IT Security Risk Assessment

Please enable JavaScript in your browser to complete this form.

BASIC INFORMATION

Organization Name: *

Organization Phone Number: *

Organization Address: *

Address Line 1

Address Line 2

City

State

Zip Code

Total employees in the Organization: *

1-10
11-99
100-249
250+

What industry describes your Organization? *

Banking
Biotechnology
Communications
Construction
Consulting
Education
Engineering
Entertainment
Finance
Government
Healthcare
Hospitality
Legal
Manufacturing
Not for Profit
Retail
Technology
Transportation
Other

By choosing 'Other' in the previous question, can you describe the Organization's industry? *

How many locations/facilities does the Organization have? *

What are the Organization's hours of operation? *

OPERATION POLICIES & PROCEDURES

Does the Organization employ and support remote employees? *

Does the Organization perform background checks to examine and assess an employee/contractor's work and criminal history? *

Are the Organization's employees required to sign a non-disclosure agreement (NDA)? *

Are the Organization's employees required to sign the non-disclosure agreement (NDA) annually? *

Does the Organization have a formal process to manage the termination and/or transfer of employees? *

Does the Organization have a formal process to equip new employees and ensure the return of equipment from terminated/reassigned employees? *

Does the Organization staff wear ID badges? *

Does the Organization have a Bring Your Own Device (BYOD) policy for personal devices (laptops, cellphones, ect.) utilizing organizational assets? *

PHYSICAL SECURITY

Does the Organization have effective physical access controls (e.g., door locks) in place to access the facilities? *

Are key areas within the Organization (e.g., server rooms, personnel files, etc.) protected from unauthorized access? *

Which access control processes are in use within the Organization? *

Manual lock with key
RFID access control locks
Keypad control locks
Unlocked door with gatekeeper (e.g., receptionist)
Other

Check all that apply.

By choosing 'Other' in the previous question, can you describe the other access control process(es)? *

Does the Organization have a plan in place to manage access events or circumstances (e.g., a person with the server room key is sick)? *

Does the Organization have policies and procedures in place to document repairs or modifications to physical access components? *

How are the Organization's physical access controls authorized? *

Does the Organization use video surveillance technology? *

By choosing 'Yes' in the previous question, can you describe your Organization's current video surveillance system? *

Are the recording from the Organization's surveillance system stored on premises or in the cloud? *

NETWORK CONFIGURATION

Please describe the Organization's current network setup? *

How many servers does the Organization have? *

What operating systems are the servers using? *

Windows
Linux
UNIX
MacOS
Other

Check all that apply.

By choosing 'Other' in the previous question, can you name the other server operating system(s)? *

Does the Organization collect and/or store sensitive data on any server? *

How many workstations (desktops) does the Organization have? *

How many laptops does the Organization have? *

What operating systems are the workstations and/or laptops using? *

Windows 11
Windows 10
Older Windows (Windows 7/8, Vista, XP, 2000, NT, ect.)
MacOS
Linux
UNIX
Other

Check all that apply.

By choosing 'Other' in the previous question, can you name the other workstation/laptop operating system(s)? *

Does the Organization collect and/or store sensitive data on any workstations/laptops? *

EMAIL CONFIGURATION

The Organization's corporate email provider is: *

Does the Organization use a third party to administer your email system? *

Does the Organization use multi-factor authentication to protect email access? *

Does the Organization have a written access plan for email? *

Does the Organization have an acceptable use policy for email? *

Does the Organization have a plan for creating new and removing terminated employees from email access? *

Has the Organization recently performed an audit to optimize and validate email security features? *

Does the Organization use a system to monitor email for threats and unauthorized access? *

Does the Organization backup and archive the email system? *

By choosing 'Yes' in the previous question, briefly describe any email backup policies and plans that the Organization currently has in place. *

TELECOMMUNICATION CONFIGURATION

The Organization's telephone service is: *

Are the Organization's telecommunication devices located in an access-restricted area? *

Is the Organization's telecommunication system self-service? *

Is there a member of the Organization responsible for the telecommunication system administration who can provision new users/devices and resolve basic support issues? *

WIRELESS NETWORK CONFIGURATION

Does the Organization utilize a wireless network? *

What type of encryption is used on the Organization's wireless network? *

By choosing 'Other' in the previous question, please name the type of encryption that is used on the Organization's wireless network.

