Risk Assessment and Security Questionnaire

    • Read organization vision and Mission

      • What is our organization business requirements

    • what are our risks

      • SWOT Analysis

    • Which things bring us down financially and legally

    • what is our current security controls in place

    • which gap assessments conducted (last 3 years)

    • What do we learn from them

    • Which strategy we are following

    • what metrics we are collecting to compare our growth

    • What is our cyber budget

    • What is our threat landscape

    • Cyber security team roadmap and strategic plan for critical business operations

    • Identifying the stakeholders

    • Auditing Supply chain risk Management

    • Which audit policies are followed by org

      • Internal audit

      • External audits

    • Risk Assessment tools

      • Inventory of Assests

        • Hardware

        • Software

      • Critical assests

      • Critical Operations

      • Asset/Data owners/custodians

      • Asset classifications

      • Prioritize risk remediation

    • Understanding current organization security environment and posture

    • Understanding critical information security issues faced/facing by organization

    • Initiating cyber security best practices

    • Developing modern Cyber Security program with Defense in Depth and Zero Trust

    • Developing Cyber Security Strategies to mitigate threats

    • Directing/Managing

    • Asset Management

  • β—‹ High valued assets

  • β—‹ Critical assets for operations

  • - Cyber Physical Security Management

  • - Hardware Security Management

  • - IOT/OT/SCADA Security Management

  • Cyber Security Operations

    • SIEM

      • Audit log management

  • SOC

    • SOC Playbooks

  • SOAR

  • Incident Response

  • β–ͺ Identifying

  • β–ͺ Containing

  • β–ͺ Eradicating

  • β–ͺ recovering

  • Security breach management

  • β–ͺ Ransomware

  • β–ͺ Data loss

  • β—‹

  • β—‹ Shadow IT

  • -

  • Cloud Security Management

  • β—‹ Cloud Security Architecture

  • Cloud Security tools

  • β–ͺ CASB, CWPP, CSPM

  • β—‹

  • β—‹ Security attacks

  • Cloud security frameworks

  • β–ͺ CSA, cloud adoption frameworks

  • β–ͺ Cloud computing policy

  • β–ͺ Cloud storage policy

  • β—‹

  • β—‹ Zero trust on cloud

  • -

  • SecDevOps/DevSecOps/Security Engineering

  • β—‹ Shift left with security in DevOps Pipeline

  • β—‹ Security Misconfigurations

  • Security automation

  • β–ͺ Infrastructure as code

  • β—‹

  • Data Encryption

  • β–ͺ Symmetric

  • β–ͺ Asymmetric

  • β–ͺ Hashing

  • β–ͺ Encoding

  • Risk Assessment and Management

  • β–ͺ Encoding

  • β–ͺ Key exchange

  • β–ͺ Certificates

  • β–ͺ Digital signature

  • β—‹ Data Privacy

  • - Application Security

  • - Secure Coding and software development

  • Security Awareness

  • β—‹ Security First

  • β—‹ Security Situational Awareness

  • -

  • - Cryptography, Data Security and Protection

  • Vulnerability and Patch Management

  • β—‹ Build

  • β—‹ Audit

  • β—‹ Review

  • -

  • Network Security/Perimeter security

  • β—‹ Layered security controls

  • β—‹ NGFW, NSM, IDS/IPS, Load Balancers, Proxies,

  • β—‹ VPN, IPsec

  • -

  • Endpoint Security

  • β—‹ End-user Security

  • β—‹ EDR, XDR, HIDS,HIPS, EPP, FIM, Sandboxing, whitelist/blocklist

  • β—‹ Malware defense

  • -

  • Cyber Security Governance, Risk, Compliance Management

  • β—‹ Risk Assessment and Management

  • β—‹ Information security Management

  • Security policies

  • β–ͺ Business continuity

  • β–ͺ Disaster Recovery

  • β—‹

  • β—‹ Cyber Security Maturity Models

  • -

  • Cyber Security Architecture

  • Zero Trust Model

  • β–ͺ Zero trust network access

  • β—‹

  • -

  • Cyber Security Frameworks and controls

  • β—‹ NIST cyber security framework

  • β—‹ CIS critical controls

  • β—‹ CMMC

  • β—‹ NIST SP 800-171

  • β—‹ NIST SP 800-53

  • β—‹ ISO

  • -

  • Cyber Defense architecture and frameworks

  • β—‹ MITRE ATT&CK

  • -

  • - Cyber Security Standards

  • - Cyber Security Reporting

  • - Cyber Gap Analysis

  • - Cyber Security Strategic Plan

  • - Security workflow and relationships among multiple teams

  • - Cyber Security Budget Management

  • - Cyber Security Team performance, growth, learning

  • - Penetration Testing/Red Team

  • - Bring your own device policies

  • - Remote work policies

  • - Cyber Security product and services SLA's

  • New Section 1 Page 10

  • - Cyber Security product and services SLA's

  • - Developing Non-Disclosure Agreements

  • Cyber Threat Landscape

  • β—‹ Threat actors

  • β—‹ Nation state attacks

  • β—‹ TTP's

  • β—‹ Critical business operations

  • β—‹ Stakeholders

  • -

  • - Organization business goals and vision

  • Security metrics

  • β—‹ Weekly

  • β—‹ Monthly

  • β—‹ Quarterly

  • -

  • Few controls/areas on prem and cloud

  • - Physical Security

  • - Host Security/client/end point protection

  • - Network controls

  • - Application Security controls

  • - Identity and Access Management

  • - Data Classification

  • Risk Frameworks

  • - Security and risk management

  • - Asset Security

  • - Security Engineering

  • - Communication and Network Security

  • - Identity and Access Management

  • - Security Assessment and Testing

  • - Security Operations

  • - Software Development Security

  • Reference:

    1. https://learn.cisecurity.org/cis-cat-lite

PreviousCyber Security ArchitectureNextRansomware Prevention

Last updated

Was this helpful?