This guide is not a substitute for a rigorous technical analysis of your network, systems, user behaviors, and cyberdefenses. However, your answers to the 20 carefully selected questions in this guide should quickly help you understand where you can most likely benefit from an investment in better risk management. Here they are:
1. Does your company utilize multifactor authentication (MFA)?
MFA is the use of two or more factors to grant a user access to a resource. For example, in addition to requiring a password, a system may send a one-time numerical passcode to a user’s smartphone that they then have to type into a challenge screen. Or a system may require an additional biometric identifier such as a fingerprint or facial recognition.
Strong password policies include requirements on the length of passwords (at least eight characters), their composition (at least one number and one other mark), rotation (e.g., quarterly), and prohibition of reuse. Strong password controls are the mechanisms you use to make sure that users’ passwords do in fact meet your criteria for strength, rotation, and non-reuse.
Pick a number between 0-4
0=We have no policies or controls
2=We have some policies but no controls
4=We use a password manager to ensure password strength
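As an added illustration (not part of the quiz), the following Python check enforces the policy described above: minimum length, at least one digit and one other mark, no reuse of recent passwords (compared against salted hashes, never stored plaintext), and quarterly rotation. The 90-day rotation window, the five-password history depth, and reading "other mark" as a non-alphanumeric character are assumptions.

```python
import hashlib
import hmac
import os
from datetime import date

# Policy values from the quiz text; the 90-day window and history depth are assumptions.
MIN_LENGTH = 8
MAX_AGE_DAYS = 90      # "quarterly" rotation
HISTORY_DEPTH = 5      # how many previous passwords may not be reused


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) so old passwords are never kept in clear."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def was_used_before(password, history):
    """True if the candidate matches any of the retained previous-password digests."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def policy_violations(password, history):
    """Return the rules a candidate password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() for c in password):   # assumption: "other mark" = non-alphanumeric
        problems.append("no symbol")
    if was_used_before(password, history):
        problems.append("reused")
    return problems


def rotation_due(last_changed, today):
    """True when the current password is older than the rotation window."""
    return (today - last_changed).days > MAX_AGE_DAYS


# Constructed sample history for one user: the last two passwords, stored only as salted hashes.
SAMPLE_HISTORY = [hash_password("Autumn2023!"), hash_password("Winter2023!")]
```

Feeding a proposed password through policy_violations() at change time, and rotation_due() at login time, is the "control" that turns the written policy into something actually enforced.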
The security community is constantly discovering vulnerabilities in popular software products, which are then publicly announced as Common Vulnerabilities and Exposures (CVEs). So software companies are constantly issuing security “patches” to address those CVEs. The longer it takes your IT team to install those patches, the longer you remain vulnerable to attackers who constantly search for and exploit CVEs wherever they find them.
Pick a number between 0-4
0=No set process for identifying and fixing CVEs
2=We have a 30-day backlog of patches we need to install
4=We actively track CVEs and are currently up to date
Your current employees have lots of access to your data and systems. So when you terminate an employee, it’s important to revoke all of those access privileges. This is especially true in the case of a disgruntled employee who may want to do harm to your company as an act of revenge—or one who goes to work for one of your competitors.
Pick a number between 0-4
0=No set process for revoking privileges upon termination
2=IT is alerted and revokes privileges manually
4=All privileges revoked completely and immediately
Cybercriminals commonly penetrate an organization’s cyberdefenses by tricking users with fake emails and/or deceptive phone calls (“phishing”). One of the most important ways organizations protect themselves against these social-engineering tactics is to train their users in best practices for safe computing. The safest organizations also perform simulated phishing attempts on themselves to see if the training has been effective.
Getting hacked or phished doesn’t have to spell disaster for your company IF you can detect and interdict malicious activity inside your network before the invader can reach your most valuable data and systems. But to do that, you must have a reliable way of detecting indicators of suspicious activity in your environment. And you must be able to respond to the detection of such threats quickly and decisively.
The administrators of your IT systems (sysadmins) have the most far-reaching privileges in your organization. And they need those privileges to perform their everyday technical tasks. But if a hacker gets hold of those sysadmin credentials—which they invariably try to do—they can do virtually unlimited damage. That’s why it’s essential to limit the damage hackers can do by making sure no single administrative credential can grant them access to everything.
Pick a number between 0-4
0=Our admin(s) use the same password everywhere
2=Our admin(s) try to use a few different passwords
Your firewall is a key component of your cyberdefense—ideally capable of blocking any unauthorized network traffic while not blocking any traffic that your people need to be productive. But it’s not easy to achieve that balance. Hackers will take advantage of any gaps in your firewall protection. So smart companies regularly test their firewalls from the outside (penetration testing) to find gaps and fix them before the bad guys do.
Cyberinsurance provides vital financial protections from the consequences of a cyberattack or other technology-related business interruption. But due to unsustainable losses, insurers are adopting increasingly stringent underwriting policies. To qualify for the right coverage at the right price, organizations must therefore be able to demonstrate that they have taken steps to minimize their prospective insurer’s exposure to risk.
Pick a number between 0-4
0=We do not have a true cyberinsurance policy
2=Our policy and premiums are based on our current posture
4=We actively seek to qualify for the best coverage at the best price
Your backup files can be your last line of defense against a costly, extended business interruption. But it’s not enough to just copy your files. You must ensure that you could actually restore those files successfully to production-readiness if you needed to. You must make sure you’re backing up the files you need as often as you need to. And you must make sure that hackers can’t get to those backup files at the same time as they attack the rest of your business.
Pick a number between 0-4
0=We perform backups and that’s about it
2=We have good backup files and occasionally test them
4=We regularly test our backups against recovery time objectives (RTO)
Once cyberattackers succeed in compromising one organization, they often use that beachhead to launch attacks on other adjacent organizations. So if you do business with companies that are lax when it comes to cybersecurity, they are putting you—and your customers—at risk every day. The solution, of course, is to set some minimum standards for your vendors—and to require them to provide some documentary evidence that they are in fact fulfilling those standards.
Please pick a number between 0-4
0=We don’t ask vendors about their cybersecurity
2=We only ask them about security as it relates to their direct dealings with us
4=We have specific cybersecurity requirements for our vendors
Cloud-based applications and services offer compelling value by allowing your organization to acquire new digital capabilities without the additional capital and operational expenses associated with deploying more IT infrastructure internally. But your cloud providers are not responsible for your security and compliance. You are.
Please pick a number between 0-4
0=We trust cloud providers to keep us safe
2=We have put some cloud protections in place
4=We actively manage all cloud-related cyber risk
Cybersecurity isn’t just about keeping criminals from hacking you over the internet. It’s also about keeping them from getting to your sensitive data and critical systems by more ordinary means, such as simply sticking a thumb drive into an open USB port. To maintain this physical security, organizations must control physical access with the same rigor as they do digital access.
Please pick a number between 0-4
0=We keep an eye on whoever enters our office
2=We restrict access to our server room
4=We have policies and controls for rooms, USB drives, hard copies, etc.
Business email compromise (BEC) is a common occurrence—which is just one reason that your employees should never transmit sensitive data such as Social Security numbers and banking information as plain text in their unencrypted emails. Organizations can prevent this from happening by implementing a number of measures that include employee training, email encryption, recipient authentication, and data loss prevention (DLP) technologies.
Please pick a number between 0-4
0=We have no way to prevent risky emailing
2=We give employees the ability to encrypt sensitive emails
4=We have policies and controls for email content and encryption
Just about every company is subject to regulatory mandates regarding the way it manages data. For companies that handle credit cards, that mandate is PCI. For healthcare, it’s HIPAA. For financial services, it’s SEC and FTC guidelines. Compliance with these mandates requires that companies implement specific types of cybercontrols. Compliance also requires that companies be able to document their implementation of those controls to auditors.
Please pick a number between 0-4
0=We don’t currently comply with any mandates
2=We are starting our cyber compliance journey
4=We have a full cyber compliance program in place
Every bit and byte on every computer in your organization, and in every application you use in the cloud, is data. But not all data is created equal. The flier announcing your next company picnic is not the same kind of data as the HR file where you keep all of your employees’ Social Security numbers and ACH banking instructions. An effective risk mitigation strategy treats each of these data types appropriately in terms of access controls, encryption, backup, and other cybersecurity measures.
Please pick a number between 0-4
0=We treat all of our data pretty equally
2=We have special protections for our most precious data
4=We have a multi-tiered approach driven by business risk
Organizations increasingly depend on remote workers. Some of those remote workers are salespeople, field service workers, and other road warriors who need to stay productive wherever they are. Others are the new generation of work-from-home (WFH) workers who only come into the office when they need to. Any organization seeking to attract the best talent—and to keep that talent productive even if extreme weather or a natural disaster keeps them from coming to the office—therefore needs to safely enable remote work.
Please pick a number between 0-4
0=Remote users only need their password
2=We use passwords and MFA to authenticate remote users
4=We have multilayered safeguards for all remote logins
Despite all your precautions, your organization may still get hit by ransomware or some other type of cyberattack. But you can still significantly reduce the short- and long-term adverse impacts of those incidents by responding quickly and decisively. And your incident response (IR) plan needs to encompass more than just restoring data from backups. It has to include pre-rehearsed processes for identifying and neutralizing the attack, communicating with employees via alternative channels, and making appropriate disclosures to customers.
Please pick a number between 0-4
0=We don’t currently have an IR plan in place
2=We have IR procedures for IT
4=We have a companywide IR plan that we periodically rehearse
Effective cyberrisk management requires more than just installing some security tools. It requires strategic leadership to ensure that your security budget is being allocated wisely, that technology-related risks are proactively factored into executives’ business decisions, and that your organization’s security and cybercompliance posture is subject to the discipline and accountability needed for continuous improvement.
Pick a number between 0-4
0=We do not have a Chief Security Officer
2=Our technical security manager(s) try to think strategically
4=We have a true CSO or a virtual CSO (vCSO)
In an increasingly tech-centric world fraught with risk, effective security and cybercompliance are as central to an organization’s performance as its human capital, its intellectual property, its go-to-market strategy, or its financial management. That’s because security and compliance failures can permanently alienate customers, destroy brand reputation, and significantly diminish a company’s valuation in the eyes of investors.
Please pick a number between 0-4
0=“Security is unfortunately a necessary operational cost.”
2=“Security is an investment that pays off in mitigated risk.”
4=“Great security helps make us a great company.”