Step 1 of 520%Your First Name*Your Last Name*Your Company*Your Job Title*Your Email Address* Your Phone NumberYour Industry*Select IndustryAccounting/FinanceAdvertising/Public RelationsAerospace/AviationArts/Entertainment/PublishingAutomotiveBanking/MortgageBusiness DevelopmentBusiness OpportunityClerical/AdministrativeConstruction/FacilitiesConsumer GoodsCustomer ServiceEducation/TrainingEnergy/UtilitiesEngineeringGovernment/MilitaryGreenHealthcareHospitality/TravelHuman ResourcesInstallation/MaintenanceInsuranceInternetJob Search AidsLaw Enforcement/SecurityLegalManagement/ExecutiveManufacturing/OperationsMarketingNon-Profit/VolunteerPharmaceutical/BiotechProfessional ServicesQA/Quality ControlReal EstateRestaurant/Food ServiceRetailSalesScience/ResearchSkilled LaborTechnologyTelecommunicationsTransportation/LogisticsOtherHiddenYour Business Zip CodeHiddenPartnerSelect PartnerSecurityStudioFRSecureLofflerNetgainBergan KDVEarthbendMagenicHiTechRK DixonXigentBankers EquipmentProcellisNetwork CenterCMK ResourcesExpedient TechnologyImpact GroupCNE ITMarcoDisruptiveProspectrApplied TechEmptyGolfSPC InternationalNorthStar Technology GroupCorporate TechnologiesComputer Technology SolutionsCitonBluegrass TechnologyCopeland BuhlKT ConnectionsAtom CreekBroadReach CommunicationsOlsen ThielenUnited Technology GroupCPS TechnologyCommon Knowledge TechnologyMytech PartnersInterbit DataE-N ComputersVanBoA Couple of GurusMinnesota Security ConsortiumHiddenReferrerSelect Referreralex-titzedrew-boekejohn-messlee-ann-villellapat-dillonsteve-marsdenmooresandy-forsbergkevin-orthevan-francenTerms and Conditions* I agree to SecurityStudio’s Agreements and Terms.HiddenTerms and Conditions version agreed toHiddenscore_text_goodA "Good" estimated S2SCORE® means that you have really spent time, money, and effort building a good information security program. The foundation of your program is laid, and now you're in "maintenance mode," although you still have some major projects and tasks to accomplish. The return on each information security dollar starts to diminish for organizations with a "Good" S2SCORE, so it's very important to spend each information security dollar wisely and to effectively communicate your information security measurement of risk. To accomplish this, schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.Hiddenscore_text_excellentAn "Excellent" S2SCORE® is a rarity and something to take pride in. It's obvious that your organization has spent significant amounts of time, money, and effort to build a best-in-class information security program. You have the proper structures in place to maintain what you've painstakingly built, and now you can focus on 1) continuous improvement and 2) finding more tangible returns for your investment. Schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan, so you can share this with your customers, executive management, and boards of directors. A compromise of your defenses will always be a possibility, but you will likely detect such an event early on and be in a position to limit damages.Hiddenscore_text_fairA "Fair" estimated S2SCORE® means that you have done some really good things with respect to your organization's information security; however, significant gaps/risks still exist. Some of the foundational components of the program are in place, and it's time for the program to mature into a more formal business initiative. This is the point in the program where information security expenditures need to start providing real and tangible results. The question, "where should we spend our next information security dollar?" is an important one to support with facts instead of gut instinct. Start by scheduling the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan. A compromise is still very much possible, but you are more likely to detect it and respond with some effectiveness. If executive management is involved with information security, which they probably are, continued improvement will only help them make better risk-based decisions.Hiddenscore_text_poorA "Poor" estimated S2SORE® means that you have significant areas of improvement for information security in your organization. Your information security program is not mature enough for sustained improvement, and a significant compromise is possible in the short term. Whether or not your organization would notice the threat, attack, and eventual compromise is not well known. Without significant improvements in your information security program, executive management's decisions regarding security may not be easily defended should an adverse event occur. It’s imperative that you schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.Hiddenscore_text_verypoorA "Very Poor" estimated S2SCORE® usually means that you haven't taken the necessary basic steps to protect your organization from a variety of threats. The information security program lacks formality, and a significant compromise is likely in the short term. To make matters worse, depending upon the type of threat, the compromise may go unnoticed for an extended period of time. If a compromise were to become known, executive management may not have the necessary proof to defend the organization against civil actions. It’s imperative that you schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.ADMINISTRATIVE CONTROLSControls that define the Information Security strategy, roles and responsibilities of workforce members.RISK MANAGEMENTPlease select all statements that apply to your organization:Risk management processes are formally established, managed, and agreed to by all organizational stakeholders. Yes No Not SureThe organization's approach to Information security risk management is comprehensive; accounting for administrative (people), physical, and technical threats and vulnerabilities. Yes No Not SureThe organization has transferred information security risk by obtaining insurance. Yes No Not SureINFORMATION SECURITY GOVERNANCEPlease select all statements that apply to your organization:The organization has defined a set of information security policies that are formally approved by executive