We have prepared a generic template for a cybersecurity assessment with typical questions and sample answers. The questionnaire was built from a number of vendor RFPs collected in 2021 and 2022. Each question offers four maturity levels: answer A describes the most mature position and D the least mature, so a vendor's response can be scored by column.
Governance and Leadership

No. | Question | A | B | C | D |
---|---|---|---|---|---|
1 | Does a formally documented cyber security strategy exist and who is it approved by within the organisation? | A cyber security strategy has been approved at senior executive level and is reviewed at least annually. | A cyber security strategy has been approved by senior executives. This is reviewed at set intervals, but not in the last 12 months. | A cyber security strategy has been approved by an operational or technology lead and is reviewed at set intervals. | There is no formally documented cyber security strategy. |
2 | Does a formally documented framework (including policies, standards and delivery programme) exist to maintain your security posture and to deliver the cyber security strategy? | A documented cyber security framework exists with all supporting components. It is aligned to industry-recognised standards, has been approved at senior executive level and is reviewed at least annually. | A documented cyber security framework exists, is aligned to industry-recognised standards and has been approved at senior executive level. This is reviewed at set intervals, but not in the last 12 months. | A cyber security framework has been approved by an operational or technology lead and is reviewed on an ad-hoc/infrequent basis. | There is no formally documented cyber security framework to deliver the cyber security strategy. |
3 | Has a senior executive been appointed who is accountable for the delivery of the cyber security framework within the organisation? | A senior executive has been appointed who is accountable for delivery of the cyber security framework. This is either their dedicated role or a significant proportion of their role. | Someone (not a senior executive) within the organisation has been appointed and is accountable for delivery of the cyber security framework. There are plans to appoint a senior executive in the future. | Someone (not a senior executive) within the organisation has been appointed and is accountable for the delivery of the cyber security framework. | No-one has been appointed to be accountable for the delivery of the cyber security framework. |
4 | Are risks to cyber security managed effectively? | All risks to cyber security are translated into and managed within the enterprise risk framework. These are aligned to enterprise-level risk appetite statements and reassessed on an ongoing basis. | All risks to cyber security are translated into and managed within the enterprise risk framework. These are aligned to functional risk appetite statements and reassessed at set intervals. | Risks to cyber security are managed locally, with some visibility provided at an organisational level. These risks are reassessed on an ad-hoc/infrequent basis. | There is some awareness of risks to cyber security but no formal structure to manage them. |
5 | Has the effectiveness of cyber controls been independently assessed against their control objectives? | The effectiveness of cyber security controls has been independently assessed by a suitably skilled party as part of an established annual process, including senior executive review. | The effectiveness of cyber security controls has been independently assessed by a suitably skilled party and signed off in the last 18 months, but this is not part of an ongoing process. | The effectiveness of cyber security controls has not yet been independently assessed by a suitably skilled party, but an assessment is scheduled within the next six months. | The effectiveness of cyber security controls has not been independently assessed by a suitably skilled party and there is no plan to do so. |
6 | What level of knowledge and skills exists at the senior executive level? | All senior executives have sufficient understanding to provide effective oversight of the firm's cyber security strategy and cyber risk management. At least one senior executive has specialist knowledge and skills which the other executives can draw on. | At least one senior executive has sufficient understanding to provide effective oversight of the firm's cyber security strategy and cyber risk management. Training is scheduled to develop other senior executives' capabilities in the next 12 months. | Senior executives are currently dependent on external knowledge and skills to provide effective oversight of the firm's cyber security strategy and cyber risk management. There is a plan to address this in the next 12 months. | No senior executives currently have the relevant knowledge and skills to provide effective oversight of the firm's cyber security strategy and cyber risk management. There are no plans in place to address this. |
7 | Are roles, accountabilities and responsibilities for delivering the cyber security strategy clearly defined, assigned and understood by senior executives? | All roles, accountabilities and responsibilities are clearly defined, documented and assigned. All senior executives are aware of these and their understanding is validated. | All roles, accountabilities and responsibilities are clearly defined, documented and assigned. Senior executives' awareness and understanding of these are assumed. | Some roles, accountabilities and responsibilities are defined and assigned. Senior executives' awareness and understanding of these are assumed. | Accountabilities and responsibilities are not defined or assigned to roles. |
8 | To what extent is management information (MI), including Key Risk Indicators (KRIs), used to inform decision makers on the performance of cyber security controls? | Senior executives regularly review MI on cyber security controls. This MI is used to support the discussion of cyber security and relevant decision making. | Second line staff, such as operational risk leads, regularly review MI on cyber security controls. This MI is used to support the discussion of cyber security and relevant decision making. | First line staff, such as technology or operational leads, regularly review MI on cyber security controls. This MI is used to support relevant decision making. | MI on cyber security controls is not regularly reviewed. |
9 | Is there an exercising programme in place to validate your organisation's ability to respond to cyber security incidents, and inform your cyber security framework? | An ongoing strategic exercising programme is in place to validate the organisation's effectiveness in responding to cyber incidents across staff and processes, the results of which inform the development of the cyber security framework. | Exercises are conducted on an annual basis to validate the organisation's effectiveness in responding to cyber incidents across staff and processes, the results of which inform the development of the cyber security framework. | Exercising has been undertaken to validate the organisation's effectiveness in responding to cyber incidents, but this has not been conducted in the last 12 months. | The organisation does not undertake exercising to validate its effectiveness in responding to cyber incidents. |
Identify

No. | Question | A | B | C | D |
---|---|---|---|---|---|
10 | Are business functions understood? | All business functions have been identified and prioritised in terms of their criticality and their underlying technology and processes. This is reviewed on an ongoing basis and updated in accordance with risk and change management processes. | All business functions have been identified and prioritised in terms of their criticality and their underlying technology and processes. This is reviewed annually. | Critical business functions have been identified and prioritised in terms of their criticality. This is reviewed on an infrequent or ad-hoc basis. | Critical business functions have not been formally identified and prioritised along with their underlying technology and processes. |
11 | Is a current inventory of information assets with supporting systems maintained? | Information assets and systems are identified, prioritised, and documented in a single inventory on an ongoing basis. | Information assets and systems are identified, prioritised, and documented in single/multiple inventories which are reviewed at set intervals. | Information assets and systems are identified, prioritised, and documented, and these are reviewed on an ad-hoc/infrequent basis. | Information assets and systems have not been formally identified, prioritised and documented. |
12 | Do you understand who your third party providers are and the services they provide? | An accurate register is maintained of all third party providers and the services they provide. Processes and procedures are in place to ensure that new third parties and/or changes in existing services are captured within the register. | A register is maintained of all critical third party providers and the services they provide. Processes and procedures are in place to ensure that new critical third parties and/or changes in existing services provided are captured within the register. | A list is held of critical third party providers and the services they provide. | There is no centrally held list of third party providers and services. |
13 | Are hardware and software vulnerabilities proactively identified and documented with their risk assessment? | There is an established vulnerability detection process to discover, document and risk assess vulnerabilities on an ongoing basis. | There is an established vulnerability detection process to discover, document and risk assess vulnerabilities on at least a monthly basis. | There is a vulnerability detection process to discover, document and risk assess vulnerabilities on an ad-hoc/infrequent basis. | There is no vulnerability detection process in place. |
14 | Are end of life hardware and software assets identified and effectively managed prior to expiration? | An asset inventory (or similar) is held which tracks the end-of-life for each asset. Assets out of support are recognised as potential vulnerabilities and managed accordingly through the risk management framework. | An asset inventory (or similar) is held which tracks the end-of-life for each asset. Decisions about when to replace these are risk-based. | End-of-life for groups of assets are tracked. Decisions about when to replace these groups are risk-based. | There is no process to identify end-of-life hardware or software. |
Protect

No. | Question | A | B | C | D |
---|---|---|---|---|---|
15 | Does all remote access to the corporate network and business applications require at least two-factor authentication? | All remote access to the corporate network and business applications requires at least two-factor authentication. | Remote access to the majority of corporate network and business applications requires at least two-factor authentication. | Remote access for a limited number of corporate network and business applications requires at least two-factor authentication. | Remote access to the majority of corporate network and business applications requires only single-factor authentication. |
16 | How is user access to data via systems managed? | Requests to enable or modify user access to data require the permission of the data owner. | Requests to enable or modify user access to data are managed by line manager approval. | Requests to enable or modify user access to data require the permission of the system owner only. | Requests to enable or modify user access to data are not managed centrally. |
17 | How is user access to data via systems reviewed? | All user access and permissions to data are reviewed on an ongoing and as-required basis, e.g. as part of the joiners-movers-leavers process. | All user access and permissions to data are reviewed at least annually. | User access to data is reviewed on an ad-hoc basis and the review does not cover permissions. | User access reviews are not required by policy. |
18 | Are privileged rights understood, documented and reviewed in terms of assignment to system and user accounts? | All privileged rights are centrally managed and documented. Access privileges are reviewed by the system/business owner on an ongoing basis and as part of any joiners-movers-leavers process. | All privileged rights are documented. Access privileges are reviewed by the system/business owner at set intervals and as part of any joiners-movers-leavers process. | Privileged rights are centrally understood and enforced as part of a joiners-movers-leavers process. Reviews are conducted on an ad-hoc/infrequent basis. | There is no centralised view of privileged rights or their assignment. |
19 | Are appropriate controls in place to classify information in terms of criticality and sensitivity? | All information assets and documents are classified and labelled in line with policy. Labelling is enforced for user generated content (e.g. emails and documents, etc.). | All information assets and documents should be classified and labelled in line with policy. Labelling is reliant on the user. | All documents should be classified and labelled in line with policy. Labelling is reliant on the user. | There is no consistently applied classifying and labelling of information. |
20 | Are appropriate tools and processes in place to detect and prevent sensitive data from leaving the corporate network? | Tools and processes are in place to prevent unauthorised sensitive data from leaving the corporate network at all egress/ingress points. All incidents are investigated and escalated where appropriate. | Tools and processes are in place to monitor for unauthorised sensitive data leaving the corporate network at all egress/ingress points. All incidents are investigated and escalated where appropriate. | Tools and processes are in place to monitor for unauthorised sensitive data leaving the corporate network at some egress/ingress points. Incidents are investigated on a best endeavours basis. | There are no formalised tools or processes in place to monitor or prevent unauthorised sensitive data leaving the corporate network. |
21 | Which option best describes your backup process? | All data and system configurations are backed up and encrypted in line with business requirements, including at least one format which does not require continuous access to the network. | All data is backed up and encrypted in line with business requirements, including at least one format which does not require continuous access to the network. | Critical data is backed up. Backups are typically protected and stored offsite, but this is not a formal requirement. | Data is not consistently backed up. |
22 | Do you have effective processes and procedures in place to assess the security capabilities and management of cyber risk by third party providers? | All third party providers are reviewed in line with the risks they present at set intervals. Findings are recorded and acted upon as required. | All critical third party providers are reviewed in line with the risks they present at set intervals. Findings are recorded and acted upon as required. | All critical third party providers are reviewed at the on-boarding stage in line with the risks they present. Findings have been recorded. | No assessment of third party providers is undertaken specifically in relation to risks they present. |
23 | Are proportionate measures in place to ensure that third parties with ongoing access to your network are appropriately managed? | Third party access to infrastructure and information is identified and documented, and proportionate controls implemented as a result e.g. periodic due diligence exercises, compliance audits, non-disclosure agreements, vetting/screening, contractual agreements. | Third party access to critical infrastructure and information is understood, and proportionate controls have been implemented e.g. periodic due diligence exercises, compliance audits, non-disclosure agreements, vetting/screening, contractual agreements. | Third party access to critical infrastructure and information is understood, and the organisation has measures in place to monitor (but not actively manage) this. | There are no measures currently in place to manage third party access to infrastructure or information. |
24 | Is cyber security incorporated in change management and design processes, as well as service and product development? | Cyber security is a fundamental part of all change processes and is considered within the business strategy. | Cyber security is a fundamental part of change processes relating to critical systems, services and products. | Cyber security is considered but not formally embedded as a part of change processes relating to critical systems, services and products. | Cyber security is not regularly considered in the context of change. |
25 | Are baseline system security configuration standards and hardening procedures in place to facilitate consistent application of security requirements to operating systems, databases, applications, devices, etc.? | Baseline security standards are documented and applied. Assets are monitored on a continuous basis for compliance against these standards. | Baseline security standards are documented and applied. Assets are checked at set intervals for compliance against these standards. | Baseline security standards are documented and applied. Assets either have not been checked for compliance against these standards, or are checked on an ad-hoc/infrequent basis. | Baseline security standards are not maintained. |
26 | Do you use monitoring and/or filtering solutions to restrict network traffic to or from ingress/egress points which might present a risk to the organisation? | The organisation proactively restricts or blocks access to all ingress/egress points. Filters are reviewed and regularly updated. | The organisation proactively restricts or blocks access to sensitive ingress/egress points. Filters are regularly updated. | The organisation proactively monitors access to ingress/egress points. Filters are regularly updated. | Monitoring or filtering solutions are not widely used. |
27 | Do you employ multiple layers of security to ensure that the corporate network is segregated effectively and protected from externally facing systems (e.g. firewalls and multiple AV vendors)? | A defence-in-depth strategy is employed creating multiple layers of security, including network segregation and application whitelisting. The organisation does not rely on a single solution for any of its cyber defences. | A defence-in-depth strategy is employed creating multiple layers of security. In most instances the organisation does not rely on a single solution for its cyber defences. | There are a few points where security is a single layer, but these do not relate to any critical systems. | The organisation typically relies on single vendors and solutions to protect the business. |
28 | Are staff provided with cyber security training? | All staff are provided with mandatory cyber security training as part of an ongoing programme. Levels of understanding are measured and gaps in knowledge are identified and used to adapt or prompt additional training. | All staff are provided with mandatory cyber security training at set intervals. Levels of understanding are measured and are used to prompt additional training. | Staff have access to cyber security training but it is not mandatory. | There is no training provided on cyber security. |
29 | Do you take a risk based approach to identifying your high risk staff and is additional cyber security training provided as needed to these members of staff? | High risk staff are identified and reviewed on an ongoing basis. Additional bespoke training is provided. | High risk staff are identified and additional training is provided at set intervals. | High risk staff are identified but no additional training is provided. | High risk staff are not identified. |
30 | Is appropriate screening and/or background checks conducted on new appointments and when employees change roles? | Staff screening is conducted upon employment and when employees change roles. Similar checks, following a recognised standard, are conducted on all staff at regular intervals throughout their employment, including those with access to critical systems. | Staff screening is conducted upon employment, and some further screening is conducted when senior or privileged roles are filled. | Staff screening is conducted upon employment. | References are checked upon employment. |
31 | Are physical access controls implemented, maintained and tested regularly across your organisation's facilities? | Physical access controls are implemented and maintained for all facilities. Access reviews are completed on an ongoing basis. | Physical access controls are implemented and maintained for all facilities. Access reviews are completed at set intervals. | Physical access controls are implemented and maintained for some facilities. Access reviews are completed on an ad-hoc/infrequent basis. | Physical access controls are implemented and maintained for some facilities. Access reviews are not conducted. |
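Item 25 above asks whether hardened baselines are documented and whether assets are checked against them continuously or only at intervals. The following added example (not part of the questionnaire or of any vendor's response) shows what such a check looks like for one asset type: it parses an OpenSSH `sshd_config` and reports drift from a documented baseline. The baseline values, the sample configuration and the function names are assumptions made for this illustration; a real baseline would come from the organisation's own standard.

```python
"""Baseline hardening check for sshd_config (questionnaire item 25).

Added example, not part of the original questionnaire. The baseline values
and the sample configuration are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical baseline: keyword -> (required value, reason it is required).
BASELINE = {
    "PermitRootLogin": ("no", "administrators log in as themselves, then escalate"),
    "PasswordAuthentication": ("no", "keys or MFA only; passwords are brute-forceable"),
    "X11Forwarding": ("no", "not needed on servers; reduces attack surface"),
    "MaxAuthTries": ("4", "limits guesses per connection"),
}


@dataclass(frozen=True)
class Finding:
    keyword: str
    expected: str
    actual: str | None  # None: keyword not set, so sshd's compiled-in default applies


def parse_sshd_config(text: str) -> dict[str, str]:
    """Return the global (pre-Match) settings as lower-cased keyword -> value.

    Two sshd parsing rules matter for a compliance check and are easy to get
    wrong: for each keyword sshd uses the FIRST value it reads and ignores later
    duplicates, and everything after a 'Match' line is conditional rather than
    global, so parsing stops there. 'Keyword=value' syntax is not handled here.
    """
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)  # first value wins, as in sshd
    return settings


def check(settings: dict[str, str]) -> list[Finding]:
    """Compare parsed settings against BASELINE. An unset keyword is a finding:
    the baseline requires the value to be explicit, not left to the default."""
    findings: list[Finding] = []
    for keyword, (expected, _reason) in BASELINE.items():
        actual = settings.get(keyword.lower())
        if actual is None or actual.lower() != expected.lower():
            findings.append(Finding(keyword, expected, actual))
    return findings


# Constructed sample configuration: two deliberate deviations from BASELINE.
SAMPLE_CONFIG = """\
# constructed sample sshd_config for the example
Port 22
PermitRootLogin no
PasswordAuthentication yes
PasswordAuthentication no   # ignored by sshd: the first value above wins
X11Forwarding no
Match User backup
    PasswordAuthentication no   # conditional; does not satisfy the global baseline
"""


def report(config_text: str) -> list[str]:
    """One human-readable line per finding, for a ticket or compliance dashboard."""
    lines = []
    for f in check(parse_sshd_config(config_text)):
        shown = f"'{f.actual}'" if f.actual is not None else "unset (sshd default applies)"
        lines.append(f"{f.keyword}: expected '{f.expected}', found {shown} "
                     f"({BASELINE[f.keyword][1]})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_CONFIG):
        print(line)
```

Run against the sample, the check flags `PasswordAuthentication` (the first, permissive value is the one sshd honours) and `MaxAuthTries` (not set at all). Running the same check from a scheduler against every host, and diffing its output over time, is the difference between the A and B answers to item 25.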
Detect

No. | Question | A | B | C | D |
---|---|---|---|---|---|
32 | Do you have the ability to monitor for and detect anomalous activities and/or events? | Event information is collected in real time or near real time, then collated, aggregated and analysed. Any alerts, anomalies or suspicious activities are investigated as they are detected. The integrity of this information is protected. | Event information from critical systems is collected in real time or near real time, then collated, aggregated and analysed. Any alerts, anomalies or suspicious activities are investigated as they are detected. The integrity of this information is protected. | Event information from some systems is collected in real time or near real time, then collated, aggregated and analysed. Any alerts, anomalies or suspicious activities are investigated as they are detected. | No capabilities have been established to monitor and detect anomalous activities and/or events on an ongoing basis. |
33 | Are remote access attempts recorded and do alerts exist for potentially malicious activity? | All access attempts are recorded and alerts exist for potentially malicious activity for all corporate network and business applications that are remotely accessible. | All access attempts are recorded and alerts exist for potentially malicious activity for critical corporate network and business applications that are remotely accessible. | Successful access attempts are recorded and alerts exist for potentially malicious activity for a limited number of corporate network and business applications that are remotely accessible. | There is no visibility of remote access attempts. |
34 | Do detective systems extend to monitoring personnel operating on the corporate network, including unauthorised connections or devices? | Expected activity for roles performed is profiled. Active monitoring takes place to identify deviation from expected patterns. Unauthorised connections are blocked. | Staff behaviour is monitored generally but specific individuals are not identified. Unauthorised connections are blocked. | Data loss prevention software to monitor outgoing communications from staff is employed, but no other monitoring is carried out. | Staff activity is not monitored. |
35 | How are known and documented vulnerabilities remediated in line with risk? | Vulnerabilities are remediated in line with the risks they present via the enterprise risk framework. Remediation is validated and assured as part of this process. There is an effective management process in place for accepted vulnerabilities. | Vulnerabilities are remediated in line with the risks they present. Remediation is validated and assured as part of this process. There is an effective management process in place for accepted vulnerabilities. | Vulnerabilities are remediated in line with the risks they present. | There is no consistent process for remediating vulnerabilities. |
36 | Do you carry out penetration tests to identify vulnerabilities that may affect your systems, networks, people or processes? | The organisation operates a strategic programme of threat intelligence-led end-to-end penetration tests, including against an industry recognised testing framework (e.g. CBEST or STAR) and aligned to long term business objectives. | The organisation undertakes threat intelligence-led end-to-end penetration tests against an industry recognised testing framework (e.g. CBEST or STAR). | The organisation undertakes testing against the wider enterprise or single applications, but these tend to be targeted in scope and/or are not threat intelligence-led. | The organisation does not regularly carry out penetration testing. |
37 | Are detection systems integrated within the organisation's incident response process? | Detection systems are linked directly to the incident response process, and automated alerting exists to trigger response actions if required. This is in place 24/7. | Detection systems are included within the incident response process. If the systems trigger an alert, the incident process is invoked manually. This is in place 24/7. | Detection systems are included within the incident response process. If the systems trigger an alert, the incident process is invoked manually. This is only available during business hours. | Detection systems have not been integrated into the incident response process. |
38 | Is there a process for gathering, analysing and sharing information on cyber threats? | There is a formalised process in place for analysing cyber threat intelligence. This encompasses information gathering from a diverse range of sources, collation and analysis, and defined links to business decision making. The process also articulates how intelligence should be shared with peers and other relevant parties. | There is a formalised process in place for analysing cyber threat intelligence. This encompasses information gathering from multiple sources, collation, analysis and dissemination to internal and external stakeholders. | There is an informal or nascent process in place for analysing cyber threat intelligence. This encompasses information gathering, analysis and dissemination. | There is no process in place for the utilisation of cyber threat intelligence. |
39 | Is cyber threat intelligence used to inform your cyber security strategy and framework? | Cyber threat intelligence is actionable, timely, targeted to specific audiences and used to support decision-making at all levels of the business (strategic through to tactical). | Cyber threat intelligence is actionable, timely and used to support a specific group (or groups) of business stakeholders. | Cyber threat intelligence is used to inform situational awareness and contextual understanding. | Cyber threat intelligence is not regularly used to inform decision making. |
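Item 33 asks for remote access attempts to be recorded, with alerts for potentially malicious activity. As an added example (not code from the questionnaire or from any vendor), the script below runs three simple detections over OpenSSH authentication messages in the syslog form a bastion or VPN gateway would forward to a SIEM: a burst of failures from one source, a successful login from a source that was bursting, and any remote login to a watched account. The thresholds, watch-list, host names and log lines are constructed for the illustration.

```python
"""Alerting on remote-access log records (questionnaire item 33).

Added example, not part of the original questionnaire. The log lines,
thresholds and watch-list below are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# OpenSSH message shapes this example understands:
#   Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
#   Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>[0-9.]+) port \d+"
)

FAIL_THRESHOLD = 5              # this many failures from one source ...
WINDOW = timedelta(minutes=2)   # ... within this window counts as brute force
WATCHLIST = {"root"}            # accounts whose remote logins always alert


@dataclass(frozen=True)
class Alert:
    kind: str
    src: str
    user: str
    at: datetime
    detail: str


def detect(lines) -> list[Alert]:
    """Single pass over log lines, keeping a sliding window of failures per source."""
    recent_failures: dict[str, deque[datetime]] = defaultdict(deque)
    bursting: set[str] = set()   # sources already flagged for brute force
    alerts: list[Alert] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue   # unrelated sshd message; a real pipeline would count these too
        # Syslog timestamps carry no year; strptime defaults it to 1900, which is
        # harmless for the relative comparisons made here.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and ts - q[0] > WINDOW:   # expire failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in bursting:
                bursting.add(src)
                alerts.append(Alert("brute_force", src, user, ts,
                                    f"{len(q)} failed logins within {WINDOW}"))
        else:
            if src in bursting:   # the failure burst paid off: highest priority
                alerts.append(Alert("success_after_burst", src, user, ts,
                                    f"{m['method']} login succeeded after failure burst"))
            if user in WATCHLIST:
                alerts.append(Alert("watchlist_login", src, user, ts,
                                    f"remote {m['method']} login to watched account"))
    return alerts


# Constructed sample log: one benign key login, one stray failure, and a
# password-guessing run from 203.0.113.5 that ends in a successful root login.
SAMPLE_LOG = """\
Mar 14 09:00:01 vpn-gw sshd[2101]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
Mar 14 09:00:05 vpn-gw sshd[2102]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 14 09:00:07 vpn-gw sshd[2103]: Failed password for invalid user oracle from 203.0.113.5 port 51235 ssh2
Mar 14 09:00:09 vpn-gw sshd[2104]: Failed password for root from 203.0.113.5 port 51236 ssh2
Mar 14 09:00:12 vpn-gw sshd[2105]: Failed password for root from 203.0.113.5 port 51237 ssh2
Mar 14 09:00:15 vpn-gw sshd[2106]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Mar 14 09:00:16 vpn-gw sshd[2107]: Failed password for root from 203.0.113.5 port 51238 ssh2
Mar 14 09:00:40 vpn-gw sshd[2108]: Accepted password for root from 203.0.113.5 port 51239 ssh2
"""


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG.splitlines()):
        print(f"{a.at:%b %d %H:%M:%S} {a.kind:<20} {a.src:<15} {a.user:<8} {a.detail}")
```

The sample produces three alerts, all for 203.0.113.5: the brute-force alert on the fifth failure, then a success-after-burst and a watch-list alert for the root login; the single failure from 198.51.100.7 stays below threshold. Note that the C answer to item 33 (only successful attempts recorded) makes the first two detections impossible, which is why failed attempts must be logged and retained.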
Respond

No. | Question | A | B | C | D |
---|---|---|---|---|---|
40 | Do your response plans include proactive communications with customers, third parties, authorities, media, etc.? | A communications plan and stakeholder map exists that has been developed and tested for use in a cyber incident. | A communications plan and stakeholder map exists that has been developed for use in a cyber incident. | A communications plan exists which is designed to be used for all incidents. | There is no formal communications plan for incidents. |
41 | Do incident response procedures/policies include how and when regulators and/or stakeholders should be informed of incidents? | The obligation to notify regulators and key stakeholders of incidents is included within incident response procedures along with set thresholds or triggers. | The obligation to notify regulators and key stakeholders of incidents is included within incident response procedures. | There is awareness of how and when regulators and key stakeholders should be notified of incidents, however this is not formally documented. | Obligations to report incidents to regulators and other key stakeholders are not widely understood across the organisation. |
42 | Does your incident response plan require you to share information on incidents and near-misses with industry peers (e.g. through CiSP)? | The incident response plan defines a specific requirement for information to be shared proactively through trusted channels, along with a named individual or team responsible for delivering this requirement. Information is shared as soon as is practically possible during or after an incident. | The incident response plan defines a specific requirement for information to be shared proactively through trusted channels. Information is typically shared after the conclusion of an incident. | The incident response plan does not specifically define proactive information sharing as a requirement; however this is done on an ad-hoc basis depending on the nature of the incident. | Information relating to incidents is not typically shared outside of the organisation. |
43 | Do you have thresholds that are aligned to impacts which determine the response when cyber security events or incidents occur? | Defined thresholds exist, aligned to impacts, which determine the response to an incident. These have been approved by business and supporting functions, and are formally documented as part of operational procedures. Thresholds are reviewed on a regular basis or after an event/incident. | Defined thresholds exist, aligned to impacts, which determine the response to an incident. These have been approved by the business and supporting IT functions and are formally documented as part of operational procedures. | Defined thresholds exist to help determine the response to an incident, but these are not formally documented or aligned to impacts. | There are no defined thresholds. Responses to incidents are determined on an ad-hoc basis. |
44 | Do you undertake in-depth investigations following a cyber security event or incident? | Processes are in place to carry out investigations and forensic analysis following an incident where required. Protective and detective controls are specifically engineered to facilitate the investigative process. | Processes are in place to carry out investigations and forensic analysis following an incident where required. | Processes are in place to carry out investigations following an incident where required. There is no forensic capability. | There are no processes in place to carry out investigation following an incident. |
Recover

No. | Question | A | B | C | D |
---|---|---|---|---|---|
45 | Do you have a process in place to recover systems and data from an incident? | Processes are in place to recover systems and data in line with business requirements. These processes are tested regularly against possible scenarios; findings are risk assessed and appropriate actions taken. The confidentiality, integrity and availability of these systems and data are maintained throughout the process. | Processes are in place to recover systems and data in line with business requirements. These processes are tested regularly; findings are risk assessed and appropriate actions taken. The confidentiality, integrity and availability of these systems and data are maintained throughout the process. | Processes are in place to recover systems and data, however they are not all aligned to business requirements. These processes are not regularly or comprehensively tested. | There are no established policies and procedures in place for the recovery of data or systems. |
46 | Do you have a process in place that incorporates lessons learned from cyber security events and incidents? | Incident response and risk management processes incorporate lessons learned from incidents, near-misses and external events. These are used to inform improvements at all levels of the organisation (e.g. cyber security strategy through to incident response procedures). | Incident response and risk management processes incorporate lessons learned from incidents. These are used to inform improvements at operational levels of the organisation. | Incident response and risk management processes incorporate lessons learned from incidents. These may be used to inform improvements at operational levels of the organisation but not on a consistent basis. | Processes do not consistently incorporate lessons learned. |
47 | Have you engaged with critical third parties to understand the risks that exist between both parties, and taken steps to ensure that recovery activities are clearly understood by both parties? | Proactive relationships exist with critical third parties. There is assurance that response and recovery plans for all parties are understood, appropriate and tested. | Critical third parties have been engaged to discuss cyber risk. The organisation does not proactively share details of its recovery planning with third parties or involve them in testing. | There has been some limited engagement with third parties to map potential cyber risks. | There is no active engagement with third parties on cyber risk. |