Cybersecurity Program Maturity Self Assessment

Rate each item as Fully Implemented, Partially Implemented, Not Implemented or Not Applicable. Each item also accepts optional comments.

1. Does the organization maintain an accurate and up to date inventory of all technology assets? This inventory shall include all hardware assets, whether connected to the organization's network or not.

2. Does the organization ensure that unauthorized assets are either removed from the network, quarantined, or the inventory is updated in a timely manner?

3. Is there a maintained and up to date list of all software and cloud applications that are required for any business purpose on any business system?

4. Do you ensure that only software applications or operating systems currently supported and receiving vendor updates are added to the organization's authorized software inventory? Unsupported software should be tagged as unsupported in the inventory system.

5. Do you ensure that unauthorized software is either removed or the inventory is updated in a timely manner?

6. Do you deploy automated software update tools in order to ensure that the operating systems of computers are running the most recent security updates provided by the software vendor?

7. Have all default passwords been changed on all hardware and software assets? (This includes wifi routers at all locations.)

8. Do you ensure that all users with administrative account access use a dedicated or secondary account for elevated activities? This account should only be used for performing administrative activities and not for internet browsing, email or other similar activities.

9. Do you ensure that local logging has been enabled on all systems and networking devices?

10. Do you only use fully supported web browsers and email clients in the organization?

11. Do you use Domain Name System (DNS) filtering services to help block access to known malicious domains?

12. Do you ensure that the organization's anti-malware software updates its scanning engine and signature database on a regular basis?

13. Are devices configured so that they automatically conduct an anti-malware scan of removable media/devices when inserted or connected?

14. Are devices configured to not auto-run content from removable media/devices?

15. Are host-based firewalls or port filtering tools on user systems used with a default deny rule that drops all traffic except those services and ports that are explicitly allowed?

16. Do you ensure that all system data is automatically backed up on a regular basis? This includes cloud application data.

17. Do you ensure that backups are properly protected via physical security or encryption when they are stored, as well as when they are moved across the network? This includes remote backups and cloud services.

18. Do you ensure that all backups have at least one offline (i.e. not accessible via a network connection) backup destination?

19. Have you performed test restores of the data backups to ensure that they will be reliable when needed?

20. Is the latest stable version of software installed on all network devices? This includes wifi routers/firewalls at home offices.

21. Do you have an inventory of sensitive information?

22. Do you have encryption enabled on all mobile devices, including laptops, phones and tablets?

23. Do you protect all corporate information stored on systems with access control lists? These controls enforce who has access to what data. This is commonly referred to as the Principle of Least Privilege.

24. Is Multi-factor Authentication enabled on all accounts (where available)?

25. Is Advanced Encryption Standard (AES) enabled as a minimum to secure wireless networks?

26. Is there a separate wireless network for personal and untrusted devices?

27. Are all accounts that cannot be associated with a business user or business process disabled or deleted?

28. Have you implemented an ongoing and current security awareness program?

29. Do you have documented incident response procedures?

30. Do you have separate cyber insurance coverage?

31. Has your cyber insurance policy been reviewed to ensure it covers the risks to your business and will appropriately cover your business?