Cyber Risk Maturity Self-Evaluation

Programs & Policies
Ensure cyber risk program policies are right-sized to the organization and aligned to the business goals.

1. Do you have a cyber risk management program?
   We do not have a formal program to manage cyber risk.
   We have performed a risk assessment in the past and we are remediating findings.
   We have defined an owner of our cyber risk management program with budget who reports maturity (capabilities and progress) of the program to the board or senior management regularly via a tool/platform.
   We have a business-aligned cyber risk management program and owner with budget who reports to the board or senior management regularly by quantitatively measuring maturity via a tool/platform.

2. Do you guide your staff with cyber security policies?
   We have no policies, or only certain policies in our employee handbook.
   We have an Information Security Policy, and our staff sign that they understand it when hired.
   We have a set of cyber security policies; our staff sign that they understand them when hired and acknowledge them annually via a tool/platform.
   We review/update our cyber security policies, publish them, and require our staff to acknowledge and sign them annually via a tool/platform.
   We review/update our cyber security policies, publish them, require our staff to acknowledge and sign them annually, and measure and test compliance with our policies, all via a tool/platform.

3. Do you have a cyber security program?
   We do not have a formal cyber security program.
   We have implemented some security practices like patching, antivirus, and email protections.
   We have a formal cyber security program with a defined owner (e.g., CISO, ISO) who is driving compliance with policies and a security framework via training and protective control implementation.
   We have a defined owner who is accountable for our cyber security posture at all layers of our environment (e.g., network, applications, data, O/S, endpoints, etc.), and who provides performance metrics to leadership via a tool/platform.
   We have a mature cyber security program that continuously monitors, measures, and attests to our cyber security posture via external audits, penetration tests, and vulnerability scans, and is managed via a tool/platform.

Training & Awareness
Enable role-specific training to elevate organizational skills and raise staff awareness of their responsibilities.

4. Do you train your staff on cyber security?
   We do not train our staff.
   We have trained our staff at least once or do so periodically.
   We train our staff monthly on critical cyber security topics (e.g., phishing, passwords, social engineering, etc.) and track completion via a tool/platform.
   We train and test our staff monthly on critical cyber security topics, run phishing tests on our employees at least annually, and track completion and monitor performance via a tool/platform.
   We train, test, measure, and address failures of our staff monthly on cyber security topics, and our quarterly phishing test failure rates are at or below 5% as measured via a tool/platform.

Operational Processes
Fortify change, problem, and incident management processes, and assure proper provisioning and deprovisioning of access to critical applications and systems.

5. Do you document and comply with your cyber security processes?
   We have no documented cyber security processes that we follow.
   We have access management (e.g., provisioning/deprovisioning) processes documented and track completion.
   We have documented access management processes with tracking and reviews, and a documented incident handling process.
   We have mature access management and incident handling processes in place, and drive security remediation into existing operations.
   We have mature access management and incident handling processes, drive security requirements into new initiatives, check for failures, and approve new initiatives to proceed.

6. Do you monitor, manage, and patch your IT hardware and software assets?
   We do not have an accurate inventory, nor do we actively patch or monitor our IT assets.
   We automate patching and monitoring of some workstations and servers via commercial tools.
   We have an inventory of IT assets that are monitored, managed, and patched regularly per policy.
   We have a current inventory of all IT assets (hardware, infrastructure, software, endpoints) that are all monitored, managed, and patched regularly per policy.
   We have a current inventory of all IT assets; they are monitored, managed, and patched regularly, and we fix known vulnerabilities and produce metrics per policy.

7. Do you have change and problem management processes?
   We do not have change and/or problem management processes.
   We have informal change and problem management processes.
   We have formal change and problem management processes with impact reviews, approvals, and a help desk in place.
   We have formal change and problem management ticketing tools, review impacts, approve changes, require help desk notifications, and require root cause analysis for failed changes and problems.
   We have an integrated change and problem management process with tickets, workflow, impact, approvals, fallback procedures, help desk notification, escalation processes, root cause analysis, and metrics in a tool/platform.

