Security Check-Up Overview
A Cyber Security Check-Up is a good way to get a picture of your IT organization’s current cyber security profile. CIO Street developed a custom survey organized into 8 Cyber Security categories that veteran Information Security leaders, with years of experience in small, medium, and large organizations, deemed highly strategic. This questionnaire should be used as a starting point to evaluate current cyber security controls and may offer guidance on additions and changes. We believe our cyber security check-up will help an organization recognize possible areas for improvement and assist in forming a strategic security plan for the future.
For ease of use, CIO Street has 2 assessments available: a quick survey with 2 questions per Cyber Security category that provides an overview of an IT organization's current information security, or a complete 48 question survey that provides a more accurate IT Cyber Security assessment. If you complete the short survey and are interested in a more in-depth evaluation, feel free to open the comprehensive questionnaire and complete the remaining questions.
Once you complete the survey, you will receive immediate results and a few suggestions for improvement. Have fun!
Cyber Security Check-Up - Short Version
Category I - System Access
1. Does your IT organization have formalized policies and procedures for network and application access?
2. Does your IT organization use a tiered approval system to grant access to the network and applications?
3. Does your IT organization perform a user access review at least twice a year?
4. Does your IT organization use a multi-factor form of identifying users before granting access to networks and applications?
5. Does your IT organization have physical access controls including smart-card, biometric readers, cameras, and other identification systems for all sensitive areas including data centers, financial offices, HR offices, etc.?
Category II - Networks & Email
1. Does your organization use multiple vendors and network connections between locations/cloud and the Internet for redundancy?
2. Does your IT organization monitor network connectivity 24/7?
3. Does your IT organization have a formal network incident response plan?
4. Does your organization have an automated network intrusion detection system with incident alerting?
5. Does your organization provide a separate and isolated network connection to the Internet for guests and visitors?
6. Does your IT organization regularly perform network and systems penetration tests from multiple vendors?
7. Does your IT organization use an automated network intrusion detection system?
8. Is VPN communication used for all remote network connections?
9. Does your IT organization use firewalls for all relevant systems?
10. Does your IT organization use a strong encryption protocol for wireless network access?
11. Does your IT organization have automated monitoring of unauthorized device connectivity?
12. Does your IT organization provide an email gateway for removing spam?
13. Does your IT organization use an email testing and forwarding system to guard against malware?
Category III - Data Security
1. Is data encrypted at rest for all enterprise systems?
2. Does your organization use a data traffic monitoring system to provide early warnings of anomalous access and data movement?
3. Does your IT organization regularly perform an asset and data classification review?
4. Does your IT organization develop and maintain a map of all available data resources within the organization?
5. Does your organization automatically encrypt all data stored on user devices?
Category IV - User Security
1. Does your IT organization automatically load and update user and enterprise hardware with antivirus software?
2. Does your IT organization regularly perform user phishing tests?
3. Does your IT organization provide user security training on a regular basis?
4. Does your IT organization provide warnings of possible cyber security threats to end-users?
Category V - Policies & Procedures
1. Does your IT organization develop and practice a cloud security policy and procedure?
3. Does your organization apply all relevant security policies and procedures to third party services?
4. Does your organization develop and provide a computer and data usage/confidentiality policy for all employees and 3rd party service providers?
5. Does your IT organization develop and provide digital signature tools, policies, and procedures?
6. Does your IT organization provide tools for reporting any required regulatory system/application security and change management policies, procedure, and monitoring?
Category VI - Change Controls
1. Does your IT organization develop and use formal change management policies and procedures?
2. Does your IT organization require testing of all changes prior to implementation?
3. Does your IT organization require a multi-tiered approval of system and software changes?
4. Does your IT organization review system logs for unauthorized changes on a regular basis?
Category VII - Business Continuity
1. Does your organization use multiple data centers, cloud computing environments, or a mix of both, with high-availability failover capabilities?
2. Does your IT organization use and regularly test appropriate backup and recovery processes?
3. Does your IT organization have a formalized application/systems incident response plan?
4. Does your organization use and regularly test a formalized and appropriate disaster recovery/business continuity plan?
5. Does your organization automatically back-up user data where appropriate?
6. Does your IT organization continually develop and test for security incidents?
7. Does your IT organization automatically implement security and operating system updates?
8. Are any of the user devices within the organization more than 5 years in age?
9. Are any of the hardware devices or cloud environment for enterprise systems more than 5 years in age?
10. Has any of the organization’s enterprise software gone more than a year without an update?
Category VIII - Software Development
1. Are all web sites designed to prevent DoS and/or DDoS attacks?
2. Do all software development efforts follow standard security design practices, including prevention of SQL injection and spoofing?
3. Does your IT organization develop and practice formal software development and testing policies and procedures?
4. Does your IT organization always incorporate security, user access, and change management policies into development/integration projects?
Complete this form and immediately see your results!
(We promise not to harass you with uninvited solicitations or share your data with a 3rd party)