | Notes |
|---|---|---|
| Configure email security controls | _______ | ________________ |
| - Enable Advanced Threat Protection (ATP) | _______ | ________________ |
| - Configure safe links scanning | _______ | ________________ |
| - Configure safe attachments scanning | _______ | ________________ |
| - Set up email encryption policies | _______ | ________________ |
| Implement external email warnings | _______ | ________________ |
| - Configure external email banner | _______ | ________________ |
| - Test banner display on external emails | _______ | ________________ |
| - Train employees on external email identification | _______ | ________________ |
| Begin phishing simulation program | _______ | ________________ |
| - Select phishing simulation platform | _______ | ________________ |
| - Create baseline phishing test | _______ | ________________ |
| - Send initial test to all employees | _______ | ________________ |
| - Analyze results and provide training | _______ | ________________ |
| - Schedule monthly phishing tests | _______ | ________________ |
Current Maturity Level for Data Security (1-5): _____
Week 4: Endpoint Protection
NIST CSF: PROTECT (PR.PT) - Protective Technology
| Task | Completion Date | Notes |
|---|---|---|
| Deploy next-generation antivirus | _______ | ________________ |
| - Research and select NGAV solution | _______ | ________________ |
| - Install on all company devices | _______ | ________________ |
| - Configure centralized management | _______ | ________________ |
| - Set up automated reporting | _______ | ________________ |
| Enable device encryption | _______ | ________________ |
| - Enable BitLocker on Windows devices | _______ | ________________ |
| - Enable FileVault on Mac devices | _______ | ________________ |
| - Document encryption recovery keys | _______ | ________________ |
| - Test encryption functionality | _______ | ________________ |
| Implement device management | _______ | ________________ |
| - Deploy Microsoft Intune or Google Workspace management | _______ | ________________ |
| - Configure automatic updates | _______ | ________________ |
| - Set up remote wipe capabilities | _______ | ________________ |
| - Create device compliance policies | _______ | ________________ |
| Create BYOD policies | _______ | ________________ |
| - Draft BYOD policy document | _______ | ________________ |
| - Define acceptable use guidelines | _______ | ________________ |
| - Implement mobile app management | _______ | ________________ |
| - Train employees on BYOD policies | _______ | ________________ |
Current Maturity Level for Protective Technology (1-5): _____
Phase 2: Enhancement (Days 31-60)
Week 5-6: Network Security
NIST CSF: PROTECT (PR.AC) - Access Control
| Task | Completion Date | Notes |
|---|---|---|
| Implement network segmentation | _______ | ________________ |
| - Create employee device VLAN | _______ | ________________ |
| - Create IoT device VLAN | _______ | ________________ |
| - Create guest network | _______ | ________________ |
| - Configure inter-VLAN firewall rules | _______ | ________________ |
| - Test network segmentation | _______ | ________________ |
| Secure remote access solutions | _______ | ________________ |
| - Evaluate current remote access methods | _______ | ________________ |
| - Implement secure remote access solution | _______ | ________________ |
| - Configure access logging and monitoring | _______ | ________________ |
| - Train employees on secure remote access | _______ | ________________ |
| IoT device inventory and security | _______ | ________________ |
| - Inventory all connected devices | _______ | ________________ |
| - Change default passwords on IoT devices | _______ | ________________ |
| - Update firmware on all IoT devices | _______ | ________________ |
| - Isolate IoT devices on separate network | _______ | ________________ |
Current Maturity Level for Network Access Control (1-5): _____
Week 7-8: Compliance and Documentation
NIST CSF: IDENTIFY (ID.GV) - Governance
| Task | Completion Date | Notes |
|---|---|---|
| Data inventory and classification | _______ | ________________ |
| - Catalog all data types collected | _______ | ________________ |
| - Classify data by sensitivity level | _______ | ________________ |
| - Map data storage locations | _______ | ________________ |
| - Document data retention requirements | _______ | ________________ |
| Privacy policy updates | _______ | ________________ |
| - Review current privacy policy | _______ | ________________ |
| - Update for CCPA/GDPR compliance | _______ | ________________ |
| - Add data breach notification procedures | _______ | ________________ |
| - Publish updated privacy policy | _______ | ________________ |
| Security policy development | _______ | ________________ |
| - Create acceptable use policy | _______ | ________________ |
| - Create incident response policy | _______ | ________________ |
| - Create password policy | _______ | ________________ |
| - Create remote work policy | _______ | ________________ |
| - Train employees on all policies | _______ | ________________ |
Current Maturity Level for Governance (1-5): _____
Phase 3: Maturation (Days 61-90)
Week 9-10: Vendor Risk Management
NIST CSF: IDENTIFY (ID.SC) - Supply Chain Risk Management
| Task | Completion Date | Notes |
|---|---|---|
| Vendor security assessments | _______ | ________________ |
| - Inventory all third-party vendors | _______ | ________________ |
| - Assess vendor cybersecurity practices | _______ | ________________ |
| - Review vendor security certifications | _______ | ________________ |
| - Document vendor risk ratings | _______ | ________________ |
| Third-party access reviews | _______ | ________________ |
| - Audit all vendor system access | _______ | ________________ |
| - Review vendor access permissions | _______ | ________________ |
| - Implement vendor access monitoring | _______ | ________________ |
| - Create vendor access removal procedures | _______ | ________________ |
| Contract security requirements | _______ | ________________ |
| - Add cybersecurity clauses to vendor contracts | _______ | ________________ |
| - Require vendor breach notifications | _______ | ________________ |
| - Define vendor security standards | _______ | ________________ |
| - Implement vendor security reviews | _______ | ________________ |
Current Maturity Level for Supply Chain Risk Management (1-5): _____
Week 11-12: Incident Response and Culture
NIST CSF: RESPOND (RS.RP) - Response Planning
| Task | Completion Date | Notes |
|---|---|---|
| Incident response plan development | _______ | ________________ |
| - Create incident response team | _______ | ________________ |
| - Define incident classification levels | _______ | ________________ |
| - Document incident response procedures | _______ | ________________ |
| - Create incident communication templates | _______ | ________________ |
| - Establish external incident response contacts | _______ | ________________ |
| Business continuity planning | _______ | ________________ |
| - Identify critical business processes | _______ | ________________ |
| - Create alternative work procedures | _______ | ________________ |
| - Document emergency contact information | _______ | ________________ |
| - Test business continuity procedures | _______ | ________________ |
| Security awareness program launch | _______ | ________________ |
| - Develop security awareness training materials | _______ | ________________ |
| - Schedule monthly security training sessions | _______ | ________________ |
| - Create security awareness communication plan | _______ | ________________ |
| - Implement security incident reporting system | _______ | ________________ |
| Cyber insurance policy review | _______ | ________________ |
| - Review current cyber insurance coverage | _______ | ________________ |
| - Assess coverage limits and deductibles | _______ | ________________ |
| - Understand policy requirements and exclusions | _______ | ________________ |
| - Document insurance claim procedures | _______ | ________________ |
Current Maturity Level for Response Planning (1-5): _____
Ongoing Monitoring and Detection
NIST CSF: DETECT (DE.AE) - Anomalies and Events
| Task | Frequency | Last Completed | Notes |
|---|---|---|---|
| Security Monitoring | | | |
| - Review security alerts and logs | Daily | _______ | ________________ |
| - Monitor failed login attempts | Daily | _______ | ________________ |
| - Check for unusual network activity | Weekly | _______ | ________________ |
| - Review system performance metrics | Weekly | _______ | ________________ |
| Threat Intelligence Updates | | | |
| - Review security threat reports | Weekly | _______ | ________________ |
| - Update threat indicators | Monthly | _______ | ________________ |
| - Assess industry-specific threats | Monthly | _______ | ________________ |
| - Share threat information with team | Monthly | _______ | ________________ |
Current Maturity Level for Anomalies and Events Detection (1-5): _____
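The daily "monitor failed login attempts" task above is easier to keep up with when the review is scripted. The following is an added example, not part of the original checklist or Red Cell Security's material: it parses Linux sshd lines in auth.log style, counts failures per account, and flags any source address that produces at least `threshold` failures inside a sliding time window (the classic brute-force or password-spray signal). The log lines, the `window_seconds` and `threshold` values, and the function names are all constructed for this example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the style of a Linux auth.log (sshd). Not real data.
SAMPLE_LOG = """\
Mar 10 08:01:02 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50122 ssh2
Mar 10 08:01:04 fileserver sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 50123 ssh2
Mar 10 08:01:05 fileserver sshd[2103]: Failed password for root from 203.0.113.5 port 50124 ssh2
Mar 10 08:01:07 fileserver sshd[2105]: Failed password for root from 203.0.113.5 port 50125 ssh2
Mar 10 08:01:09 fileserver sshd[2107]: Failed password for jsmith from 203.0.113.5 port 50126 ssh2
Mar 10 08:15:30 fileserver sshd[2140]: Failed password for jsmith from 192.168.10.22 port 41000 ssh2
Mar 10 08:15:45 fileserver sshd[2142]: Accepted password for jsmith from 192.168.10.22 port 41001 ssh2
Mar 10 09:30:00 fileserver sshd[2200]: Failed password for mlee from 192.168.10.40 port 41500 ssh2
"""

# Matches only failed-password lines; "invalid user" is optional because sshd
# prefixes it when the account does not exist on the host.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_failed_logins(text):
    """Return a list of (timestamp, user, ip) tuples, one per failed-login line."""
    events = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            # auth.log timestamps carry no year; strptime defaults it to 1900,
            # which is fine for ordering events within one log file.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["user"], m["ip"]))
    return events


def failures_per_user(events):
    """Count failures per account, so targeted accounts stand out in the daily review."""
    return Counter(user for _ts, user, _ip in events)


def flag_sources(events, window_seconds=300, threshold=5):
    """Return {ip: peak_failures} for every source whose failures reached
    `threshold` within any `window_seconds`-long sliding window."""
    by_ip = defaultdict(list)
    for ts, _user, ip in events:
        by_ip[ip].append(ts)

    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        peak, start = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it fits inside window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def daily_report(text, window_seconds=300, threshold=5):
    """One-call summary suitable for the daily checklist review."""
    events = parse_failed_logins(text)
    return {
        "failed_total": len(events),
        "per_user": dict(failures_per_user(events)),
        "flagged_sources": flag_sources(events, window_seconds, threshold),
    }


if __name__ == "__main__":
    report = daily_report(SAMPLE_LOG)
    print(f"Failed logins: {report['failed_total']}")
    for user, n in sorted(report["per_user"].items()):
        print(f"  {user:<10} {n} failure(s)")
    for ip, n in report["flagged_sources"].items():
        print(f"FLAG: {ip} produced {n} failures inside a 5-minute window")
```

In the sample, `203.0.113.5` hits the threshold in seven seconds across three different accounts and is flagged, while the single failure from `192.168.10.22` followed by an accepted login for the same user is the normal typo pattern and is not. Tune `threshold` and `window_seconds` to the environment, and keep the per-user counts in the report: a low, steady failure rate against one account from many sources is the spray pattern the per-IP rule alone can miss.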
Ongoing Maintenance Schedule
Monthly Tasks
[ ] Conduct security awareness training
[ ] Test backup restoration procedures
[ ] Review user access permissions
[ ] Update threat intelligence
[ ] Review security incident reports
[ ] Send phishing simulation tests
[ ] Update security documentation
Monthly Review Date: _______
Completed By: _____________
Quarterly Tasks
[ ] Conduct incident response tabletop exercise
[ ] Review and update vendor risk assessments
[ ] Review and update security policies
[ ] Analyze security metrics and trends
[ ] Update business continuity plans
[ ] Review cyber insurance coverage
[ ] Conduct vulnerability assessments
Quarterly Review Date: _______
Completed By: _____________
Annual Tasks
[ ] Comprehensive security risk assessment
[ ] Cyber insurance policy renewal
[ ] Strategic security planning review
[ ] Regulatory compliance audit
[ ] Security awareness program evaluation
[ ] Incident response plan full testing
[ ] Complete security architecture review
Annual Review Date: _______
Completed By: _____________
NIST Cybersecurity Framework Maturity Assessment Summary
Overall Maturity Scoring:
| NIST CSF Function | Current Score (1-5) | Target Score | Gap Analysis |
|---|---|---|---|
| IDENTIFY - Asset Management, Risk Assessment, Governance | _____ | _____ | _____________ |
| PROTECT - Access Control, Data Security, Protective Technology | _____ | _____ | _____________ |
| DETECT - Anomalies Detection, Security Monitoring | _____ | _____ | _____________ |
| RESPOND - Response Planning, Communications, Analysis | _____ | _____ | _____________ |
| RECOVER - Recovery Planning, Improvements, Communications | _____ | _____ | _____________ |
Overall Average Maturity Score: _____
Maturity Level Definitions:
Level 1 - Partial (Score 1.0-1.9)
Cybersecurity practices are not formalized
Risk management is reactive and ad hoc
Limited awareness of cybersecurity risk
Cybersecurity is viewed as a technical problem
Level 2 - Risk Informed (Score 2.0-2.9)
Risk management practices are emerging
Awareness of cybersecurity risk exists
Some cybersecurity practices are in place
Cybersecurity information is shared informally
Level 3 - Repeatable (Score 3.0-3.9)
Organization-wide approach to cybersecurity
Risk management practices are documented
Cybersecurity practices are regularly updated
Personnel are trained on cybersecurity
Level 4 - Adaptive (Score 4.0-4.9)
Adaptive approach based on lessons learned
Risk management is part of business decisions
Cybersecurity practices are improved through lessons learned
Cybersecurity information is shared with stakeholders
Level 5 - Optimizing (Score 5.0)
Continuous improvement through technology advancement
Risk management is institutionalized
Cybersecurity practices are continuously improved
Organization serves as a source of best practices
Priority Action Items
Based on your maturity assessment, list the top 5 priority items to address:
1. Priority Item: _________________________________ Target Completion Date: _______ Assigned To: _____________
2. Priority Item: _________________________________ Target Completion Date: _______ Assigned To: _____________
3. Priority Item: _________________________________ Target Completion Date: _______ Assigned To: _____________
4. Priority Item: _________________________________ Target Completion Date: _______ Assigned To: _____________
5. Priority Item: _________________________________ Target Completion Date: _______ Assigned To: _____________
Budget Planning Worksheet
| Security Domain | Estimated Investment | Actual Cost | Variance |
|---|---|---|---|
| Password Management | $_______ | $_______ | $_______ |
| Multi-Factor Authentication | $_______ | $_______ | $_______ |
| Backup Solutions | $_______ | $_______ | $_______ |
| Email Security | $_______ | $_______ | $_______ |
| Endpoint Protection | $_______ | $_______ | $_______ |
| Network Security | $_______ | $_______ | $_______ |
| Security Training | $_______ | $_______ | $_______ |
| Incident Response | $_______ | $_______ | $_______ |
| Cyber Insurance | $_______ | $_______ | $_______ |
| Professional Services | $_______ | $_______ | $_______ |
| TOTAL | $_______ | $_______ | $_______ |
Implementation Notes and Lessons Learned
Challenges Encountered:
Solutions That Worked Well:
Recommendations for Other Small Businesses:
Next Steps for Continued Improvement:
Certification
I certify that this cybersecurity implementation checklist has been completed to the best of my knowledge and that the security measures described have been implemented as documented.
Name: ______________________
Title: ______________________
Signature: __________________
Date: ______________________
This checklist is based on the NIST Cybersecurity Framework and should be reviewed and updated quarterly. For assistance with implementation or to discuss specific security challenges, contact Red Cell Security, LLC.
Keith Pachulski, Red Cell Security, LLC
📅 Book time with me: https://outlook.office365.com/book/redcellsecurity@redcellsecurity.org/