Crisis Management & Incident Response
Establish, assign, and practice crisis management and incident response activities to ensure ongoing business resiliency.

8. Do you have a Cyber Security Incident Response Plan?
   We do not have an incident response plan, or we have a plan that has not been updated recently.
   We have an up-to-date incident response plan and it has been tested recently by IT.
   We have an existing response plan, it is tested with the business, and we have competent and sufficient crisis staff to run the plan when needed.
   We have an incident response plan with dedicated crisis staff who oversee the development, orchestration, and improvement of the Cyber Security Incident Response (CSIR) Plan in a tool/platform.
   We have a CSIR Plan with a core team including Legal, Public Relations, Forensics, and Communications functions, and it is fully operational, tested, updated, and documented in a tool/platform.

Contingency Planning
Document data flows, analyze business impact, document recovery requirements, and test resiliency against cyber and other threat scenarios.

9. Do you back up and can you restore your critical data?
   We are not sure if our critical data is being backed up, or our backups are only on-site.
   We back up all critical data off-site and/or in the cloud.
   We back up all critical data off-site/in the cloud and have performed at least one test restore.
   We back up all critical data off-site/in the cloud per our Disaster Recovery Plan and perform test restores annually.
   We back up all critical data off-site, in the cloud, and/or offline, perform restore testing, update DR plans, and have aligned the plan with business requirements to continue operating if a major disaster occurred.

Business Context

10. Is your cyber risk program aligned to business objectives?
   We have no visibility into executive-level initiatives, or we base our program only on compliance requirements.
   We have limited visibility into executive-level initiatives; our program is based on compliance and/or aligned to some security requirements.
   We have some visibility into executive-level initiatives, and our program is aligned to a security controls framework with a crosswalk to compliance requirements.
   We have visibility into senior leadership and board-level objectives; our controls are based on security frameworks and compliance requirements, and are right-sized and aligned to business objectives.
   We are closely aligned with senior leadership and board-level objectives, meet regularly, and assure that our program stays aligned to enterprise risk.

11. Do you document critical business processes and recovery requirements?
   We do not document our critical business processes.
   We have documented some of our business and IT processes with minimal recovery requirements.
   We have documented all critical business and IT processes with defined Recovery Time Objectives (RTOs) and Recovery Point Objectives (RPOs), and Service Level Agreements (SLAs) with our third parties.
   We have documented all critical business and IT processes with RTOs/RPOs and include them in our Disaster Recovery Plan (DRP) tests per SLAs via a tool/platform.
   We have documented all critical processes with RTOs/RPOs, ensured Business Impact Analyses (BIAs) are kept current, and tested them as part of our DRP SLAs via a tool/platform.

Governance & Compliance
Streamline ownership, accountability, and activities to continuously comply with internal and external risk and compliance factors.

12. Do you comply with laws and regulations impacting your business?
   We are not aware of, or are only moderately familiar with, the laws and regulations impacting our business.
   We are aware of and versed in the laws and regulations impacting our business and attempt to comply.
   We are aware of and versed in the laws and regulations impacting our business and comply with most.
   We are aware of and versed in applicable laws and regulations, comply with all, and manage remediation via a tool/platform.
   We are aware of, versed in, and continuously compliant with all applicable laws and regulations, actively manage remediation, and measure risks via a tool/platform.

13. Do you manage third-party risk and/or your supply chain?
   We do not manage third-party risk or supply chain providers, or we do so informally.
   We have a manual inventory of our third parties and suppliers and evaluate them once, when we sign the original contract.
   We have a complete and accurate inventory of our third parties and suppliers and assess some of them annually.
   We have an accurate, tiered inventory of our third parties and suppliers, assess our top tier annually, and address findings via a tool/platform.
   We have an accurate, tiered inventory of third parties and suppliers, assess them annually, address findings, and compare results to the SLAs in contracts via a tool/platform.

