Small Business Security Assessment

The purpose of this short security questionnaire is to help you evaluate the security controls in your small business. Securezoo will provide instant results and security guidance you may use to help secure your small business or startup. Answer each question Yes or No.

1) Does your organization have information security policies (including an Acceptable Use policy) that are published, reviewed annually and communicated to your employees? (Yes / No)

2) Do you have a security awareness training program for your employees and contractors? If yes, are your employees required to take information security awareness training upon hire AND again each year? (If the answer to either question is No, select No.) (Yes / No)

3) Do you have and maintain an asset inventory for all of your technology assets (e.g., computers, software, POS terminals, etc.), with documented owners? If yes, do you periodically perform a physical review to verify that the assets match the inventory, so that no unauthorized changes or removals go unnoticed? (If the answer to either question is No, select No; otherwise select Yes.) (Yes / No)

4) Do you periodically review IDs and access to your sensitive systems and data to ensure that the appropriate individuals have access only to the systems and data required to meet business needs? If yes, do you remove access when it is no longer needed (e.g., an employee leaves the firm or changes roles)? (If the answer to either question is No, select No.) (Yes / No)

5) Do you encrypt (e.g., using the AES-256 or TDES algorithms) sensitive personal information or customer data while it is stored on:
   - Laptops?
   - Server/network hard drives?
   - Cloud-based storage?
   (If the answer to any of the 3 questions is No AND you use that storage method, select No; otherwise select Yes.) (Yes / No)

6) Do you encrypt sensitive personal information or customer data when it is moved or transferred outside your company using any of the following methods:
   - E-mail (e.g., built-in e-mail encryption with TLS, or PKZip with AES-256 encryption)?
   - Client browser connectivity to a website that requires authentication (e.g., HTTPS)?
   - File transfers to external servers or cloud-based storage (e.g., HTTPS, SFTP, SSH)?
   (If the answer to any of the 3 questions is No AND you use that transfer method, select No; otherwise select Yes.) (Yes / No)

7) Do you have current anti-virus/anti-malware software running on your workstations and servers? (Yes / No)

8) Do you check and patch your software on a periodic basis, at least monthly or quarterly? Software includes operating systems (e.g., Windows, iOS, UNIX) and business software (e.g., MS Office, Adobe Reader/Acrobat and Java). (Yes / No)

9) If your business has a website hosted on the internet (for customer or employee access), do you scan your website for vulnerabilities when new web content is published and also periodically (e.g., quarterly OR after each major change to the website)? If you don't have a company website, select Yes. (Yes / No)

10) Do you have a business continuity plan that includes the following components?
   - A backup process to ensure data and systems can be recovered, so that availability is maintained?
   - A Disaster Recovery Plan (DRP) for critical applications/systems, so they can be recovered in the event of a disaster?
   - An evaluation of each critical application to understand its business impact and priority for recovery?
   (If the answer to any of the 3 questions is No, select No; otherwise select Yes.) (Yes / No)

11) Do you assess or audit your security controls, including those above, on a periodic basis (e.g., monthly, quarterly or annually)? (Yes / No)

12) Does your organization perform background checks on new employees and contractors prior to hiring them? (Yes / No)

13) Have you configured the wireless router in your business with the following controls?
   - Changed the router's default password to a strong password or long passphrase that is different from the factory setting?
   - Configured a guest wireless network (for visitors) that is separate from the wireless network your employees use to conduct company business?
   - Disabled Universal Plug-and-Play (UPnP)?
   - Kept your router up to date with firmware updates on a regular basis?
   (If the answer to any of the 4 questions is No, select No; otherwise select Yes.) (Yes / No)

14) Do you follow good password use and password management safeguards, including the following?
   - Use strong passwords for login accounts: 8 or more characters with at least 1 uppercase letter, 1 lowercase letter, 1 number and 1 symbol (e.g., #, $, @, %, etc.), OR use a long passphrase of 15 or more characters?
   - Change the default passwords on any vendor-provided device or application (such as servers, software, network devices, printers, etc.)?
   - Change the passwords on user and privileged accounts every 90 days?
   (If the answer to any of the 3 questions is No, select No; otherwise select Yes.) (Yes / No)

15) Does your company make sure users don't log in to their desktops/laptops with administrator accounts to conduct company business (such as sending/receiving e-mail, running company software, or browsing the internet)? In other words, do they use a normal login account with no local administrative privileges? (Yes / No)
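The three safeguards in question 14 (strength or long passphrase, no factory defaults left in place, rotation within 90 days) are concrete enough to turn into an audit script. The Python below is an added example written for this page; it is not Securezoo's code and the questionnaire prescribes no tooling. The account records, the dates and the short list of factory-default passwords are constructed sample data for illustration, and the `Account` class and `audit` function are names chosen here. It checks each account against all three rules and returns the findings per account, so the same logic can sit behind a password-change form (strength check at set time) or a periodic review (default and age checks).

```python
"""Password-policy audit helper (added example, not Securezoo's code).

Implements the three checks from question 14:
  * strength: 8+ chars with upper, lower, digit and symbol, OR a 15+ char passphrase
  * no vendor default passwords left in place
  * user/privileged account passwords rotated within 90 days
The account records and the default-password list are constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

COMPLEX_MIN_LEN = 8        # minimum length for the complexity rule
PASSPHRASE_MIN_LEN = 15    # a passphrase this long passes without complexity checks
MAX_PASSWORD_AGE_DAYS = 90

# Constructed sample of factory-default credentials; a real audit would use the
# vendor-documented defaults for each device and application the business owns.
KNOWN_DEFAULTS = {"admin", "password", "changeme", "1234"}


def strength_problems(password: str) -> list[str]:
    """Return the reasons a password fails the strength rule (empty list = passes)."""
    if len(password) >= PASSPHRASE_MIN_LEN:
        return []  # long-passphrase alternative from the questionnaire
    problems = []
    if len(password) < COMPLEX_MIN_LEN:
        problems.append(f"shorter than {COMPLEX_MIN_LEN} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("no symbol")
    return problems


def is_default_password(password: str) -> bool:
    """True if the password is one of the known factory defaults (case-insensitive)."""
    return password.strip().lower() in KNOWN_DEFAULTS


def is_stale(last_changed: date, today: date) -> bool:
    """True if the password is older than the 90-day rotation limit."""
    return (today - last_changed) > timedelta(days=MAX_PASSWORD_AGE_DAYS)


@dataclass
class Account:
    name: str
    password: str          # only available at set time in practice; never store plaintext
    last_changed: date
    privileged: bool = False


def audit(accounts: list[Account], today: date) -> dict[str, list[str]]:
    """Run all three checks; map each failing account name to its list of issues."""
    findings: dict[str, list[str]] = {}
    for acct in accounts:
        issues = strength_problems(acct.password)
        if is_default_password(acct.password):
            issues.append("vendor default password still in use")
        if is_stale(acct.last_changed, today):
            issues.append(f"password older than {MAX_PASSWORD_AGE_DAYS} days")
        if issues:
            findings[acct.name] = issues
    return findings


# Constructed sample data: one untouched printer default, one good passphrase,
# one complex-but-stale password, one complex and recent password.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    Account("printer-admin", "admin", date(2022, 1, 15), privileged=True),
    Account("alice", "blue kettle rides the moon", date(2024, 5, 20)),
    Account("bob", "Summer2024!", date(2024, 1, 10)),
    Account("carol", "Tr0ub4dor&3", date(2024, 4, 1)),
]

if __name__ == "__main__":
    for name, issues in audit(SAMPLE_ACCOUNTS, SAMPLE_TODAY).items():
        print(f"{name}: " + "; ".join(issues))
```

Running it against the sample data flags `printer-admin` (too short, missing character classes, still the vendor default, and never rotated) and `bob` (strong but last changed more than 90 days ago), while `alice` and `carol` pass. The strength check is the part worth reusing at password-set time; the default and age checks belong in the periodic access review from question 4.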