This diagnostic tool will help you understand your organization's current digital security posture. Please answer each question as accurately as possible.
You only need to fill out those sections that are relevant to your work - feel free to leave sections blank if they don't apply.
NOTE: To keep your data safe, this form doesn't autosave or back up to the cloud, so try to fill it out in one session. Refreshing or closing the page will discard your answers.
Here are steps to save your form:
Click "Print/Save as PDF"
Click "Destination" in the print dialog and select "Save to PDF"
Choose somewhere on your computer to save the PDF
Don't exit or refresh the page before taking these steps, or you will lose your work!
To share this form securely, go to Tresorit Send, click the + button to add your files, and follow the instructions to create a secure link.
Section 1: Asset Inventory and Management
Hardware Assets
1.1
Do you maintain an up-to-date inventory of all hardware devices used by your organization?
1.2
Which of the following hardware do you currently use? (Check all that apply)
1.3
Are all your hardware devices kept up to date and configured securely (e.g., operating system and firmware updates installed, disk encryption and automatic screen lock enabled)?
Software Assets and Accounts
1.4
Do you maintain a list of all software applications and online accounts your organization uses?
1.5
Which types of software/platforms does your organization use? (Check all that apply)
1.6
Do you have a process for regularly updating all software?
Communication Platforms
1.7
Which messaging and communication platforms does your organization use? (Check all that apply)
Websites
1.8
Does your organization maintain any websites or web applications?
1.9
If yes, do you conduct regular security assessments of your websites?
Section 2: User Access Management
User Categories
2.1
Do you maintain a current list of all individuals who have access to your systems/data?
2.2
Which categories of users have access to your systems? (Check all that apply)
2.3
Do you have a formal process for granting access based on job roles and responsibilities?
2.4
Do you have a process for promptly removing access when people leave the organization or change roles?
2.5
Do you regularly review and update user access permissions?
Section 3: Data Collection and Management
Data Inventory
3.1
Do you know what types of data your organization collects and stores?
3.2
What types of data does your organization collect? (Check all that apply)
3.3
Through which platforms/methods do you collect data? (Check all that apply)
Data Sharing
3.4
Do you have a documented policy about who can access different types of data?
3.5
Do you share data with external parties (partners, vendors, government agencies)?
3.6
If yes, do you have agreements in place governing how shared data must be protected?
Section 4: Threat Assessment
Adversary Identification
4.1
Have you identified who might want to target your organization?
4.2
Which potential adversaries are you most concerned about? (Check all that apply)
4.3
How would you rate your organization's overall cybersecurity risk level?
Section 5: External Relationships
Stakeholder Access
5.1
Do external parties (clients, partners, advisors) have access to your systems or data?
5.2
If yes, do you have security requirements for external parties who access your systems?
5.3
Do you vet the cybersecurity practices of partners or vendors you work with?
5.4
Do you share sensitive or confidential information with partners?
Section 6: Risk Mitigation Measures
Authentication and Access Control
6.1
Do you require strong, unique passwords for all accounts?
6.2
Do you use multi-factor authentication (2FA/MFA) on critical systems?
6.3
Do you use a password manager to securely store passwords?
Incident Response and Governance
6.4
Do you have a written incident response plan for cybersecurity events?
6.5
Do you have a comprehensive cybersecurity policy?
6.6
Do you have data governance policies covering data collection and sharing?
Data Protection
6.7
Do you encrypt sensitive data both at rest (on devices and in storage) and in transit (over networks)?
6.8
Do you use secure communication platforms for sensitive discussions?
6.9
Do you regularly back up critical data?
6.10
Are your backups stored securely (encrypted and kept separate from the systems they protect) and regularly tested by performing an actual restoration?
Email and Network Security
6.11
Do you have email security measures in place (spam filtering, phishing protection)?
6.12
Do you have policies governing public communications and social media use?
6.13
Do you use firewalls to protect your network?
6.14
Do remote workers use VPNs to access organizational resources?
Endpoint Security
6.15
Are all computers and mobile devices protected with updated antivirus/security software?
6.16
Do you have policies for securing mobile devices used for work?
Section 7: Remote Work Security
Work Environment
7.1
Do your employees work remotely or in hybrid arrangements?
7.2
Do you provide guidance on secure home Wi-Fi setup for remote workers (e.g., changing default router passwords, enabling WPA2/WPA3 encryption)?
7.3
Do remote workers use VPNs when accessing work resources?
Physical Security
7.4
Do you have policies about physical security for remote work (screen privacy, device locking, etc.)?
7.5
Do you use digital access controls (keycards, mobile apps) for physical office security?
Section 8: Training and Awareness
8.1
Do you provide cybersecurity training for employees and volunteers?
8.2
Do you conduct phishing simulations or security awareness exercises?
8.3
Do you have a process for reporting security incidents or suspicious activity?
Additional Information
Next Steps
Based on your responses, you may want to:
Prioritize areas where you answered "No" or "Partially"
Develop implementation plans for missing security measures
Consider consulting with cybersecurity professionals