14. Do you have a current inventory of all IT hardware?
   We do not track our IT hardware/infrastructure, or we do so informally.
   We manually maintain a list of some of our IT hardware/infrastructure, but do not compare it against an approved list and have no vendor support tracking.
   We have a complete listing of all IT hardware/infrastructure and a new hardware approval process, with some tracking of vendor support, service plans, and end-of-life (EOL) dates.
   We have a complete listing of all approved IT hardware/infrastructure and an approval process, including tracking of all vendor support, service plans, and EOL dates in a tool/platform.
   We have an auto-discovered, complete, and current inventory of all IT infrastructure and an approval process, with vendor support/service plan tracking and renewal, and a replacement plan for equipment becoming EOL or end-of-support, in a tool/platform.

15. Do you have a current inventory of all software?
   We do not track our software (i.e., applications, systems, solutions, and/or services), or we do so informally.
   We manually maintain a list of some of our software (on-prem and in the cloud), but do not compare it against an approved list and have no vendor support tracking.
   We have a complete listing of all approved software and a new software approval process, with some tracking of vendor support or end-of-life (EOL) dates.
   We have a complete listing of all approved software and an approval process, including tracking of all vendor support and EOL dates in a tool/platform.
   We have an auto-discovered, complete, and current inventory of all software (including cloud) and an approval process, with vendor support/EOL dates tracked and all software upgraded and renewed in a tool/platform.

16. Do you know where your critical data is and how it is protected?
   We do not know where most of our critical data is stored.
   We know where most or all of our critical data is stored at rest.
   We know where our critical data is, locally and/or in the cloud, and we protect it at rest and in transit with technical controls and defined policies.
   We know where our critical data is stored (locally/cloud), at rest and in transit, and we protect it with technical controls and defined policies and processes that are regularly validated.
   We know where our critical data is stored throughout its lifecycle, controls/protections are regularly validated, and we train and assess employees regularly on proper handling and protections.

Risk Management
Define the tolerance for business risks to baseline, measure, and manage risk decisions.

17. Do you have a risk register and risk tolerance defined?
   We do not have a risk register, nor have we defined our risk tolerance.
   We have an initial IT risk register documented.
   We have a business-wide risk register and we have defined our initial risk tolerance.
   We have a complete risk register and risk tolerance, with only IT owners identified, captured in a tool/platform.
   We have a complete risk register with risk tolerance aligned with business owners and risk actions (accept, mitigate, transfer, etc.) captured in a tool/platform.

18. Do you have an IT or cyber risk committee?
   We do not have any group that meets to consider IT risks.
   We have an IT team that meets periodically to discuss projects and associated risks.
   We have a formal IT/Cyber Risk Committee that meets at least quarterly to review our risk register and remediation projects.
   We have a cross-functional IT/Cyber Risk Committee with business stakeholders responsible for risk management that is aligned to business objectives and digital initiatives via a tool/platform.
   We have an IT/Cyber Risk Committee with business stakeholders that proactively manages cyber risk, ensuring all digital initiatives are vetted and aligned to the organization's risk tolerance via a tool/platform.

Controls Framework
Align controls to business context prioritization, benchmark against relevant framework best practices, and harmonize control sets across compliance mandates.

19. Do you assess your cyber security posture?
   We do not assess our security controls unless there is a compliance mandate.
   We do not regularly assess our security controls, but we have had penetration tests or external scans conducted within the past 18 months.
   We assess our detection and response control effectiveness for on-prem and cloud environments via annual assessments (e.g., penetration tests, red team exercises, etc.).
   We regularly assess all on-prem and cloud security controls via internal and external assessments to improve our ability to manage our cyber security posture relative to current threats.
   We continuously assess our cyber security posture via tests and simulated attacks, and leverage tools to monitor our threat landscape.

20. Do you have a defined cyber security framework?
   We have no security framework or defined controls architecture.
   We have defined our cyber security framework (e.g., NIST) and documented our controls architecture.
   We have a cyber security framework with a documented controls architecture and have begun to harmonize our controls against compliance requirements.
   We have a cyber security framework with a documented controls architecture, and have cross-walked, harmonized, and aligned our controls to compliance and business objectives in a tool/platform.
   We have rationalized our control requirements within our defined architecture, cross-walked controls to compliance and business objectives, aligned them with critical processes, and measure effectiveness against industry-leading cyber security frameworks.