Cyber Security Risk Assessment Template

We have prepared a generic template for cybersecurity assessment with typical questions and sample answers. This security questionnaire was built from several vendor RFPs collected in 2021 and 2022.

Governance and Leadership

1 Does a formally documented cyber security strategy exist and who is it approved by within the organisation?
1a A cyber security strategy has been approved at senior executive level and is reviewed at least annually.
1b A cyber security strategy has been approved by senior executives. This is reviewed at set intervals, but not in the last 12 months.
1c A cyber security strategy has been approved by an operational or technology lead and is reviewed at set intervals.
1d There is no formally documented cyber security strategy.

2 Does a formally documented framework (including policies, standards and delivery programme) exist to maintain your security posture and to deliver the cyber security strategy?
2a A documented cyber security framework exists with all supporting components. It is aligned to industry-recognised standards, has been approved at senior executive level and is reviewed at least annually.
2b A documented cyber security framework exists, is aligned to industry-recognised standards and has been approved at senior executive level. This is reviewed at set intervals, but not in the last 12 months.
2c A cyber security framework has been approved by an operational or technology lead and is reviewed on an ad-hoc/infrequent basis.
2d There is no formally documented cyber security framework to deliver the cyber security strategy.

3 Has a senior executive been appointed who is accountable for the delivery of the cyber security framework within the organisation?
3a A senior executive has been appointed who is accountable for delivery of the cyber security framework. This is either their dedicated role or a significant proportion of their role.
3b Someone (not a senior executive) within the organisation has been appointed and is accountable for delivery of the cyber security framework. There are plans to appoint a senior executive in the future.
3c Someone (not a senior executive) within the organisation has been appointed and is accountable for the delivery of the cyber security framework.
3d No-one has been appointed to be accountable for the delivery of the cyber security framework.

4 Are risks to cyber security managed effectively?
4a All risks to cyber security are translated into and managed within the enterprise risk framework. These are aligned to enterprise-level risk appetite statements and reassessed on an ongoing basis.
4b All risks to cyber security are translated into and managed within the enterprise risk framework. These are aligned to functional risk appetite statements and reassessed at set intervals.
4c Risks to cyber security are managed locally, with some visibility provided at an organisational level. These risks are reassessed on an ad-hoc/infrequent basis.
4d There is some awareness of risks to cyber security but no formal structure to manage them.

5 Has the effectiveness of cyber controls been independently assessed against the control objective?
5a The effectiveness of cyber security controls has been independently assessed by a party with the competent level of skill and forms part of an established annual process, including senior executive review.
5b The effectiveness of cyber security controls has been independently assessed by a party with the competent level of skill and signed off in the last 18 months, but is not part of an ongoing process.
5c The effectiveness of cyber security controls has not yet been independently assessed by a party with the competent level of skill, but an assessment is scheduled within the next six months.
5d The effectiveness of cyber security controls has not been independently assessed by a party with the competent level of skill and there is no plan to do so.

6 What level of knowledge and skills exists at the senior executive level?
6a All senior executives have sufficient understanding to provide effective oversight of the firm's cyber security strategy and cyber risk management. At least one senior executive has specialist knowledge and skills which the other executives can draw on.
6b At least one senior executive has sufficient understanding to provide effective oversight of the firm's cyber security strategy and cyber risk management. Training is scheduled to develop other senior executives' capabilities in the next 12 months.
6c Senior executives are currently dependent on external knowledge and skills to provide effective oversight of the firm's cyber security strategy and cyber risk management. There is a plan to address this in the next 12 months.
6d No senior executives currently have the relevant knowledge and skills to provide effective oversight of the firm's cyber security strategy and cyber risk management. There are no plans in place to address this.

7 Are roles, accountabilities and responsibilities for delivering the cyber security strategy clearly defined, assigned and understood by senior executives?
7a All roles, accountabilities and responsibilities are clearly defined, documented and assigned. All senior executives are aware of these and their understanding is validated.
7b All roles, accountabilities and responsibilities are clearly defined, documented and assigned. Senior executives' awareness and understanding of these are assumed.
7c Some roles, accountabilities and responsibilities are defined and assigned. Senior executives' awareness and understanding of these are assumed.
7d Accountabilities and responsibilities are not defined or assigned to roles.

