How much revenue does your company generate on average each month? We never store this data and if you decline to answer, we'll just use some example data to show you how it may impact your business.
Do you sell goods or services on your web site where you collect a customer's credit card for payment?
Do you have an internal email server such as Exchange Server?
Do you share files on your internal company network?
If your company has wireless Ethernet (aka Wi-Fi) and you can access the corporate network WITHOUT using a VPN, you should answer "yes".
If you use a VPN when traveling to access internal network resources, answer "yes".
e.g. a patient or customer portal or dashboard?
e.g. Do you offshore your development?
Unless you redirect your customers to your credit card processor or to PayPal, if customers type their credit card number into your web site, even if it is in an iframe, you should answer "yes" here. If you redirect to PayPal or another processor and do not accept credit cards yourself, you can answer "no".
If you accept credit cards but do not store the credit card number, you can answer no. If you buffer the data or batch process it in any way, even if you later destroy it, you should answer "yes" here.
Do you collect first names, last names and email together on your web site and store them?
Do you store, process or transmit any medical data such as patient name, hospital or doctor information, or diagnosis? If so, you should answer "yes".
Do you store, process or transmit any social security number data?
This is the average number of transactions per month involving your sensitive data, e.g. how many records are added, updated, changed or accessed.
This is the largest number of records of sensitive data. So if you have 10,000 credit cards (numbers or tokens to numbers) and 25,000 medical records, you would enter 25,000 here.
Your company has important information that needs to be kept private. From payroll information to personnel files, there are records that not only may be worth a little bit of money, but can also land companies in hot water. Losing important personnel data can lead to lawsuits and damage to a company's reputation.
Outside of your regular IT team, do you have a dedicated role specifically for implementing and testing security within your company?
Do you have an outside auditor come in periodically to perform an assessment of your security, IT governance and policies? Answer "yes" only if they monitor and test all of these, otherwise "no".
Do you have an outside auditor specifically audit your compliance with the Title 2 CFRs related to storing, processing or transmitting electronic protected health information (aka a "HIPAA audit")?
Does your company perform a SOC 2 Type II / SSAE 16 compliance audit administered and signed by an outside accounting firm? And do they audit your IT controls and policies? (Only answer "yes" if you can answer "yes" to both of those questions)
If you are performing self-assessments, the answer is "no" here.
Do you have an outside agency perform penetration testing at least annually and every time you make a major change to your web site software and/or infrastructure?
Do you have a tool or outside vendor perform daily vulnerability scans of your internal and external web sites and networks? If the frequency is less than daily, answer "no".