Cybersecurity Questionnaire

Cybersecurity Questionnaire
For each question, please answer Yes or No. For multi-part questions, if the answer to any part is 'No' please answer No. Please be as descriptive as possible and provide relevant documentation where available. These questions are designed to provide an overview of functional areas that may require extra attention and are not intended to provide a comprehensive evaluation of your cybersecurity program.
Company Name*
Form Completed By*

First NameLast Name
Email*

Confirmation Emailexample@example.com
Phone Number
Please enter a valid phone number.
Company Info
Please enter the total number of employees.
Equipment/Device Info
Please enter the total number of devices, endpoints, and servers (physical & virtual).

ASSET MANAGEMENT
Does the company have a documented inventory of its information systems and assets?*

YesNoN/A
Comments*
Has each IT service been classified based on sensitivity and criticality?*

YesNoN/A
Comments*
Is there a policy/process for managing the hardware lifecycle, from purchase through proper disposal?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

CYBER INCIDENT
Has there been a cyber incident that has resulted in financial or data loss in the last 3 years?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

CYBER INSURANCE
Do you currently have Cyber Insurance? If so, please describe the policy type and coverages.*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

DATA BACKUP
Are test restores from backup periodically performed?*

YesNoN/A
Comments*
Are all servers and/or data (stored or hosted) protected by backups?*

YesNoN/A
Comments*
Are the backups stored in more than one physical location, including an offsite?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

EMAIL SECURITY GATEWAY
Is there a solution in place providing email encryption when sending sensitive data?*

YesNoN/A
Comments*
Is there a dedicated email spam filter in place?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

IDENTITY AND ACCESS MANAGEMENT
Are all login identity accounts controlled by a documented policy/process that covers onboarding, off-boarding, permission changes, and periodic audits?*

YesNoN/A
Comments*
Do you utilize any accounts that are shared across multiple users?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

INCIDENT RESPONSE PLANNING
Is there a documented Incident Response plan?*

YesNoN/A
Comments*
Are incident roles and responsibilities clearly defined and documented?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

IT RECOVERY PLAN
Is there a documented step-by-step guide (runbook) for restoring services after an incident/outage?*

YesNoN/A
Comments*
Have recovery time and recovery point objectives been defined?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

LOG MANAGEMENT
Is there a SIEM or other audit log aggregation/retention method in place?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

MOBILE DEVICE MANAGEMENT
Is there a mobile device management process/policy that prevents unauthorized access to company data?**

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

NEXT GEN AV/EDR
Is there a Next Gen (Behavior based or AI enabled) AV/EDR solution in place on every company endpoint?**

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

NEXT GENERATION FIREWALL
Is there a next generation firewall in place with intrusion detection services (IDS) and intrusion prevention services (IPS), content filtering, etc?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

PATCH MANAGEMENT
Is there a process/procedure in place for patching computer devices and network equipment?* *

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

PENETRATION TESTING
Has a penetration test been performed in the past 12 months? If so, please provide documentation.*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

PHYSICAL ACCESS
Is physical access to critical systems controlled with auditing capabilities?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

REMOTE ACCESS
Is there a policy/process in place for allowing remote access to company resources?*

YesNoN/A
Comments*
Is remote access to company resources protected by MFA?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

TABLETOP EXERCISES
Is the incident response plan tested (i.e. tabletop exercise, failover to backup environment) at least annually?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof

VENDOR MANAGEMENT
Is there a policy/process in place for vetting the cybersecurity posture of a vendor/third-party before engaging with them?*

YesNoN/A
Comments*
Upload Supporting Documents Here

Cancelof