Instructions & Guidance
Stridium provides cybersecurity expertise and on-demand resources to small and medium-sized organizations to help them meet the challenges of preventing a costly data breach while demonstrating due diligence around protecting their systems, people and information. According to NIST, “Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.” Stridium works with its clients to help them understand the nature and severity of the risks they have related to their use of information technology assets.
The 20 questions in this assessment are designed to provide an understanding of the information you collect, and of the requirements and associated security measures in place for protecting this information. In some cases, the security measure described may be provided by a third-party provider. Please answer the following questions to the best of your knowledge, and please check that your phone number is correct, because we will use this number to contact you about the free security scan after you submit your assessment.
Personal information, also referred to as Personally Identifiable Information (PII), is defined as any data that could potentially identify a specific individual. This information is typically collected from customers, donors, members, and business partners.
All U.S. businesses are required to protect personal information that they collect. This question pertains to requirements above and beyond that. Examples would be the HIPAA regulation for healthcare companies, PCI DSS requirements for credit card information, or contractual agreements to protect information shared by business partners.
Phishing emails are a primary way that hackers gain access to your systems, by tricking an employee into clicking a link in what they believe to be a legitimate email. This generally executes malware code that exploits some well-known system vulnerability to allow the hacker to control the system or access accounts.
Security policy is how management conveys their intent for how company systems and information are to be protected.
Strong passwords are passwords that are at least 8 characters long and include a number or a special character, such as !, @, #, $, or %.
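The following is an added example (not part of the original assessment or Stridium's materials) that checks a candidate password against the policy stated above and reports which rule it fails. It goes slightly beyond the page's definition: the set of special characters is an assumed superset of the page's examples, and it also rejects a small constructed deny-list of common passwords, since a password that satisfies the length and character rules can still be trivially guessable.

```python
# Password policy check: at least 8 characters and at least one digit or
# special character (the rule stated on the page), plus an assumed deny-list.
MIN_LENGTH = 8

# Assumption: the page only lists ! @ # $ % as examples; this set is broader.
SPECIAL_CHARS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~")

# Constructed deny-list for illustration; a real deployment would use a
# breached-password list far larger than this.
COMMON_PASSWORDS = {"password", "password1", "12345678", "qwerty123"}


def password_problems(password):
    """Return a list of policy rules the password fails (empty list = passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in SPECIAL_CHARS for c in password)
    if not (has_digit or has_special):
        problems.append("no number or special character")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def is_strong(password):
    """True only when no policy rule is violated."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ["abc", "longpassword", "longpass1", "password1", "Tr0ub4dor&3"]:
        print(candidate, "->", password_problems(candidate) or "OK")
```

The function returns the list of failed rules rather than a bare boolean so the message shown to a user (or logged by an administrator testing a policy) explains exactly what to change.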
Externally facing systems are any systems reachable from a public network, such as the Internet, and include web servers and remote access servers. 2-factor authentication is when a system requires a second identifier in addition to a password. Examples are hard- or soft-tokens, or authentication that sends a PIN to your mobile device that must be entered to connect.
A password management tool is a specialized application that stores system and application passwords in an encrypted and secured manner and is itself protected by a separate master password.
A system security scan, or penetration test (pentest), is performed (usually by an outside vendor) to detect vulnerabilities in any systems that can be reached via the Internet, and to exploit these systems (without causing damage to systems or applications) in an effort to determine what damage an outside attacker could do to compromise these targets.
Vulnerability scans are usually performed on internal systems to determine if there are any known system or application vulnerabilities that could be exploited by an attacker to gain access to a system or its information.
Patching (or updating the version of) software helps eliminate known vulnerabilities in the software that attackers can exploit to compromise your systems and steal your information.
System backups make copies of your production data and store them so they can be restored in case of data loss due to a data breach or system failure. Data stored offsite would include tapes shipped to a different long-term storage location, or data backed up to a storage device in another location, such as an Internet storage provider.
Network and server devices typically can be configured to create log files containing events occurring on the device. These logs can either be reviewed manually or sent to a log collection device or Security Information and Event Management (SIEM) system and analyzed in an automated manner to detect suspicious activities that may indicate the presence of an attack, allowing you to take appropriate action.
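As an added example (not code from the original page or from Stridium), the following script shows the kind of automated analysis a log collector or SIEM performs: it parses a handful of constructed SSH authentication log lines and raises an alert when one source address accumulates repeated failed logins inside a short window, and a second alert if a login from that same source then succeeds. The log lines, addresses, threshold and window are all assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a syslog/sshd-like format (not real logs).
SAMPLE_LOG = """\
Mar 10 09:14:01 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52110 ssh2
Mar 10 09:14:03 srv1 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 52111 ssh2
Mar 10 09:14:05 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 52112 ssh2
Mar 10 09:14:08 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 52113 ssh2
Mar 10 09:14:10 srv1 sshd[2211]: Failed password for root from 203.0.113.7 port 52114 ssh2
Mar 10 09:14:12 srv1 sshd[2211]: Accepted password for root from 203.0.113.7 port 52115 ssh2
Mar 10 09:20:44 srv1 sshd[2300]: Failed password for alice from 198.51.100.9 port 40001 ssh2
Mar 10 09:21:02 srv1 sshd[2301]: Accepted publickey for alice from 198.51.100.9 port 40002 ssh2
"""

# Pattern for the two event types we care about; other lines are ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[\d.]+) port \d+"
)


def parse_line(line, year=2024):
    """Turn one log line into a dict, or None if it is not an auth event.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m["ts"]), "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_brute_force(lines, threshold=5, window=timedelta(minutes=5)):
    """Return a list of alerts. A source is flagged once it reaches
    `threshold` failures within `window`; a later success from a flagged
    source produces a second, higher-severity alert."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    recent_failures = defaultdict(list)  # src -> timestamps inside the window
    flagged = set()
    alerts = []
    for e in events:
        if e["result"] == "Failed":
            q = recent_failures[e["src"]]
            q.append(e["ts"])
            # Slide the window: discard failures older than `window`.
            while q and e["ts"] - q[0] > window:
                q.pop(0)
            if len(q) >= threshold and e["src"] not in flagged:
                flagged.add(e["src"])
                alerts.append({"type": "brute_force", "src": e["src"],
                               "count": len(q), "at": e["ts"]})
        elif e["src"] in flagged:
            alerts.append({"type": "success_after_failures", "src": e["src"],
                           "user": e["user"], "at": e["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_brute_force(SAMPLE_LOG.splitlines()):
        print(alert)
```

The single failed login for `alice` followed by a successful key-based login never reaches the threshold and produces no alert, which is the behaviour you want: the point of sending logs to a collector is to surface the pattern (many failures, then a success) rather than every individual failure.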
Anti-virus software uses signatures to look for known malware. It can be set to update these signatures automatically or manually.
Email scanners inspect incoming email to detect and prevent messages containing spam and malware from being delivered.
These systems go beyond basic firewall protection to detect and/or block Internet-based attacks. Examples include Intrusion Detection/Prevention (IDS/IPS), Behavioral Anomaly Detection, Secure Web Gateway, and Unified Threat Management (UTM).
Data encryption protects data by making it unreadable to anyone without the encryption key used to encrypt the data. It is most often used to control access to stored data or applied to data being transmitted over public networks (such as the Internet) so it cannot be viewed in transit by unauthorized parties.
Data Loss Prevention (DLP) software detects sensitive data (e.g., personal information) and allows you to apply a policy dictating where it can be sent (e.g., only to those authorized to access it) and where it can be stored (e.g., only in a certain folder or storage device).
A security incident response plan covers how security incidents (such as data breaches) are identified and eradicated, how affected systems and data are recovered, and who needs to be notified and how they are to be notified.
Cyber liability insurance is a specialized type of insurance that can cover expenses such as customer notification, fraud and credit monitoring services, cyber extortion reimbursement, and legal expenses, including lawyer fees and any damages.
Think about who is responsible for dealing with implementing security measures and dealing with security events at your organization. Can they dedicate at least half of their time to these tasks?