A "Good" estimated S2SCORE® means that you have really spent time, money, and effort building a good information security program. The foundation of your program is laid, and now you're in "maintenance mode," although you still have some major projects and tasks to accomplish. The return on each information security dollar starts to diminish for organizations with a "Good" S2SCORE, so it's very important to spend each information security dollar wisely and to effectively communicate your information security measurement of risk. To accomplish this, schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

An "Excellent" S2SCORE® is a rarity and something to take pride in. It's obvious that your organization has spent significant amounts of time, money, and effort to build a best-in-class information security program. You have the proper structures in place to maintain what you've painstakingly built, and now you can focus on 1) continuous improvement and 2) finding more tangible returns for your investment. Schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan, so you can share this with your customers, executive management, and boards of directors. A compromise of your defenses will always be a possibility, but you will likely detect such an event early on and be in a position to limit damages.

A "Fair" estimated S2SCORE® means that you have done some really good things with respect to your organization's information security; however, significant gaps/risks still exist. Some of the foundational components of the program are in place, and it's time for the program to mature into a more formal business initiative. This is the point in the program where information security expenditures need to start providing real and tangible results. The question "where should we spend our next information security dollar?" is an important one to support with facts instead of gut instinct. Start by scheduling the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan. A compromise is still very much possible, but you are more likely to detect it and respond with some effectiveness. If executive management is involved with information security, which they probably are, continued improvement will only help them make better risk-based decisions.

A "Poor" estimated S2SCORE® means that you have significant areas of improvement for information security in your organization. Your information security program is not mature enough for sustained improvement, and a significant compromise is possible in the short term. Whether or not your organization would notice the threat, attack, and eventual compromise is not well known. Without significant improvements in your information security program, executive management's decisions regarding security may not be easily defended should an adverse event occur. It's imperative that you schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

A "Very Poor" estimated S2SCORE® usually means that you haven't taken the necessary basic steps to protect your organization from a variety of threats. The information security program lacks formality, and a significant compromise is likely in the short term. To make matters worse, depending upon the type of threat, the compromise may go unnoticed for an extended period of time. If a compromise were to become known, executive management may not have the necessary proof to defend the organization against civil actions.
It's imperative that you schedule the full S2SCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

ADMINISTRATIVE CONTROLS
Controls that define the information security strategy and the roles and responsibilities of workforce members. For each statement below, select Yes, No, or Not Sure to indicate whether it applies to your organization.

RISK MANAGEMENT
- Risk management processes are formally established, managed, and agreed to by all organizational stakeholders.
- The organization's approach to information security risk management is comprehensive, accounting for administrative (people), physical, and technical threats and vulnerabilities.
- The organization has transferred information security risk by obtaining insurance.

INFORMATION SECURITY GOVERNANCE
- The organization has defined a set of information security policies that are formally approved by executive management.
- Information security policies have been formally reviewed within the last twelve (12) months or less.
- We have identified and enabled a security manager, security officer, CISO, or similar position within the organization.

HUMAN RESOURCES SECURITY
- Management actively endorses and complies with the organization's security policies.
- The organization has developed and implemented a formal information security awareness, education, and training program.
- Background checks are performed on employees, third parties, and other associates in accordance with their roles and responsibilities, job function, and data sensitivity.

ASSET MANAGEMENT
- An asset management (or similar) policy exists and accounts for all information assets (physical, software, and data) from acquisition through disposition/disposal.
- Asset and/or information classification requirements have been defined, including the acceptable controls for protection.
- A complete, up-to-date, and detailed inventory of all cloud services used by the organization is maintained.

ACCESS MANAGEMENT
- Physical and logical access controls are integrated and formally considered in policy.
- Periodic reviews of user accounts, privileged accounts, and service/system accounts are conducted according to a defined procedure.
- The organization has formally defined practices for the use and protection of authentication information (passwords, PINs, tokens, etc.) in policy.

CRYPTOGRAPHY
- Encryption requirements for protecting data at rest are documented and consistently followed.
- Encryption requirements for protecting data in transit are documented and consistently followed.
- Roles and responsibilities for the implementation of the encryption policy and key management are defined by management.

SECURITY OPERATIONS
- Required operational controls for information security are defined in policy and procedure, including (but not limited to) those for mobile device security, remote access/teleworking, systems configuration, change management, anti-malware, backups, event logging, vulnerability management, audit, network security, system acceptance testing, and vendor/third-party risk management.
- All vendors have been formally assessed for the inherent and residual risks they pose to the organization.
- Internal information security audits are conducted on a regular basis.

INCIDENT MANAGEMENT
- The organization follows a formal process to report information security events, such as loss of service, loss of equipment, loss of facilities, system malfunctions, system overloads, human errors, and non-compliance with policies or guidelines.
- Incident response procedures are tested on a periodic basis.
- The criteria and conduct for forensic investigations are defined, and the protection of evidence is formally accounted for.

BUSINESS CONTINUITY MANAGEMENT
- The organization has developed a formal business continuity plan (BCP) or disaster recovery (DR) process.
- Critical business assets and their dependencies have been identified and accounted for in recovery plans.
- Recovery plans are tested on a periodic basis and have been tested within the past twelve (12) months.

