# Risk Assessment and Security Questionnaire

* Read the organization's vision and mission
  * What are the organization's business requirements?
  * What are our risks?
  * SWOT analysis
  * Which events would hurt us financially or legally?
  * What security controls are currently in place?
  * Which gap assessments were conducted in the last three years?
  * What did we learn from them?
  * Which strategy are we following?
  * Which metrics are we collecting to measure our progress?
  * What is our cyber security budget?
  * What is our threat landscape?
  * Cyber security team roadmap and strategic plan for critical business operations
  * Identifying the stakeholders
  * Auditing supply chain risk management
  * Which audit policies does the organization follow?
    * Internal audits
    * External audits
  * Risk assessment tools
    * Inventory of assets
      * Hardware
      * Software
    * Critical assets
    * Critical operations
    * Asset/data owners and custodians
    * Asset classifications
    * Prioritize risk remediation
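The last items of the checklist (asset inventory, owners, classification, prioritized remediation) are what a risk register actually operates on. The following is an added example, not code from the original page: it scores a small constructed inventory with the common qualitative likelihood x impact matrix (1-5 scales, inherent risk 1-25), discounts by the effectiveness of controls already in place to get residual risk, and orders remediation by residual risk with ties broken by operational criticality and data classification. The asset names, threats, scores and the risk-level thresholds are all assumed sample values.

```python
"""Added example, not from the original page: a small risk register that scores an
asset inventory and orders remediation. Scoring: inherent = likelihood x impact on
1-5 scales; residual = inherent x (1 - control effectiveness). All assets, threats,
scores and level thresholds below are constructed / assumed."""
from dataclasses import dataclass

CLASS_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Asset:
    name: str
    kind: str                 # hardware | software | data
    owner: str                # accountable asset/data owner
    classification: str       # a key of CLASS_RANK
    critical_operation: bool  # does it support a critical business operation?


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: str
    likelihood: int               # 1 rare .. 5 almost certain
    impact: int                   # 1 negligible .. 5 severe
    control_effectiveness: float  # 0.0 no control .. 1.0 fully mitigating

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be on a 1-5 scale")
        if not 0.0 <= self.control_effectiveness <= 1.0:
            raise ValueError("control effectiveness must be between 0 and 1")
        if self.asset.classification not in CLASS_RANK:
            raise ValueError(f"unknown classification {self.asset.classification!r}")

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> float:
        return self.inherent() * (1.0 - self.control_effectiveness)


def risk_level(score: float) -> str:
    """Assumed policy thresholds for a 1-25 matrix."""
    if score >= 15:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Highest residual risk first; ties go to critical operations, then higher classification."""
    return sorted(
        risks,
        key=lambda r: (r.residual(), r.asset.critical_operation, CLASS_RANK[r.asset.classification]),
        reverse=True,
    )


def sample_register():
    """Constructed sample inventory: one asset per kind, mixed classifications."""
    erp = Asset("erp-db", "data", "finance", "restricted", True)
    site = Asset("marketing-site", "software", "marketing", "public", False)
    laptops = Asset("hr-laptops", "hardware", "hr", "confidential", False)
    plc = Asset("plc-controller", "hardware", "plant-ops", "internal", True)
    return [
        Risk(erp, "ransomware encrypts production database", 4, 5, 0.5),    # tested offline backups
        Risk(site, "defacement through unpatched CMS", 4, 2, 0.0),          # no control yet
        Risk(laptops, "lost or stolen device exposes HR data", 3, 4, 0.75),  # full-disk encryption
        Risk(plc, "unauthorised remote access to OT network", 2, 5, 0.2),   # partial segmentation
    ]


def remediation_plan(risks=None):
    """Rows of (asset, owner, threat, inherent, residual, level) in remediation order."""
    rows = []
    for r in prioritize(risks or sample_register()):
        rows.append((r.asset.name, r.asset.owner, r.threat, r.inherent(), r.residual(),
                     risk_level(r.residual())))
    return rows


if __name__ == "__main__":
    for name, owner, threat, inh, res, level in remediation_plan():
        print(f"{level:8} residual={res:4.1f} inherent={inh:2} {name:15} ({owner}) {threat}")
```

Note how the tie between the marketing site and the PLC (both residual 8) is resolved in favour of the asset that supports a critical operation, and how a strong existing control (full-disk encryption) pushes an otherwise significant risk to the bottom of the list; the register records the owner so each row has someone accountable for the fix.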
* Understanding the organization's current security environment and posture
  * Understanding the critical information security issues the organization has faced and is facing
  * Initiating cyber security best practices
  * Developing a modern cyber security program built on defense in depth and zero trust
  * Developing cyber security strategies to mitigate threats
  * Directing and managing
* Asset Management
  * High-value assets
  * Critical assets for operations
  * Cyber-physical security management
  * Hardware security management
  * IoT/OT/SCADA security management
* Cyber Security Operations
  * SIEM
    * Audit log management
  * SOC
    * SOC playbooks
  * SOAR
  * Incident response
    * Identifying
    * Containing
    * Eradicating
    * Recovering
* Security breach management
  * Ransomware
  * Data loss
  * Shadow IT
* Cloud Security Management
  * Cloud security architecture
  * Cloud security tools
    * CASB, CWPP, CSPM
  * Security attacks
  * Cloud security frameworks
    * CSA, cloud adoption frameworks
    * Cloud computing policy
    * Cloud storage policy
  * Zero trust in the cloud
* SecDevOps/DevSecOps/Security Engineering
  * Shift left: security in the DevOps pipeline
  * Security misconfigurations
  * Security automation
    * Infrastructure as code
* Cryptography, Data Security and Protection
  * Data encryption
    * Symmetric
    * Asymmetric
    * Hashing
    * Encoding (reversible without any key, so not a security control on its own)
    * Key exchange
    * Certificates
    * Digital signatures
  * Data privacy
* Application Security
  * Secure coding and software development
* Security Awareness
  * Security first
  * Security situational awareness
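The cryptography bullets above are often confused with one another in questionnaires (encoding listed as if it were encryption, hashing used where a keyed MAC is needed). The following is an added example, not code from the original page, that puts encoding, hashing, a keyed MAC, Diffie-Hellman key exchange, HKDF key derivation and authenticated symmetric encryption side by side using only the Python standard library. Asymmetric signatures and certificates need a library such as `cryptography` and are left out. The DH group is the 2048-bit MODP group from RFC 3526 (group 14); the stream cipher is a PRF-based illustration of the symmetric primitive and not a substitute for AES-GCM or ChaCha20-Poly1305; the message, salt and label strings are constructed.

```python
"""Added example, not from the original page: encoding vs hashing vs MAC vs key exchange
vs symmetric encryption, standard library only. The HMAC-counter stream cipher is
illustrative; use AES-GCM/ChaCha20-Poly1305 from a vetted library in production."""
import base64
import hashlib
import hmac
import secrets

# 2048-bit MODP group from RFC 3526 (group 14): prime P with generator 2.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def encode(data: bytes) -> str:
    """Encoding: anyone can reverse it; it gives no confidentiality or integrity."""
    return base64.b64encode(data).decode()

def digest(data: bytes) -> str:
    """Hashing: one-way and keyless; detects accidental change, not a deliberate one."""
    return hashlib.sha256(data).hexdigest()

def mac(key: bytes, data: bytes) -> bytes:
    """Keyed MAC: integrity and origin for whoever holds the key."""
    return hmac.new(key, data, hashlib.sha256).digest()

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2          # private exponent in [2, P-2]
    return priv, pow(G, priv, P)

def dh_shared(priv: int, peer_pub: int) -> bytes:
    if not 2 <= peer_pub <= P - 2:               # reject 0, 1 and P-1 (degenerate values)
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P).to_bytes((P.bit_length() + 7) // 8, "big")

def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 extract-then-expand: turns the raw DH secret into fixed-size keys."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: HMAC-SHA256 in counter mode as a keystream, XORed over the data,
    so one call both encrypts and decrypts. Illustrative construction only."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(-(-len(data) // 32)))
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with split keys; output is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = xor_stream(key[:32], nonce, plaintext)
    return nonce + ct + mac(key[32:], nonce + ct)

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, mac(key[32:], nonce + ct)):
        raise ValueError("authentication failed: ciphertext was modified")
    return xor_stream(key[:32], nonce, ct)

def demo() -> dict:
    """Two parties agree a secret, derive keys from it and exchange an authenticated message."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    key_a = hkdf_sha256(dh_shared(a_priv, b_pub), b"constructed-salt", b"session", 64)
    key_b = hkdf_sha256(dh_shared(b_priv, a_pub), b"constructed-salt", b"session", 64)
    msg = b"quarterly risk register"                 # constructed sample message
    blob = encrypt(key_a, msg)
    tampered = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]   # flip one ciphertext bit
    try:
        decrypt(key_b, tampered)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {
        "keys_match": key_a == key_b,
        "roundtrip": decrypt(key_b, blob) == msg,
        "tamper_detected": tamper_detected,
        "encoding_is_reversible": base64.b64decode(encode(msg)) == msg,
        "hash_changes_on_one_bit": digest(msg) != digest(msg[:-1] + b"s"),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Two details worth checking in any real implementation are visible here: the peer's public value is validated before use (0, 1 and P-1 would collapse the shared secret to a known value), and the raw DH output is never used as a key directly but passed through HKDF into separate encryption and MAC keys.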
* Vulnerability and Patch Management
  * Build
  * Audit
  * Review
* Network Security/Perimeter Security
  * Layered security controls
  * NGFW, NSM, IDS/IPS, load balancers, proxies
  * VPN, IPsec
* Endpoint Security
  * End-user security
  * EDR, XDR, HIDS/HIPS, EPP, FIM, sandboxing, allowlist/blocklist
  * Malware defense
* Cyber Security Governance, Risk and Compliance Management
  * Risk assessment and management
  * Information security management
  * Security policies
    * Business continuity
    * Disaster recovery
  * Cyber security maturity models
* Cyber Security Architecture
  * Zero trust model
    * Zero trust network access
* Cyber Security Frameworks and Controls
  * NIST Cybersecurity Framework
  * CIS Critical Security Controls
  * CMMC
  * NIST SP 800-171
  * NIST SP 800-53
  * ISO (e.g. ISO/IEC 27001)
* Cyber Defense Architecture and Frameworks
  * MITRE ATT\&CK
* Cyber Security Standards
* Cyber Security Reporting
* Cyber Gap Analysis
* Cyber Security Strategic Plan
* Security workflow and relationships among multiple teams
* Cyber Security Budget Management
* Cyber Security Team performance, growth and learning
* Penetration Testing/Red Team
* Bring-your-own-device policies
* Remote work policies
* Cyber security product and service SLAs
* Developing non-disclosure agreements
* Cyber Threat Landscape
  * Threat actors
  * Nation-state attacks
  * TTPs
  * Critical business operations
  * Stakeholders
* Organization business goals and vision
* Security Metrics
  * Weekly
  * Monthly
  * Quarterly
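Weekly, monthly and quarterly metrics only mean something if the same computation is run over the same kind of window each time. The following is an added example, not code from the original page: it computes vulnerability-management metrics (findings opened and closed, mean time to remediate, share closed within SLA, open findings past SLA) per severity for a window ending on a given date, with the window derived from the reporting cadence. The per-severity SLA targets and the findings are constructed sample values; substitute your own policy and data.

```python
"""Added example, not from the original page: vulnerability-management metrics for a
weekly, monthly or quarterly reporting window. SLA_DAYS and SAMPLE_FINDINGS are
assumed / constructed values."""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean
from typing import Optional

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}  # assumed policy


@dataclass(frozen=True)
class Finding:
    fid: str
    severity: str
    discovered: date
    remediated: Optional[date] = None  # None = still open

    def age_days(self, as_of: date) -> int:
        """Days from discovery to remediation, or to `as_of` while still open."""
        return ((self.remediated or as_of) - self.discovered).days

    def sla_breached(self, as_of: date) -> bool:
        return self.age_days(as_of) > SLA_DAYS[self.severity]


def period_start(end: date, cadence: str) -> date:
    """First day of the reporting window that ends on `end`."""
    if cadence == "weekly":
        return end - timedelta(days=6)
    if cadence == "monthly":
        return end.replace(day=1)
    if cadence == "quarterly":
        return end.replace(month=3 * ((end.month - 1) // 3) + 1, day=1)
    raise ValueError(f"unknown cadence {cadence!r}")


def period_metrics(findings, start: date, end: date) -> dict:
    """Per severity: opened/closed in the window, mean time to remediate for those
    closed in it, share of those closed within SLA, and open findings past SLA."""
    report = {}
    for sev in SLA_DAYS:
        mine = [f for f in findings if f.severity == sev]
        opened = [f for f in mine if start <= f.discovered <= end]
        closed = [f for f in mine if f.remediated and start <= f.remediated <= end]
        still_open = [f for f in mine if f.remediated is None]
        report[sev] = {
            "opened": len(opened),
            "closed": len(closed),
            "mttr_days": round(mean(f.age_days(end) for f in closed), 1) if closed else None,
            "closed_within_sla": (sum(not f.sla_breached(end) for f in closed) / len(closed)
                                  if closed else None),
            "open_past_sla": sum(f.sla_breached(end) for f in still_open),
        }
    return report


# Constructed sample data: one quarter of scanner and pentest findings.
SAMPLE_FINDINGS = [
    Finding("VULN-1", "critical", date(2024, 3, 1), date(2024, 3, 5)),
    Finding("VULN-2", "critical", date(2024, 3, 10), date(2024, 3, 20)),  # 10 days: past SLA
    Finding("VULN-3", "high", date(2024, 2, 15), date(2024, 3, 2)),
    Finding("VULN-4", "high", date(2024, 2, 1)),                           # still open, past SLA
    Finding("VULN-5", "medium", date(2024, 3, 20)),                        # still open, within SLA
    Finding("VULN-6", "low", date(2024, 1, 10), date(2024, 3, 15)),
]


def report(findings=SAMPLE_FINDINGS, end=date(2024, 3, 31), cadence="monthly") -> dict:
    return period_metrics(findings, period_start(end, cadence), end)


if __name__ == "__main__":
    for sev, m in report().items():
        print(sev, m)
```

The two figures a steering committee usually asks for are "closed within SLA" (a rate, comparable across periods) and "open past SLA" (a count that names the backlog that needs escalation); mean time to remediate on its own hides both.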
* A few control areas, on premises and in the cloud
  * Physical security
  * Host security / client and endpoint protection
  * Network controls
  * Application security controls
  * Identity and access management
  * Data classification
* Risk Frameworks (the eight CISSP domains)
  * Security and risk management
  * Asset security
  * Security engineering
  * Communication and network security
  * Identity and access management
  * Security assessment and testing
  * Security operations
  * Software development security

Reference:

1. CIS-CAT Lite, <https://learn.cisecurity.org/cis-cat-lite>
