Organization security assessment questionnaire, 21 steps. Fields marked * are required. Answer options are listed beneath each question; questions that allow more than one answer are marked "Check all that apply."

BASIC INFORMATION (Step 1 of 21)

Organization Name: *
Organization Phone Number: *
Organization Address: * (Address Line 1, Address Line 2, City, State, Zip Code; State is chosen from a list of the 50 US states and the District of Columbia)
Total employees in the Organization: *
  1-10 / 11-99 / 100-249 / 250+
What industry describes your Organization? *
  Banking / Biotechnology / Communications / Construction / Consulting / Education / Engineering / Entertainment / Finance / Government / Healthcare / Hospitality / Legal / Manufacturing / Not for Profit / Retail / Technology / Transportation / Other
If you chose 'Other' in the previous question, describe the Organization's industry. *
How many locations/facilities does the Organization have? *
  One physical location / Two physical locations / Three or more physical locations
What are the Organization's hours of operation? *

OPERATION POLICIES & PROCEDURES (Step 2 of 21)

Does the Organization employ and support remote workers? *
  Remote employees / Remote contractors / Remote employees and contractors / No remote workers
Does the Organization perform background checks to examine and assess an employee's or contractor's work and criminal history? *
  Yes / No
Are the Organization's employees required to sign a non-disclosure agreement (NDA)? *
  Yes / No
Are the Organization's employees required to sign the NDA annually? *
  Yes / No
Does the Organization have a formal process to manage the termination and/or transfer of employees? *
  Yes / No
Does the Organization have a formal process to equip new employees and to ensure the return of equipment from terminated or reassigned employees? *
  Yes / No
Do the Organization's staff wear ID badges? *
  Yes, with authorized access levels and types shown on the badge / Yes, with only employee name and/or company / No
Does the Organization have a Bring Your Own Device (BYOD) policy for personal devices (laptops, cellphones, etc.) that access organizational assets? *
  Yes / No

PHYSICAL SECURITY (Step 3 of 21)

Does the Organization have effective physical access controls (e.g., door locks) on access to its facilities? *
  Yes / No
Are key areas within the Organization (e.g., server rooms, personnel files) protected from unauthorized access? *
  Yes / No
Which access control mechanisms are in use within the Organization? * (Check all that apply.)
  Manual lock with key / RFID access control locks / Keypad control locks / Unlocked door with gatekeeper (e.g., receptionist) / Other
If you chose 'Other' in the previous question, describe the other access control mechanism(s). *
Does the Organization have a plan in place to manage access contingencies (e.g., the person holding the server room key is out sick)? *
  Yes / No
Does the Organization have policies and procedures in place to document repairs or modifications to physical access components? *
  Yes / No
How are the Organization's physical access controls authorized? *
Does the Organization use video surveillance technology? *
  Yes / No
If you chose 'Yes' in the previous question, describe the Organization's current video surveillance system. *
Are the recordings from the Organization's surveillance system stored on premises or in the cloud? *
  On premises / Cloud storage / Hybrid model

NETWORK CONFIGURATION (Step 4 of 21)

Describe the Organization's current network setup. *
How many servers does the Organization have? *
  0 / 1-3 / 4-9 / 10+
What operating systems are the servers using? * (Check all that apply.)
  Windows / Linux / UNIX / MacOS / Other
If you chose 'Other' in the previous question, name the other server operating system(s). *
Does the Organization collect and/or store sensitive data on any server? *
  Yes / No
How many workstations (desktops) does the Organization have? *
  1-10 / 11-50 / 51-100 / 100+
How many laptops does the Organization have? *
  1-10 / 11-50 / 51-100 / 100+
What operating systems are the workstations and/or laptops using? * (Check all that apply.)
  Windows 11 / Windows 10 / Older Windows (Windows 7/8, Vista, XP, 2000, NT, etc.) / MacOS / Linux / UNIX / Other
If you chose 'Other' in the previous question, name the other workstation/laptop operating system(s). *
Does the Organization collect and/or store sensitive data on any workstations or laptops? *
  Yes / No

EMAIL CONFIGURATION (Step 5 of 21)

The Organization's corporate email provider is: *
  Self-hosted (internal Exchange server) / Hybrid cloud-hosted (Cloud Exchange, Office 365) / Company Gmail, Microsoft Office, or other hosted email provider / Users use personal email for company business
Does the Organization use a third party to administer its email system? *
  Yes / No
Does the Organization use multi-factor authentication to protect email access? *
  Yes / No
Does the Organization have a written access plan for email? *
  Yes / No
Does the Organization have an acceptable use policy for email? *
  Yes / No
Does the Organization have a plan for granting email access to new employees and removing it from terminated employees? *
  Yes / No
Has the Organization recently performed an audit to optimize and validate email security features? *
  Yes / No
Does the Organization use a system to monitor email for threats and unauthorized access? *
  Yes / No
Does the Organization back up and archive the email system? *
  Yes / No
If you chose 'Yes' in the previous question, briefly describe the email backup policies and plans the Organization currently has in place. *

TELECOMMUNICATION CONFIGURATION (Step 6 of 21)

The Organization's telephone service is: *
  VoIP solution (RingCentral, Google Voice, etc.) / Hardline solution / Company-managed mobile phones / Personal mobile phones
Are the Organization's telecommunication devices located in an access-restricted area? *
  Yes / No
Is the Organization's telecommunication system self-service? *
  Yes / No
Is there a member of the Organization responsible for telecommunication system administration who can provision new users/devices and resolve basic support issues? *
  Yes / No

WIRELESS NETWORK CONFIGURATION (Step 7 of 21)

Does the Organization utilize a wireless network? *
  Yes / No
What security protocol is used on the Organization's wireless network? *
  WEP / WPA / WPA2 / WPA2-Enterprise (802.1X with RADIUS) / Other
  Note: RADIUS is an authentication back end used by WPA2/WPA3-Enterprise, not an encryption method in its own right. WEP and the original WPA (TKIP) are broken and should be treated as equivalent to an unencrypted network; WPA2-AES is the minimum, and WPA3 is the current standard.
If you chose 'Other' in the previous question, name the security protocol used on the Organization's wireless network.
Is the wireless SSID (wireless network name) broadcast? *
  Yes / No
Does the Organization have a segmented guest wireless network? *
  Yes / No
Does the Organization present an Acceptable Use Policy banner on the guest network? *
  Yes / No
If known, list the brands of wireless access devices (routers, access points, etc.) used. *

INTERNET OF THINGS (IOT) CONFIGURATION (Step 8 of 21)

Does the Organization use any of the following devices on the corporate network (wired or wireless)? * (Check all that apply.)
  Smart TVs / Personal assistant devices (Google Assistant, Alexa, etc.)
Does the Organization use portable media devices (e.g., CD/DVD drives, tablets, iPads, USB storage devices)? *
  Yes / No
Does the Organization have a written security and acceptable use policy for Internet of Things (IoT) devices? *
  Yes / No

EMPLOYEE ROLES (Step 9 of 21)

Does the Organization have a person responsible for security policies and procedures? *
  Yes, dedicated / Yes, a member of our staff handles it along with other responsibilities / Yes, we use an outside resource / No
How does the Organization communicate security updates to those who need them? *

DATA ACCESS POLICIES (Step 10 of 21)

Does the Organization have an access control system to authorize and/or restrict user activity on its assets and network devices? *
  Yes / No / Not Applicable
  Note: Services such as Active Directory are used to set, authorize, or restrict employee access.
Does the Organization segregate the network so that data and services are available on a need-to-know basis? *
  Yes / No / Not Applicable
  Note: Typical techniques include network segmentation and access control lists (ACLs) to delineate access rights.
Does the Organization use multi-factor authentication for access to highly sensitive data? *
  Yes / No

EMPLOYEE TRAINING (Step 11 of 21)

Does the Organization have a formal sexual harassment training policy for all employees? *
  Yes / No
Does the Organization have a formal security awareness training policy for all employees? *
  Yes / No
Does the Organization have a formal cybersecurity training policy for all employees? *
  Yes / No
Does the Organization have a media destruction policy for used media (CD/DVD archives, floppy disks, audio or video tape, etc.)? *
  Yes / No
Does the Organization track and audit employees' security training for completeness? *
  Yes / No

ASSET MANAGEMENT (Step 12 of 21)

Does the Organization have and maintain a list of all physical devices in the company? *
  Yes / No
  Note: This includes workstations, laptops, servers, networking devices, office equipment, etc.
Does the Organization have baseline configurations of IT systems established and maintained? *
  Yes / No
Does the Organization have an up-to-date list of in-use company software, such as office suites, accounting packages, inventory management software, and software development tools? *
  Yes / No
Does the Organization have a list of all cloud-based SaaS (Software as a Service) and collaborative file sharing tools (Dropbox, Google Drive, etc.) in use? *
  Yes / No
Does the Organization have a data flow map for internal and external communication? *
  Yes / No
If you chose 'Yes' for the previous question, is there an up-to-date diagram of the path data travels into and out of the network, which devices it passes through, and how it is stored? *
  Yes / No

CYBERSECURITY & REGULATORY POLICIES AND PROCEDURES (Step 13 of 21)

Is the Organization required by local, state, federal, or international agencies to comply with specific cybersecurity regulations or policies? *
  Yes / No
  Note: This includes PCI DSS, FINRA, HIPAA, GDPR, state banking department requirements, etc.
Does the Organization have a Cybersecurity Roles and Responsibilities Policy for employees and third-party vendors? *
  Yes / No
Does the Organization have a Written Information Security Policy (WISP)? *
  Yes / No
  Note: A WISP outlines employee requirements and best practices regarding sensitive data.
Does the Organization have an Information Security Roles and Responsibilities Policy for employees and third-party vendors? *
  Yes / No
  Note: This policy governs the handling of Personally Identifiable Information (PII) by employees and contractors.

RISK MANAGEMENT (Step 14 of 21)

Has the Organization performed a risk assessment? *
  Yes / No
  Note: This means identifying and analyzing potential events that may negatively impact individuals, assets, and/or the environment, and making judgments about the Organization's risk tolerance.
Does the Organization have a list of business products and services, prioritized by the impact (critical to low) of the risks or vulnerabilities affecting them? *
  Yes / No
Have the Organization's management team, employees, and vendors agreed to policies for managing risk tolerance? *
  Yes / No
Has the Organization performed a Breach Impact Analysis? *
  Yes / No
  Note: This includes categorizing the threats and vulnerabilities that could cause a security breach and assigning each a severity and priority based on its likelihood of occurrence.
Has the Organization completed a vulnerability assessment that identifies and documents weaknesses in its IT systems and network? *
  Yes / No

POLICIES & PROCEDURES (Step 15 of 21)

Does the Organization have a breach response and disaster recovery plan in place? *
  Yes / No
Are the Organization's breach response and disaster recovery plans tested periodically? *
  Yes / No
Does the Organization have a backup plan for workstations and servers? *
  Yes, backup services (SaaS solution) / Yes, local backups (NAS, USB drives, DVD/tape) / Yes, hybrid (mix of SaaS and local devices) / No
Are the Organization's backup plans maintained and tested periodically? *
  Yes / No
For data systems, has the Organization determined uptime requirements to ensure business continuity? *
  Yes / No

CYBERSECURITY HISTORY (Step 16 of 21)

List the Organization's known cybersecurity assets: (Check all that apply.)
  Antivirus/host protection / Firewall, physical device / Firewall, application based / DNS filtering / Data exfiltration system / IDS/IPS system / Email phishing protection / Multi-factor authentication access / Dedicated cybersecurity employee or department
Has the Organization ever experienced a cyber breach or attack? *
  Yes / No
If you chose 'Yes' in the previous question, describe the breach or attack.
Has the Organization undergone breach remediation processes? *
  Yes / No
If you chose 'Yes' in the previous question, describe the details of the remediation.

DATA PROTECTION PROCESSES AND PROCEDURES (Step 17 of 21)

Does the Organization have a System Development Life Cycle (SDLC) in place to manage software/hardware development or configuration? *
  Yes / No
Does the Organization have an audit trail system in place to monitor network or system configuration changes? *
  Yes / No
Does the Organization have a mandatory written data destruction policy? *
  Yes / No
Are the Organization's data protection processes being continuously improved? *
  Yes / No
Is organizational data at rest protected? *
  Yes / No
  Note: This includes Personally Identifiable Information (PII) stored on local servers or in cloud storage.
Is organizational data in transit protected? *
  Yes / No
  Note: This includes data transmitted within a private network and data sent externally to vendors and customers.
Does the Organization regularly audit the protection technologies it employs? *
  Yes / No
Does the Organization have a formal process to remove, transfer, or dispose of assets? *
  Yes / No
  Note: This process covers electronic waste, archived materials, and printed materials.
Does the Organization implement protections against data leaks, such as exfiltration? *
  Yes / No
Does the Organization have systems in place to verify software, firmware, and information integrity? *
  Yes / No
Are the Organization's development and testing environment(s) separate from the production environment? *
  Yes / No / Not Applicable

PROTECTIVE TECHNOLOGY (Step 18 of 21)

Has the Organization implemented a system or process to detect malicious code operating on the internal network? *
  Yes / No
Does the Organization have IT mechanisms (e.g., fail-safe, load balancing, hot swap) in place to meet network resilience requirements in normal and adverse situations? *
  Yes / No
Are the Organization's audit log records determined, documented, implemented, and reviewed in accordance with regulatory policy? *
  Yes / No

AWARENESS TRAINING (Step 19 of 21)

Are the Organization's employees required to complete cybersecurity awareness training and acknowledge their responsibilities? *
  Yes / No
Are the Organization's senior executives made aware of their roles and responsibilities regarding company data? *
  Yes / No
Are the Organization's administrators and other privileged users who have access to sensitive data required to acknowledge their increased roles and responsibilities? *
  Yes / No
Does the Organization provide periodic security reminders or updates to its employees, contractors, or stakeholders? *
  Yes / No
Are the Organization's employees regularly sent simulated phishing emails to gauge their response to a potential phishing attack? *
  Yes / No
  Note: Phishing is the act of sending a seemingly official email to maliciously harvest credentials.
Are the Organization's employees' activities monitored to detect potential cybersecurity events? *
  Yes / No

NETWORK MONITORING (Step 20 of 21)

Has the Organization established and maintained a baseline of network operations and expected data flows for users and systems? *
  Yes / No
Has the Organization tested the detection processes it has implemented? *
  Yes / No
  Note: Penetration tests are used to exploit or discover network weaknesses, and phishing campaigns are used to test user behavior.
Is the Organization's physical network environment monitored to detect potential cybersecurity events? *
  Yes / No
  Note: This includes reviews of access logs and removable media usage policies.
Does the Organization use a SIEM or other monitoring tools to aggregate and correlate event data from multiple sources and sensors, to discern potential attack targets and methods? *
  Yes / No
Has the Organization established incident alert thresholds? *
  Yes / No
  Note: These thresholds are based on network activity baselines. The Organization is expected to comply with the time frame for reporting an incident (successful or unsuccessful) to the appropriate authorities (internal or external).

PATCHING/UPDATES (Step 21 of 21)

Are the Organization's servers and workstations (desktops/laptops) patched on a regular basis? *
  Yes / No
Which patching method does the Organization use?
  Manual / Automated software that installs patches (e.g., an RMM tool) / Through a third-party IT organization / Not currently patching
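The NETWORK MONITORING step asks whether a baseline of expected data flows exists and whether alert thresholds are derived from it. The following is an added example, not part of the questionnaire and not code from any tool it names, showing one way those two ideas fit together: a per-host baseline of daily outbound volume and known destinations is built from a training window of flow records, and a later window is flagged when a host exceeds a threshold derived from its own baseline or talks to a destination it never used before. The host names, destinations, byte counts and the sigma/floor thresholds are all constructed for illustration.

```python
"""Baseline-and-threshold alerting over network flow records.

Added example, not part of the questionnaire. Flow records, host names
and thresholds below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    day: int        # observation day (constructed index, not a real date)
    src: str        # internal source host
    dst: str        # destination host name or IP (constructed)
    bytes_out: int  # bytes sent from src to dst


# Constructed training window: three days of ordinary traffic.
BASELINE_FLOWS = [
    Flow(1, "ws-01", "mail.example.internal", 20_000),
    Flow(1, "ws-01", "files.example.internal", 150_000),
    Flow(1, "ws-02", "mail.example.internal", 25_000),
    Flow(1, "ws-02", "saas.example.com", 80_000),
    Flow(2, "ws-01", "mail.example.internal", 22_000),
    Flow(2, "ws-01", "files.example.internal", 140_000),
    Flow(2, "ws-02", "mail.example.internal", 24_000),
    Flow(2, "ws-02", "saas.example.com", 90_000),
    Flow(3, "ws-01", "mail.example.internal", 18_000),
    Flow(3, "ws-01", "files.example.internal", 160_000),
    Flow(3, "ws-02", "mail.example.internal", 26_000),
    Flow(3, "ws-02", "saas.example.com", 85_000),
]

# Constructed evaluation window: ws-01 pushes a large volume to an address
# never seen in the baseline; ws-02 behaves as usual.
NEW_FLOWS = [
    Flow(4, "ws-01", "mail.example.internal", 21_000),
    Flow(4, "ws-01", "files.example.internal", 150_000),
    Flow(4, "ws-01", "203.0.113.7", 2_500_000),
    Flow(4, "ws-02", "mail.example.internal", 25_000),
    Flow(4, "ws-02", "saas.example.com", 88_000),
]


def build_baseline(flows):
    """Per-host statistics of daily outbound bytes plus the set of known destinations."""
    daily = defaultdict(lambda: defaultdict(int))  # host -> day -> bytes
    dests = defaultdict(set)                        # host -> {dst}
    for f in flows:
        daily[f.src][f.day] += f.bytes_out
        dests[f.src].add(f.dst)
    baseline = {}
    for host, per_day in daily.items():
        totals = list(per_day.values())
        baseline[host] = {"mean": mean(totals), "stdev": pstdev(totals), "dests": dests[host]}
    return baseline


def evaluate(flows, baseline, sigma=3.0, min_increase=500_000):
    """Return (host, reason) alerts for hosts outside their baseline.

    sigma: standard deviations above the daily mean that trigger a volume alert.
    min_increase: absolute floor in bytes, so a host with a tiny stdev does not
    alert on trivial growth. Both defaults are constructed, not from the page.
    """
    daily = defaultdict(lambda: defaultdict(int))
    new_dests = defaultdict(set)
    for f in flows:
        daily[f.src][f.day] += f.bytes_out
        if f.dst not in baseline.get(f.src, {}).get("dests", set()):
            new_dests[f.src].add(f.dst)
    alerts = []
    for host, per_day in daily.items():
        if host not in baseline:
            alerts.append((host, "no baseline for host"))
            continue
        b = baseline[host]
        threshold = max(b["mean"] + sigma * b["stdev"], b["mean"] + min_increase)
        for day, total in sorted(per_day.items()):
            if total > threshold:
                alerts.append((host, f"day {day}: {total} bytes out exceeds threshold {int(threshold)}"))
    for host, dsts in new_dests.items():
        for d in sorted(dsts):
            alerts.append((host, f"new destination {d} not in baseline"))
    return alerts


if __name__ == "__main__":
    for host, reason in evaluate(NEW_FLOWS, build_baseline(BASELINE_FLOWS)):
        print(f"ALERT {host}: {reason}")
```

The absolute floor matters in practice: a host whose daily totals barely vary has a near-zero standard deviation, so a pure sigma rule would page on noise. A real deployment would replace the in-memory lists with flow records from the network sensors or SIEM the step asks about, and tune sigma and the floor per host class.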