Does your organization have contractual requirements for cyber-security standards, incident notification, and data protection with its critical vendors and managed service or other 3rd party providers?

Does your organization assess the cyber-security posture of critical third-party vendors and service providers before engagement and on an ongoing basis?

Does your organization have a documented process for revoking all physical and digital access immediately upon employee termination or role change?

Does your organization conduct cyber-security awareness training that includes phishing simulations for all employees at least annually, with acknowledgment required?

Does your organization have a documented business continuity/disaster recovery plan that is integrated with your Emergency Management Plan, has been tested within the past 12 months, including cyber-attack scenarios?

Does your organization maintain immutable, encrypted, off-site backups of critical systems and data, with recovery tested at least annually?

Immutable + encrypted + off-site + tested

Encrypted + off-site + tested

Partial — backups exist but not offsite or encrypted

Off-site but not tested

On-site only

No backups or Don't Know

Does your organization maintain and regularly review centralized security logs from firewalls, endpoints, authentication systems, and cloud services?

Does your organization have continuous security monitoring (SIEM, EDR/MDR, or managed SOC) that provides 24/7 alerting on suspicious activity, not simply IT support?

Does your organization segment its network to separate critical systems, user workstations, IoT/OT devices, and guest/BYOD traffic?

How quickly does your organization apply critical security patches after they are released?

Does your organization follow the principles of Zero Trust/Least Privilege, ensuring users only have access to the systems and data required for their role, with regular access reviews?

Does your organization enforce multi-factor authentication for all of the following: remote access, email, privileged accounts, and cloud services?

Does your organization classify its data by sensitivity level (e.g., public, internal, confidential, restricted) and apply appropriate protections based on classification?

Does your organization maintain a current inventory of all hardware assets, software applications, and cloud services, including those managed by third parties?

Do you require all staff to acknowledge their acceptance of, understanding, and role in key cyber-security policies via signature during each required review?

Yes

No

Don't Know

Does your organization maintain documented, reviewed, and updated cyber-security policies (acceptable use, access control, incident response, data protection) that are reviewed at least annually?