Cybersecurity

This is a self-assessment: the more accurate the information you supply, the more helpful the findings and recommendations will be for your organization.

Organization

1. Organization Name

Survey

2. Risk Assessment & Threat Modeling

Our organization has performed a basic risk assessment that includes threat modeling. 

A cybersecurity risk assessment looks at threats to the confidentiality, integrity and availability of information managed by the organization, and compares these threats against the safeguards in place to determine which risks to expend effort on mitigating. Threat modeling looks at specific threats to the organization that may be unique to its culture, nature of work, or other criteria.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

3. Cybersecurity Plan

Our organization has an active cybersecurity plan.

An effective cybersecurity plan is revisited at least annually and includes a timeline for implementing any changes, a plan for communicating and supporting those changes, and support for new security measures.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree [N/A]

4. Vulnerability Scanning

Our organization performs annual vulnerability scanning to detect internal and external network and system vulnerabilities.

Vulnerability scanning is software that scans computers, networks and applications for weaknesses. Note that this question only applies to organizations with offices, and with networks within those offices. Organizations that work out of co-working environments or are completely distributed do not require vulnerability scanning at the network level and should choose the N/A option for their response.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree [N/A]

5. Sensitive Information

Our organization periodically reviews the accounts and access controls in place for sensitive information.

An access control is a restriction of access to a resource or system. Active system, application and service accounts are reviewed monthly or quarterly and updated to reflect the current state. Permissions to restricted information are checked to verify they are accurate.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

6. Breach Identification

The organization has processes in place to aid in identification of breaches of systems and/or information. 

Examples include policies for staff about what to do if they suspect a breach, and working with vendor tools to set up notifications about anomalous events that may indicate a breach. This can also include data loss prevention (DLP) measures.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

7. Notes (Current Practices)

Please provide any additional comments you have in regard to this section. 

8. Firewalls

Firewall(s) are installed with active subscriptions for Unified Threat Management (UTM).

Unified Threat Management (UTM) monitors inbound and outbound network traffic for malware and for signs of intrusion or attempted intrusion. This only applies to organizations with networks used by multiple staff; it is not applicable to organizations that are completely distributed.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree [N/A]

9. Wireless Access

Wireless Access to our organization's network (Wi-Fi) is configured with strong encryption.

WPA2, at a minimum.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

10. Cloud Providers

Our organization understands the privacy and data sharing policies of its cloud service providers.

For example, if our organization uses Salesforce for CRM and Google for email and document management, we have read and understood the privacy and data protection policies of Salesforce and Google.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

11. Malware Protection

The organization has a centralized Antivirus solution running on all Windows workstations and servers. 

The antivirus solution should provide notifications of malware detection on any device, as well as notifications of update failures or antivirus service stoppage.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree [N/A]

12. Patch Management

The organization uses a patch management system to keep endpoints patched with current software versions. 

Ideally, a patch management solution that covers Windows and Macs, servers, desktops and laptops, and that also handles third-party applications such as Adobe, Java and MS Office.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

13. Replacing Critical Hardware and Software

Critical hardware/software is replaced before end of warranty, service contracts, or end-of-life.

Especially important for mission-critical hardware such as servers and firewalls, and for mission-critical software.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

14. Restore Tests

Our organization's important information is backed up securely and restore tests are performed on a schedule. 

Backup systems should be both physically and logically distinct from primary systems. For example, if sensitive data exists on an in-house server, the backup should be offsite and on a separate system (such as a cloud-based backup). Restore tests should also be performed, at a minimum, once every three months (quarterly).

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

15. Notes (Network & Systems Security)

Please provide any additional comments you have regarding network & systems security here.

16. Two-Factor Authentication (2FA)

Two-Factor Authentication (2FA) is required for access to all systems, services and applications that support 2FA and contain sensitive information.

For example, two-factor authentication (2FA) is required for access to organizational email. Two-factor authentication adds a second verification step to the login process.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

17. Shadow Information Technology

Our organization works to limit "shadow" IT by ensuring staff have the tools they need to collaborate and work effectively.

Shadow IT is when staff use personal versions of tools like Dropbox, Google Drive and Slack, without the involvement or knowledge of organizational IT, to work remotely and/or collaborate with colleagues in the manner that best supports their work.

Organizations can reduce shadow IT through policy and communication, but most of all by leveraging cloud-based applications that give staff a high degree of flexibility to collaborate, work remotely and use various devices.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

18. Password Management

The organization provides staff with a password manager and/or Single Sign-On (SSO) tool. 

Examples of Password Management/SSO systems include LastPass, KeePass, 1Password & Okta.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

19. Process for Getting Support

Staff, interns and volunteers have a clear process for getting effective technology support in a timely fashion.

Having access to reliable technology support is important to cybersecurity because, without it, staff may allow risks to persist or may unknowingly engage in risky digital behavior.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

20. Cybersecurity Awareness Training

All staff at our organization have attended cybersecurity awareness training within the past year. 

There is an ongoing security awareness training program in place to help staff follow best practices for information security.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

21. New Staff Orientation

New staff, interns and volunteers receive training on the organization's systems as part of new hire orientation.

This is important because if staff, interns and volunteers do not know how to use the organization's systems, they may use their own tools instead, or may misuse organization technology in ways that compromise security.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

22. Phish Testing

The organization periodically "phishes" its staff to determine vulnerability to common phishing tactics. 

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

23. Notes (Staff Training & Support)

Please provide any additional comments you have in regard to the training and support section here.

24. IT Documentation Exists

Appropriate IT documentation exists for the organization.

Example: a current network diagram, server roles, documentation of vendors, SaaS, etc. Optimally, IT staff verify and update the documentation periodically.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

25. Documented Access Controls

The organization has documented access controls in place for sensitive information.

An access control is a restriction of access to a resource or system. Documenting who has access to sensitive information within the organization is important to ensure that access controls are properly managed.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

26. Cybersecurity Insurance

Our organization has reviewed options for cybersecurity insurance and considered whether it is appropriate for our organization.

Cybersecurity insurance may help mitigate financial risk should your organization suffer a breach or other cybersecurity-related incident.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

27. Policies for Sensitive Information

Our organization has clear and effective policies in place that help protect sensitive information and provide legal protection. 

These policies must address, at a minimum, the following areas:

  • Bring Your Own Device (BYOD) policy
  • Remote and travel policy
  • Data sharing policy
  • Acceptable Use policy
  • Onboarding/Offboarding (Provisioning and Deprovisioning)

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

28. Staff Onboarding and Offboarding

There is a documented process and policy in place regarding the onboarding/offboarding of staff.

For example, which accounts are created when new staff come in, how access is revoked, and how information is protected when staff leave.

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

29. Incident Response Plan

The organization has a complete incident response plan in place. 

An effective incident response plan includes, at a minimum:

  1. Guidelines for declaring an incident and activating the incident response
  2. A defined incident response team with contact information
  3. A communications plan
  4. A recovery plan
  5. Lessons learned and resulting changes

Strongly Disagree [1] [2] [3] [4] [5] Strongly Agree

30. Notes (Documentation & Policies)

Please provide any additional comments you have regarding the documentation & policies section here.

31. Cybersecurity Additional Comments

Please add any additional comments or thoughts you wish to share about cybersecurity at your organization.
