First Name
Last Name
Address
Phone
*
Email
*
Organization Name:
*
Total employees in the Organization:
*
1-10
11-99
100-249
250+
What industry describes your Organization?
*
Banking
Biotechnology
Communications
Construction
Consulting
Education
Engineering
Entertainment
Finance
Government
Healthcare
Hospitality
Legal
Manufacturing
Not for Profit
Retail
Technology
Transportation
Other
If you chose 'Other' in the previous question, please describe the Organization's industry.
How many locations/facilities does the Organization have?
One physical location
Two physical locations
Three or more physical locations
What are the Organization's hours of operation?
*
Does the Organization employ and support remote employees?
Remote Employee
Remote Contractor
Remote Employee and Contractor
No remote workers
Does the Organization perform background checks to examine and assess an employee/contractor's work and criminal history?
Yes
No
Are the Organization's employees required to sign a non-disclosure agreement (NDA)?
Yes
No
Are the Organization's employees required to sign the non-disclosure agreement (NDA) annually?
Yes
No
Does the Organization have a formal process to manage the termination and/or transfer of employees?
Yes
No
Does the Organization have a formal process to equip new employees and ensure the return of equipment from terminated/reassigned employees?
Yes
No
Does the Organization staff wear ID badges?
Yes, with authorized access levels and types present on badge
Yes, with only employee name and/or company
No
Does the Organization have a Bring Your Own Device (BYOD) policy for personal devices (laptops, cellphones, etc.) utilizing organizational assets?
Yes
No
Does the Organization have effective physical access controls (e.g., door locks) in place to access the facilities?
Yes
No
Are key areas within the Organization (e.g., server rooms, personnel files, etc.) protected from unauthorized access?
Yes
No
Which access control processes are in use within the Organization?
*
Manual lock with key
RFID access control locks
Keypad control locks
Unlocked door with gatekeeper (e.g., receptionist)
Other
Check all that apply.
If you chose 'Other' in the previous question, please describe the other access control process(es).
Does the Organization have a plan in place to manage access events or circumstances (e.g., a person with the server room key is sick)?
Yes
No
Does the Organization have policies and procedures in place to document repairs or modifications to physical access components?
Yes
No
How are the Organization's physical access controls authorized?
*
Does the Organization use video surveillance technology?
Yes
No
If you chose 'Yes' in the previous question, please describe the Organization's current video surveillance system.
*
Are the recordings from the Organization's surveillance system stored on premises or in the cloud?
On premises
Cloud storage
Hybrid model
Please describe the Organization's current network setup.
How many servers does the Organization have?
0
1-3
4-9
10
What operating systems are the servers using?
*
Windows
Linux
UNIX
MacOS
Other
Check all that apply.
If you chose 'Other' in the previous question, please name the other server operating system(s).
Does the Organization collect and/or store sensitive data on any server?
Yes
No
How many workstations (desktops) does the Organization have?
1-10
11-50
51-100
100+
How many laptops does the Organization have?
1-10
11-50
51-100
100+
What operating systems are the workstations and/or laptops using?
*
Windows 11
Windows 10
Older Windows (Windows 7/8, Vista, XP, 2000, NT, etc.)
MacOS
Linux
UNIX
Other
Check all that apply.
If you chose 'Other' in the previous question, please name the other workstation/laptop operating system(s).
Does the Organization collect and/or store sensitive data on any workstations/laptops?
Yes
No
The Organization's corporate email provider is:
Self-hosted (Internal Exchange Server)
Hybrid cloud-hosted (Cloud Exchange, Office 365)
Company Gmail / Microsoft Office / Other Hosted Email Provider
Users utilize personal email for company business
Does the Organization use a third party to administer your email system?
Yes
No
Does the Organization use multi-factor authentication to protect email access?
Yes
No
Does the Organization have a written access plan for email?
Yes
No
Does the Organization have an acceptable use policy for email?
Yes
No
Does the Organization have a plan for creating new and removing terminated employees from email access?
Yes
No
Has the Organization recently performed an audit to optimize and validate email security features?
Yes
No
Does the Organization use a system to monitor email for threats and unauthorized access?
Yes
No
Does the Organization back up and archive the email system?
Yes
No
If you chose 'Yes' in the previous question, briefly describe any email backup policies and plans that the Organization currently has in place.
