Survey Form

Respondent details: Name (First, Last), Job Title, Company Name, Location, Number of employees (50 – 250, 251 – 500, 501 – 1,000, 1,000 – 5,000, 5,001+).

Each question below is answered Yes or No.

1. Do you have someone internally responsible for your information security program (i.e. CIO, CISO, etc.)?
2. Are people in the organization assigned to specific cyber security roles and responsibilities?
3. Is the status of the Information Security program reported to the board of directors on at least an annual basis?
4. Does the budgeting process include information security related expenses and tools?
5. Does the organization maintain an inventory of organizational assets (e.g., hardware, software, data, and systems hosted internally or in public/hybrid cloud)?
6. Does the organization prioritize assets based on criticality or value to the business?
7. Is someone in the organization assigned accountability to maintain the inventory of organizational assets?
8. Does the organization have a formal change management process to request and approve changes to the systems?
9. Has the organization ever conducted a risk assessment of its information technology?
10. Does the risk assessment identify high-risk assets that require additional security controls?
11. Is the risk assessment updated at least annually or when major changes occur?
12. Are all users required to complete annual security awareness training?
13. Does the annual information security training include incident response, cyber threats (e.g., phishing, social engineering, and mobile security) and emerging issues?
14. Do you conduct phishing testing of your users at least quarterly?
15. Does management hold employees accountable for complying with the information security program?
16. Do you subscribe to any industry commercial or public threat intelligence or cyber threat feeds?
17. Is threat intelligence information used to monitor for threats and vulnerabilities in the environment?
18. Do you use threat intelligence information to enhance your risk management or your cyber security controls?
19. Do you centrally collect and store logs via a SIEM or a Log Management platform?
20. Do you leverage logs for threat detection (alerting, correlation, IoC sweeps, threat hunting, etc.)?
21. Do you have a Detection and Response process that ensures someone investigates, assesses, and documents each alert?
22. Does monitoring occur on a 24/7/365 basis to review all events?
23. Do you have network perimeter defense tools in place at all Internet access points?
24. Do you deploy system hardening standards to all servers, desktops, and network infrastructure?
25. Do you control which users are allowed to make configuration changes?
26. Do you require all wireless networks to have strong encryption and authentication settings?
27. Do you review/audit your firewall configurations at least annually?
28. Is multi-factor authentication (MFA) enabled for all critical business functions (i.e., remote access, admin access, email, etc.)?
29. Do you perform internal vulnerability scans monthly?
30. Do you perform external vulnerability scans weekly?
31. Do you perform an annual internal and external penetration test?
32. Do you have endpoint protection (EPP) or endpoint detection and response (EDR) on all endpoints in the organization?
33. Do you use any form of phishing protection (enterprise email security, sandboxing, email tagging, etc.)?
34. Are you able to monitor user activity to determine the presence of malicious user activity or insider threats?
35. Do you monitor the use of privileged user (admin) accounts for potential abuse?
36. Do you have a process to baseline normal system and network activity on your network?
37. Do you have escalation procedures in place to alert internal stakeholders of potential attacks/threats identified through monitoring?
38. Do you have processes to detect unauthorized or rogue devices on the network?
39. Do you have a formal patch management program?
40. Are patches tested before being applied to systems?
41. Is there a process in place to review patch management reports or missing patches?
42. Do you have a formal third-party risk assessment process?
43. Does your third-party risk assessment process require you to perform due diligence on prospective third parties prior to contracts being signed?
44. Does your third-party risk process require you to maintain a list of all your third-party service providers?
45. Does your third-party risk process require you to perform a risk analysis of your third-party vendors based on risk?
46. Do you have a documented incident response plan?
47. Are employees trained on the proper communication channels to report an incident in a timely manner?
48. Are roles and responsibilities for incident response team members defined in a plan?
49. Do you have a Cyber Insurance policy in place?
50. Does a formal backup and recovery plan exist for all critical business lines?
51. Is your incident response plan tested annually?
52. Does your incident response testing include third parties like your SOC provider or Incident Response firms?
53. Do you routinely check the viability of the backups you have?
54. Do you have procedures for containing incidents to prevent further damage from an incident?
55. Do you have a business resumption process that details ways to restore operations?