Risk Assessment and Security Questionnaire

• • Read organization vision and Mission

  • • What is our organization business requirements

  • what are our risks

  • • SWOT Analysis

  • Which things bring us down financially and legally

  • what is our current security controls in place

  • which gap assessments conducted (last 3 years)

  • What do we learn from them

  • Which strategy we are following

  • what metrics we are collecting to compare our growth

  • What is our cyber budget

  • What is our threat landscape

  • Cyber security team roadmap and strategic plan for critical business operations

  • Identifying the stakeholders

  • Auditing Supply chain risk Management

  • Which audit policies are followed by org

  • • Internal audit

    • External audits

  • Risk Assessment tools

  • • Inventory of Assests

    • • Hardware

      • Software

    • Critical assests

    • Critical Operations

    • Asset/Data owners/custodians

    • Asset classifications

    • Prioritize risk remediation

• • Understanding current organization security environment and posture

  • Understanding critical information security issues faced/facing by organization

  • Initiating cyber security best practices

  • Developing modern Cyber Security program with Defense in Depth and Zero Trust

  • Developing Cyber Security Strategies to mitigate threats

  • Directing/Managing

  • Asset Management

• ○ High valued assets

• ○ Critical assets for operations

• - Cyber Physical Security Management

• - Hardware Security Management

• - IOT/OT/SCADA Security Management

• Cyber Security Operations

• • SIEM

  • • Audit log management

• SOC

• • SOC Playbooks

• SOAR

• Incident Response

• ▪ Identifying

• ▪ Containing

• ▪ Eradicating

• ▪ recovering

• Security breach management

• ▪ Ransomware

• ▪ Data loss

• ○

• ○ Shadow IT

• -

• Cloud Security Management

• ○ Cloud Security Architecture

• Cloud Security tools

• ▪ CASB, CWPP, CSPM

• ○

• ○ Security attacks

• Cloud security frameworks

• ▪ CSA, cloud adoption frameworks

• ▪ Cloud computing policy

• ▪ Cloud storage policy

• ○

• ○ Zero trust on cloud

• -

• SecDevOps/DevSecOps/Security Engineering

• ○ Shift left with security in DevOps Pipeline

• ○ Security Misconfigurations

• Security automation

• ▪ Infrastructure as code

• ○

• Data Encryption

• ▪ Symmetric

• ▪ Asymmetric

• ▪ Hashing

• ▪ Encoding

• Risk Assessment and Management

• ▪ Encoding

• ▪ Key exchange

• ▪ Certificates

• ▪ Digital signature

• ○ Data Privacy

• - Application Security

• - Secure Coding and software development

• Security Awareness

• ○ Security First

• ○ Security Situational Awareness

• -

• - Cryptography, Data Security and Protection

• Vulnerability and Patch Management

• ○ Build

• ○ Audit

• ○ Review

• -

• Network Security/Perimeter security

• ○ Layered security controls

• ○ NGFW, NSM, IDS/IPS, Load Balancers, Proxies,

• ○ VPN, IPsec

• -

• Endpoint Security

• ○ End-user Security

• ○ EDR, XDR, HIDS,HIPS, EPP, FIM, Sandboxing, whitelist/blocklist

• ○ Malware defense

• -

• Cyber Security Governance, Risk, Compliance Management

• ○ Risk Assessment and Management

• ○ Information security Management

• Security policies

• ▪ Business continuity

• ▪ Disaster Recovery

• ○

• ○ Cyber Security Maturity Models

• -

• Cyber Security Architecture

• Zero Trust Model

• ▪ Zero trust network access

• ○

• -

• Cyber Security Frameworks and controls

• ○ NIST cyber security framework

• ○ CIS critical controls

• ○ CMMC

• ○ NIST SP 800-171

• ○ NIST SP 800-53

• ○ ISO

• -

• Cyber Defense architecture and frameworks

• ○ MITRE ATT&CK

• -

• - Cyber Security Standards

• - Cyber Security Reporting

• - Cyber Gap Analysis

• - Cyber Security Strategic Plan

• - Security workflow and relationships among multiple teams

• - Cyber Security Budget Management

• - Cyber Security Team performance, growth, learning

• - Penetration Testing/Red Team

• - Bring your own device policies

• - Remote work policies

• - Cyber Security product and services SLA's

• New Section 1 Page 10

• - Cyber Security product and services SLA's

• - Developing Non-Disclosure Agreements

• Cyber Threat Landscape

• ○ Threat actors

• ○ Nation state attacks

• ○ TTP's

• ○ Critical business operations

• ○ Stakeholders

• -

• - Organization business goals and vision

• Security metrics

• ○ Weekly

• ○ Monthly

• ○ Quarterly

• -

• Few controls/areas on prem and cloud

• - Physical Security

• - Host Security/client/end point protection

• - Network controls

• - Application Security controls

• - Identity and Access Management

• - Data Classification

• Risk Frameworks

• - Security and risk management

• - Asset Security

• - Security Engineering

• - Communication and Network Security

• - Identity and Access Management

• - Security Assessment and Testing

• - Security Operations

• - Software Development Security

• Reference:

• 1. https://learn.cisecurity.org/cis-cat-lite