8 To what extent is management information (MI), including Key Risk Indicators (KRIs), used to inform decision makers on the performance of cyber security controls?
8a Senior executives regularly review MI on cyber security controls. This MI is used to support the discussion of cyber security and relevant decision making.
8b Second line staff, such as operational risk leads, regularly review MI on cyber security controls. This MI is used to support the discussion of cyber security and relevant decision making.
8c First line staff, such as technology or operational leads, regularly review MI on cyber security controls. This MI is used to support relevant decision making.
8d MI on cyber security controls is not regularly reviewed.

9 Is there an exercising programme in place to validate your organisation's ability to respond to cyber security incidents, and inform your cyber security framework?
9a An ongoing strategic exercising programme is in place to validate the organisation's effectiveness in responding to cyber incidents across staff and processes, the results of which inform the development of the cyber security framework.
9b Exercises are conducted on an annual basis to validate the organisation's effectiveness in responding to cyber incidents across staff and processes, the results of which inform the development of the cyber security framework.
9c Exercising has been undertaken to validate the organisation's effectiveness in responding to cyber incidents, but this has not been conducted in the last 12 months.
9d The organisation does not undertake exercising to validate its effectiveness in responding to cyber incidents.
Identify

10 Are business functions understood?
10a All business functions have been identified and prioritised in terms of their criticality and their underlying technology and processes. This is reviewed on an ongoing basis and updated in accordance with risk and change management processes.
10b All business functions have been identified and prioritised in terms of their criticality and their underlying technology and processes. This is reviewed annually.
10c Critical business functions have been identified and prioritised in terms of their criticality. This is reviewed on an infrequent or ad-hoc basis.
10d Critical business functions have not been formally identified and prioritised along with their underlying technology and processes.

11 Is a current inventory of information assets with supporting systems maintained?
11a Information assets and systems are identified, prioritised, and documented in a single inventory on an ongoing basis.
11b Information assets and systems are identified, prioritised, and documented in single/multiple inventories which are reviewed at set intervals.
11c Information assets and systems are identified, prioritised, and documented, and these are reviewed on an ad-hoc/infrequent basis.
11d Information assets and systems have not been formally identified, prioritised and documented.

12 Do you understand who your third party providers are and the services they provide?
12a An accurate register is maintained of all third party providers and the services they provide. Processes and procedures are in place to ensure that new third parties and/or changes in existing services are captured within the register.
12b A register is maintained of all critical third party providers and the services they provide. Processes and procedures are in place to ensure that new critical third parties and/or changes in existing services provided are captured within the register.
12c A list is held of critical third party providers and the services they provide.
12d There is no centrally held list of third party providers and services.

13 Are hardware and software vulnerabilities proactively identified and documented with their risk assessment?
13a There is an established vulnerability detection process to discover, document and risk assess vulnerabilities on an ongoing basis.
13b There is an established vulnerability detection process to discover, document and risk assess vulnerabilities on at least a monthly basis.
13c There is a vulnerability detection process to discover, document and risk assess vulnerabilities on an ad-hoc/infrequent basis.
13d There is no vulnerability detection process in place.

14 Are end-of-life hardware and software assets identified and effectively managed prior to expiration?
14a An asset inventory (or similar) is held which tracks the end-of-life for each asset. Assets out of support are recognised as potential vulnerabilities and managed accordingly through the risk management framework.
14b An asset inventory (or similar) is held which tracks the end-of-life for each asset. Decisions about when to replace these are risk-based.
14c End-of-life for groups of assets is tracked. Decisions about when to replace these groups are risk-based.
14d There is no process to identify end-of-life hardware or software.
Protect

15 Does all remote access to the corporate network and business applications require two-factor authentication?
15a All remote access to the corporate network and business applications requires at least two-factor authentication.
15b Remote access to the majority of corporate network and business applications requires at least two-factor authentication.
15c Remote access for a limited number of corporate network and business applications requires at least two-factor authentication.
15d Remote access to the majority of corporate network and business applications requires only single-factor authentication.

