cybersecurity . compliance . managed services

Cybersecurity Risk Baseline v2022.09

These survey questions are based on the essential cybersecurity controls that help companies avoid hacks and minimize business impact during cybersecurity events. Responses will provide a general sense of your company’s cybersecurity environment and should be validated through actual program and control inspection.

A risk baseline report will be provided with a cybersecurity maturity score, based solely on this attestation, along with control implications in areas where cybersecurity controls may need improvement.

Questions? Contact us at https://www.itegriti.com

ITEGRITI protects some of the nation’s most critical infrastructure, serving clients in energy, healthcare, transportation, education, retail and financial sectors. We have developed and implemented programs that mitigate cyber and compliance risk, supported by internal controls to measure, monitor and report ongoing program effectiveness. Our programs help companies avoid hacks and minimize business impact during a cybersecurity event.

Question Title

* 1. Contact Information (where the report will be sent)

Name

Company

City/Town

State/Province

ZIP/Postal Code

Email Address

Phone Number

Question Title

* 2. Company background

Industry

Business and services in U.S. only or multi-national

Approximate number of employees

Question Title

* 3. IT/Cybersecurity Regulatory Obligations

NERC CIP

TSA SD2

NRC/NEI

HIPAA

PCI

SOX

GDPR

Other (please specify)

Question Title

* 4. Cybersecurity Insurance

Already purchased

Evaluating vendors

Evaluating need

No interest or not in budget

Classification legend:
0 Non-Existent: Nothing in place

1 Initial: Undocumented practices are followed

2 Repeatable: Procedures are documented

3 Defined: Documented procedures have been incorporated in corporate processes

4 Managed: Processes are monitored and measured

Question Title

* 5. Asset Inventory: Hardware and Software

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
A list of cyber hardware and software is maintained	A list of cyber hardware and software is maintained 0 Non-Existent	A list of cyber hardware and software is maintained 1 Initial	A list of cyber hardware and software is maintained 2 Repeatable	A list of cyber hardware and software is maintained 3 Defined	A list of cyber hardware and software is maintained 4 Managed
Cyber hardware and software lists are validated regularly to ensure completeness and accuracy of population	Cyber hardware and software lists are validated regularly to ensure completeness and accuracy of population 0 Non-Existent	Cyber hardware and software lists are validated regularly to ensure completeness and accuracy of population 1 Initial	Cyber hardware and software lists are validated regularly to ensure completeness and accuracy of population 2 Repeatable	Cyber hardware and software lists are validated regularly to ensure completeness and accuracy of population 3 Defined	Cyber hardware and software lists are validated regularly to ensure completeness and accuracy of population 4 Managed

Question Title

* 6. Asset Baselines, Hardening and Change Management

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
A list of hardware and software configuration settings are maintained	A list of hardware and software configuration settings are maintained 0 Non-Existent	A list of hardware and software configuration settings are maintained 1 Initial	A list of hardware and software configuration settings are maintained 2 Repeatable	A list of hardware and software configuration settings are maintained 3 Defined	A list of hardware and software configuration settings are maintained 4 Managed
Security settings on hardware and software assets are established for like devices, with unnecessary software, login ids, and services disabled	Security settings on hardware and software assets are established for like devices, with unnecessary software, login ids, and services disabled 0 Non-Existent	Security settings on hardware and software assets are established for like devices, with unnecessary software, login ids, and services disabled 1 Initial	Security settings on hardware and software assets are established for like devices, with unnecessary software, login ids, and services disabled 2 Repeatable	Security settings on hardware and software assets are established for like devices, with unnecessary software, login ids, and services disabled 3 Defined	Security settings on hardware and software assets are established for like devices, with unnecessary software, login ids, and services disabled 4 Managed
Only authorized and tested changes are made to the production environment	Only authorized and tested changes are made to the production environment 0 Non-Existent	Only authorized and tested changes are made to the production environment 1 Initial	Only authorized and tested changes are made to the production environment 2 Repeatable	Only authorized and tested changes are made to the production environment 3 Defined	Only authorized and tested changes are made to the production environment 4 Managed

Question Title

* 7. Vulnerability Management

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
Security updates and patches for hardware and software assets are tested and applied timely	Security updates and patches for hardware and software assets are tested and applied timely 0 Non-Existent	Security updates and patches for hardware and software assets are tested and applied timely 1 Initial	Security updates and patches for hardware and software assets are tested and applied timely 2 Repeatable	Security updates and patches for hardware and software assets are tested and applied timely 3 Defined	Security updates and patches for hardware and software assets are tested and applied timely 4 Managed
Anti-malware is installed and signature updates are tested and applied timely	Anti-malware is installed and signature updates are tested and applied timely 0 Non-Existent	Anti-malware is installed and signature updates are tested and applied timely 1 Initial	Anti-malware is installed and signature updates are tested and applied timely 2 Repeatable	Anti-malware is installed and signature updates are tested and applied timely 3 Defined	Anti-malware is installed and signature updates are tested and applied timely 4 Managed
Vulnerability assessments are performed and necessary corrective measures are implemented	Vulnerability assessments are performed and necessary corrective measures are implemented 0 Non-Existent	Vulnerability assessments are performed and necessary corrective measures are implemented 1 Initial	Vulnerability assessments are performed and necessary corrective measures are implemented 2 Repeatable	Vulnerability assessments are performed and necessary corrective measures are implemented 3 Defined	Vulnerability assessments are performed and necessary corrective measures are implemented 4 Managed

