Understanding Your Business, Information,
Risk, and Threats
1. Do you have an information classification program
that helps your workforce members identify your
most important information, business processes,
and IT assets?
2. Do you have a process to collect and share back
threat intelligence?
Managing Your Risk
3. Do you have a process for keeping your systems
patched and managing vulnerabilities?
4. Do you have well-communicated Information Security
policies, procedures, and practices (e.g. multi-factor
authentication, encryption, etc.)?
5. Do you have a defined security architecture that
enables you to protect assets, detect events, and
respond to threats?
6. Are your security tools deployed efficiently and
effectively, providing maximum value without
duplication?
7. Does your information security program address
your Internet of Things, Industrial Control Systems,
Operational Technologies, and/or Digital Products?
Responding to Security Events & Breaches
8. Do you have enterprise incident response and
disaster recovery plan(s) that address cyber events
like ransomware, insider theft/sabotage, and denial
of service attacks?
9. Do you know what your first three actions would be
if a partner, customer, or law enforcement agency
informed you that you had been breached?
10. Have you practiced your response to a cyber incident
with current stakeholders and key participants?
Governing and Measuring Your Program
11. Do you know what you’re spending on security,
and how those resources/efforts are reducing your
information risk?
12. Do you have good answers when your board or
executive leaders ask how the current headline
affects your organization?
13. Do you know how many third parties have access
to your sensitive information, and that they are
protecting it well?
Workforce Awareness and Behavior Change
14. Do you know how susceptible your organization
is to phishing, social engineering, or physical
information theft?
15. Do you have an awareness program that engages
your workforce and creates positive change in
cybersecurity?
