    1.0 Do you document all your business vendors?

    2.0 Do you currently have a full set of IT policies and procedures?

    3.0 Do you have a written document describing each of your critical IT assets, the impact of their failure on the business, and how quickly you can recover them?

    4.0 Do you have a written Business Continuity strategy? In the event of a major facilities or hardware loss, how will you continue to conduct business?

    Please provide them

    Have they been tested within the last 2 years?

    If Yes, please provide evidence of test.

    5.0 Do you have a written Backup Policy that details when the backups run, how often the backups are verified, and how long the backups should be retained?

    6.0 Does your company receive, store, or send Protected Health Information (PHI) or Personally Identifiable Information (PII)?

    Do you utilize encryption both for data at rest and for data in transit?

    Please detail what cloud service you use to store PHI/PII

    7.0 Do you require Information Security training for your employees?

    8.0 Do you receive threat intelligence information from sharing sources such as the Information Sharing and Analysis Center (ISAC)?

    9.0 Do you have a listing of all user accounts?

    After user termination, do you disable accounts?
    How long after termination do you disable accounts?

    10.0 Do any of your users have admin access?

    11.0 Are background checks performed?

    12.0 Do you use a Mobile Device Management (MDM) solution to control and revoke access to company data and software on personal devices?

    What MDM solution do you utilize?

    13.0 Do you have a way of distinguishing levels of access for employees based on various factors such as job role, location, and/or device?

    14.0 Do you utilize Multi-Factor Authentication (MFA) for any/all of the following assets?

    Please select if any:


    15.0 Please provide a list of all external domain names used by your company, including any sub-domains, forwarded domains, and affiliated websites.

    16.0 Do you conduct any form of e-commerce or sales through your website or another vendor?

    Are your sites secured with an SSL certificate?

    Have you performed a PCI DSS compliance audit of your site?


    17.0 What type of email solution does your organization utilize?

    18.0 Do you utilize an anti-spam solution for your email system?

    What anti-spam solution do you utilize?

    19.0 Do you utilize any other Advanced Email Security solution in addition to an Anti-Spam system (for example, Microsoft ATP, Mail Assure, Barracuda Email Security Gateway)?

    What solution do you use?

    20.0 Do you have a way to send encrypted emails?

    What solution do you use?

    21.0 Do you utilize a Data Loss Prevention (DLP) solution to prevent users from leaking sensitive data?

    What DLP solution do you use?


    22.0 Do you use a firewall between your internal network and the internet?

    Have you changed the default username and password for your firewall?

    23.0 Do you have a redundant ISP connection?

    24.0 Do you segregate internal network traffic based upon data type (Data, Voice, Management)?

    25.0 Do you utilize Wi-Fi for your business?

    What authentication method do you use for your Wi-Fi (WEP, WPA2, RADIUS)?
    Have you changed the default username/password for your device?
    How do you store/protect the wireless access password?

    26.0 Do you have an intrusion detection product in place today?

    27.0 Do you scan your environment for rogue access points?

    28.0 Are you monitoring your IT environment for anomalous events?

    29.0 Do you perform vulnerability scans of your environment?

    Do you perform internal and external scans?
    How often are the scans performed?

    Please provide the latest vulnerability scan report


    30.0 Do you use any kind of Remote Monitoring & Management tool to manage your workstations?

    Who has access to the RMM tool?

    Does your RMM tool retain any of the following logs?

    31.0 How are Microsoft software updates scheduled and reviewed?

    32.0 How are 3rd party application updates scheduled and reviewed?

    Like Windows updates, 3rd party applications (Adobe Reader, Java, Slack, Notepad++, etc.) also frequently release updates. To keep your systems secure, it is important to update these programs in a timely manner. CNS can help with this by taking over management of your 3rd party application updates and automating them.

    33.0 Do you maintain active support agreements with your application vendors?

    34.0 How long before your computer screen is set to lock when not in use?

    35.0 Do you allow the use of USB ports on your workstations/laptops?

    36.0 Are user credentials shared?

    How are user credentials shared?

    37.0 Do you have an inventory of devices such as printers, scanners, and computers on your network?

    38.0 Do you provide surge protection to your PCs?

    39.0 Do all computers use a trusted anti-virus/anti-malware application?

    How often does this solution update?

    40.0 Do you utilize a form of endpoint encryption for your computers?

    What software do you utilize?

    41.0 If applicable, describe your virtualization status (VMware, Microsoft Hyper-V, Physical, etc.)

    Currently Using

    42.0 Are your servers protected from power outages via a secondary power source such as a UPS?


    43.0 Is your physical office locked when vacant?

    44.0 Do you maintain a Sign-In log when visitors come to your office?

    45.0 How are hard copy documents handled before disposal?