Cybersecurity Risk Baseline v2017.08

Survey questions are based on the fundamental and essential set of cybersecurity controls. These questions are typically used to prepare for and scope a cybersecurity review. Responses provide a general sense of the cybersecurity environment and should be validated through actual program and control inspection.

A follow-on report will be provided with a cybersecurity maturity score, based solely on this attestation, along with control implications in areas where cybersecurity controls might be weak.

* 1. Contact Information (where the report will be sent)

* 2. Company background

* 3. IT/Cybersecurity Regulatory Obligations

* 4. Cybersecurity Insurance

Classification legend (each statement in questions 5 through 13 is rated on this scale):
  0 Non-Existent: Nothing in place
  1 Initial: Undocumented practices are followed
  2 Repeatable: Procedures are documented
  3 Defined: Documented procedures have been incorporated in corporate processes
  4 Managed: Processes are monitored and measured

* 5. Asset Inventory: Hardware and Software

A list of cyber hardware and software is maintained
Cyber hardware and software lists are validated regularly to ensure the asset population is complete and accurate

* 6. Asset Baselines, Hardening and Change Management

A list of hardware and software configuration settings is maintained
Security settings on hardware and software assets are established for like devices, with unnecessary software, login ids, and services disabled
Only authorized and tested changes are made to the production environment

* 7. Vulnerability Management

Security updates and patches for hardware and software assets are tested and applied in a timely manner
Anti-malware is installed, and signature updates are tested and applied in a timely manner
Vulnerability assessments are performed and necessary corrective measures are implemented

* 8. Access and Account Management

Users are granted approved access to systems and information repositories as required by their responsibilities or role
Administrator and privileged user accounts are used only when needed, and never for regular logon
Strong passwords are required and changed at regular intervals
User access and access levels are reviewed on a regular basis
Unneeded user access is terminated in a timely manner

* 9. Information Management and Protection

Information classification is defined and formal repositories have been established
Confidential information is maintained only in established, limited-access information repositories
Data is backed up on a regular basis and stored securely

* 10. Boundary Defense: Electronic and Physical Security

Corporate and operational networks are segregated with limited and monitored exchange of information
Wireless access is configured securely and never allowed in operational networks
Electronic access to cyber network, server and control hardware is limited and restricted
Physical access to cyber network, server and control hardware is limited and restricted to only authorized individuals

* 11. Incident Management and Review

Event logging is enabled on hardware and software assets
Logs are reviewed to identify and investigate concerns
Response to cybersecurity incidents follows a defined communication and response process
Incident response and recovery plans are developed and tested

* 12. Security Awareness and Training

All users receive cybersecurity training addressing acceptable use and common risks
Cybersecurity awareness materials are posted or distributed on a regular basis

* 13. Supply Chain Management

Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs
A program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer
Third-party access is controlled and monitored

* 14. Questions or comments

SSL/TLS encryption is enabled to keep survey data safe.

Survey responses are kept confidential.

Survey responses are reviewed by Certified Information Systems Auditors (CISA) who have passed a Personnel Risk Assessment (PRA) that includes identity validation and a 7-year criminal background check.

© 2016.  Cybersecurity assessment survey, questions and methodology are proprietary and property of ITEGRITI Corporation.  All rights reserved.
