Cyber Essentials Risk Assessment Questionnaire

Thank you for taking the time to participate in this risk assessment process. The goal of this assessment is to identify your security strengths and weaknesses and to advise you on the improvements you should consider for your security posture. The assessment and your results are aligned with cyber insurability standards and the NIST Cybersecurity Framework (CSF 2.0), and they show how your business compares with other firms of similar size, location, and industry.
Please enter your name. (Required)
Provide your external IP range(s) for all locations and data centers (one IP range per line). (Required)
List each domain your business has in production (one domain per line). (Required)

Identity and Access Management (IAM)

This section evaluates how effectively your organization controls access to sensitive systems and data, ensuring only authorized personnel can access key resources.
Do you enforce role-based access control (RBAC) for sensitive systems and data? (Required)
Is multi-factor authentication (MFA) required for all privileged accounts and remote access? (Required)
Are user permissions reviewed and updated at least every 90 days? (Required)
Are all privileged accounts (e.g., admin accounts) inventoried and monitored for unusual behavior? (Required)
Is local administrator access restricted to essential personnel? (Required)

Backup and Recovery Planning

This section assesses your organization's capability to recover data and systems in the event of an incident, ensuring business continuity.
Have you tested successful restoration from backups in the past 6 months? (Required)
Are your backups encrypted and stored in an air-gapped/offline solution? (Required)
Do you have a documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO)? (Required)
Is backup access protected with credentials and MFA separate from those used for other systems? (Required)

Cloud Security and Governance

This section examines the security and governance of your cloud services and infrastructure, ensuring sensitive data is properly protected in cloud environments.
Is MFA enforced for access to all cloud-based systems? (Required)
Are your cloud-hosted services and data encrypted at rest and in transit? (Required)
Do you periodically back up cloud-hosted services (e.g., CRM, general ledger, HR)? (Required)
Are cloud environments segmented to separate sensitive data from less critical systems? (Required)

Security Awareness and Training

This section reviews the training programs in place to ensure that employees understand their role in maintaining cybersecurity.
Do you conduct annual cybersecurity awareness training for all employees? (Required)
Have you conducted a simulated phishing exercise within the last year? (Required)
Do you provide specialized training for employees involved in financial transactions, such as wire transfers? (Required)

Incident Response and Cybersecurity Preparedness

This section evaluates your organization's preparedness to respond effectively to cybersecurity incidents and recover from them.
Do you have a documented Incident Response Plan (IRP) that covers ransomware and network intrusions? (Required)
Have you tested your incident response and disaster recovery plans within the last 12 months? (Required)
Is there a designated individual responsible for vendor security evaluations and updates? (Required)
Have you completed a cybersecurity incident response tabletop exercise in the last year? (Required)

Data Security and Protection

This section focuses on how your organization protects sensitive data from unauthorized access, loss, or breach.
Is sensitive data encrypted both at rest and in transit? (Required)
Do you maintain an inventory of critical data assets, and are they classified based on sensitivity? (Required)
Are portable devices that access sensitive data (laptops, phones, tablets) encrypted? (Required)
Do you have a data destruction policy for obsolete data and hardware? (Required)

Email and Communication Security

This section assesses how well your organization protects against email-based threats and ensures the secure transmission of sensitive information.
Does your email system support SPF, DKIM, and DMARC to prevent email spoofing and phishing? (Required)
Are employees trained on email encryption policies, and do you enforce encryption for sensitive emails? (Required)
Is there a system in place to scan attachments and links for malicious content? (Required)

Endpoint Detection and Response (EDR)

This section evaluates the tools and processes in place to detect, prevent, and respond to threats on end-user devices.
Do you have an Endpoint Protection Platform (EPP) and/or Endpoint Detection and Response (EDR) solution deployed across all devices? (Required)
Is your EDR solution configured to be automatically updated and monitored? (Required)
Have you replaced all end-of-life software, and do you track software for security vulnerabilities? (Required)

Perimeter and Firewall Security

This section reviews the effectiveness of your perimeter defenses, including firewalls, to protect the network from external threats.
Does your firewall provide intrusion detection (IDS) and intrusion prevention (IPS) capabilities? (Required)
Are firewall rules reviewed at least twice a year for accuracy and security risks? (Required)
Is remote access to the network allowed only via encrypted VPN with MFA? (Required)

Network Security and Monitoring

This section looks at how your organization monitors and secures its internal network to detect and respond to suspicious activities.
Do you conduct third-party penetration testing and security assessments annually? (Required)
Is internal vulnerability scanning performed at least every 90 days? (Required)
Are network and storage logs monitored and reviewed at least every 30 days? (Required)

Software Asset Management and Patch Management

This section assesses how your organization manages software inventories and applies security patches to minimize vulnerabilities.
Is all software tracked in a centralized inventory, and are patches for critical vulnerabilities applied within 3 days? (Required)
Do you have a documented patching policy that includes testing before deployment? (Required)
Is obsolete software replaced and removed from all systems? (Required)

Physical Security Controls

This section evaluates the physical controls in place to prevent unauthorized access to sensitive systems and data.
Are physical security controls in place to restrict access to servers and sensitive records? (Required)
Are employees trained on protecting portable devices (laptops, phones) from physical theft? (Required)
Do you have a process for securely disposing of hard-copy records and hardware containing sensitive data? (Required)

Privacy and Data Protection Compliance

This section examines how your organization handles data privacy, compliance with regulations, and the protection of personal information.
Do you have a publicly available privacy policy, and has it been reviewed by legal counsel? (Required)
Are you compliant with all relevant data privacy regulations (e.g., GDPR, CCPA)? (Required)
Is there a designated Privacy Officer responsible for overseeing privacy policies and procedures?

Vendor Risk Management

This section evaluates how you assess and manage the security posture of third-party vendors with access to your systems and data.
Do you require vendors to carry cyber liability insurance? (Required)
Are vendor access rights reviewed at least once per quarter? (Required)
Do you have formal agreements in place with all vendors that handle sensitive information? (Required)
Is there an annual review of vendor security and agreements?
Do you require vendors to meet specific cybersecurity standards before they are granted access to your systems? (Required)