General Information

Step 1 - 18

* required fields

Do you have an internal IT staff? *

Are your IT systems on-premises, in a public cloud (AWS, Azure), or both? *

Do you currently implement other compliance frameworks? (800-53, DFARS, PCI, etc.) *

Do you have any formal, written security policies? *

Access Control

Step 2 - 18

Access Control activities ensure that access granted to organizational systems and information is commensurate with defined access requirements. Access requirements are developed based on the organization's needs balanced with the security requirements needed to protect the organization's assets.

Do you establish system access requirements? *

Do you control internal system access? *

Do you control remote system access? *

Do you limit data access to authorized users and processes? *

Asset Management

Step 3 - 18

Asset Management activities ensure that technology assets are identified, inventoried, and managed in accordance with defined requirements.

Do you identify and document assets? *

Do you manage asset inventory? *

Audit and Accountability

Step 4 - 18

Audit and Accountability is defined as a chronological record that reconstructs and examines the sequence of activities surrounding or leading to a specific operation, procedure, or event in a security-relevant transaction from inception to final result to ensure that the actions of an entity may be traced uniquely to that entity.

Do you define audit requirements? *

Do you perform auditing? *

Do you identify and protect audit information? *

Do you review and manage audit logs? *

Awareness Training

Step 5 - 18

Awareness and Training activities in an organization help to ensure staff are aware of the security risks associated with their activities and roles, and provide the information security-related training that employees require to carry out their duties and responsibilities.

Do you conduct security awareness activities? *

Do you perform auditing? *

Configuration Management

Step 6 - 18

Configuration Management activities focus on defining the configuration and change management processes.

Do you conduct security awareness activities? *

Do you perform auditing? *