Security Self-Assessments

The five security self-assessments below are based on the NIST Cybersecurity Framework, which requires adopters to:

(1)  Identify cyber threats and vulnerabilities,

(2)  Protect themselves accordingly with security controls and defenses,

(3)  Detect whether security controls have been compromised,

(4)  Respond to cyber-attacks, incidents, and breaches, and lastly

(5)  Recover from cyber-attacks, incidents, and breaches.

Assess your organization’s security posture by completing the questionnaires below. Your results are provided at the end of each assessment and no personal information is required.

Security Self-Assessment: Identify

1 – All physical systems and devices within the organization are inventoried.

2 – All software platforms and applications within the organization are inventoried.

3 – All systems, devices, software platforms, and applications are classified and prioritized based on their critical nature and business value.

4 – The organization has clearly defined cybersecurity roles and responsibilities for internal users, external vendors, customers, and partners.

5 – The organization has written information security policies and procedures.

6 – The organization clearly understands all legal and regulatory requirements regarding cybersecurity.

7 – Cybersecurity risks are identified and managed by a governance and risk management process.

8 – Cybersecurity risk tolerance is determined, expressed in policy, and agreed upon by all stakeholders.

Security Self-Assessment: Protect

1 – A security awareness training program is in place, and all users are provided training at least annually.

2 – Critical or sensitive data is protected by encryption technology at rest and in transit.

3 – Network segmentation is used logically or physically to separate systems according to policy.

4 – The organization has a formal change management process.

5 – There is a formal process documented for conducting, maintaining, and testing data backups.

6 – Data backups of critical systems have at least three copies, two of which are located on different media, and at least one of which is physically situated offsite.

7 – All systems are secured and hardened using industry best practices or according to policy.

8 – There is a formal vulnerability and patch management program in which systems, devices, software, and applications are regularly scanned for known vulnerabilities and then patched or upgraded accordingly.

9 – Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties.

10 – Physical access to critical systems and devices is managed.

11 – Multi-factor authentication is used to authenticate to critical systems or applications.

12 – There is a formal, written disaster recovery (DR) and business continuity plan (BCP).

13 – There is a formal, written incident response and recovery plan.

14 – Perimeter defenses such as firewalls and intrusion detection/prevention systems are implemented and managed.


Security Self-Assessment: Detect

1 – The organization has a clear definition of normal network operations and expected data flows for users and systems.

2 – The organization has the capability to collect and correlate events and logs from multiple sources, systems, devices, or applications.

3 – The network, physical environment, and user activity are actively monitored to detect potential cybersecurity events.

4 – The organization always knows when a security control has been compromised.

Security Self-Assessment: Respond

1 – Roles and responsibilities for incident response personnel are thoroughly defined and communicated.

2 – Cybersecurity incidents are properly communicated throughout the organization when they occur. Information related to the event is shared in a manner consistent with the incident response plan.

3 – Formal, documented processes and procedures for investigating notifications of suspicious activity are executed and maintained by the incident response team.

4 – Formal, documented processes and procedures exist to ensure the preservation of forensic evidence during or after an event.

5 – The organization has the capability to quickly contain and mitigate cybersecurity incidents.

6 – The incident response plan is regularly reviewed and updated based on test results or actual events.

Security Self-Assessment: Recover

1 – The disaster recovery (DR) and business continuity plan (BCP) is tested regularly, and at least annually.

2 – The organization is capable of recovering from a cybersecurity event or incident in accordance with desired recovery time objectives (RTO) and recovery point objectives (RPO).

3 – The organization maintains a crisis communication plan that manages the organization’s reputation after a cybersecurity event or incident occurs.

4 – The disaster recovery (DR) and business continuity plan (BCP) is reviewed and updated regularly, at least annually.