16 How is user access to data via systems managed?
16a Requests for enabling or modifying user access to data require permission from the data owner.
16b Requests for enabling or modifying user access to data are managed by line manager approval.
16c Requests for enabling or modifying user access to data require permission from the system owner only.
16d Requests for enabling or modifying user access to data are not managed centrally.

17 How is user access to data via systems reviewed?
17a All user access and permissions to data are reviewed on an ongoing and requirements basis, e.g. as part of the joiners-movers-leavers process.
17b All user access and permissions to data are reviewed on at least an annual basis.
17c User access to data is reviewed on an ad-hoc basis and does not specify a review of permissions.
17d User access reviews are not required by policy.

18 Are privileged rights understood, documented and reviewed in terms of assignment to system and user accounts?
18a All privileged rights are centrally managed and documented. Access privileges are reviewed by the system/business owner on an ongoing basis and as part of any joiners-movers-leavers process.
18b All privileged rights are documented. Access privileges are reviewed by the system/business owner at set intervals and as part of any joiners-movers-leavers process.
18c Privileged rights are centrally understood and enforced as part of a joiners-movers-leavers process. Reviews are conducted on an ad-hoc/infrequent basis.
18d There is no centralised view of privileged rights or their assignment.

19 Are appropriate controls in place to classify information in terms of criticality and sensitivity?
19a All information assets and documents are classified and labelled in line with policy. Labelling is enforced for user generated content (e.g. emails and documents).
19b All information assets and documents should be classified and labelled in line with policy. Labelling is reliant on the user.
19c All documents should be classified and labelled in line with policy. Labelling is reliant on the user.
19d There is no consistently applied classifying and labelling of information.

20 Are appropriate tools and processes in place to detect and prevent sensitive data from leaving the corporate network?
20a Tools and processes are in place to prevent unauthorised sensitive data from leaving the corporate network at all egress/ingress points. All incidents are investigated and escalated where appropriate.
20b Tools and processes are in place to monitor for unauthorised sensitive data leaving the corporate network at all egress/ingress points. All incidents are investigated and escalated where appropriate.
20c Tools and processes are in place to monitor for unauthorised sensitive data leaving the corporate network at some egress/ingress points. Incidents are investigated on a best endeavours basis.
20d There are no formalised tools or processes in place to monitor or prevent unauthorised sensitive data leaving the corporate network.

21 Which option best describes your backup process?
21a All data and system configurations are backed up and encrypted in line with business requirements, including at least one format which does not require continuous access to the network.
21b All data is backed up and encrypted in line with business requirements, including at least one format which does not require continuous access to the network.
21c Critical data is backed up. Backups are typically protected and stored offsite, but this is not a formal requirement.
21d Data is not consistently backed up.

22 Do you have effective processes and procedures in place to assess the security capabilities and management of cyber risk by third party providers?
22a All third party providers are reviewed in line with the risks they present at set intervals. Findings are recorded and acted upon as required.
22b All critical third party providers are reviewed in line with the risks they present at set intervals. Findings are recorded and acted upon as required.
22c All critical third party providers are reviewed at the on-boarding stage in line with the risks they present. Findings have been recorded.
22d No assessment of third party providers is undertaken specifically in relation to the risks they present.

23 Are proportionate measures in place to ensure that third parties with ongoing access to your network are appropriately managed?
23a Third party access to infrastructure and information is identified and documented, and proportionate controls implemented as a result, e.g. periodic due diligence exercises, compliance audits, non-disclosure agreements, vetting/screening, contractual agreements.
23b Third party access to critical infrastructure and information is understood, and proportionate controls have been implemented, e.g. periodic due diligence exercises, compliance audits, non-disclosure agreements, vetting/screening, contractual agreements.
23c Third party access to critical infrastructure and information is understood, and the organisation has measures in place to monitor (but not actively manage) this.
23d There are no measures currently in place to manage third party access to infrastructure or information.

