01 Security awareness and training: Does your organization:
A. Conduct recurring security training for its employees?
B. If yes to (A) above, does your training include specific information about how to recognize social engineering attacks (e.g., phishing, media drops, human manipulation)?
C. If yes to (A) above, does your organization test for knowledge absorption (i.e., did employees learn the material)?
02 Remote access and multifactor authentication: Can employees access the organization:
A. Remotely (i.e., get access to their email, shared drives/folders, etc.) from outside the facility?
B. If yes to (A) above, can employees access remotely using their own personal devices?
C. If yes to either, does your organization use multifactor authentication and/or a VPN for remote access?
D. Does your organization "regularly" (at least annually) conduct security testing to evaluate the efficacy of its identity, access and authentication management capabilities?
03 Security tools: To the extent you know, does your organization have:
A. A comprehensive, accurate inventory of IT assets (systems, infrastructure, devices, hardware, etc.) that is maintained and updated, automatically or manually, on a regular basis?
B. A tool or service that filters out potentially malicious email (e.g., spam, phishing emails, etc.)?
C. A regular approach to maintaining and updating its antivirus rules, signatures and adversarial indicators?
D. An endpoint security tool (such as CrowdStrike, Carbon Black, Symantec Endpoint Protection, Cisco AMP, Sophos, etc.)?
E. Vulnerability scanning tools/services to identify vulnerabilities on external and internal IT assets (such as Qualys, Rapid7, Tenable, etc.)?
F. The ability to patch identified vulnerabilities in a timely manner (e.g., critical vulnerabilities within 48 hours, etc.)?
G. A tool or service that acts as a Security Information and Event Manager (SIEM), or an external Managed Security Service Provider (MSSP), to analyze logs, alerts and other collected information for suspicious behavior?
04 Security governance: Does your organization have:
A. Secure, hardened baseline images for organizational assets (i.e., workstations, servers, virtual machines, boundary infrastructure, etc.) based on a recognized standard (e.g., Center for Internet Security, Federal Desktop Core Configuration, etc.)?
B. An incident response plan for responding to cyber incidents that is reviewed by management and updated periodically?
C. A security or risk committee, comprised of key leaders and stakeholders across the corporate and business units, that meets regularly to discuss and decide on security-related issues?
D. Processes and procedures in place to identify, classify, label and segment critical information and data?
E. IT and security policies, standards and procedures that are reviewed and updated at least annually and are readily available to employees and IT/security personnel?
F. People and/or resources to conduct IT and security audits and/or risk assessments, procedures to communicate findings to appropriate stakeholders, and a process to validate that remediation has occurred?
05 Ransomware response and recovery: Does your organization have:
A. An incident response team and/or security operations center to analyze and respond to potential cyber incidents?
B. Drafted crisis communications and coordination contact lists for key external parties (e.g., law enforcement, external legal counsel, public/media relations, etc.)?
C. Processes and procedures in place to back up and retrieve sensitive customer and corporate data?
Your assessment results
Moderate Level of Readiness
Your organization appears to have a number of security governance measures, procedures, tools and/or controls in place to address a potential ransomware incident. That said, key elements appear to be missing which, if exploited, could lead to a breach or infection. Even a single breach or infection can cause widespread downtime, service delays and financial impact, so we would recommend a Ransomware Readiness Assessment (RRA). The RRA will identify which governance measures, tools and controls are in place to address a ransomware incident, and where gaps and potential weaknesses exist. Our RRA can quickly and clearly identify the positive aspects of your security program and provide recommendations on areas for development and improvement.
In participating in this survey, the user acknowledges that the results of this survey are provided at no cost to the recipient and for informational purposes only. The Chertoff Group does not provide warranties of any kind regarding any information contained within and does not endorse any commercial product or service, referenced in this bulletin. The results of this survey do not represent an actual risk assessment but are merely for educational purposes. The Chertoff Group expressly disclaims liability for any user’s belief in or actual understanding of its security posture based on the results of this survey.