Cybersecurity Risk Baseline v2022.09

These survey questions are based on the essential cybersecurity controls that help companies avoid hacks and minimize business impact during cybersecurity events. Responses will provide a general sense of your company’s cybersecurity environment and should be validated through actual program and control inspection.

A risk baseline report will be provided with a cybersecurity maturity score, based solely on this attestation, along with control implications in areas where cybersecurity controls may need improvement.


Questions?  Contact us at https://www.itegriti.com

ITEGRITI protects some of the nation’s most critical infrastructure, serving clients in energy, healthcare, transportation, education, retail and financial sectors. We have developed and implemented programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event.

 

* 1. Contact Information (where the report will be sent)

* 2. Company background

* 3. IT/Cybersecurity Regulatory Obligations

* 4. Cybersecurity Insurance

Classification legend:
  0 Non-Existent: Nothing in place
  1 Initial: Undocumented practices are followed
  2 Repeatable: Procedures are documented
  3 Defined: Documented procedures have been incorporated in corporate processes
  4 Managed: Processes are monitored and measured

* 5. Asset Inventory: Hardware and Software

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  A list of cyber hardware and software is maintained
  Cyber hardware and software lists are validated regularly to ensure completeness and accuracy of the population

* 6. Asset Baselines, Hardening and Change Management

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  A list of hardware and software configuration settings is maintained
  Security settings on hardware and software assets are established consistently for like devices, with unnecessary software, login IDs, and services disabled
  Only authorized and tested changes are made to the production environment

* 7. Vulnerability Management

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  Security updates and patches for hardware and software assets are tested and applied in a timely manner
  Anti-malware is installed, and signature updates are tested and applied in a timely manner
  Vulnerability assessments are performed and the necessary corrective measures are implemented

* 8. Access and Account Management

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  Users are granted approved access to systems and information repositories only as required by their responsibilities or role
  Administrator and privileged user accounts are used only when needed, and never for regular logon
  Strong passwords are required and changed at regular intervals
  User access and access levels are reviewed on a regular basis
  Unneeded user access is terminated in a timely manner

* 9. Information Management and Protection

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  Information classification is defined and formal repositories have been established
  Confidential information is maintained only in established, limited-access information repositories
  Data is backed up on a regular basis and stored securely

* 10. Boundary Defense: Electronic and Physical Security

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  Corporate and operational networks are segregated, with limited and monitored exchange of information between them
  Wireless access is configured securely and never allowed in operational networks
  Electronic access to cyber network, server and control hardware is limited and restricted
  Physical access to cyber network, server and control hardware is limited and restricted to authorized individuals only

* 11. Incident Management and Review

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  Event logging is enabled on hardware and software assets
  Logs are reviewed to identify and investigate concerns
  Response to cybersecurity incidents follows a defined communication and response process
  Incident response and recovery plans are developed and tested

* 12. Security Awareness and Training

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  All users receive cybersecurity training addressing acceptable use and common risks
  Cybersecurity awareness materials are posted or distributed on a regular basis

* 13. Supply Chain Management

Rate each statement: 0 Non-Existent / 1 Initial / 2 Repeatable / 3 Defined / 4 Managed
  Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs
  A program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer
  Third-party access is controlled and monitored

* 14. Questions or comments

SSL/TLS encryption is enabled to keep survey data safe.

Survey responses are kept confidential.

Survey responses are reviewed by Certified Information Systems Auditors (CISA) or Certified Information Security Managers (CISM) who have passed Personnel Risk Assessments (PRA) that include identity validation and criminal background checks.

© 2016.  Cybersecurity assessment survey, questions and methodology are proprietary and property of ITEGRITI Corporation.  All rights reserved.