The Organization's telephone service is:
VoIP solution (Ring Central, Google Voice, etc.)
Hardline solution
Company-managed mobile phones
Personal mobile phones
Are the Organization's telecommunication devices located in an access-restricted area?
Yes
No
Is the Organization's telecommunication system self-service?
Yes
No
Is there a member of the Organization responsible for the telecommunication system administration who can provision new users/devices and resolve basic support issues?
Yes
No
Does the Organization utilize a wireless network?
Yes
No
What type of encryption is used on the Organization's wireless network?
Yes
No
If you chose 'Other' in the previous question, please name the type of encryption that is used on the Organization's wireless network.
Is the wireless SSID (wireless network name) broadcasted?
Yes
No
Does the Organization have a segmented guest wireless network?
Yes
No
Does the Organization have an Acceptable Use Policy banner present on the guest network?
Yes
No
If known, please list the brands of wireless access devices (routers, access points, etc.) used.
Does the Organization utilize any of the following devices on the corporate network (Wired or Wireless):
Smart TVs
Personal Assistant Devices (Google Assistant, Alexa, etc.)
Check all that apply.
Does the Organization use portable media devices? (e.g., CD/DVD drives, tablets, iPads, USB storage devices, etc.)
Yes
No
Does the Organization have a written security and acceptable use policy for Internet of Things (IoT) devices?
Yes
No
Does the Organization have a person responsible for security policies and procedures?
Yes - Dedicated
Yes - A member of our staff handles it along with other responsibilities
Yes - We use an outside source
No
How does the Organization communicate security updates to needed resources?
Does the Organization have an access control system to authorize and/or restrict user activity on your assets and network devices?
Yes
No
Not Applicable
Services such as Active Directory are used to set, authorize, or restrict employee access.
Does the Organization segregate the network in a way that ensures data or services are available on a need-to-know basis?
Yes
No
Not Applicable
Typical techniques include network segmentation and access control lists (ACL) to delineate access rights.
Does the Organization use multi-factor authentication for access to highly sensitive data?
Yes
No
Does the Organization have a formal sexual harassment training policy for all employees?
Yes
No
Does the Organization have a formal security awareness training policy for all employees?
Yes
No
Does the Organization have a formal cyber security training policy for all employees?
Yes
No
Does the Organization have a media destruction policy for used media (CD/DVD archives, floppy disks, audio or video tape, etc.) in place?
Yes
No
Does the Organization track and audit the employees' security training for completeness?
Yes
No
Does the Organization have and maintain a list of all physical devices in the company?
Yes
No
This includes workstations, laptops, servers, networking devices, office equipment, etc.
Does the Organization have baseline configurations of IT systems established and maintained?
Yes
No
Does the Organization have an updated list of in-use company software such as office software suites, accounting packages, inventory management software, and software development tools?
Yes
No
Does the Organization have a list of all cloud-based SaaS (Software as a Service) and collaborative file sharing tools (DropBox, Google Drive, etc.) in use?
Yes
No
Does the Organization have a data flow map for internal and external communication?
Yes
No
If you chose 'Yes' for the previous question, is there an updated diagram available of the path that data travels into or out of your network, through which devices, and how the data is stored?
Yes
No
Is the Organization required by local, state, federal, or international agencies to comply with their specific cybersecurity regulations or policies?
Yes
No
This includes PCI, FINRA, HIPAA, GDPR, state banking department, etc.
Does the Organization have a Cybersecurity Roles and Responsibilities Policy for employees and third-party vendors?
Yes
No
Does the Organization have a Written Information Security Policy (WISP)?
Yes
No
A WISP outlines employee requirements or best practices regarding sensitive data.
Has the Organization performed a risk assessment?
Yes
No
This includes the Organization identifying and analyzing potential events that may negatively impact individuals, assets, and/or the environment and making judgments on the Organization's tolerability.
Does the Organization have a list of business products and services, prioritized from critical to low impact risks or vulnerabilities?
Yes
No
Have the Organization's management team, employees, and vendors agreed to policies for managing risk tolerance?
Yes
No
Has the Organization performed a Breach Impact Analysis?
Yes
No
This includes categorizing threats and vulnerabilities with the potential to cause a security breach and assigning each a severity and priority based on the likelihood of occurrence.
Has the Organization completed a vulnerability assessment that identifies and documents weaknesses in your IT systems and network?
