Risk Assessment and Security Questionnaire

    • Read organization vision and Mission

      • What is our organization business requirements

    • what are our risks

      • SWOT Analysis

    • Which things bring us down financially and legally

    • what is our current security controls in place

    • which gap assessments conducted (last 3 years)

    • What do we learn from them

    • Which strategy we are following

    • what metrics we are collecting to compare our growth

    • What is our cyber budget

    • What is our threat landscape

    • Cyber security team roadmap and strategic plan for critical business operations

    • Identifying the stakeholders

    • Auditing Supply chain risk Management

    • Which audit policies are followed by org

      • Internal audit

      • External audits

    • Risk Assessment tools

      • Inventory of Assests

        • Hardware

        • Software

      • Critical assests

      • Critical Operations

      • Asset/Data owners/custodians

      • Asset classifications

      • Prioritize risk remediation

    • Understanding current organization security environment and posture

    • Understanding critical information security issues faced/facing by organization

    • Initiating cyber security best practices

    • Developing modern Cyber Security program with Defense in Depth and Zero Trust

    • Developing Cyber Security Strategies to mitigate threats

    • Directing/Managing

    • Asset Management

  • ○ High valued assets

  • ○ Critical assets for operations

  • - Cyber Physical Security Management

  • - Hardware Security Management

  • - IOT/OT/SCADA Security Management

  • Cyber Security Operations

    • SIEM

      • Audit log management

  • SOC

    • SOC Playbooks

  • SOAR

  • Incident Response

  • ▪ Identifying

  • ▪ Containing

  • ▪ Eradicating

  • ▪ recovering

  • Security breach management

  • ▪ Ransomware

  • ▪ Data loss

  • ○ Shadow IT

  • -

  • Cloud Security Management

  • ○ Cloud Security Architecture

  • Cloud Security tools

  • ▪ CASB, CWPP, CSPM

  • ○ Security attacks

  • Cloud security frameworks

  • ▪ CSA, cloud adoption frameworks

  • ▪ Cloud computing policy

  • ▪ Cloud storage policy

  • ○ Zero trust on cloud

  • -

  • SecDevOps/DevSecOps/Security Engineering

  • ○ Shift left with security in DevOps Pipeline

  • ○ Security Misconfigurations

  • Security automation

  • ▪ Infrastructure as code

  • Data Encryption

  • ▪ Symmetric

  • ▪ Asymmetric

  • ▪ Hashing

  • ▪ Encoding

  • Risk Assessment and Management

  • ▪ Encoding

  • ▪ Key exchange

  • ▪ Certificates

  • ▪ Digital signature

  • ○ Data Privacy

  • - Application Security

  • - Secure Coding and software development

  • Security Awareness

  • ○ Security First

  • ○ Security Situational Awareness

  • -

  • - Cryptography, Data Security and Protection

  • Vulnerability and Patch Management

  • ○ Build

  • ○ Audit

  • ○ Review

  • -

  • Network Security/Perimeter security

  • ○ Layered security controls

  • ○ NGFW, NSM, IDS/IPS, Load Balancers, Proxies,

  • ○ VPN, IPsec

  • -

  • Endpoint Security

  • ○ End-user Security

  • ○ EDR, XDR, HIDS,HIPS, EPP, FIM, Sandboxing, whitelist/blocklist

  • ○ Malware defense

  • -

  • Cyber Security Governance, Risk, Compliance Management

  • ○ Risk Assessment and Management

  • ○ Information security Management

  • Security policies

  • ▪ Business continuity

  • ▪ Disaster Recovery

  • ○ Cyber Security Maturity Models

  • -

  • Cyber Security Architecture

  • Zero Trust Model

  • ▪ Zero trust network access

  • -

  • Cyber Security Frameworks and controls

  • ○ NIST cyber security framework

  • ○ CIS critical controls

  • ○ CMMC

  • ○ NIST SP 800-171

  • ○ NIST SP 800-53

  • ○ ISO

  • -

  • Cyber Defense architecture and frameworks

  • ○ MITRE ATT&CK

  • -

  • - Cyber Security Standards

  • - Cyber Security Reporting

  • - Cyber Gap Analysis

  • - Cyber Security Strategic Plan

  • - Security workflow and relationships among multiple teams

  • - Cyber Security Budget Management

  • - Cyber Security Team performance, growth, learning

  • - Penetration Testing/Red Team

  • - Bring your own device policies

  • - Remote work policies

  • - Cyber Security product and services SLA's

  • New Section 1 Page 10

  • - Cyber Security product and services SLA's

  • - Developing Non-Disclosure Agreements

  • Cyber Threat Landscape

  • ○ Threat actors

  • ○ Nation state attacks

  • ○ TTP's

  • ○ Critical business operations

  • ○ Stakeholders

  • -

  • - Organization business goals and vision

  • Security metrics

  • ○ Weekly

  • ○ Monthly

  • ○ Quarterly

  • -

  • Few controls/areas on prem and cloud

  • - Physical Security

  • - Host Security/client/end point protection

  • - Network controls

  • - Application Security controls

  • - Identity and Access Management

  • - Data Classification

  • Risk Frameworks

  • - Security and risk management

  • - Asset Security

  • - Security Engineering

  • - Communication and Network Security

  • - Identity and Access Management

  • - Security Assessment and Testing

  • - Security Operations

  • - Software Development Security

  • Reference:

    1. https://learn.cisecurity.org/cis-cat-lite

PreviousCyber Security ArchitectureNextRansomware Prevention

Last updated

Was this helpful?