management. Yes No Not SureInformation security policies have been formally reviewed within the last twelve (12) months or less. Yes No Not SureWe have identified and enabled a security manager, security officer, CISO or similar position within the organization. Yes No Not SureHUMAN RESOURCES SECURITYPlease select all statements that apply to your organization:Management actively endorses and complies with the organization's security policies. Yes No Not SureThe organization has developed and implemented a formal information security awareness, education, and training program. Yes No Not SureBackground checks are performed on employees, third-party and other associates in accordance with their roles and responsibilities, job function, and data sensitivity. Yes No Not SureASSET MANAGEMENTPlease select all statements that apply to your organization:An asset management (or similar) policy exists and accounts for all information assets (physical, software, and data) from acquisition through disposition/disposal. Yes No Not SureAsset and/or information classification requirements have been defined, including the acceptable controls for protection. Yes No Not SureA complete, up-to-date, and detailed inventory of all cloud services used by the organization is maintained. Yes No Not SureACCESS MANAGEMENTPlease select all statements that apply to your organization:Physical and logical access controls are intregated and formally considered in policy. Yes No Not SurePeriodic reviews of user accounts, privileged accounts, and service/system accounts are conducted according to a defined procedure. Yes No Not SureThe organization has formally defined practices for the use and protection of authentication information (passwords, PIN numbers, tokens, etc.) in policy. Yes No Not SureCRYPTOGRAPHYPlease select all statements that apply to your organization:Encryption requirements for protecting data at rest are documented and consistently followed. Yes No Not SureEncryption requirements for protecting data in transit are documented and consistently followed. Yes No Not SureRoles and responsibilities for the implementation of the encryption policy and key management are defined by management. Yes No Not SureSECURITY OPERATIONSPlease select all statements that apply to your organization:Required operational controls for information security are defined in policy and procedure, including (but not limited to) those for mobile device security, remote access/teleworking, systems configuration, change management, anti-malware, backups, event logging, vulnerability management, audit, network security, system acceptance testing, and vendor/third-party risk management. Yes No Not SureAll vendors have been formally assessed for the inherent and residual risks they pose to the organization. Yes No Not SureInternal information security audits are conducted on a regular basis. Yes No Not SureINCIDENT MANAGEMENTPlease select all statements that apply to your organization:The organization follows a formal process to report information security events, such as loss of service, loss of equipment, loss of facilities, system malfunctions, system overloads, human errors, and non-compliances with policies or guidelines. Yes No Not SureIncident response procedures are tested on a periodic basis. Yes No Not SureThe criteria and conduct for forensic investigations is defined and the protection of evidence is formally accounted for. Yes No Not SureBUSINESS CONTINUITY MANAGEMENTPlease select all statements that apply to your organization:The organization has developed a formal business continuity plan (BCP) or disaster recovery (DR) process. Yes No Not SureCritical business assets and their dependencies have been identified and accounted for in recovery plans. Yes No Not SureRecovery plans are tested on a periodic basis, and have been tested within the past twelve (12) months. Yes No Not SureCOMPLIANCEPlease select all statements that apply to your organization:All relevant statutory, regulatory, and contractual requirements have been explicitly defined and documented (e.g. GDPR, state breach notification laws, Massachusetts state law, HIPAA, GLBA, PCI, et al.) Yes No Not SureThe frequency, scope, and method(s) for independent security reviews are documented. Yes No Not SureInformation security policies and/or procedures that are specific to financial systems have been developed and implemented. Yes No Not SurePHYSICAL CONTROLSPhysical Controls are the security controls that can often be touched and provide physical security to protect your information assets.FACILITY SECURITYPlease select all statements that apply to your organization:Formal physical security policies and procedures exist, are up-to-date, and include the specific requirements for physical security and safety planning. Yes No Not SureFacility physical security risk assessments and/or security audits are conducted on a regular basis. Yes No Not SurePublic and non-public entrances are clearly marked and/or obvious. Yes No Not SureNon-public entrances are sufficiently secured with effective and auditable controls. Yes No Not SurePublic spaces are covered by camera surveillance. Yes No Not SureThe date and time of entry and departure of visitors is recorded. Yes No Not SureA listing of all restricted areas within and around the facility has been compiled and maintained. Yes No Not SurePublic, delivery, or loading areas are staffed. Yes No Not SureIncoming materials are inspected for evidence of tampering and if such tampering is discovered it is immediately reported to security personnel. Yes No Not SureEQUIPMENT AND INFORMATIONPlease select all statements that apply to your organization:All sensitive equipment and systems are located in a secure area(s). Yes No Not SureAreas containing sensitive equipment and systems are physically secured (e.g., all walls run deck-to-deck, doors are solid w/o vents, doors open outward and slam shut, a raised floors do not run under the doorway, locks and cardkey access are in place, and camera surveillance is employed). Yes No Not SureFire suppression systems are adequate, code-compliant, and protected (within