Risk Assessment and Security Questionnaire

    • Read organization vision and Mission

      • What are our organization's business requirements?

    • What are our risks?

      • SWOT analysis

    • Which things could bring us down financially and legally?

    • What security controls do we currently have in place?

    • Which gap assessments have been conducted (last 3 years)?

    • What did we learn from them?

    • Which strategy are we following?

    • What metrics are we collecting to measure our growth?

    • What is our cyber budget?

    • What is our threat landscape?

    • Cyber security team roadmap and strategic plan for critical business operations

    • Identifying the stakeholders

    • Auditing supply chain risk management

    • Which audit policies are followed by org

      • Internal audit

      • External audits

    • Risk Assessment tools

      • Inventory of assets

        • Hardware

        • Software

      • Critical assets

      • Critical Operations

      • Asset/Data owners/custodians

      • Asset classifications

      • Prioritize risk remediation

    • Understanding current organization security environment and posture

    • Understanding the critical information security issues the organization has faced and is facing

    • Initiating cyber security best practices

    • Developing modern Cyber Security program with Defense in Depth and Zero Trust

    • Developing Cyber Security Strategies to mitigate threats

    • Directing/Managing

    • Asset Management

      • High-value assets

      • Critical assets for operations

    • Cyber-Physical Security Management

    • Hardware Security Management

    • IoT/OT/SCADA Security Management

    • Cyber Security Operations

      • SIEM

        • Audit log management

    • SOC

      • SOC playbooks

    • SOAR

    • Incident Response

      • Identifying

      • Containing

      • Eradicating

      • Recovering

    • Security breach management

      • Ransomware

      • Data loss

      • Shadow IT

    • Cloud Security Management

      • Cloud security architecture

    • Cloud security tools

      • CASB, CWPP, CSPM

      • Security attacks

    • Cloud security frameworks

      • CSA, cloud adoption frameworks

      • Cloud computing policy

      • Cloud storage policy

      • Zero trust on cloud

    • SecDevOps/DevSecOps/Security Engineering

      • Shift left with security in the DevOps pipeline

      • Security misconfigurations

    • Security automation

      • Infrastructure as code

    • Data Encryption

      • Symmetric

      • Asymmetric

      • Hashing

      • Encoding

      • Key exchange

      • Certificates

      • Digital signatures

      • Data privacy

    • Application Security

    • Secure Coding and Software Development

    • Security Awareness

      • Security first

      • Security situational awareness

    • Cryptography, Data Security and Protection

    • Vulnerability and Patch Management

      • Build

      • Audit

      • Review

    • Network Security/Perimeter Security

      • Layered security controls

      • NGFW, NSM, IDS/IPS, load balancers, proxies

      • VPN, IPsec

    • Endpoint Security

      • End-user security

      • EDR, XDR, HIDS, HIPS, EPP, FIM, sandboxing, whitelist/blocklist

      • Malware defense

    • Cyber Security Governance, Risk, Compliance Management

      • Risk assessment and management

      • Information security management

    • Security policies

      • Business continuity

      • Disaster recovery

      • Cyber security maturity models

    • Cyber Security Architecture

    • Zero Trust Model

      • Zero trust network access

    • Cyber Security Frameworks and Controls

      • NIST Cybersecurity Framework

      • CIS Critical Controls

      • CMMC

      • NIST SP 800-171

      • NIST SP 800-53

      • ISO

    • Cyber Defense Architecture and Frameworks

      • MITRE ATT&CK

    • Cyber Security Standards

    • Cyber Security Reporting

    • Cyber Gap Analysis

    • Cyber Security Strategic Plan

    • Security workflow and relationships among multiple teams

    • Cyber Security Budget Management

    • Cyber Security Team performance, growth, learning

    • Penetration Testing/Red Team

    • Bring your own device policies

    • Remote work policies

    • Cyber Security product and services SLAs

    • Developing Non-Disclosure Agreements

    • Cyber Threat Landscape

      • Threat actors

      • Nation-state attacks

      • TTPs

      • Critical business operations

      • Stakeholders

    • Organization business goals and vision

    • Security metrics

      • Weekly

      • Monthly

      • Quarterly

    • A few controls/areas on prem and in the cloud

      • Physical Security

      • Host Security/client/endpoint protection

      • Network controls

      • Application Security controls

      • Identity and Access Management

      • Data Classification

    • Risk Frameworks

      • Security and risk management

      • Asset Security

      • Security Engineering

      • Communication and Network Security

      • Identity and Access Management

      • Security Assessment and Testing

      • Security Operations

      • Software Development Security
