Question 1 of 13

Password & Access Management

Does your company manage user passwords centrally, ensuring users cannot come up with easy to guess passwords?

We do use a centrally-managed password manager and all corporate systems credentials are stored there. Users cannot choose a password such as [email protected] or Password123.

Many employees have their own password managers, but we don’t have a centralized solution.

All users choose their own passwords and store them as they wish, our company has no centralized password management.

Question 1 of 13

Question 2 of 13

Attack Mitigation

Does your company have mitigation measures for the most common 17 types of cyber attacks?

Yes, we have documented and implemented mitigation measures for the most common 17 types of cyberattacks, and we actively monitor for new attack types that might affect our company.

We have mitigation measures for some cyberattacks, but they are not categorized and documented. Our IT team improvises when it comes to defending the company.

We know cyberattacks go beyond malware, but we only have an antivirus and a firewall.

We don’t even use antivirus and a firewall, every employee is on their own when selecting how to protect their computer.

Question 2 of 13

Question 3 of 13

Security Awareness

Does your company provide regular Security Awareness training sessions for all employees, with job-specific additional sessions (for the CFO, for example) and does it regularly notify employees of ongoing cyberattacks in addition to the organized training sessions? Do you also test their understanding with attack simulations?

Yes, we do all that and more!

Some employees have passed through Security Awareness training, but the results have never been tested. We don’t know if our people understand the kinds of attacks that could happen to them.

We have never had Security Awareness training at our company.

Question 3 of 13

Question 4 of 13

Cloud Services Security

Does your company protect all cloud services used for work?

Examples of cloud services: Jira, Microsoft 365, Google Apps (Gmail, Docs, Hangouts, Drive), Dropbox, Slack.

We do use cloud services and our security team has well-documented security measures in place for each and every corporate cloud service used. We do not allow unprotected or uncontrolled cloud services in our network.

Users are using cloud services as they please, we do not control or ensure their security settings.

Question 4 of 13

Question 5 of 13

IT Infrastructure Protection

Has your company protected its IT infrastructure – servers, network devices, workstations, laptops and mobile devices?

Yes, all our servers, workstations, laptops and mobile devices, as well as all software installed on them, are protected according to CIS or STIG guidelines.

We harden some of our servers but do not follow a specific standard and our workstations are without security hardening.

We rely on the vendor of the operating system or software to protect it as-is.

Question 5 of 13

Question 6 of 13

Vulnerability Management

Does your company have a Vulnerability Management Program in place?

Yes, our Vulnerability Management Program covers all our devices and all software on them and we see consistent improvement in our vulnerability numbers.

We patch our servers and workstations, but we don’t have an official Vulnerability management program in place.

We rely on the Vendor to push security updates to our devices.

Question 6 of 13

Question 7 of 13

Email and Communications Security

Does your company ensure only authorized personnel can log in to email and collaboration services and if a password get stolen, it cannot be used by unauthorized people?

Our email and collaboration systems require 2-factor authentication which is impossible to spoof or intercept. Even if a user password gets stolen, the hackers will still be unable to log in.

We do not have any additional email and collaboration protection than the default.

Question 7 of 13

Question 8 of 13

Penetration Testing

Does your company perform regular attack simulations against critical business systems (penetration tests)?

Yes, we run regular penetration tests against critical business systems and fix all issues identified on time.

We have performed a penetration test once, but only against a small subset of our critical systems.

We have never performed a penetration test against our critical systems and we don’t know if we are vulnerable or not.

Question 8 of 13

Question 9 of 13

Secure Software Development

Do your software developers follow secure coding guidelines?

Yes, our developers follow secure coding guidelines, and we perform SAST/DAST after each build. We also perform threat modeling of each product we develop and security is part of the architecture from the design phase of the product.

Our developers do some security testing of our code, but it is not documented and not part of a process

Our developers do not follow secure software development guidelines.

We do not have a software development function in our company.

Question 9 of 13

Question 10 of 13

Security Policies and Procedures

10.

Do you have the necessary policies and procedures in place to ensure all business processes are protected from human mistakes, insider, and outsider threats?

Yes, we have all necessary policies and procedures, and our people follow them. We regularly perform spot checks and update our documentation after every incident.

We have some policies and procedures for compliance reasons, but nobody follows them.

We do not have any policies or procedures in place.

Question 10 of 13

Question 11 of 13

Secure Remote Access

11.

Do you protect remote access (work from home, partners connecting to your network remotely) from unauthorized use? (Such as if a password for a VPN connection gets stolen)

Yes, we protect all remote access by enforcing 2FA on all remote sessions. All remote personnel accesses our network from corporate, protected devices.

We use VPN, but all employees use only a username/password combination which can be stolen and reused by hackers.

Question 11 of 13

Question 12 of 13

Advanced Endpoint Security

12.

Do you protect your computers, laptops, and mobile devices beyond just installing an antivirus on them?

Yes, antivirus (EDR) is just one of twelve security controls implemented on all our endpoints. Ransomware and hacking attacks have no place in our network!

We only have a centrally-managed antivirus as our defense against hackers.

We do not have a centrally-managed antivirus solution in our network, all users use free antivirus or none.

Question 12 of 13

Question 13 of 13

Security Monitoring

13.

Does your company have Security Monitoring in place?

Yes, we have both Security Monitoring tools in place and the team to monitor them. If an anomaly happens in our network we will see and respond to it before it causes any significant damage.

We have some security monitoring in place but don’t have a team dedicated to it. We are unsure if we will detect any anomaly in our network.

We do not have Security Monitoring in place. If something happens in our network, we will never know.