Cybersecurity Readiness Checklist

This is a quick self-assessment of your organization's level of cybersecurity readiness. The more accurate the information you supply, the more useful the findings and recommendations will be for your organization. After you complete the Checklist, an Executive Summary will be emailed to you.

Organization

1. Organization Name

Survey

2. Name

What is your name?

4. Phone Number

What is your phone number?

5. Organization

What is the name of your organization?

6. Chief Information Security Officer

Has your organization appointed or designated a person to function in the role of Chief Information Security Officer?


To answer, consider the following:

  • Is there a person that your organization has designated as being responsible for the administration and management of your cybersecurity program? Note: this does not need to be a full-time internal employee with this title, but it does require a person with this skillset.
Not at all 1 2 3 4 5 Completely
7. Risk Assessment

Has your organization conducted a risk assessment that identifies reasonably foreseeable internal and external risks?


To answer this question, consider your responses to the following questions:

  • Has your organization identified threats to security and information and attempted to assess the likelihood and potential impact of these threats?
  • Has your organization performed a rigorous assessment of potential risks to security and data?
  • Does your organization have a documented plan identifying areas for improving cybersecurity?
Not at all 1 2 3 4 5 Completely
8. Controlling Risk

Does your organization have an ongoing process to continuously assess the sufficiency of the safeguards that you have in place?


To answer this question, consider the following:

  • Does your organization have a Data Security Policy or Data Breach Policy in place?
  • Have cybersecurity and data security policies been adequately socialized with your staff?
  • Are staff aware of the implications and consequences of violating such policies?
  • Does your organization have a process for onboarding new staff that includes training on cybersecurity and data policies?
  • Are there established intervals (e.g. quarterly) for reassessment of risk, modifying policy and re-training staff?
Not at all 1 2 3 4 5 Completely
9. Cyber Awareness Training

Does your organization provide Cyber Awareness training to all employees at least annually?


To answer this question, consider your responses to the following questions:

  • Do you provide cybersecurity awareness training to all staff at least annually?
  • Do you provide ongoing awareness training in the form of videos or other content?
  • Do you test employees on their cybersecurity awareness?
Not at all 1 2 3 4 5 Completely
10. Phish Testing

Does your organization regularly "phish" your staff to determine vulnerability to common phishing tactics?


To answer this question, consider your responses to the following questions:

  • Does your organization have a mechanism for sending periodic phishing simulations to your staff?
  • Do the simulations include remedial training for staff who engage with the phishing simulations? 
  • Does your organization review data on staff engagement with phishing simulations? 
Not at all 1 2 3 4 5 Completely
11. Vendor Safeguards

Does your organization have a process for selecting and contracting with service providers who also maintain reasonable safeguards?


To answer this question, consider your responses to the following questions:

  • Does your organization perform a standard vetting process to establish the security posture of third-party vendors and other service providers?
  • Do your organization's contracts require that third parties provide reasonable safeguards to protect private information?
Not at all 1 2 3 4 5 Completely
12. Cyber Liability Insurance

Our organization has reviewed options for cyber liability insurance and is confident that the appropriate coverage is in place.


To answer this question, consider the following:

  • Does your organization have a cyber liability insurance policy, or is that unknown?
  • Is your cyber liability policy reviewed at least annually to determine whether coverage is adequate?
Not at all 1 2 3 4 5 Completely
13. Review Process

Does your organization have an established, documented process for regularly reviewing your cybersecurity program?


To answer this question, consider the following:

  • Does your organization have a process for regularly evaluating your security program?
  • When business practices change, such as when new programs are added or the staff is expanded, do you evaluate how this affects your cybersecurity and data security programs?
  • When adopting new software programs, do you evaluate these in light of your organizational security requirements?
Not at all 1 2 3 4 5 Completely
14. Network and Software Design

Does your organization have a process for regularly assessing risks in your network or software systems?


To answer this question, consider the following questions:

  • Does your organization conduct regular, ongoing risk assessments of systems and software?
  • Does your organization perform vulnerability scans on websites, networks and other systems that store or transmit private information?
  • Are policies in place that prevent staff from accessing private information from unsecured networks, such as public Wi-Fi?
Not at all 1 2 3 4 5 Completely
15. Information Processing

Does your organization have a process for regularly assessing and addressing risks in information processing, transmission and storage?


To answer this question, consider your responses to the following questions:

  • Does your organization perform a regular data inventory?
  • Do you know where all data (even informal sources) exist at your organization?
  • Is it standard practice to encrypt data and also maintain secure backups?
  • If most of your data systems are cloud-based, are those systems secure?
  • Is there a process for ensuring that Private Information cannot be downloaded by staff?
Not at all 1 2 3 4 5 Completely
16. Response Plan

Does your organization maintain a process for detecting, preventing or responding to an attack or system failure?


To answer this question, consider your responses to the following questions:

  • Does your organization maintain a practice of ensuring that anti-malware is installed on all systems that interact with its networks? That includes personal computers when people are working from home.
  • Does your organization have a way of monitoring suspicious traffic?
  • Do you have a documented plan for responding in the event of an attack (commonly referred to as an Incident Response Plan)? The NY SHIELD Act requires notification within 72 hours; would your organization be able to do that?
Not at all 1 2 3 4 5 Completely
17. Testing and Monitoring

Does your organization have a defined process for regularly testing and monitoring all key controls, systems and procedures?


To answer this question, consider the following:

  • Does your organization conduct regular penetration testing to test how effectively your systems protect against attack?
  • How does leadership at your organization know if your current systems are capable of protecting private information?
Not at all 1 2 3 4 5 Completely
18. Information Storage and Disposal

Does your organization have a process in place for assessing risks associated with information storage and disposal?


To answer this question, consider whether your organization:

  • Conducts an ongoing risk assessment that includes the physical security of all systems on your network
  • Manages a system for securing devices in locked cabinets or requiring that staff lock their computers when they are away from them
  • Maintains a process to ensure that only authorized people have access to your physical premises
Not at all 1 2 3 4 5 Completely
19. Intrusions

Does your organization have a system for detecting, preventing and responding to intrusions?


To answer this question, consider your responses to the following questions:

  • Does your organization prevent unauthorized physical access by requiring staff to use keycards and securing all access points?
  • Do you have systems in place to detect network and other system intrusions?
  • Do you monitor alerts for hosted and cloud services?
Not at all 1 2 3 4 5 Completely
20. Unauthorized Access

Does your organization have a process in place to protect against unauthorized access to or use of private information during or after the collection, transportation and destruction or disposal of information?


To answer this question, consider whether your organization has:

  • Data governance in place, with administrators who fully understand the lifecycle of data/information as it is collected, transported, destroyed or disposed of
  • Defined and documented safeguards in place at each of these stages that protect against unauthorized access
Not at all 1 2 3 4 5 Completely
21. Disposal

Does your organization have a process for disposing of private information within a reasonable amount of time, after it is no longer needed for business purposes?


To answer this question, consider the following:

  • Does your organization have a Data Retention Policy?
  • Is there an end of life built into your organization's data life cycle?
  • Does your organization have a secure process for destroying or purging data when it is no longer needed?
  • When data is no longer needed, is it removed in a way that ensures it cannot be read or reconstructed?
Not at all 1 2 3 4 5 Completely
22. Notifying

Does your organization's Incident Response Plan include protocols for notifying affected persons in the event of a breach?


To answer this question, consider the following:

  • Does your organization have an Incident Response Plan that articulates what you would do, and who is responsible, in the event of a breach?
  • If there were a breach at your organization, would you be able to notify all affected persons within a reasonable timeframe?
Not at all 1 2 3 4 5 Completely
