Welcome to your
Cyber Security Self-Assessment

Our organization has clearly defined roles and responsibilities for managing our IT infrastructure.

We have a sufficient number of skilled staff for the management of our current IT network.

Our organization takes cybersecurity threats and prevention very seriously.

Our organization has dedicated staff to monitor and resolve network security issues, in addition to regular IT staff.

Our organization has a formalized commitment to provide ongoing technical training to our dedicated network security staff.

Cybersecurity training is provided to new and existing IT employees.

Cybersecurity awareness training is provided to all employees, including those outside the IT department.

We have identified critical areas within our organization and the cyber security risks that may compromise them.

Our organization has taken steps to reduce cybersecurity risks to our critical areas of business.

Our organization has documented processes and schedules to conduct regular cyber risk assessments that consider risks to and from processes, data, technology and people (i.e. employees, customers and other external parties) across all our business lines and departments.

Our organization is quick to take action to mitigate newly discovered cyber risks from assessments.

Our organization conducts regular vulnerability hardware and software scans and testing for client, server, and network infrastructure to identify security control gaps.

Our organization is prepared in the event of cyber attacks that require some or all systems to be fully restored from backup. (Malware, ransomware, worms).

Our organization keeps critical and confidential information secure and encrypted from regular user access.

Our organization maintains a current enterprise-wide documentation of all users, devices, applications, and network maps.

Our organization records a history of security event information regarding but not limited to, security breaches, suspicious files, unauthorized user access, password change logs, new accounts, removal of accounts, etc.

Regarding Data Loss Detection / Prevention:

Our organization has implemented tools to prevent unauthorized data leaving the enterprise; monitor outgoing high-risk traffic to detect unauthorized data access and transportation.

Regarding Cyber Incident Detection & Mitigation:

Our organization has implemented the following security tools with automated updates, and enterprise-wide application:

Regarding Software Security:

Our organization has processes to obtain, test and automatically deploy security patches and updates in a timely manner across all devices on our network.

Regarding Network Infrastructure:

Our organization has implemented network boundary monitoring and protection.

Our organization has implemented layered network security solutions.

Our organization has implemented processes and tools to secure mobile devices on our wireless networks.

Regarding Standard Security Configuration and Management:

Our organization documents, implements and enforces security configuration standards to all hardware and software assets on the network.

Our organization restricts the use of unauthorized/unregistered software and hardware through policy and automated tools, including mobile devices.

Regarding Network Access Control & Management

Our organization has the tools and software to automatically detect and block unauthorized network access (e.g. including wired, wireless and remote access).

Our organization tightly controls and manages the use of administrative privileges.

Our organization has documented procedures for monitoring, analyzing and responding to cyber security incidents.

Our organization has an internal communication plan to address cybersecurity incidents that includes communication with key internal stakeholders (e.g. relevant business units / call centres, senior management, risk management, Board of Directors, etc.).

Our organization has an established post incident review process.