Is the wireless SSID (wireless network name) broadcasted? *

Does the Organization have a segmented guest wireless network? *

Does the Organization have an Acceptable Use Policy banner present on the guest network? *

If known, please list the brands of wireless access devices (routers, access points, etc.) used. *

INTERNET OF THINGS (IOT) CONFIGURATION

Does the Organization utilize any of the following devices on the corporate network (Wired or Wireless): *

Smart TVs
Personal Assistant Devices (Google Assistant Alexa, etc.)
Third Choice

Check all that apply.

Does the Organization use portable media devices? (e.g., CD/DVD drives, tablets, iPads, USB storage devices, etc.) *

Does the Organization have a written security and acceptable use policy for Internet of Things (IoT) devices? *

EMPLOYEE ROLES

Does the Organization have a person responsible for security policies and procedures? *

How does the Organization communicate security updates to needed resources? *

DATA ACCESS POLICIES

Does the Organization have an access control system to authorize and/or restrict user activity on your assets and network devices? *

Services such as Active Directory are used to set, authorize, or restrict employee access.

Does the Organization segregate the network in a way that ensures data or services are available on a need-to-know basis? *

Typical techniques include network segmentation and access control lists (ACL) to delineate access rights.

Does the Organization use multi-factor authentication for access to high-sensitive data? *

EMPLOYEE TRAINING

Does the Organization have a formal sexual harassment training policy for all employees? *

Does the Organization have a formal security awareness training policy for all employees? *

Does the Organization have a formal cyber security training policy for all employees? *

Does the Organization have a media destruction policy for used media (CD/DVD archives, floppy disks, audio or video tape, etc.) in place? *

Does the Organization track and audit the employees security training for completeness? *

ASSET MANAGEMENT

Does the Organization have an maintain a list of all physical devices in the company? *

This include workstations, laptops, servers, networking devices, office equipment, etc.

Does the Organization have baseline configurations of IT systems established and maintained? *

Does the Organization have an updated list of in-use company software such as office software suites, accounting packages, inventory management software, and software development tools? *

Does the Organization have a list of all cloud-based SaaS (Software as a Service) and collaborative file sharing tools (DropBox, Google Drive, etc.) in use? *

Does the Organization have a data flow map for internal and external communication? *

By choosing 'Yes' for the previous question, is there an updated diagram available of the path that data travels into or out of your network, through which devices, and how the data is stored? *

CYBERSECURITY & REGULATORY POLICIES AND PROCEDURES

Is the Organization required by local, state, federal, or international agencies to comply with their specific cybersecurity regulations or policies? *

This includes PCI, FINRA, HIPAA, GDPR, state banking department, etc.

Does the Organization have a Cybersecurity Roles and Responsibilities Policy for employees and third-party vendors? *

Does the Organization have a Written Information Security Policy (WISP)? *

A WISP outlines employee requirements or best practices regarding sensitive data.

Does the Organization have an Information Security Roles and Responsibilities Policy for employees and third-party vendors? *

This policy governs the handling of Personally Identifiable Information (PII) by employees and contractors.

RISK MANAGEMENT

Has the Organization performed a risk assessment? *

This includes the Organization identifying and analyzing potential events that may negatively impact individuals, assets, and/or the environment and making judgments on the Organization’s tolerability.

Does the Organization have a list of business products and services, prioritized from critical to low impact risks or vulnerabilities? *

Have the Organization's management team, employees, and vendors agreed to policies for managing risk tolerance? *

Has the Organization performed a Breach Impact Analysis? *

This included categorizing threats and vulnerabilities with the potential to cause a security breach and giving a severity and priority based on the likelihood of occurrence?

