Cybersecurity Questionnaire

Cybersecurity Questionnaire
For each question, please answer Yes or No. For multi-part questions, if the answer to any part is 'No' please answer No. Please be as descriptive as possible and provide relevant documentation where available. These questions are designed to provide an overview of functional areas that may require extra attention and are not intended to provide a comprehensive evaluation of your cybersecurity program.
Company Name
Form Completed By

First NameLast Name
Email

Confirmation Emailexample@example.com
Phone Number
Please enter a valid phone number.Format: (000) 000-0000.
Company Info
Please enter the total number of employees.
Equipment/Device Info
Please enter the total number of devices, endpoints, and servers (physical & virtual).
- Is there a process in place for responding to alerts generated?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Does the company have a documented inventory of its information systems and assets?
- Comments
- Has each IT service been classified based on sensitivity and criticality?
- Comments
- Is there a policy/process for managing the hardware lifecycle, from purchase through proper disposal?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there an ongoing cybersecurity training program in place?
- Comments
- Are phishing campaigns conducted regularly?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a documented change management process in place?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Has there been a cyber incident that has resulted in financial or data loss in the last 3 years?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Do you currently have Cyber Insurance? If so, please describe the policy type and coverages.
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Are test restores from backup periodically performed?
- Comments
- Are all servers and/or data (stored or hosted) protected by backups?
- Comments
- Are the backups stored in more than one physical location, including an offsite?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is full disk encryption in place for servers and endpoints?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a solution in place providing email encryption when sending sensitive data?
- Comments
- Is there a dedicated email spam filter in place?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Are all login identity accounts controlled by a documented policy/process that covers onboarding, off-boarding, permission changes, and periodic audits?
- Comments
- Do you utilize any accounts that are shared across multiple users?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a documented Incident Response plan?
- Comments
- Are incident roles and responsibilities clearly defined and documented?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a documented step-by-step guide (runbook) for restoring services after an incident/outage?
- Comments
- Have recovery time and recovery point objectives been defined?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a SIEM or other audit log aggregation/retention method in place?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a mobile device management process/policy that prevents unauthorized access to company data?*
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Are all network identities protected by MFA?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Does the company have a network diagram with information flows?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a Next Gen (Behavior based or AI enabled) AV/EDR solution in place on every company endpoint?*
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a next generation firewall in place with intrusion detection services (IDS) and intrusion prevention services (IPS), content filtering, etc?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a process/procedure in place for patching computer devices and network equipment?*
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Has a penetration test been performed in the past 12 months? If so, please provide documentation.
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is physical access to critical systems controlled with auditing capabilities?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is DNS filtering in place?*
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a policy/process in place for allowing remote access to company resources?
- Comments
- Is remote access to company resources protected by MFA?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is the incident response plan tested (i.e. tabletop exercise, failover to backup environment) at least annually?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a policy/process in place for vetting the cybersecurity posture of a vendor/third-party before engaging with them?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a vulnerability management program in place?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a web security gateway in place?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Is there a 24/7 SOC in place monitoring for malicious activity?
- Comments
- Upload Supporting Documents Here
  
  Cancelof
- Should be Empty: