# Risk Assessment and Security Questionnaire

* Read the organization's vision and mission
  * What are our organization's business requirements?
  * What are our risks?
  * SWOT analysis
  * Which things bring us down financially and legally?
  * What security controls do we currently have in place?
  * Which gap assessments have been conducted (last 3 years)?
  * What did we learn from them?
  * Which strategy are we following?
  * What metrics are we collecting to compare our growth?
  * What is our cyber budget?
  * What is our threat landscape?
  * Cyber security team roadmap and strategic plan for critical business operations
  * Identifying the stakeholders
  * Auditing supply chain risk management
  * Which audit policies are followed by the organization?
    * Internal audit
    * External audits
  * Risk assessment tools
    * Inventory of assets
      * Hardware
      * Software
    * Critical assets
    * Critical operations
    * Asset/data owners/custodians
    * Asset classifications
    * Prioritize risk remediation
* Understanding the current organization security environment and posture
  * Understanding critical information security issues faced by the organization
  * Initiating cyber security best practices
  * Developing a modern cyber security program with defense in depth and zero trust
  * Developing cyber security strategies to mitigate threats
  * Directing/managing
  * Asset management
    * High-value assets
    * Critical assets for operations
* Cyber physical security management
* Hardware security management
* IoT/OT/SCADA security management
* Cyber security operations
  * SIEM
    * Audit log management
  * SOC
    * SOC playbooks
  * SOAR
  * Incident response
    * Identifying
    * Containing
    * Eradicating
    * Recovering
  * Security breach management
    * Ransomware
    * Data loss
  * Shadow IT
* Cloud security management
  * Cloud security architecture
  * Cloud security tools
    * CASB, CWPP, CSPM
  * Security attacks
  * Cloud security frameworks
    * CSA, cloud adoption frameworks
    * Cloud computing policy
    * Cloud storage policy
  * Zero trust on cloud
* SecDevOps/DevSecOps/security engineering
  * Shift left with security in the DevOps pipeline
  * Security misconfigurations
  * Security automation
    * Infrastructure as code
* Data encryption
  * Symmetric
  * Asymmetric
  * Hashing
  * Encoding
  * Key exchange
  * Certificates
  * Digital signature
  * Data privacy
* Application security
* Secure coding and software development
* Security awareness
  * Security first
  * Security situational awareness
* Cryptography, data security and protection
* Vulnerability and patch management
  * Build
  * Audit
  * Review
* Network security/perimeter security
  * Layered security controls
  * NGFW, NSM, IDS/IPS, load balancers, proxies
  * VPN, IPsec
* Endpoint security
  * End-user security
  * EDR, XDR, HIDS/HIPS, EPP, FIM, sandboxing, whitelist/blocklist
  * Malware defense
* Cyber security governance, risk and compliance management
  * Risk assessment and management
  * Information security management
  * Security policies
    * Business continuity
    * Disaster recovery
  * Cyber security maturity models
* Cyber security architecture
  * Zero trust model
    * Zero trust network access
* Cyber security frameworks and controls
  * NIST Cybersecurity Framework
  * CIS Critical Security Controls
  * CMMC
  * NIST SP 800-171
  * NIST SP 800-53
  * ISO
* Cyber defense architecture and frameworks
  * MITRE ATT&CK
* Cyber security standards
* Cyber security reporting
* Cyber gap analysis
* Cyber security strategic plan
* Security workflow and relationships among multiple teams
* Cyber security budget management
* Cyber security team performance, growth and learning
* Penetration testing/red team
* Bring your own device policies
* Remote work policies
* Cyber security product and service SLAs
* Developing non-disclosure agreements
* Cyber threat landscape
  * Threat actors
  * Nation-state attacks
  * TTPs
  * Critical business operations
  * Stakeholders
* Organization business goals and vision
* Security metrics
  * Weekly
  * Monthly
  * Quarterly
* A few controls/areas on-prem and in the cloud
  * Physical security
  * Host security/client/endpoint protection
  * Network controls
  * Application security controls
  * Identity and access management
  * Data classification
* Risk frameworks
  * Security and risk management
  * Asset security
  * Security engineering
  * Communication and network security
  * Identity and access management
  * Security assessment and testing
  * Security operations
  * Software development security
Reference:

1. <https://learn.cisecurity.org/cis-cat-lite>
