BASIC INFORMATION

Organization Name: *
Organization Phone Number: *
Organization Address: * (Address Line 1, Address Line 2, City, State, Zip Code)
Total employees in the Organization: *
  1-10 / 11-99 / 100-249 / 250+
What industry describes your Organization? *
  Banking / Biotechnology / Communications / Construction / Consulting / Education / Engineering / Entertainment / Finance / Government / Healthcare / Hospitality / Legal / Manufacturing / Not for Profit / Retail / Technology / Transportation / Other
By choosing 'Other' in the previous question, can you describe the Organization's industry? *
How many locations/facilities does the Organization have? *
  One physical location / Two physical locations / Three or more physical locations
What are the Organization's hours of operation? *

OPERATION POLICIES & PROCEDURES

Does the Organization employ and support remote employees? *
  Remote employees / Remote contractors / Remote employees and contractors / No remote workers
Does the Organization perform background checks to examine and assess an employee's or contractor's work and criminal history? *
  Yes / No
Are the Organization's employees required to sign a non-disclosure agreement (NDA)? *
  Yes / No
Are the Organization's employees required to sign the non-disclosure agreement (NDA) annually? *
  Yes / No
Does the Organization have a formal process to manage the termination and/or transfer of employees? *
  Yes / No
Does the Organization have a formal process to equip new employees and ensure the return of equipment from terminated/reassigned employees? *
  Yes / No
Does the Organization's staff wear ID badges? *
  Yes, with authorized access levels and types present on badge / Yes, with only employee name and/or company / No
Does the Organization have a Bring Your Own Device (BYOD) policy for personal devices (laptops, cellphones, etc.) utilizing organizational assets? *
  Yes / No

PHYSICAL SECURITY

Does the Organization have effective physical access controls (e.g., door locks) in place to access the facilities? *
  Yes / No
Are key areas within the Organization (e.g., server rooms, personnel files, etc.) protected from unauthorized access? *
  Yes / No
Which access control processes are in use within the Organization? * (Check all that apply.)
  Manual lock with key / RFID access control locks / Keypad control locks / Unlocked door with gatekeeper (e.g., receptionist) / Other
By choosing 'Other' in the previous question, can you describe the other access control process(es)? *
Does the Organization have a plan in place to manage access events or circumstances (e.g., a person with the server room key is sick)? *
  Yes / No
Does the Organization have policies and procedures in place to document repairs or modifications to physical access components? *
  Yes / No
How are the Organization's physical access controls authorized? *
Does the Organization use video surveillance technology? *
  Yes / No
By choosing 'Yes' in the previous question, can you describe your Organization's current video surveillance system? *
Are the recordings from the Organization's surveillance system stored on premises or in the cloud? *
  On premises / Cloud storage / Hybrid model

NETWORK CONFIGURATION

Please describe the Organization's current network setup. *
How many servers does the Organization have? *
  0 / 1-3 / 4-9 / 10+
What operating systems are the servers using? * (Check all that apply.)
  Windows / Linux / UNIX / MacOS / Other
By choosing 'Other' in the previous question, can you name the other server operating system(s)? *
Does the Organization collect and/or store sensitive data on any server? *
  Yes / No
How many workstations (desktops) does the Organization have? *
  1-10 / 11-50 / 51-100 / 100+
How many laptops does the Organization have? *
  1-10 / 11-50 / 51-100 / 100+
What operating systems are the workstations and/or laptops using? * (Check all that apply.)
  Windows 11 / Windows 10 / Older Windows (Windows 7/8, Vista, XP, 2000, NT, etc.) / MacOS / Linux / UNIX / Other
By choosing 'Other' in the previous question, can you name the other workstation/laptop operating system(s)? *
Does the Organization collect and/or store sensitive data on any workstations/laptops? *
  Yes / No

EMAIL CONFIGURATION

The Organization's corporate email provider is: *
  Self-hosted (Internal Exchange Server) / Hybrid cloud-hosted (Cloud Exchange, Office 365) / Company Gmail, Microsoft Office, or other hosted email provider / Users utilize personal email for company business
Does the Organization use a third party to administer its email system? *
  Yes / No
Does the Organization use multi-factor authentication to protect email access? *
  Yes / No
Does the Organization have a written access plan for email? *
  Yes / No
Does the Organization have an acceptable use policy for email? *
  Yes / No
Does the Organization have a plan for creating new employees' email access and removing terminated employees' email access? *
  Yes / No
Has the Organization recently performed an audit to optimize and validate email security features? *
  Yes / No
Does the Organization use a system to monitor email for threats and unauthorized access? *
  Yes / No
Does the Organization back up and archive the email system? *
  Yes / No
By choosing 'Yes' in the previous question, briefly describe any email backup policies and plans that the Organization currently has in place. *

