Gap Assessment - Cyber Security Questionnaire Form

Cyber Risk Gap Assessment
Company Name
Date Completed

MonthDayYear
Name

First NameLast Name
Email
example@example.com
Phone Number
Please enter a valid phone number.Format: (000) 000-0000.
1. Is cyber security discussed at a management / board level?
If no, please provide any equivalent actions:
2. Do you currently have cyber insurance?
3. Do you have an internal person and/or external company who is responsible for your organization's cyber security?
4. Do you have a process to audit 3rd parties for their cybersecurity resilience before sharing confidential information?
If no, please provide any equivalent actions:
5. Do you have an inventory of all devices / phones / computers and details of what confidential information each holds related to our business?
If no, please provide any equivalent actions:
6. Do you have encryption enabled on all devices and a policy to ensure that all new devices have encryption enabled by default?
If no, please provide any equivalent actions:
7. Do you centralize management and configuration of all computers?
If no, please provide any equivalent actions:
8. Do you monitor network traffic for abnormal activity?
If no, please provide any equivalent actions:
9. Do you store access and activity logs for firewalls, servers, workstations and any other network connected devices to investigate a breach should one occur?
If no, please provide any equivalent actions:
10. Have you performed a penetration test in the past 18 months?
If no, please provide any equivalent actions:
11. Do you have any intrusion detection/prevention systems in place?
If no, please provide any equivalent actions:
12. Do you have an internal or external provider regularly applying software patches/system updates?
If no, please provide any equivalent actions:
13. Do you use a Password Manager?
If no, please provide any equivalent actions:
14. Do you have a Password Policy and Procedure in place?
If no, please provide any equivalent actions:
15. Do you enforce two-factor authentication on applications that have access to sensitive information?
If no, please provide any equivalent actions:
16. Do you have SPAM and anti-virus filtering enabled for inbound email?
If no, please provide any equivalent actions:
17. Do you have an acceptable use polices that includes the usage of Company email and internet?
If no, please provide any equivalent actions:
18. Do you have an active next generation anti-virus/malware service?
If no, please provide any equivalent actions:
19. Do your staff complete Cyber Security Awareness/Phishing Training regularly throughout the year (at least quarterly)?
If no, please provide any equivalent actions:
20. Do you have a VPN setup for staff to connect to the office remotely?
If no, please provide any equivalent actions:
21. Do you perform regular backups of computers and servers?
If no, please provide any equivalent actions:
22. Are your backups segregated from network to protect against a ransomware attack?
If no, please provide any equivalent actions:
23. Do you use removable media regularly?
If no, please provide any equivalent actions:
24. Does your organization perform a formal annual risk assessment?
If no, please provide any equivalent actions:
25. Have you specifically investigated your legal risk, related to a cyber security event?
If no, please provide any equivalent actions:
26. Do you have a basic plan of action (incident response plan) that outlines roles and responsibilities should you experience a cyber incident?
If no, please provide any equivalent actions:
Should be Empty: