Welcome to our fully functional beta site. We welcome all comments
Security Quiz
How is Your Organization's Risk Posture?

Your Verify Risk Maturity Score is ...

Display Form
Remember, your business information is not an asset unless it's secure. Until then, it can be a serious liability. To find out how secure your organization is today, visit SecurityAssessments.ca or simply fill out the form below. To qualify as an exclusive FlexProtect Risk Advisor client and cardmember benefits, your firm must maintain a minimum risk maturity score of 2.
 
Each level is characterized by your organization's risk posture, preparedness and performance in key process areas (KPA) including your Goals, Commitment, Ability, Measurement and Verification. The 5 levels are:
 
1. Incomplete (initial, ad-hoc implementation)
2. Repeatable (process-based, accountable)
3. Consistent (well-documented, disciplined)
4. Managed (rigorous, scalable)
5. Optimal (verifiably mature)
 
Note that most firms, groups or departments may wish to focus on a particular level as a goal and progress through the distinct steps to achieve desired maturity over time, by leveraging project-based initiatives or operational risk expertise.
 
 
CAPTCHA
Send now

How Effective are Your Company's Security & Privacy Initiatives?


This is a quick and confidential security self-assessment covering 20 key areas of information security and risk management. These are not optional; they should be a part of your business. This free assessment is designed to run within your browser, so we do not have access to your answers. We will only see your answers if you choose to share the results with us.
 
FlexSecure Verify is our renowned risk assessment methodology and the industry's best choice for security and privacy auditing, penetration testing and analysis. This quiz is a free self-assessment that serves as an introduction to our respected flagship service.

Most companies know the high level aspects of these and implement them in a very superficial and ineffective way, leading directly to a false sense of security. Don't let that happen to you. Be honest: all answers are relative to how you believe you're doing. The real-time score in the right margin of this page will help you get an idea of how you're doing. It will paint an increasingly accurate picture as you complete the assessment. Enjoy!


1. Secure Backup

Are all your backup procedures verifiably secure?
Is all confidential data encrypted without exception?
Are all backups regularly tested (not just during disasters)?
Has your off-site security provider signed off on your policies?
Is your offsite backup process professionally audited?


2. Incident management

Are visitor management policies adequately enforced?
Are there incident detection, reporting & management policies?
Could incidents be taking place without your knowledge?
Are all staff aware of the procedures to follow in all cases?
Are your incident management procedures tested annually?


3. Disaster Recovery & Business Continuity

Do you know your exact critical system downtime/recovery time?
Are 3rd parties/partners aware of your key BCP/DR policies?
Has a proper BIA been conducted within the past year?
Have Hazards, Threats, Risks and Assets been documented?
Are employees aware and empowered in urgent DR situations?


4. Physical Security & Access Control

Has your physical access control been 'penetration tested'?
Are anti-theft measures in effect for all key systems/laptops?
Are all data centres, offices and vaults properly assessed?
Is there an accurate count of all active keys & access cards?
Is management aware of the key environmental controls?


5. Security Awareness

Is every staff member accountable and aware?
Are monthly training & awareness sessions being conducted?
Do you share security knowledge within the company?
Does your training program evolve to cover emerging issues?
Is there an appointed 'chief security officer' (CSO)?


6. Network Security

Is your Intrusion Detection System effectively used 24/7?
Are all access points, wifi and remote actively monitored?
Is your network equipment securely implemented & updated?
Have your hosting provider & ISP provided security audit logs?
Is your network security audited internally and externally?


7. Policy Enforcement

Are your policies designed by experts, templated, or ad-hoc?
Do you track policy compliance within the organization?
Do all employees know how to access to all relevant policies?
Is the CSO accountable and responsible for all security?
Is your data classification policy clearly understood by all?


8. Agreements & SLA

Are your 3rd party agreements as tight as your internal policies?
Are all service providers properly audited on an annual basis?
Do your agreements include performance clauses & tracked KPI?
Do you have a recurring review process for all service contracts?
Are all employee agreements signed and regularly baselined?


9. Teleworking and Mobile Security

Do you enforce security policies for teleworkers & mobile users?
Can you say that your employees have not recently lost a computing device?
Have you addressed the threats to mobile and off-site data?
Is remote VPN access only allowed from secure computers?
Is your off-site sensitive data always encrypted?


10. Risk Assessments

Are your prepared for a security or privacy audit?
Are standards-compliant audit reports important to you?
Do you commission regular independent security assessments?
Are the issues of risk assessments remedied without delay?
Do you automate many aspects of recurring assessments?


11. Operations and Secure Infrastructure

Does your technology acquisition plan emphasize security?
Do you test the technology you depend on for security flaws?
Do you independently test the security of custom solutions?
Are all controls and associated risks documented/reviewed?
Does your security committee include the right people mix?


12. Privacy Compliance

Is the firm's privacy compliance independently assessed?
Do you have documented privacy controls in place?
Are all staff aware of all applicable privacy legislation?
Does your web site's privacy policy cover all key elements?
Do you conduct regular privacy impact assessments?


13. Security Marketing

Do you know how to leverage & market security investments?
Do you know how to communicate key risk differentiators?
Do you believe security & privacy investments have a tangible ROI?
Do your communications & media relations include security?
Does your steering committee understand and leverage risk?


14. Information Risk Management

Does your security strategy follow industry standards?
Has an information risk management plan been implemented?
Can accountability be precisely assigned to individuals?
Does management sign off and support all security activities?
Are there preventive, detective and corrective controls in place?


15. Application and Web Security

Have you quantified the threats to your Web presence?
Are you protected against this week's security threats?
Do you independently test the security of sites & applications?
Are your employees aware of application security risks?
Do you request to see audit reports from 3rd party providers?


16. Data Confidentiality

Do you have a confidentiality policy that covers all key data?
Do you use different types of encryption for different purposes?
Are all employees comfortable using encryption software?
Are all your confidentiality clauses legally enforceable?
Is all your confidential data encrypted right now?


17. Data Integrity

Do you have measures in place to guarantee data integrity?
Does your security monitoring include changes to key data?
Is there an integrity verification performed by management?
Do access control measures prevent unauthorized chages?
Do your data integrity controls extend to backups?


18. Systems Security

Have all your servers been professionally hardened?
Is all your IDS activity monitored on a frequent basis?
Are patches and critical updates a top priority?
Are your data centre & server room secure at all times?
Do you have a current independent audit report for all these?


19. Workstation Security

Do group policies enforce policies for all workstations?
Are users educated about safe Web surfing & data transfers?
Is anti-malware covering trojans and keyloggers installed?
Do mobile workstations include anti-theft & privacy devices?
Do all offices follow a clean desk, clear screen policy?


20. Administrative Security

Is all admin staff educated about social engineering threats?
Are domain names and ID theft protection key issues?
Information disclosure policies are enforced by admin staff?
Are admin staff and management aware of best practices?
Are office equipment security risks documented/shared?

Informatica  ©1989-2012 All rights reserved. Reprint rights available by written request only.
Informatica reserves all rights to its proprietary content. FlexProtect, FlexSecure and WorkLife are tradenames and service marks of Informatica Corporation.
All Informatica activities and initiatives are subject to our Privacy Policy and bound by our Code of Professional Ethics.