24 Is cyber security incorporated in change management and design processes, as well as service and product development?
24a Cyber security is a fundamental part of all change processes and is considered within the business strategy.
24b Cyber security is a fundamental part of change processes relating to critical systems, services and products.
24c Cyber security is considered but not formally embedded as a part of change processes relating to critical systems, services and products.
24d Cyber security is not regularly considered in the context of change.

25 Are baseline system security configuration standards and hardening procedures in place to facilitate consistent application of security requirements to operating systems, databases, applications, devices, etc.?
25a Baseline security standards are documented and applied. Assets are monitored on a continuous basis for compliance against these standards.
25b Baseline security standards are documented and applied. Assets are checked at set intervals for compliance against these standards.
25c Baseline security standards are documented and applied. Assets either have not been checked for compliance against these standards, or are checked on an ad-hoc/infrequent basis.
25d Baseline security standards are not maintained.

26 Do you use monitoring and/or filtering solutions to restrict network traffic to or from ingress/egress points which might present a risk to the organisation?
26a The organisation proactively restricts or blocks access to all ingress/egress points. Filters are reviewed and regularly updated.
26b The organisation proactively restricts or blocks access to sensitive ingress/egress points. Filters are regularly updated.
26c The organisation proactively monitors access to ingress/egress points. Filters are regularly updated.
26d Monitoring or filtering solutions are not widely used.

27 Do you employ multiple layers of security to ensure that the corporate network is segregated effectively and protected from externally facing systems (e.g. firewalls and multiple AV vendors)?
27a A defence-in-depth strategy is employed creating multiple layers of security, including network segregation and application whitelisting. The organisation does not rely on a single solution for any of its cyber defences.
27b A defence-in-depth strategy is employed creating multiple layers of security. In most instances the organisation does not rely on a single solution for its cyber defences.
27c There are a few points where security is a single layer, but these do not relate to any critical systems.
27d The organisation typically relies on single vendors and solutions to protect the business.

28 Are staff provided with cyber security training?
28a All staff are provided with mandatory cyber security training as part of an ongoing programme. Levels of understanding are measured and gaps in knowledge are identified and used to adapt or prompt additional training.
28b All staff are provided with mandatory cyber security training at set intervals. Levels of understanding are measured and are used to prompt additional training.
28c Staff have access to cyber security training but it is not mandatory.
28d There is no training provided on cyber security.

29 Do you take a risk-based approach to identifying your high risk staff, and is additional cyber security training provided as needed to these members of staff?
29a High risk staff are identified and reviewed on an ongoing basis. Additional bespoke training is provided.
29b High risk staff are identified and additional training is provided at set intervals.
29c High risk staff are identified but no additional training is provided.
29d High risk staff are not identified.

30 Are appropriate screening and/or background checks conducted on new appointments and when employees change roles?
30a Staff screening is conducted upon employment and when employees change roles. Similar checks, following a recognised standard, are conducted on all staff at regular intervals throughout their employment, including those with access to critical systems.
30b Staff screening is conducted upon employment, and some further screening is conducted when senior or privileged roles are filled.
30c Staff screening is conducted upon employment.
30d References are checked upon employment.

31 Are physical access controls implemented, maintained and tested regularly across your organisation's facilities?
31a Physical access controls are implemented and maintained for all facilities. Access reviews are completed on an ongoing basis.
31b Physical access controls are implemented and maintained for all facilities. Access reviews are completed at set intervals.
31c Physical access controls are implemented and maintained for some facilities. Access reviews are completed on an ad-hoc/infrequent basis.
31d Physical access controls are implemented and maintained for some facilities. Access reviews are not conducted.
Detect

32 Do you have the ability to monitor for and detect anomalous activities and/or events?
32a Event information is collected in real time, or near real time, and is then collated, aggregated and analysed. Any alerts, anomalies or suspicious activities are investigated as they are detected. The integrity of this information is protected.
32b Event information from critical systems is collected in real time, or near real time, and is then collated, aggregated and analysed. Any alerts, anomalies or suspicious activities are investigated as they are detected. The integrity of this information is protected.
32c Event information from some systems is collected in real time, or near real time, and is then collated, aggregated and analysed. Any alerts, anomalies or suspicious activities are investigated as they are detected.
32d No capabilities have been established to monitor and detect anomalous activities and/or events on an ongoing basis.

