Use this set of questions to:
- Assess your cyber security posture.
- Support cyber security investment decision making.
- Plan cyber security objectives.

Score each answer on this scale:
- 0 – not doing it
- 1 – doing it a bit
- 2 – should probably do it better
Your Business
Use these questions to help assess your cyber security posture and the areas that need investment.
Are your business objectives documented?
Objectives drive risk. Information, risk, and security management are more effective when aligned to focused objectives.
Do you align security controls to the objectives?
Security efforts should be focused on these objectives. Protect the information needed to achieve business goals. Some controls are a given, like malware controls, but the program is best developed and maintained in alignment with the business. Consider the critical information assets that relate to each objective.
Do you have third parties that help maintain your security posture?
Good news. Another set of risks, but a level of technical control is expected.
Do you have a documented cyber security program?
Strategy, policy, inventories, control descriptions, or all of it.
Do you have cyber security policies?
Adversaries attack everyone. Even a simple policy sets expectations, builds trust, supports compliance and risk management, and prevents chaos during incidents.
Do you have cyber security program improvement goals?
You should. Even if the goal is simply to assess the program and look for improvements.
Do you have data about your customers?
Protecting it is paramount.
Is your customer data secure?
Score zero if you don’t know.
Risk Management
Do you manage your information risks?
Do you use computer applications to manage your operations?
Do you have mitigation plans for your security risks?
Have you considered the impact of information asset loss?
The Program
Do you have formal cyber security awareness training?
Do you actively identify, protect, detect, and plan to respond and recover?
Have you cataloged your hardware inventory?
Have you cataloged your software inventory?
Have you listed your information assets?
Have you considered each information asset’s risk?
Do you have malware protection in place, updated, and active?
Do your endpoints have access control?
Do you use two factor authentication?
Do you have security controls in place for your infrastructure?
Respond & Recover
Do you have an incident response strategy?
Do you have incident response plans?
Do you have backup of your data?
Governance
Do you have program governance in place?
Do you assess threats?
Do you assess vulnerabilities?
Have you documented what could attack your business?
Do you monitor your security controls?
Do you measure your program’s effectiveness?
Do you assess the program periodically?
Are you compliant with your regulations?