SECURITY POSTURE SELF-ASSESSMENT
Company Information
Name of person filling in the questionnaire (required)
Email address (required)
Phone (required)
Company (required)
What is the size of your organization? (required)
0-10 staff
11-50 staff
51-250 staff
250+ staff
IT Landscape
Please check all that exist in your organization
Local area network (LAN) devices
Security devices (e.g. firewalls, proxies)
Routers
Internal File Share system (e.g. SharePoint, Confluence)
Shared Storage (e.g. Network Attached Storage (NAS), SAN, Storage Server)
Shared printers, faxes, or multifunctional devices
VoIP telephony devices
Wireless network
Guest Wi-Fi hotspot
Wi-Fi is using WPA2
Managed and secure access points
Remote access connectivity
Citrix, Amazon Workspaces etc.
Direct connectivity via tools such as Microsoft Remote Desktop, VNC, Team Viewer
Direct tunneling into the network is possible
VPN solution is in place
Cloud integration
Cloud storage (e.g. Google Drive, OneDrive, AWS Cloud Storage)
Cloud hosted applications
Mobile devices
Company allows personally owned devices for business purposes
Company allows company owned devices for personal purposes
Public Services Exposure - Web
Does your company expose the following services to the public?
Does your company provide Web Services exposed to the world?
Yes
No
Do the exposed Web Services enforce the use of HTTPS?
Yes
No
Are the exposed Web Services hosted locally or in the cloud?
Locally
Cloud
Do you allow user generated content?
Yes
No
Are external users allowed to register?
Yes
No
Do the exposed Web Services allow content upload?
Yes
No
Is your cloud provider ISO 27001 (or similar) certified (e.g. AWS, Google, Azure)?
Yes
No
Public Services Exposure - API
Does your company provide APIs exposed to the world?
Yes
No
Do the exposed APIs enforce the use of HTTPS?
Yes
No
Are the exposed APIs hosted locally or in the cloud?
Locally
Cloud
Do the exposed APIs support basic authentication?
Yes
No
Is your cloud provider ISO 27001 (or similar) certified (e.g. AWS, Google, Azure)?
Yes
No
Public Services Exposure - File Sharing
Does your company expose File Sharing services to the world (e.g. SharePoint, Confluence, FTP etc.)?
Yes
No
Are the exposed File Sharing services locally or cloud hosted?
Locally
Cloud
Is anonymous access enabled for the exposed File Sharing services?
Yes
No
Are registered users considered internal or external to your company?
Local
External
Is traffic between users and the File Sharing system encrypted?
Yes
No
Is your cloud provider ISO 27001 (or similar) certified (e.g. AWS, Google, Azure)?
Yes
No
Users and Access Control
Please check all that apply for your environment or workplace
User types
Intranet users for employees
Intranet users for partners
Custom application users
Do all company systems and platforms do the following?
Implement AAA for all users
Implement Network firewall protection
Implement Web application firewall protection
Implement Host firewall protection
Maintain routes and ACLs
Internet systems in DMZ
Access control
User configuration follows established approach such as RBAC, MAC or DAC
MFA is implemented for users
Password policy for length and complexity is enforced
Password policy for aging and reusability is enforced
Account lockout feature is implemented on all systems
Access controls are enforced on all information systems
Access controls are enforced on test and development environments
Physical security is in place (e.g. cameras)
Information security program implements dual controls, segregation of duties, employee background checks
Access is revoked immediately upon termination, move, or job function change
Critical data and systems are accessible by at least 2 trusted individuals as a safeguard against a single point of failure (SPF)
A formal process granting administrator-level access exists
Administrator-level access is used solely for carrying out administrative tasks
Administrator roles are not used for network browsing and/or sending emails
Administrator-level accounts are personal and well documented
List of administrator-level accounts is audited on a regular basis
MFA is enforced on all administrator-level accounts
Users are restricted from installing unsigned applications even from known good sources
Users are not allowed to install applications outside the approved applications list
Data at Rest and Data in Transit
Please check all that apply for your environment or workplace
Backup system
Images are tested regularly
Redundant images are stored in different locations
Data at rest
Is encrypted at least with AES-256
Disposal process for storage hardware is in place
Mobile Device Management system is in place
Data in transit
Formal logging and monitoring for systems is in place
Intrusion Detection System other than basic logging is in place
SSL/TLS is mandatory for all communications, both internal and external
Connectivity with 3rd parties, vendors, and other entities is secured via a VPN solution
All confidential information transferred both locally and externally is encrypted with an industry standard cipher or uses TLS version 1.2 and above
Prevention
Please check all that apply
Does your company use or implement the following?
Network redundancy
Network segmentation
IDS/IPS technology
Applications facing the internet have their database(s) on a separate server
Follows an established and tested program of patch management
Test, development and production systems are physically and logically separated from each other
Policies and controls exist for development, test, and production environments
Architectural software design implements security controls
Redundancy or high availability for critical functions is in place
Split tunneling while connecting to customer networks is prohibited
Process is in place to monitor and adjust the information security program
Employee acceptable use policy is in place
Enterprise virus protection is active on all systems
Email server protected by anti-virus, anti-malware and/or other security solution
Policies and procedures for safe customer and consumer information disposal are in place
Password manager for secure storage of complex passwords
Macros disabled by default in office applications
Policies, Standards, and Procedures
Please check all that apply
The company
Will provide copies of Information Security Policies
Can provide results of a 3rd party external Information Security Assessment conducted within the past 2 years (SAS-70, pen test, vulnerability assessment, audit, etc.)
Has a policy that prohibits sharing of individual accounts and passwords
Has a policy that implements the following Information Security concepts: need to know, least privilege, and checks and balances
Requires system administrators to be educated and qualified
Performs background checks for individuals handling confidential information
Has termination or job transfer procedures that immediately protect against unauthorised access to information
Provides customer support with escalation procedures
Has documented change control processes
Requires contractors, subcontractors, vendors, outsourcing ventures, or other external third-party contracts to comply with policies and customer agreements
Has a policy that implements federal and provincial regulatory requirements
Maintains a routine user Information Security awareness program
Has a formal routine Information Security risk management program for risk assessments and risk management
Incident response plan defining responsibilities and duties for containing damage and minimizing risks to the institution and customers
Public Information Security
Please check all that apply
When your company manages and/or operates with public data
Information publicly exposed is compliant with country and region regulations
Newly added content is verified to be compliant with country and region regulations
Thank you
Our team of experts will review your answers and we will be contacting you shortly.