20 Question Security Assessment

2. Do you have a risk management plan that is regularly reviewed and updated?

No        Somewhat        Yes

3. Do you require at least annual/semi-annual security training for all employees?

No        Somewhat        Yes

4. Do you regularly receive, review and monitor threat and vulnerability information for your IT systems and software?

No        Somewhat        Yes

5. Have you identified potential business impacts of a security breach and prepared adequate mitigation strategies for them?

No        Somewhat        Yes

6. Are you actively managing employee access (both physical and virtual), identities, and credentials? For example, are you enforcing strict password policies, implementing role-based permissions for users on all systems, and utilizing strong physical protections (locks, alarms, biometrics, etc.) for critical infrastructure?

No        Somewhat        Yes

7. Do you have a robust firewall, antivirus/anti-malware, and intrusion detection/prevention systems in place?

No        Somewhat        Yes

8. Are you monitoring and controlling employee remote access (VPN, Citrix, etc.) and mobile devices that access your systems so as to prevent the transport, storage or printing of sensitive data outside of company networks?

No        Somewhat        Yes

9. Are your data and systems being securely backed up at regular intervals in geographically distinct regions and do you have a robust disaster recovery plan that is tested on a regular (at least quarterly) basis?

No        Somewhat        Yes

10. Are your un-needed data and obsolete hardware devices being destroyed or disposed of in a secure manner?

No        Somewhat        Yes

11. Do you have an active configuration management and/or change control policy for your IT systems?

No        Somewhat        Yes

12. Are you performing routine vulnerability scans and activity monitoring for all of your IT systems?

No        Somewhat        Yes

13. Do you have established incident response procedures and is your staff aware of it?

No        Somewhat        Yes

14. Are your vendors and suppliers aware of their roles and responsibilities in managing security risks with signed agreements in place?

No        Somewhat        Yes

15. Are employees and senior executives aware of their roles and responsibilities in managing security risks?

No        Somewhat        Yes

16. Do you patch and update of all of your IT systems on at least a weekly basis?

No        Somewhat        Yes

17. Are you ensuring that sensitive data "at rest" (on disk, in a database, etc.) is stored safely utilizing strong encryption as necessary?

No        Somewhat        Yes

18. Are you ensuring that sensitive data "in transit" (moving over the network or internet) is securely encrypted as necessary?

No        Somewhat        Yes

19. Do you have an up-to-date policy for personal (user-owned) device security standards (encryption, anti-virus, software, etc.) that is strictly enforced?

No        Somewhat        Yes

20. Are you routinely communicating the latest high-risk security threats and scams/phishing attempts to your employees?

No        Somewhat        Yes