Question Title

* 8. Access and Account Management

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
Users are granted approved access to systems and information repositories as required by their responsibilities or role	Users are granted approved access to systems and information repositories as required by their responsibilities or role 0 Non-Existent	Users are granted approved access to systems and information repositories as required by their responsibilities or role 1 Initial	Users are granted approved access to systems and information repositories as required by their responsibilities or role 2 Repeatable	Users are granted approved access to systems and information repositories as required by their responsibilities or role 3 Defined	Users are granted approved access to systems and information repositories as required by their responsibilities or role 4 Managed
Administrator and privilege user accounts are used only when needed, and never for regular logon	Administrator and privilege user accounts are used only when needed, and never for regular logon 0 Non-Existent	Administrator and privilege user accounts are used only when needed, and never for regular logon 1 Initial	Administrator and privilege user accounts are used only when needed, and never for regular logon 2 Repeatable	Administrator and privilege user accounts are used only when needed, and never for regular logon 3 Defined	Administrator and privilege user accounts are used only when needed, and never for regular logon 4 Managed
Strong passwords are required and changed on regular intervals	Strong passwords are required and changed on regular intervals 0 Non-Existent	Strong passwords are required and changed on regular intervals 1 Initial	Strong passwords are required and changed on regular intervals 2 Repeatable	Strong passwords are required and changed on regular intervals 3 Defined	Strong passwords are required and changed on regular intervals 4 Managed
User access and access levels are reviewed on a regular basis	User access and access levels are reviewed on a regular basis 0 Non-Existent	User access and access levels are reviewed on a regular basis 1 Initial	User access and access levels are reviewed on a regular basis 2 Repeatable	User access and access levels are reviewed on a regular basis 3 Defined	User access and access levels are reviewed on a regular basis 4 Managed
Unneeded user access is terminated in a timely manner	Unneeded user access is terminated in a timely manner 0 Non-Existent	Unneeded user access is terminated in a timely manner 1 Initial	Unneeded user access is terminated in a timely manner 2 Repeatable	Unneeded user access is terminated in a timely manner 3 Defined	Unneeded user access is terminated in a timely manner 4 Managed

Question Title

* 9. Information Management and Protection

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
Information classification is defined and formal repositories have been established	Information classification is defined and formal repositories have been established 0 Non-Existent	Information classification is defined and formal repositories have been established 1 Initial	Information classification is defined and formal repositories have been established 2 Repeatable	Information classification is defined and formal repositories have been established 3 Defined	Information classification is defined and formal repositories have been established 4 Managed
Confidential information is maintained only in established, limited access information repositories	Confidential information is maintained only in established, limited access information repositories 0 Non-Existent	Confidential information is maintained only in established, limited access information repositories 1 Initial	Confidential information is maintained only in established, limited access information repositories 2 Repeatable	Confidential information is maintained only in established, limited access information repositories 3 Defined	Confidential information is maintained only in established, limited access information repositories 4 Managed
Data is backed up on a regular basis and stored securely	Data is backed up on a regular basis and stored securely 0 Non-Existent	Data is backed up on a regular basis and stored securely 1 Initial	Data is backed up on a regular basis and stored securely 2 Repeatable	Data is backed up on a regular basis and stored securely 3 Defined	Data is backed up on a regular basis and stored securely 4 Managed