TELECOMMUNICATION CONFIGURATION

The Organization's telephone service is: *
  VoIP solution (Ring Central, Google Voice, etc.) / Hardline solution / Company-managed mobile phones / Personal mobile phones
Are the Organization's telecommunication devices located in an access-restricted area? *
  Yes / No
Is the Organization's telecommunication system self-service? *
  Yes / No
Is there a member of the Organization responsible for telecommunication system administration who can provision new users/devices and resolve basic support issues? *
  Yes / No

WIRELESS NETWORK CONFIGURATION

Does the Organization utilize a wireless network? *
  Yes / No
What type of encryption is used on the Organization's wireless network? *
  WEP / WPA / WPA2 / RADIUS / Other
By choosing 'Other' in the previous question, please name the type of encryption that is used on the Organization's wireless network.
Is the wireless SSID (wireless network name) broadcast? *
  Yes / No
Does the Organization have a segmented guest wireless network? *
  Yes / No
Does the Organization have an Acceptable Use Policy banner present on the guest network? *
  Yes / No
If known, please list the brands of wireless access devices (routers, access points, etc.) used. *

INTERNET OF THINGS (IOT) CONFIGURATION

Does the Organization utilize any of the following devices on the corporate network (wired or wireless)? * (Check all that apply.)
  Smart TVs / Personal Assistant Devices (Google Assistant, Alexa, etc.)
Does the Organization use portable media devices (e.g., CD/DVD drives, tablets, iPads, USB storage devices, etc.)? *
  Yes / No
Does the Organization have a written security and acceptable use policy for Internet of Things (IoT) devices? *
  Yes / No

EMPLOYEE ROLES

Does the Organization have a person responsible for security policies and procedures? *
  Yes – Dedicated / Yes – A member of our staff handles it along with other responsibilities / Yes – We use an outside resource / No
How does the Organization communicate security updates to the resources that need them? *

DATA ACCESS POLICIES

Does the Organization have an access control system to authorize and/or restrict user activity on its assets and network devices? *
  Yes / No / Not Applicable
  Services such as Active Directory are used to set, authorize, or restrict employee access.
Does the Organization segregate the network in a way that ensures data or services are available on a need-to-know basis? *
  Yes / No / Not Applicable
  Typical techniques include network segmentation and access control lists (ACLs) to delineate access rights.
Does the Organization use multi-factor authentication for access to highly sensitive data? *
  Yes / No

EMPLOYEE TRAINING

Does the Organization have a formal sexual harassment training policy for all employees? *
  Yes / No
Does the Organization have a formal security awareness training policy for all employees? *
  Yes / No
Does the Organization have a formal cyber security training policy for all employees? *
  Yes / No
Does the Organization have a media destruction policy for used media (CD/DVD archives, floppy disks, audio or video tape, etc.) in place? *
  Yes / No
Does the Organization track and audit employees' security training for completeness? *
  Yes / No

ASSET MANAGEMENT

Does the Organization have and maintain a list of all physical devices in the company? *
  Yes / No
  This includes workstations, laptops, servers, networking devices, office equipment, etc.
Does the Organization have baseline configurations of IT systems established and maintained? *
  Yes / No
Does the Organization have an updated list of in-use company software such as office software suites, accounting packages, inventory management software, and software development tools? *
  Yes / No
Does the Organization have a list of all cloud-based SaaS (Software as a Service) and collaborative file sharing tools (DropBox, Google Drive, etc.) in use? *
  Yes / No
Does the Organization have a data flow map for internal and external communication? *
  Yes / No
By choosing 'Yes' for the previous question, is there an updated diagram available of the path that data travels into or out of your network, through which devices, and how the data is stored? *
  Yes / No

CYBERSECURITY & REGULATORY POLICIES AND PROCEDURES

Is the Organization required by local, state, federal, or international agencies to comply with their specific cybersecurity regulations or policies? *
  Yes / No
  This includes PCI, FINRA, HIPAA, GDPR, state banking department, etc.
Does the Organization have a Cybersecurity Roles and Responsibilities Policy for employees and third-party vendors? *
  Yes / No
Does the Organization have a Written Information Security Policy (WISP)? *
  Yes / No
  A WISP outlines employee requirements or best practices regarding sensitive data.
Does the Organization have an Information Security Roles and Responsibilities Policy for employees and third-party vendors? *
  Yes / No
  This policy governs the handling of Personally Identifiable Information (PII) by employees and contractors.

