Type your email…

Home
About
Services
Blog
Newsletters
Contact
Search
Self Assessment

Cybersecurity Self Assessment

This cybersecurity self assessment provides a quick snapshot of your organization’s cybersecurity posture across areas such as governance, access control, vendor risk, and incident preparedness. It typically takes less than 10 minutes to complete and is designed to highlight potential strengths and areas that may need attention. This is not a security audit, certification, or compliance determination, and the results are provided for informational purposes only.

Quick Assessment

Δ

Email address

Industry

Staff Size (include volunteers with system access)

Any additional notes or context

1. Governance Oversight – Is cybersecurity formally reviewed with executive leadership or the board at least once per year?

a. No

b. Informally, but not structured

c. Yes, with reports and discussion

d. Yes, with defined metrics and roadmap tracking

e. Not sure or not visible to my role

2. Risk Discipline – Do you have a defined way to identify, prioritize, and track cybersecurity risks over time?

a. No formal process

b. Risks discussed but not documented

c. Risks documented and periodically reviewed

d. Cyber risks integrated into enterprise risk management

e. Not sure or not visible to my role

3. Regulatory and Contractual Awareness – Has your organization identified regulatory, contractual, donor, insurance, or grant related cybersecurity requirements that apply to you?

a. No

b. Some, but may not be all

c. Yes, identified but not formally tracked

d. Yes, identified and actively managed

e. Not sure or not visible to my role

4. Asset Visibility – Do you maintain a current inventory of hardware, software, and SaaS systems used by the organization?

a. No

b. Partial or outdated list

c. Maintained and periodically reviewed

d. Automated and tied to risk management

e. Not sure or not visible to my role

5. Data Awareness – Do you know where sensitive or regulated data is stored and who has access to it?

a. No

b. Partially

c. Yes, documented but not monitored

d. Yes, documented and actively monitored

e. Not sure or not visible to my role

6. Identity and Access – Control Is multi factor authentication required for all remote access and privileged accounts?

a. No

b. For some systems

c. For most critical systems

d. Enforced organization wide, phishing resistant

e. Not sure or not visible to my role

7. Vendor and Third-Party Risk – Do you evaluate cybersecurity practices of vendors that handle your data or provide critical services?

a. No

b. Informal review

c. Structured questionnaire or review

d. Formal vendor risk program with contract language

e. Not sure or not visible to my role

8. Security Awareness – Do employees and volunteers receive regular cybersecurity awareness training and phishing testing?

a. No formal training

b. Occasional awareness communications

c. Annual training

d. Ongoing training with regular phishing simulations and tracking

e. Not sure or not visible to my role

9. Security Monitoring – Capability Are systems, user activity, and network events monitored for suspicious behavior?

a. No formal monitoring

b. Basic monitoring such as antivirus alerts only

c. Logging and monitoring are in place

d. Centralized monitoring with defined review and response process

e. Not sure or not visible to my role

10. Incident Preparedness – Do you have a documented and tested incident response plan?

a. No

b. Documented but never tested

c. Documented and tested once

d. Documented and tested regularly on a scheduled cadence with leadership involvement

e. Not sure or not visible to my role

11. Backup and Recovery Confidence – Are backups performed, protected from ransomware, and tested for restoration?

a. Backups inconsistent or incomplete

b. Regular Backups exist but not tested

c. Regular Backups exist and tested occasionally

d. Regular Backups exist and tested / validated on a scheduled basis

e. Not sure or not visible to my role

12. Security Assessment and Validation – Does your organization regularly assess the effectiveness of its cybersecurity controls through activities such as vulnerability scanning, self-assessment, or penetration testing?

a. No formal assessments

b. Occasional or informal assessments

c. Regular vulnerability scanning or periodic assessments

d. Formal assessment program including penetration testing and tracked remediation

e. Not sure or not visible to my role

Responses will be personally reviewed and a brief summary with observations and suggested priorities will be sent to the email address you provide. The summary you receive reflects a limited review of the responses provided and should not be relied upon as the sole basis for security or compliance decisions. Information submitted will be used solely for the purpose of reviewing and responding to this assessment.

HopeNet CISO Services

LinkedIn

Copyright © 2024