a secure location). Yes No Not SureUninterruptible power supplies (UPS) are used on all sensitive equipment and systems, and sufficient runtime (>10 minutes) is provided. Yes No Not SureAll network closets and/or wiring rooms are secured. Yes No Not SureCabling is tidy, tied down, and labeled. Yes No Not SureMaintenance personnel have been subjected to background checks. Yes No Not SureHousekeeping personnel are actively supervised and monitored during their actitivities. Yes No Not SureDocumented policy and procedures define clear desk and clear screen requirements for securing sensitive and critical business information during and after work hours. Yes No Not SureTECHNICAL CONTROLS (INTERNAL)Internal technical controls are used to protect internal information resources, focusing on all technical controls that aren't associated with the traditional perimeter.NETWORK CONNECTIVITYPlease select all statements that apply to your organization:Connectivity between public networks and the organization's internal networks can only be obtained by passing through a firewall (or other packet filtering and control device). Yes No Not SureTraffic between public networks and internal networks is reviewed for the presence of malware. Yes No Not SureThe internal network (LAN) is segmented according to system/information sensitivity and/or criticality using firewall rules or VLANs with Access Control Lists (ACLs). Yes No Not SureREMOTE ACCESSPlease select all statements that apply to your organization:Multi-factor authentication is used for remote access to our network(s). Yes No Not SureRemote access connection attempts and traffic are consistently monitored. Yes No Not SureThird-party remote access connections are only enabled after an adequate review of the third-party's information security protections. Yes No Not SureDIRECTORY SERVICESPlease select all statements that apply to your organization:User account audits are conducted periodically to ensure that user accounts are sufficiently disabled and/or deleted. Yes No Not SureService accounts are audited periodically and are secured according to a documented standard or procedure. Yes No Not SureInactivity timeouts, account lockouts, system log settings, and strong authentication requirements are all enforced consistently with Group Policy (or other means). Yes No Not SureSERVERS AND STORAGEPlease select all statements that apply to your organization:All server systems are equipped with anti-malware protection, and validation of it's effectiveness is monitored consistently. Yes No Not SureCritical servers are equipped with additional protections such as a local firewall, additional monitoring, file integrity monitoring, and/or host-based intrusion prevention. Yes No Not SureServer systems cannot be used to perform other services such as checking email, Internet browsing, etc. Yes No Not SureCLIENT SYSTEMSPlease select all statements that apply to your organization:All client systems (workstations and laptops) are equipped with malware protection software. Yes No Not SureUsers do not have local administrative privileges on their workstations. Yes No Not SureWorkstations are built and deployed according to defined secure standard or hardened build. Yes No Not SureMOBILE DEVICESPlease select all statements that apply to your organization:The number and assignment of all mobile devices throughout the organization is well-known, defined, and/or documented. Yes No Not SureWhole-disk/media encryption is employed to protect data stored on all mobile devices (laptops, smartphones, tablets et al.). Yes No Not SureOnly explicitly approved wireless network usage is permitted on mobile devices. Yes No Not SureLOGGING, ALERTING, AND MONITORINGPlease select all statements that apply to your organization:Performance data for critical systems is consistently logged and monitored. Yes No Not SureInformation security-related events are consistently logged and monitored on all critical systems. Yes No Not SureA separate, isolated logging system is employed to collect and protect log files. Yes No Not SureVULNERABILITY MANAGEMENTPlease select all statements that apply to your organization:Specific timelines and thresholds for vulnerability management have been set by management and are consistently met in practice. Yes No Not SureAuthenticated vulnerability scanning is conducted on a monthly (or more frequent) basis, and vulnerabilities are classified according to the CVSS score. Yes No Not SureCritical-severity vulnerabilities are known and are consistently remediated/mitigated with 14 days of their discovery. Yes No Not SureBACKUP AND RECOVERYPlease select all statements that apply to your organization:A backup inventory (of what is backed up and how often) is available. Yes No Not SureBackup data is stored in a location that is sufficiently distanced from the primary operational facility. Yes No Not SureBackups are periodically tested and validated. Yes No Not SureTECHNICAL CONTROLS (EXTERNAL)External technical controls are focused on keeping the threats out of the internal technical environment. These controls make up the traditional perimeter, usually delineated with a firewall (or similar).BEST PRACTICESPlease select all statements that apply to your organization:Firewall rules are reviewed on a regularly scheduled basis, according to a documented review process. Yes No Not SureNetwork-based intrusion detection/prevention systems (IDS/IPS) are deployed to protect our public systems from internet-based attacks. Yes No Not SurePenetration testing has been conducted against all of our externally-facing systems within the past 12 months. Yes No Not SureVULNERABILITY MANAGEMENTPlease select all statements that apply to your organization:External vulnerability scans are conducted on a quarterly basis, or more often. Yes No Not SureWithin the past month, it has been confirmed that there are no critical-severity vulnerabilities exposed to the Internet. Yes No Not SureAll web applications are scanned for vulnerabilities each time a change is made. Yes No Not SureCommentsThis field is for validation purposes and should be left unchanged.Δ