33 Are remote access attempts recorded, and do alerts exist for potentially malicious activity?
33a All access attempts are recorded and alerts exist for potentially malicious activity for all corporate network and business applications that are remotely accessible.
33b All access attempts are recorded and alerts exist for potentially malicious activity for critical corporate network and business applications that are remotely accessible.
33c Successful access attempts are recorded and alerts exist for potentially malicious activity for a limited number of corporate network and business applications that are remotely accessible.
33d There is no visibility of remote access attempts.

34 Do detective systems extend to monitoring personnel operating on the corporate network, including unauthorised connections or devices?
34a Expected activity for the roles performed is profiled. Active monitoring takes place to identify deviation from expected patterns. Unauthorised connections are blocked.
34b Staff behaviour is monitored generally but specific individuals are not identified. Unauthorised connections are blocked.
34c Data loss prevention software to monitor outgoing communications from staff is employed, but no other monitoring is carried out.
34d Staff activity is not monitored.

35 How are known and documented vulnerabilities remediated in line with risk?
35a Vulnerabilities are remediated in line with the risks they present via the enterprise risk framework. Remediation is validated and assured as part of this process. There is an effective management process in place for accepted vulnerabilities.
35b Vulnerabilities are remediated in line with the risks they present. Remediation is validated and assured as part of this process. There is an effective management process in place for accepted vulnerabilities.
35c Vulnerabilities are remediated in line with the risks they present.
35d There is no consistent process for remediating vulnerabilities.

36 Do you carry out penetration tests to identify vulnerabilities that may affect your systems, networks, people or processes?
36a The organisation operates a strategic programme of threat intelligence-led end-to-end penetration tests, including against an industry recognised testing framework (e.g. CBEST or STAR) and aligned to long term business objectives.
36b The organisation undertakes threat intelligence-led end-to-end penetration tests against an industry recognised testing framework (e.g. CBEST or STAR).
36c The organisation undertakes testing against the wider enterprise or single applications, but these tend to be targeted in scope and/or are not threat intelligence-led.
36d The organisation does not regularly carry out penetration testing.

37 Are detection systems integrated within the organisation's incident response process?
37a Detection systems are linked directly to the incident response process, and automated alerting exists to trigger response actions if required. This is in place 24/7.
37b Detection systems are included within the incident response process. If the systems trigger an alert, the incident process is invoked manually. This is in place 24/7.
37c Detection systems are included within the incident response process. If the systems trigger an alert, the incident process is invoked manually. This is only available during business hours.
37d Detection systems have not been integrated into the incident response process.

38 Is there a process for gathering, analysing and sharing information on cyber threats?
38a There is a formalised process in place for analysing cyber threat intelligence. This encompasses information gathering from a diverse range of sources, collation and analysis, and defined links to business decision making. The process also articulates how intelligence should be shared with peers and other relevant parties.
38b There is a formalised process in place for analysing cyber threat intelligence. This encompasses information gathering from multiple sources, collation, analysis and dissemination to internal and external stakeholders.
38c There is an informal or nascent process in place for analysing cyber threat intelligence. This encompasses information gathering, analysis and dissemination.
38d There is no process in place for the utilisation of cyber threat intelligence.

39 Is cyber threat intelligence used to inform your cyber security strategy and framework?
39a Cyber threat intelligence is actionable, timely, targeted to specific audiences and used to support decision-making at all levels of the business (strategic through to tactical).
39b Cyber threat intelligence is actionable, timely and used to support a specific group (or groups) of business stakeholders.
39c Cyber threat intelligence is used to inform situational awareness and contextual understanding.
39d Cyber threat intelligence is not regularly used to inform decision making.
Respond

40 Do your response plans include proactive communications with customers, third parties, authorities, media, etc.?
40a A communications plan and stakeholder map exist that have been developed and tested for use in a cyber incident.
40b A communications plan and stakeholder map exist that have been developed for use in a cyber incident.
40c A communications plan exists which is designed to be used for all incidents.
40d There is no formal communications plan for incidents.