RISK MANAGEMENT

Has the Organization performed a risk assessment? *
  Yes / No
  This includes the Organization identifying and analyzing potential events that may negatively impact individuals, assets, and/or the environment and making judgments on the Organization's tolerability.
Does the Organization have a list of business products and services, prioritized from critical to low impact risks or vulnerabilities? *
  Yes / No
Have the Organization's management team, employees, and vendors agreed to policies for managing risk tolerance? *
  Yes / No
Has the Organization performed a Breach Impact Analysis? *
  Yes / No
  This includes categorizing threats and vulnerabilities with the potential to cause a security breach and assigning a severity and priority based on the likelihood of occurrence.
Has the Organization completed a vulnerability assessment that identifies and documents weaknesses in its IT systems and network? *
  Yes / No

POLICIES & PROCEDURES

Does the Organization have a breach response and disaster recovery plan in place? *
  Yes / No
Are the Organization's breach response and disaster recovery plans tested periodically? *
  Yes / No
Does the Organization have a backup plan for workstations and servers? *
  Yes, Backup Services (SaaS solution) / Yes, Local Backups (NAS, USB drives, DVD/Tape) / Yes, Hybrid (mix of SaaS and local devices) / No
Are the Organization's backup plans maintained and tested periodically? *
  Yes / No
For data systems, has the Organization determined uptime requirements to ensure business continuity? *
  Yes / No

CYBERSECURITY HISTORY

List the Organization's known cybersecurity assets: (Check all that apply.)
  Antivirus/Host Protection / Firewall – Physical Device / Firewall – Application Based / DNS Filtering / Data Exfiltration System / IDS/IPS System / Email Phishing Protection / Multifactor Authentication Access / Dedicated Cybersecurity Employee or Department
Has the Organization ever experienced a cyber breach/attack? *
  Yes / No
By choosing 'Yes' in the previous question, please describe the cyber breach/attack.
Has the Organization undergone breach remediation processes? *
  Yes / No
By choosing 'Yes' in the previous question, please describe the details of the remediation.

DATA PROTECTION PROCESSES AND PROCEDURES

Does the Organization have a System Development Life Cycle (SDLC) in place to manage software/hardware development or configuration? *
  Yes / No
Does the Organization have an audit trail system in place to monitor network or system configuration changes? *
  Yes / No
Does the Organization have a mandatory written data destruction policy? *
  Yes / No
Are the Organization's data protection processes being continuously improved? *
  Yes / No
Is Organizational data-at-rest protected? *
  Yes / No
  This data includes Personally Identifiable Information (PII) stored on servers locally or in cloud storage.
Is Organizational data-in-transit protected? *
  Yes / No
  This includes data transmitted within a private network, or externally to vendors and customers.
Does the Organization audit the protection technologies that are employed on a regular basis? *
  Yes / No
Does the Organization have a formal process to remove, transfer, or dispose of assets? *
  Yes / No
  This process includes electronic waste, archived materials, and printed materials.
Does the Organization implement protections against data leaks, such as exfiltration? *
  Yes / No
Does the Organization have systems in place to verify software, firmware, and information integrity? *
  Yes / No
Are the Organization's development and testing environment(s) separate from the production environment? *
  Yes / No / Not Applicable

PROTECTIVE TECHNOLOGY

Has the Organization implemented a system or process to detect malicious code operating on the internal network? *
  Yes / No
Does the Organization have IT mechanisms (e.g., fail-safe, load balancing, hot swap) in place to achieve network resilience requirements in normal and adverse situations? *
  Yes / No
Are the Organization's audit log records being determined, documented, implemented, and reviewed in accordance with regulatory policy? *
  Yes / No

AWARENESS TRAINING

Are the Organization's employees required to complete cybersecurity awareness training and acknowledge their responsibilities? *
  Yes / No
Are the Organization's senior executives made aware of their roles and responsibilities regarding company data? *
  Yes / No
Are the Organization's administrators or privileged users, who have access to sensitive data, required to acknowledge their increased roles and responsibilities? *
  Yes / No
Does the Organization provide periodic security reminders or updates to its employees, contractors, or stakeholders? *
  Yes / No
Are the Organization's employees regularly sent simulated phishing emails to gauge their response to a potential phishing attack? *
  Yes / No
  Phishing is the act of sending a seemingly official email to maliciously harvest credentials.
Are the Organization's employees' activities being monitored to detect potential cybersecurity events? *
  Yes / No

NETWORK MONITORING

Has the Organization established and managed a baseline of network operations and expected data flows for users and systems? *
  Yes / No
Has the Organization tested the implemented network detection processes? *
  Yes / No
  Penetration tests are used to exploit or discover network weaknesses, and phishing campaigns are used to test user behavior.
Is the Organization's physical network environment being monitored to detect potential cybersecurity events? *
  Yes / No
  This includes reviews of access logs and removable media usage policies.
Does the Organization use a SIEM or other monitoring tools to aggregate and correlate event data from multiple sources and sensors to discern potential attack targets and methods? *
  Yes / No
Has the Organization established incident alert thresholds? *
  Yes / No
  These thresholds are based on network activity baselines.
The Organization complies with the time frame to report an incident (successful or unsuccessful) to the appropriate authorities (internal or external).

PATCHING/UPDATES

Are the Organization's servers and workstations (desktop/laptop) being patched on a regular basis? *
  Yes / No
Which patching method does the Organization use?
  Manual / Automated software to install patches (i.e., an RMM tool) / Through a third-party IT organization / Not currently doing patching