Cybersecurity Assessment Questionnaires

The document is a cybersecurity assessment questionnaire covering ten domains: Governance, Risk, and Compliance (GRC); Access Management; Network Security; Endpoint Security; Application Security; Data Protection; Security Monitoring; Cloud Security; Training; and Emerging Threats. Each section lists questions for evaluating an organization's cybersecurity policies, practices, and preparedness. The questionnaire is intended as a tool for assessing an organization's security posture and identifying areas for improvement.

Uploaded by: teeed

1. Governance, Risk, and Compliance (GRC)

- Security Policies and Procedures
  - Do you have an enterprise-wide cybersecurity policy? Is it regularly updated?
  - How is your cybersecurity policy communicated across the organization?
  - Are security standards aligned with industry frameworks (e.g., NIST, ISO 27001, CIS)?
- Risk Management
  - How do you assess and manage cybersecurity risks within the organization?
  - Do you conduct regular risk assessments? How frequently?
  - What risk management framework (e.g., FAIR, OCTAVE) do you use?
  - How do you handle third-party/vendor risk?
- Compliance and Regulatory Requirements
  - Are you compliant with applicable laws and regulations (GDPR, HIPAA, PCI DSS)?
  - How do you manage audit trails and logging for compliance purposes?
  - Have you been audited for cybersecurity practices in the past year?
- Incident Response and Business Continuity
  - Do you have an incident response (IR) plan in place? When was it last tested?
  - How do you ensure business continuity and disaster recovery in the event of a cybersecurity breach?
  - How often do you perform tabletop exercises or mock security incidents?

2. Access Management and Identity Control

- Identity and Access Management (IAM)
  - What identity management system do you use (e.g., Active Directory, Okta)?
  - Do you enforce Multi-Factor Authentication (MFA) for all users and administrators, including remote and privileged access?
  - How are user privileges granted, reviewed, and revoked (joiner, mover, leaver)?
  - What process do you follow for managing privileged access (e.g., for system administrators)?
  - Do you regularly audit access control lists (ACLs) and user accounts for appropriateness, including dormant and service accounts?
- Authentication and Authorization
  - Do you use Single Sign-On (SSO) solutions for application access?
  - What methods do you use for verifying user identity (biometrics, passwords, smart cards)?
  - How do you handle identity federation and role-based access control (RBAC)?
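
The IAM questions above ask for evidence rather than a yes/no answer. The following access-review check is an added example, not part of the questionnaire: it runs over a constructed account inventory and reports the findings an auditor would ask for (accounts without MFA, privileged accounts without MFA, stale accounts, and privileged accounts not on an approved list). The inventory, the 90-day staleness threshold, and the approved-admin list are assumptions for the example.

```python
"""
Added example (not part of the questionnaire): an access-review check that
produces evidence for the IAM questions above. The inventory below is a
constructed sample; the review thresholds and the approved-admin list are
assumptions, not requirements stated on the page.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Account:
    username: str
    privileged: bool            # holds an admin / privileged role
    mfa_enrolled: bool
    last_login: Optional[date]  # None = never signed in
    enabled: bool


# Constructed sample inventory (hypothetical users).
REVIEW_DATE = date(2024, 6, 30)
INVENTORY = [
    Account("alice",      True,  True,  date(2024, 6, 28), True),
    Account("bob",        False, True,  date(2024, 6, 1),  True),
    Account("carol",      True,  False, date(2024, 6, 29), True),   # admin without MFA
    Account("dave",       False, False, date(2024, 1, 15), True),   # stale and no MFA
    Account("svc_backup", True,  True,  None,              True),   # never used
    Account("erin",       False, True,  date(2023, 12, 1), False),  # disabled, skipped
]
# Assumed: the accounts authorised to hold privileged roles.
APPROVED_ADMINS = {"alice", "svc_backup"}
STALE_AFTER = timedelta(days=90)  # assumed review threshold


def review_access(inventory, approved_admins, review_date=REVIEW_DATE,
                  stale_after=STALE_AFTER):
    """Return a dict of findings keyed by check name; each value is a sorted
    list of usernames. Disabled accounts are skipped."""
    findings = {
        "no_mfa": [],
        "privileged_no_mfa": [],
        "stale": [],
        "unapproved_privileged": [],
    }
    for acct in inventory:
        if not acct.enabled:
            continue
        if not acct.mfa_enrolled:
            findings["no_mfa"].append(acct.username)
            if acct.privileged:
                findings["privileged_no_mfa"].append(acct.username)
        # Never-used accounts count as stale: they are unreviewed attack surface.
        if acct.last_login is None or review_date - acct.last_login > stale_after:
            findings["stale"].append(acct.username)
        if acct.privileged and acct.username not in approved_admins:
            findings["unapproved_privileged"].append(acct.username)
    return {k: sorted(v) for k, v in findings.items()}


def mfa_coverage(inventory):
    """Fraction of enabled accounts with MFA enrolled (0.0 to 1.0)."""
    enabled = [a for a in inventory if a.enabled]
    if not enabled:
        return 1.0
    return sum(a.mfa_enrolled for a in enabled) / len(enabled)


if __name__ == "__main__":
    for check, users in review_access(INVENTORY, APPROVED_ADMINS).items():
        print(f"{check}: {', '.join(users) or 'none'}")
    print(f"MFA coverage: {mfa_coverage(INVENTORY):.0%}")
```

In practice the inventory would be exported from the directory or identity provider; the point of the check is that each finding maps directly to a questionnaire item, so the answer is backed by a reproducible list rather than an assertion.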

3. Network Security

- Network Segmentation and Firewalls
  - How is your network segmented to protect critical assets and data?
  - What firewall configurations and rules do you have in place to prevent unauthorized access?
  - Are there firewalls in place between internal networks and external-facing systems?
- Intrusion Detection and Prevention Systems (IDS/IPS)
  - Do you have an IDS/IPS in place? How are alerts monitored and responded to?
  - How do you protect your network from Distributed Denial of Service (DDoS) attacks?
- Secure Network Architecture
  - Do you regularly perform network vulnerability assessments and penetration tests?
  - How do you ensure secure configuration of your routers, switches, and other network devices?
  - Do you use Virtual Private Networks (VPNs) or other encrypted channels for remote access?

4. Endpoint Security

- Antivirus and Endpoint Detection and Response (EDR)
  - Do you have antivirus/antimalware protection on all endpoints (servers, desktops, mobile devices)?
  - What endpoint detection and response (EDR) solutions do you have in place for real-time threat detection?
  - How do you manage and monitor software patches and updates on endpoints?
- Mobile Device Management (MDM)
  - Do you have an MDM solution in place for managing mobile devices (smartphones, tablets)?
  - How do you secure and control employee-owned devices (BYOD)?
  - Do you enforce mobile device encryption and remote wipe capabilities?
- USB and External Media Security
  - Do you restrict the use of USB devices and other external media on company systems?
  - What controls are in place to prevent malware from entering the network via external media?

5. Application Security

- Secure Software Development Lifecycle (SDLC)
  - Do you have a secure software development lifecycle (SDLC) in place for building and deploying applications?
  - Are secure coding practices followed to prevent vulnerabilities (e.g., SQL injection, cross-site scripting)?
  - How do you perform code reviews and vulnerability testing (static and dynamic analysis)?
- Application Security Testing
  - Do you regularly perform penetration tests or vulnerability assessments on your applications?
  - How do you monitor and secure your web applications against attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF)?
  - Are third-party applications or services assessed for security vulnerabilities?
- Third-party Integrations and APIs
  - How do you secure and monitor third-party APIs and integrations?
  - Do you conduct security assessments of third-party services before integrating them into your systems?

6. Data Protection and Privacy

- Data Encryption
  - Do you encrypt sensitive data both at rest and in transit?
  - What encryption algorithms and key lengths do you use (e.g., AES-256 at rest, TLS 1.2 or later in transit)?
  - How do you manage encryption keys (generation, storage, rotation, and revocation)?
- Data Retention and Disposal
  - How do you ensure proper data retention and secure disposal practices?
  - Do you have procedures for securely deleting sensitive data when it is no longer needed?
- Privacy Controls
  - How do you comply with privacy regulations (GDPR, CCPA)?
  - Do you conduct regular data privacy impact assessments?
  - How do you handle and protect personally identifiable information (PII)?

7. Security Monitoring and Logging

- Security Information and Event Management (SIEM)
  - Do you use a SIEM system to aggregate and analyze security data from your network, endpoints, and applications?
  - How do you monitor for suspicious activity and potential threats?
  - How long do you retain security logs, and how are they protected against tampering and unauthorized access?
- Incident Detection and Response
  - How do you detect, analyze, and respond to cybersecurity incidents in real time?
  - What role do Security Operations Centers (SOC) or Managed Detection and Response (MDR) services play in your organization?
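
The retention and log-protection question above is usually answered with a number of days and the phrase "logs are write-once", neither of which is checkable on its own. The following added example (not from the questionnaire) shows two checks a reviewer can run: a keyed hash chain that makes edits, deletions or reordering of stored log records detectable, and a retention-window calculation over the stored records. The log lines, the signing key and the retention requirement are constructed for the example.

```python
"""
Added example (not from the questionnaire): a tamper-evident log chain and a
retention check, illustrating the kind of evidence the logging questions
above ask for. Log lines, the key and the retention window are constructed
assumptions for this example.
"""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample log lines (syslog-like; hypothetical hosts and users).
LOG_LINES = [
    "2024-03-02T08:15:01Z host1 sshd: Accepted publickey for alice from 10.0.0.5",
    "2024-03-20T23:41:07Z host1 sudo: bob : COMMAND=/usr/bin/less /var/log/auth.log",
    "2024-05-11T12:00:43Z host2 sshd: Failed password for root from 203.0.113.9",
    "2024-06-29T09:03:12Z host2 sshd: Accepted password for carol from 10.0.0.7",
]
# Assumed: a secret held by the log collector, never by the hosts writing logs,
# so a compromised host cannot re-sign history.
SIGNING_KEY = b"example-key-do-not-use-in-production"
GENESIS = b"\x00" * 32  # fixed starting value for the chain


def _tag(key, prev_tag, line):
    """HMAC-SHA256 over the previous tag concatenated with the record."""
    return hmac.new(key, prev_tag + line.encode(), hashlib.sha256).digest()


def build_chain(lines, key=SIGNING_KEY):
    """Return [(line, tag_hex)] where each tag covers the line AND the previous
    tag, so editing, deleting or reordering any earlier record invalidates
    every later tag."""
    prev = GENESIS
    chain = []
    for line in lines:
        prev = _tag(key, prev, line)
        chain.append((line, prev.hex()))
    return chain


def verify_chain(chain, key=SIGNING_KEY):
    """Return the index of the first record whose tag fails to verify,
    or -1 if the whole chain is intact."""
    prev = GENESIS
    for i, (line, tag_hex) in enumerate(chain):
        expected = _tag(key, prev, line)
        if not hmac.compare_digest(expected, bytes.fromhex(tag_hex)):
            return i
        prev = expected
    return -1


def retention_days(lines):
    """Days spanned between the oldest and newest record; the timestamp is
    assumed to be the first whitespace-separated token in ISO 8601 UTC."""
    stamps = [
        datetime.strptime(line.split(" ", 1)[0], "%Y-%m-%dT%H:%M:%SZ")
        .replace(tzinfo=timezone.utc)
        for line in lines
    ]
    return (max(stamps) - min(stamps)).days


def meets_retention(lines, required_days):
    """True if the stored records cover at least the required window."""
    return retention_days(lines) >= required_days


if __name__ == "__main__":
    chain = build_chain(LOG_LINES)
    print("chain intact:", verify_chain(chain) == -1)
    # Simulate an attacker rewriting the failed-login record in place.
    tampered = list(chain)
    tampered[2] = (tampered[2][0].replace("Failed", "Accepted"), tampered[2][1])
    print("first bad record after edit:", verify_chain(tampered))
    # Simulate deletion of the sudo record: every later tag breaks.
    print("first bad record after deletion:", verify_chain(chain[:1] + chain[2:]))
    print("retention days covered:", retention_days(LOG_LINES))
```

The chain only detects tampering; it does not prevent it, and it is only as strong as the secrecy of the collector's key. Truncating the tail of the chain is not detected by `verify_chain` alone, so the latest tag should also be published or forwarded somewhere the log writer cannot reach, which is the same reason the question asks where and how logs are protected, not just for how long.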

8. Cloud Security

- Cloud Security Posture Management (CSPM)
  - What steps have you taken to secure your cloud environments (AWS, Azure, Google Cloud)?
  - How do you ensure the security of cloud storage, computing, and networking resources?
- Cloud Access Security Broker (CASB)
  - Do you use a CASB to monitor and control access to cloud services?
  - How do you ensure the secure use of SaaS, PaaS, and IaaS services?

9. Training and Awareness

- Employee Training
  - Do you conduct regular cybersecurity awareness training for all employees?
  - How do you ensure employees recognize phishing, social engineering, and other common attacks?
  - Are there specific training programs for IT and security personnel?
- Security Culture
  - How do you foster a security-conscious culture within your organization?
  - Do you incentivize reporting of security incidents and potential vulnerabilities?

10. Emerging Threats and Advanced Security Measures

- Threat Intelligence
  - Do you use external threat intelligence feeds to stay informed of current cybersecurity trends?
  - How do you integrate threat intelligence into your detection and prevention systems?
- Zero Trust Architecture
  - Have you implemented a Zero Trust security model within your organization?
  - How do you continuously verify users, devices, and applications before granting and while maintaining access?
- AI/ML in Security
  - Are you leveraging AI/ML technologies for threat detection or automation in security tasks?
  - How do you ensure that AI/ML models are secure and not vulnerable to manipulation (e.g., adversarial inputs, training-data poisoning, prompt injection)?