41 Do incident response procedures/policies include how and when regulators and/or stakeholders should be informed of incidents?
41a The obligation to notify regulators and key stakeholders of incidents is included within incident response procedures along with set thresholds or triggers.
41b The obligation to notify regulators and key stakeholders of incidents is included within incident response procedures.
41c There is awareness of how and when regulators and key stakeholders should be notified of incidents; however, this is not formally documented.
41d Obligations to report incidents to regulators and other key stakeholders are not widely understood across the organisation.

42 Does your incident response plan require you to share information on incidents and near-misses with industry peers (e.g. through CiSP)?
42a The incident response plan defines a specific requirement for information to be shared proactively through trusted channels, along with a named individual or team responsible for delivering this requirement. Information is shared as soon as is practically possible during or after an incident.
42b The incident response plan defines a specific requirement for information to be shared proactively through trusted channels. Information is typically shared after the conclusion of an incident.
42c The incident response plan does not specifically define proactive information sharing as a requirement; however, this is done on an ad-hoc basis depending on the nature of the incident.
42d Information relating to incidents is not typically shared outside of the organisation.

43 Do you have thresholds that are aligned to impacts which determine the response when cyber security events or incidents occur?
43a Defined thresholds exist, aligned to impacts, which determine the response to an incident. These have been approved by business and supporting functions, and are formally documented as part of operational procedures. Thresholds are reviewed on a regular basis or after an event/incident.
43b Defined thresholds exist, aligned to impacts, which determine the response to an incident. These have been approved by the business and supporting IT functions and are formally documented as part of operational procedures.
43c Defined thresholds exist to help determine the response to an incident, but these are not formally documented or aligned to impacts.
43d There are no defined thresholds. Responses to incidents are determined on an ad-hoc basis.

44 Do you undertake in-depth investigations following a cyber security event or incident?
44a Processes are in place to carry out investigations and forensic analysis following an incident where required. Protective and detective controls are specifically engineered to facilitate the investigative process.
44b Processes are in place to carry out investigations and forensic analysis following an incident where required.
44c Processes are in place to carry out investigations following an incident where required. There is no forensic capability.
44d There are no processes in place to carry out investigation following an incident.
Recover

45 Do you have a process in place to recover systems and data from an incident?
45a Processes are in place to recover systems and data in line with business requirements. These processes are tested regularly against possible scenarios; findings are risk assessed with appropriate actions taken. The confidentiality, integrity and availability of these systems and data are maintained throughout the process.
45b Processes are in place to recover systems and data in line with business requirements. These processes are tested regularly; findings are risk assessed with appropriate actions taken. The confidentiality, integrity and availability of these systems and data are maintained throughout the process.
45c Processes are in place to recover systems and data; however, they are not all aligned to business requirements. These processes are not regularly or comprehensively tested.
45d There are no established policies and procedures in place for the recovery of data or systems.

46 Do you have a process in place that incorporates lessons learned from cyber security events and incidents?
46a Incident response and risk management processes incorporate lessons learned from incidents, near-misses and external events. These are used to inform improvements at all levels of the organisation (e.g. cyber security strategy through to incident response procedures).
46b Incident response and risk management processes incorporate lessons learned from incidents. These are used to inform improvements at operational levels of the organisation.
46c Incident response and risk management processes incorporate lessons learned from incidents. These may be used to inform improvements at operational levels of the organisation, but not on a consistent basis.
46d Processes do not consistently incorporate lessons learned.

47 Have you engaged with critical third parties to understand the risks that exist between both parties, and taken steps to ensure that recovery activities are clearly understood by both parties?
47a Proactive relationships exist with critical third parties. There is assurance that response and recovery plans for all parties are understood, appropriate and tested.
47b Critical third parties have been engaged to discuss cyber risk. The organisation does not proactively share details of its recovery planning with third parties or involve them in testing.
47c There has been some limited engagement with third parties to map potential cyber risks.
47d There is no active engagement with third parties on cyber risk.