Question Title

* 10. Boundary Defense: Electronic and Physical Security

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
Corporate and operational networks are segregated with limited and monitored exchange of information	Corporate and operational networks are segregated with limited and monitored exchange of information 0 Non-Existent	Corporate and operational networks are segregated with limited and monitored exchange of information 1 Initial	Corporate and operational networks are segregated with limited and monitored exchange of information 2 Repeatable	Corporate and operational networks are segregated with limited and monitored exchange of information 3 Defined	Corporate and operational networks are segregated with limited and monitored exchange of information 4 Managed
Wireless access is configured securely and never allowed in operational networks	Wireless access is configured securely and never allowed in operational networks 0 Non-Existent	Wireless access is configured securely and never allowed in operational networks 1 Initial	Wireless access is configured securely and never allowed in operational networks 2 Repeatable	Wireless access is configured securely and never allowed in operational networks 3 Defined	Wireless access is configured securely and never allowed in operational networks 4 Managed
Electronic access to cyber network, server and control hardware is limited and restricted	Electronic access to cyber network, server and control hardware is limited and restricted 0 Non-Existent	Electronic access to cyber network, server and control hardware is limited and restricted 1 Initial	Electronic access to cyber network, server and control hardware is limited and restricted 2 Repeatable	Electronic access to cyber network, server and control hardware is limited and restricted 3 Defined	Electronic access to cyber network, server and control hardware is limited and restricted 4 Managed
Physical access to cyber network, server and control hardware is limited and restricted to only authorized individuals	Physical access to cyber network, server and control hardware is limited and restricted to only authorized individuals 0 Non-Existent	Physical access to cyber network, server and control hardware is limited and restricted to only authorized individuals 1 Initial	Physical access to cyber network, server and control hardware is limited and restricted to only authorized individuals 2 Repeatable	Physical access to cyber network, server and control hardware is limited and restricted to only authorized individuals 3 Defined	Physical access to cyber network, server and control hardware is limited and restricted to only authorized individuals 4 Managed

Question Title

* 11. Incident Management and Review

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
Event logging is enabled on hardware and software assets	Event logging is enabled on hardware and software assets 0 Non-Existent	Event logging is enabled on hardware and software assets 1 Initial	Event logging is enabled on hardware and software assets 2 Repeatable	Event logging is enabled on hardware and software assets 3 Defined	Event logging is enabled on hardware and software assets 4 Managed
Logs are reviewed to identify and investigate concerns	Logs are reviewed to identify and investigate concerns 0 Non-Existent	Logs are reviewed to identify and investigate concerns 1 Initial	Logs are reviewed to identify and investigate concerns 2 Repeatable	Logs are reviewed to identify and investigate concerns 3 Defined	Logs are reviewed to identify and investigate concerns 4 Managed
Response to cybersecurity incidents follows a defined communication and response process	Response to cybersecurity incidents follows a defined communication and response process 0 Non-Existent	Response to cybersecurity incidents follows a defined communication and response process 1 Initial	Response to cybersecurity incidents follows a defined communication and response process 2 Repeatable	Response to cybersecurity incidents follows a defined communication and response process 3 Defined	Response to cybersecurity incidents follows a defined communication and response process 4 Managed
Incident response and recovery plans are developed and tested	Incident response and recovery plans are developed and tested 0 Non-Existent	Incident response and recovery plans are developed and tested 1 Initial	Incident response and recovery plans are developed and tested 2 Repeatable	Incident response and recovery plans are developed and tested 3 Defined	Incident response and recovery plans are developed and tested 4 Managed

Question Title

* 12. Security Awareness and Training

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
All users receive cybersecurity training addressing acceptable use and common risks	All users receive cybersecurity training addressing acceptable use and common risks 0 Non-Existent	All users receive cybersecurity training addressing acceptable use and common risks 1 Initial	All users receive cybersecurity training addressing acceptable use and common risks 2 Repeatable	All users receive cybersecurity training addressing acceptable use and common risks 3 Defined	All users receive cybersecurity training addressing acceptable use and common risks 4 Managed
Cybersecurity awareness materials are posted or distributed on a regular basis	Cybersecurity awareness materials are posted or distributed on a regular basis 0 Non-Existent	Cybersecurity awareness materials are posted or distributed on a regular basis 1 Initial	Cybersecurity awareness materials are posted or distributed on a regular basis 2 Repeatable	Cybersecurity awareness materials are posted or distributed on a regular basis 3 Defined	Cybersecurity awareness materials are posted or distributed on a regular basis 4 Managed

Question Title

* 13. Supply Chain Management

	0 Non-Existent	1 Initial	2 Repeatable	3 Defined	4 Managed
Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs	Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs 0 Non-Existent	Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs 1 Initial	Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs 2 Repeatable	Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs 3 Defined	Vendors that provide, connect to, or support hardware and software attest to the effectiveness of their cybersecurity programs 4 Managed
Program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer	Program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer 0 Non-Existent	Program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer 1 Initial	Program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer 2 Repeatable	Program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer 3 Defined	Program is in place to purchase hardware only from the manufacturer directly or through resellers authorized and certified by the equipment manufacturer 4 Managed
Third party access is controlled and monitored	Third party access is controlled and monitored 0 Non-Existent	Third party access is controlled and monitored 1 Initial	Third party access is controlled and monitored 2 Repeatable	Third party access is controlled and monitored 3 Defined	Third party access is controlled and monitored 4 Managed

Question Title

* 14. Questions or comments

SSL/TLS encryption is enabled to keep survey data safe.

Survey responses are kept confidential.

Survey responses are reviewed by Certified Information Systems Auditors (CISA) or Certified Information Security Managers (CISM) that have passed Personnel Risk Assessments (PRA) that include identity validation and criminal background checks.

© 2016. Cybersecurity assessment survey, questions and methodology are proprietary and property of ITEGRITI Corporation. All rights reserved.