1. Do you have a designated individual responsible for cyber security at your Company who has relevant experience and certifications (usually 7+ years of Cyber Security experience and certifications such as the CISSP, CISA, or CEH)?
2. How often do you brief the board or executive leadership team on the status of the Cyber Security program, including control effectiveness, testing, and new risks or threats, and how it may impact your business?
3. How do you know what data you store and what systems are holding that data?
4. How often do you conduct Risk Assessments in your environment?
5. When a critical risk appears in the Risk Assessment, which of the below steps are used to mitigate the risk?
6. How often are manual network penetration tests conducted on your environment?
7. How often do you use an automated vulnerability scanner to identify external vulnerabilities that could be exploited by an attacker?
8. How often are applications (internal and externally facing) tested to make sure they do not contain insecure code?
9. What is the process to mitigate vulnerabilities identified in the penetration tests?
10. How are employees trained on cyber security best practices and general awareness?
11. How do you confirm that vendors are meeting their cyber security contractual obligations?
12. How often are security policies reviewed and updated?
13. If an employee suspects a data breach has occurred, they would...
14. How often does identity and access management review access to sensitive customer data and applications?
15. When storing customer data, which measure do you use to make sure that the data is secure?
16. When sending customer data, how do you protect it in transit?
17. How do employees authenticate themselves when accessing a system where sensitive data is available?
18. When storing customer data, how often is the data assessed and deleted from the environment?
19. How does your IT department track any changes to the environment?
20. How does your organization monitor users' activity and behavior?