Has the Organization completed a vulnerability assessment that identifies and documents weaknesses in your IT systems and network? *

POLICIES & PROCEDURES

Does the Organization have a breach response and disaster recovery plan in place? *

Ares the Organization's breach response and disaster recovery plans tested periodically? *

Does the Organization have a backup plan for workstations and servers? *

Are the Organization's backup plans maintained and tested periodically? *

For data systems, has the Organization determined uptime requirements to ensure business continuity? *

CYBERSECURITY HISTORY

List the Organization's known cybersecurity assets:

Antivirus/Host Protection
Firewall – Physical Device
Firewall – Application Based
DNS Filtering
Data Exfiltration System
IDS/IPS System
Email Phishing Protection
Multifactor Authentication Access
Dedicated Cybersecurity Employee or Department

Check all that apply.

Has the Organization ever experienced a cyber breach/attack? *

By choosing 'Yes' in the previous question, please describe the cyber breach/attack.

Has the Organization undergone breach remediation processes? *

By choosing 'Yes' in the previous question, please describe the details of the remediation.

DATA PROTECTION PROCESSES AND PROCEDURES

Does the Organization have a System Development Life Cycle (SDLC) in place to manage software software/hardware development or configuration? *

Does the Organization have an audit trail system in place to monitor network or system configuration changes? *

Does the Organization have a mandatory written data destruction policy? *

Are the Organization's data protection processes being continuously improved? *

Is Organizational data-at-rest protected? *

This data includes Personally Identifiable Information (PII) stored on servers locally or in cloud storage.

Is Organizational data-in-transit protected? *

This includes data transmitted within a private network, or externally to vendors and customers.

Does the Organization audit the protection technologies that are employed on a regular basis? *

Does the Organization have a formal process to remove, transfer, or dispose of assets? *

This process includes electronic waste, archived materials, and printed materials.

Does the Organization implement protections against data leaks, such as exfiltration? *

Does the Organization have systems in place to verify software, firmware, and information integrity? *

Are the Organization's development and testing environment(s) separate from the production environment? *

PROTECTIVE TECHNOLOGY

Has the Organization implemented a system or process to detect malicious code operating on the internal network? *

Does the Organization have IT mechanisms (e.g., fail-safe, load balancing, hot swap) in place to achieve network resilience requirements in normal and adverse situations? *

Are the Organization's audit log records being determined, documented, implemented and reviewed in accordance with regulatory policy? *

AWARENESS TRAINING

Are the Organization's employees required to complete cybersecurity awareness training and acknowledge their responsibilities? *

Are the Organization's senior executives made aware of their roles and responsibilities regarding company data? *

Are the Organization's administrators or privileged users, who have access sensitive data, required to acknowledge their increased roles and responsibilities? *

Does the Organization provide periodic security reminders or updates to its employees, contractors, or stakeholders? *

Are the Organization's employees regularly sent simulated phishing email to gauge their response to a potential phishing attack? *

Phishing is the act of sending a seemingly official email to maliciously harvest credentials.

Are the Organization's employees activities being monitored to detect potential cybersecurity events? *

NETWORK MONITORING

Has the Organization established and managed a baseline of network operations and expected data flows for users and systems? *

Has the Organization tested the implemented network detection processes? *

Penetration tests are used to exploit or discover network weaknesses, and phishing campaigns are used to test user behavior.

Is the Organization's physical network environment being monitored to detect potential cybersecurity events? *

This includes reviews of access logs, and removable media usage policies.

Does the Organization use a SIEM or other monitoring tools to aggregate and correlate event data from multiple sources and sensors to discern potential attack targets and methods? *

Has the Organization established incident alert thresholds? *

These thresholds are based on network activity baselines. The Organization complies with the time frame to report an incident (successful or unsuccessful) to the appropriate authorities (internal or external).

PATCHING/UPDATES

Are the Organization's servers and workstations (desktop/laptop) being patched on a regular basis? *

Which patching method does the Organization use?

Manual
Automated software to install patches (i.e., an RMM tool)
Through a third party IT organization
Not currently doing patching

Numbers

Single Line Text