Cybersecurity Maturity Quiz

How mature is your company's cybersecurity posture? Take Infracore's quiz and find out! (It should only take a few minutes, and there's no obligation.)

1. How often does your HR department audit user accounts?
   - Never
   - When someone in IT or HR notices a discrepancy
   - Quarterly
   - Monthly
   - HR systems are integrated with IT to automatically disable user accounts upon termination

2. Who makes IT controls decisions?
   - Not sure if we have any IT controls
   - Our outsourced IT partner
   - Our internal IT lead (IT Manager, Director, VP)
   - A C-level executive
   - Our IT Steering Committee consisting of all stakeholders

3. The average age of PCs/laptops in our company is...
   - We don't keep track
   - We replace them when they stop working
   - By policy, nothing is more than 5 years old
   - By policy, nothing is more than 3 years old
   - We replace on a regular recurring cycle

4. IT tasks and requests are managed using...
   - We don't have a process
   - IT team members manage their requests and tasks individually
   - Email distribution list
   - Ticketing system
   - Integrated helpdesk system

5. Last year's IT budget as a percentage of operating expenses was...
   - 1%
   - 2%
   - 3%
   - 4%
   - 5% or more

6. A third-party IT security audit was last performed...
   - Never
   - Performed only to satisfy a request by a potential client, prepare for a compliance need, etc.
   - Performed annually, and remediation projects initiated
   - Performed annually, and remediation projects completed with high urgency
   - Performed under the supervision of a CISO, with board oversight of cyber insurance needs corresponding to the amount of risk tolerance

7. Who can install software on employee computers?
   - No restrictions, as far as we know
   - Any employee with a valid domain login
   - Employees have full control of their own computers
   - A member of our IT team
   - Designated IT team members through a credential vaulting system

8. Our approach to software patching is...
   - No patching (we don't want things to break)
   - Default patching levels set up with each system
   - Users are responsible for patching their own computers, and systems are patched by IT
   - All computers and systems are patched manually based on a companywide policy
   - All computers and systems are patched using a centralized patch management system with reporting and alerting capabilities

9. A central alerting and monitoring system...
   - Doesn't exist at my company
   - Exists for a few critical systems only
   - Is configured to alert on downtime for critical systems, services and connectivity
   - Is configured to alert on downtime for all systems, services and connectivity
   - Is running 24/7/365 and alerts IT in real time to data loss events and network intrusions

10. If a hacker gained access to the system...
   - We might not find out for weeks
   - We'd find out eventually, when our clients or employees stumbled upon warning signs
   - IT would discover indications of compromise within a few days
   - IT would know about it within hours
   - IT would be alerted in real time and engage an existing Incident Response Plan

11. Rate your employees' computer use practices...
   - We have no formal training on what to do (or not to do)
   - We provide some training when hired
   - Employees know to notify IT if they experience something out of the ordinary
   - Employees are trained to detect phishing attacks and other end-user threats
   - Employees operate according to an acceptable computer use policy that they understand and review as part of annual training

12. Physical access to the building is...
   - Open - anyone can come and go as they please
   - Protected by the receptionist, if one is available
   - Always locked, and a physical/digital key is required to get in and out (no logging)
   - Always locked, and access is granted only through digital access keys that are logged
   - Always locked, and physically guarded by personnel or video surveillance

13. Business continuity through a downtime event is guaranteed by...
   - Luck
   - Restoration of backups
   - Critical systems are restored by adhering to a business continuity plan (not tested)
   - Critical systems are restored by adhering to a business continuity plan (tested yearly)
   - Fully redundant systems and a yearly tested business continuity plan

14. Employee separations can generally be characterized as...
   - Unorganized and prone to errors
   - Reactive
   - Generally smooth, as long as existing procedures are followed
   - Well-coordinated by HR and IT according to documented processes (no periodic audits)
   - Well-coordinated by HR and IT according to documented processes with periodic audits throughout the year

15. How does your company ensure employees don't share files with outside parties or that terminated users do not retain digital assets?
   - We have no way of knowing – files are likely shared
   - We trust our people – we believe files aren't shared
   - Our employees are trained regarding the dangers of sharing / copying company data – they shouldn't be sharing files
   - Our IT department has our systems locked down fairly well – files aren't shared
   - We have DLP systems that alert on the transfer of protected information outside of company-owned assets

16. Is multi-factor authentication implemented?
   - MFA gets in the way of productivity, so we decided not to implement it
   - Employees have the option to activate MFA if they want to use it
   - MFA is set up for our email and collaboration suite (Microsoft 365, Google Workspace, etc.)
   - MFA is set up on all systems used by our company
   - All systems are managed through a single sign-on solution with different levels of access control

17. Are non-company-owned computers allowed to access email?
   - Yes
   - Our policy is "No", but we don't audit / enforce this policy
   - Allowed only through the web interface
   - Allowed only on company-owned assets with remote wipe capabilities
   - Our company owns all devices that can access corporate data, and employees cannot log in from other devices

18. How are employees trained in computer security?
   - No training is provided
   - By watching security videos during onboarding
   - We have a yearly security training program
   - Role-based security training conducted throughout the year using a training platform
   - Our steering committee determines active threats and recommends employee training that includes testing and follow-ups where additional training is needed

19. What is the process for implementing a new information service or cloud service?
   - Anyone can sign up for any service they need
   - Employees are encouraged to inform IT when installing a new application or service
   - Employees get verbal approval from their manager
   - A permission form needs to be filled out, and approval granted by our IT department
   - Our IT steering committee goes through a formal needs assessment and service acquisition for all IT-related systems

20. What compliance framework(s) does your company adhere to?
   - None
   - Each department is responsible for setting up their own policies
   - We conform to the policies identified by our IT department and external auditors (SOX, etc.)
   - NIST, CSF or CIS
   - The framework required by our regulatory and/or contractual agreements (NIST 800-53, NIST 800-171, PCI DSS, HITRUST, etc.)

Submit your answers to see where your organization falls on the Cybersecurity Maturity chart.