COMPLIANCE
- All relevant statutory, regulatory, and contractual requirements have been explicitly defined and documented (e.g., GDPR, state breach notification laws, Massachusetts state law, HIPAA, GLBA, PCI, et al.).
- The frequency, scope, and method(s) for independent security reviews are documented.
- Information security policies and/or procedures that are specific to financial systems have been developed and implemented.

PHYSICAL CONTROLS
Physical controls are the security controls that can often be touched and that provide physical security to protect your information assets.

FACILITY SECURITY
- Formal physical security policies and procedures exist, are up to date, and include the specific requirements for physical security and safety planning.
- Facility physical security risk assessments and/or security audits are conducted on a regular basis.
- Public and non-public entrances are clearly marked and/or obvious.
- Non-public entrances are sufficiently secured with effective and auditable controls.
- Public spaces are covered by camera surveillance.
- The date and time of entry and departure of visitors are recorded.
- A listing of all restricted areas within and around the facility has been compiled and is maintained.
- Public, delivery, or loading areas are staffed.
- Incoming materials are inspected for evidence of tampering, and if such tampering is discovered it is immediately reported to security personnel.

EQUIPMENT AND INFORMATION
- All sensitive equipment and systems are located in a secure area(s).
- Areas containing sensitive equipment and systems are physically secured (e.g., all walls run deck-to-deck, doors are solid without vents, doors open outward and slam shut, raised floors do not run under the doorway, locks and cardkey access are in place, and camera surveillance is employed).
- Fire suppression systems are adequate, code-compliant, and protected (within a secure location).
- Uninterruptible power supplies (UPS) are used on all sensitive equipment and systems, and sufficient runtime (>10 minutes) is provided.
- All network closets and/or wiring rooms are secured.
- Cabling is tidy, tied down, and labeled.
- Maintenance personnel have been subjected to background checks.
- Housekeeping personnel are actively supervised and monitored during their activities.
- Documented policy and procedures define clear desk and clear screen requirements for securing sensitive and critical business information during and after work hours.

TECHNICAL CONTROLS (INTERNAL)
Internal technical controls are used to protect internal information resources, focusing on all technical controls that aren't associated with the traditional perimeter.

NETWORK CONNECTIVITY
- Connectivity between public networks and the organization's internal networks can only be obtained by passing through a firewall (or other packet filtering and control device).
- Traffic between public networks and internal networks is reviewed for the presence of malware.
- The internal network (LAN) is segmented according to system/information sensitivity and/or criticality using firewall rules or VLANs with Access Control Lists (ACLs).

REMOTE ACCESS
- Multi-factor authentication is used for remote access to our network(s).
- Remote access connection attempts and traffic are consistently monitored.
- Third-party remote access connections are only enabled after an adequate review of the third party's information security protections.

DIRECTORY SERVICES
- User account audits are conducted periodically to ensure that user accounts are sufficiently disabled and/or deleted.
- Service accounts are audited periodically and are secured according to a documented standard or procedure.
- Inactivity timeouts, account lockouts, system log settings, and strong authentication requirements are all enforced consistently with Group Policy (or other means).

SERVERS AND STORAGE
- All server systems are equipped with anti-malware protection, and validation of its effectiveness is monitored consistently.
- Critical servers are equipped with additional protections such as a local firewall, additional monitoring, file integrity monitoring, and/or host-based intrusion prevention.
- Server systems cannot be used to perform other services such as checking email, Internet browsing, etc.

CLIENT SYSTEMS
- All client systems (workstations and laptops) are equipped with malware protection software.
- Users do not have local administrative privileges on their workstations.
- Workstations are built and deployed according to a defined secure standard or hardened build.

MOBILE DEVICES
- The number and assignment of all mobile devices throughout the organization is well known, defined, and/or documented.
- Whole-disk/media encryption is employed to protect data stored on all mobile devices (laptops, smartphones, tablets, et al.).
- Only explicitly approved wireless network usage is permitted on mobile devices.

LOGGING, ALERTING, AND MONITORING
- Performance data for critical systems is consistently logged and monitored.
- Information security-related events are consistently logged and monitored on all critical systems.
- A separate, isolated logging system is employed to collect and protect log files.

VULNERABILITY MANAGEMENT
- Specific timelines and thresholds for vulnerability management have been set by management and are consistently met in practice.
- Authenticated vulnerability scanning is conducted on a monthly (or more frequent) basis, and vulnerabilities are classified according to their CVSS score.
- Critical-severity vulnerabilities are known and are consistently remediated/mitigated within 14 days of their discovery.

BACKUP AND RECOVERY
- A backup inventory (of what is backed up and how often) is available.
- Backup data is stored in a location that is sufficiently distanced from the primary operational facility.
- Backups are periodically tested and validated.

TECHNICAL CONTROLS (EXTERNAL)
External technical controls are focused on keeping threats out of the internal technical environment. These controls make up the traditional perimeter, usually delineated with a firewall (or similar).

BEST PRACTICES
- Firewall rules are reviewed on a regularly scheduled basis, according to a documented review process.
- Network-based intrusion detection/prevention systems (IDS/IPS) are deployed to protect our public systems from Internet-based attacks.
- Penetration testing has been conducted against all of our externally facing systems within the past 12 months.

VULNERABILITY MANAGEMENT
- External vulnerability scans are conducted on a quarterly basis, or more often.
- Within the past month, it has been confirmed that there are no critical-severity vulnerabilities exposed to the Internet.
- All web applications are scanned for vulnerabilities each time a change is made.