Use this set of questions to:
- Assess your cyber security posture.
- Support cyber security investment decision making.
- Plan cyber security objectives.

Score your answers as:
- zero – not doing it
- 1 – doing it
Your Business
Use these questions to help assess your cyber security posture and the areas that need investment.
Are your business objectives documented?
Objectives drive risk. Information, risk, and information security management are more effective when aligned to business objectives.
Do you align security controls to the objectives?
Security efforts should be focused on business objectives. Protect the information needed to achieve business goals. Some controls, like malware controls, are a given, but the program is best developed and maintained in alignment with the business. Consider the critical information assets that relate to the objectives.
Do you have third parties that help maintain your security posture?
Third parties bring another set of risks, but a level of risk mitigation is expected. For example, a third party may do record keeping. The good news is that suppliers of these systems are expected to have a security program and to be looking after the information’s security.
Do you have a documented cyber security program?
Are the elements of your program documented and regularly reviewed?
Do you have cyber security policies?
Adversaries attack everyone. Even a simple policy sets expectations, builds trust, supports compliance and risk management, and prevents chaos during incidents.
Do you have cyber security program improvement goals?
You should, even if the goal is only to assess the program and look for improvements.
Do you have data about your customers?
Protecting it is paramount.
Is your customer data secure?
Score zero if you don’t know.
Risk Management
Use these questions to help assess your cyber security posture and the areas that need investment.
Do you manage your information risks?
Do you use computer applications to manage your operations?
Do you have mitigation plans for your security risks?
Have you considered the impact of information asset loss?
The Program
Use these questions to help assess your cyber security posture and the areas that need investment.
Do you have formal cyber security awareness training?
Do you actively identify, protect, detect, and plan to respond and recover?
Have you cataloged your hardware inventory?
Have you cataloged your software inventory?
Have you listed your information assets?
Have you considered each information asset’s risk?
Do you have malware protection in place, updated, and active?
Do your endpoints have access control?
Do you use two factor authentication?
Do you have security controls in place for your infrastructure?
Respond & Recover
Use these questions to help assess your cyber security posture and the areas that need investment.
Do you have an incident response strategy?
Do you have incident response plans?
Do you have backup of your data?
Governance
Use these questions to help assess your cyber security posture and the areas that need investment.
Do you have program governance in place?
Do you assess threats?
Do you assess vulnerabilities?
Have you documented what could attack your business?
Do you monitor your security controls?
Do you measure your program’s effectiveness?
Do you assess the program periodically?
Are you compliant with your regulations?