Yes
No
Does the Organization have a breach response and disaster recovery plan in place?
Yes
No
Are the Organization's breach response and disaster recovery plans tested periodically?
Yes
No
Does the Organization have a backup plan for workstations and servers?
Yes, Backup Service (SaaS solution)
Yes, Local Backup (NAS, USB drives, DVD/Tape)
Yes, Hybrid (mix of SaaS and local devices)
No
Are the Organization's backup plans maintained and tested periodically?
Yes
No
For data systems, has the Organization determined uptime requirements to ensure business continuity?
Yes
No
List the Organization's known cybersecurity assets:
Antivirus/Host Protection
Firewall - Physical Device
Firewall - Application Based
DNS Filtering
Data Exfiltration System
IDS/IPS System
Email Phishing Protection
Multifactor Authentication Access
Dedicated Cybersecurity Employee or Department
Check all that apply.
Has the Organization ever experienced a cyber breach/attack?
Yes
No
If you chose 'Yes' in the previous question, please describe the cyber breach/attack.
Has the Organization undergone breach remediation processes?
Yes
No
If you chose 'Yes' in the previous question, please describe the details of the remediation.
Does the Organization have a System Development Life Cycle (SDLC) in place to manage software/hardware development or configuration?
Yes
No
Does the Organization have an audit trail system in place to monitor network or system configuration changes?
Yes
No
Does the Organization have a mandatory written data destruction policy?
Yes
No
Are the Organization's data protection processes being continuously improved?
Yes
No
Is Organizational data-at-rest protected?
Yes
No
This data includes Personally Identifiable Information (PII) stored on servers locally or in cloud storage.
Is Organizational data-in-transit protected?
Yes
No
This includes data transmitted within a private network, or externally to vendors and customers.
Does the Organization audit the protection technologies that are employed on a regular basis?
Yes
No
Does the Organization have a formal process to remove, transfer, or dispose of assets?
Yes
No
This process includes electronic waste, archived materials, and printed materials.
Does the Organization implement protections against data leaks, such as exfiltration?
Yes
No
Does the Organization have systems in place to verify software, firmware, and information integrity?
Yes
No
Are the Organization's development and testing environment(s) separate from the production environment?
Yes
No
Not Applicable
Has the Organization implemented a system or process to detect malicious code operating on the internal network?
Yes
No
Does the Organization have IT mechanisms (e.g., fail-safe, load balancing, hot swap) in place to achieve network resilience requirements in normal and adverse situations?
Yes
No
Are the Organization's audit log records being determined, documented, implemented and reviewed in accordance with regulatory policy?
Yes
No
Are the Organization's employees required to complete cybersecurity awareness training and acknowledge their responsibilities?
Yes
No
Are the Organization's senior executives made aware of their roles and responsibilities regarding company data?
Yes
No
Are the Organization's administrators or privileged users, who have access to sensitive data, required to acknowledge their increased roles and responsibilities?
Yes
No
Does the Organization provide periodic security reminders or updates to its employees, contractors, or stakeholders?
Yes
No
Are the Organization's employees regularly sent simulated phishing emails to gauge their response to a potential phishing attack?
Yes
No
Phishing is the act of sending a seemingly official email to maliciously harvest credentials.
Are the Organization's employees' activities being monitored to detect potential cybersecurity events?
Yes
No
Has the Organization established and managed a baseline of network operations and expected data flows for users and systems?
Yes
No
Has the Organization tested the implemented network detection processes?
Yes
No
Penetration tests are used to exploit or discover network weaknesses, and phishing campaigns are used to test user behavior.
Is the Organization's physical network environment being monitored to detect potential cybersecurity events?
Yes
No
Does the Organization use a SIEM or other monitoring tools to aggregate and correlate event data from multiple sources and sensors to discern potential attack targets and methods?
Yes
No
Has the Organization established incident alert thresholds?
Yes
No
These thresholds are based on network activity baselines. The Organization complies with the time frame to report an incident (successful or unsuccessful) to the appropriate authorities (internal or external).
Are the Organization's servers and workstations (desktop/laptop) being patched on a regular basis?
Yes
No
Which patching method does the Organization use?
Manual
Automated software to install patches (i.e., an RMM tool)
Through a third-party IT organization
Not currently doing patching