"Small Business It Risk Assessment Form - Vinton County National Bank"

Small Business IT Risk Assessment
Company name:
Completed by:
Date:
Where Do I Begin?
A risk assessment is an important step in protecting your customers, employees, and your business, as well as complying with the law. This Information Technology Risk Assessment survey helps identify all of the information assets you handle, the controls in place, and areas of high risk or threats. Steps for completing this risk assessment:
Step 1: Complete the questionnaire below. Use additional paper as needed to add notes or new survey questions.
Step 2: Based on your responses, apply a risk rating for each of the applicable categories. Rate your risk on a scale of 1-5, with 1 being the least secure and 5 the most secure.
Step 3: List specific areas of high risk or threats, along with any new control that may be needed.
Step 4: Present your findings to management and the board, and implement new controls as needed.
Step 5: Update your risk assessment at least once a year, comparing your results to previous versions.
I. Company Information
Business primary address:
Phone:
Date company was formed:
Number of employees (FTE):
Type of business (check one): ☐Corporation ☐Partnership ☐Individual ☐Other___________________
Nature of business:
Website URL(s):
Do you conduct business outside the US? ☐Yes ☐No
If yes, identify countries:
II. Management Supervision
Management and board supervision are essential for an effective information security program, and often mandated by
state and federal regulations.
Do you have a written information security plan? ☐Yes ☐No ☐N/A
Are you aware of, and in compliance with, any laws mandating information security? ☐Yes ☐No ☐N/A
Are adequate data protection procedures in place and monitored by management? ☐Yes ☐No ☐N/A
Do you use third-party vendors for managing your network? ☐Yes ☐No ☐N/A
Do third-party vendor contracts provide adequate controls? ☐Yes ☐No ☐N/A
Are third-party contracts monitored at least annually? ☐Yes ☐No ☐N/A
Are sufficient procedures in place for incident reporting? ☐Yes ☐No ☐N/A
Do you have a business continuity plan and/or disaster recovery plan? ☐Yes ☐No ☐N/A
Do you deliver up-to-date security training to management and staff? ☐Yes ☐No ☐N/A
Is the Board actively involved with your information security plans and procedures? ☐Yes ☐No ☐N/A
Page | 1
Rate your Management Supervision risk on a scale of 1-5, with 1 being the least secure and 5 the most secure:
☐1 ☐2 ☐3 ☐4 ☐5 (1 = Least Secure, 5 = Most Secure)
Reason for the rating:
List areas of high risk (threats):
List new controls needed:
III. Personnel Security
Pre-employment screening, such as background checks, should be conducted for individuals who will handle sensitive information.
Do you perform background checks on all employees with access to sensitive information? ☐Yes ☐No ☐N/A
Do background checks include criminal history? ☐Yes ☐No ☐N/A
Are photo IDs required for employment? ☐Yes ☐No ☐N/A
Are photo IDs or visitor badges worn in the workplace? ☐Yes ☐No ☐N/A
Do you delete security access immediately upon employee termination? ☐Yes ☐No ☐N/A
Rate your Personnel Security risk on a scale of 1-5, with 1 being the least secure and 5 the most secure:
☐1 ☐2 ☐3 ☐4 ☐5 (1 = Least Secure, 5 = Most Secure)
Reason for the rating:
List areas of high risk (threats):
List new controls needed:
IV. Physical Security
This section helps identify the physical security controls in place and determine whether any physical weaknesses exist in protecting sensitive information.
Is access to the building(s) securely maintained during business hours and after hours? ☐Yes ☐No ☐N/A
Are sufficient locks maintained on all doors, windows, and entrances? ☐Yes ☐No ☐N/A
Do you have a security alarm system? ☐Yes ☐No ☐N/A
Do you have security cameras on premises? ☐Yes ☐No ☐N/A
Are employees and/or visitors required to wear badges? ☐Yes ☐No ☐N/A
Is the building(s) adequately protected against fire? ☐Yes ☐No ☐N/A
Does the building(s) have a fire alarm system? ☐Yes ☐No ☐N/A
Is the building(s) protected with sprinklers? ☐Yes ☐No ☐N/A
Are sensitive files and documents stored in fireproof files or vaults? ☐Yes ☐No ☐N/A
Is the building(s) adequately protected against water damage? ☐Yes ☐No ☐N/A
Is access to network equipment such as servers and storage media containing sensitive data physically protected? ☐Yes ☐No ☐N/A (Check all that apply)
☐ Areas are restricted to authorized employees only
☐ Software permission controls
List other physical security issues for your business:
Rate your Physical Security risk on a scale of 1-5, with 1 being the least secure and 5 the most secure:
☐1 ☐2 ☐3 ☐4 ☐5 (1 = Least Secure, 5 = Most Secure)
Reason for the rating:
List areas of high risk (threats):
List new controls needed:
V. Identify Your Information Assets
Using the list of common types of information assets below, identify all types of consumer, employee and business
information that your company handles. Mark the level of risk (Low, Medium, or High) for each item, or N/A if it is not
applicable to your business. Use the following risk level descriptions as a guideline:
Level 1: Low Risk
Information you handle for customers, personnel, and your business that is publicly available.
Level 2: Medium Risk
This level generally includes information that is not Personally Identifiable Information (PII), or information that would not harm your customers, employees, or your business, such as phone numbers, office policies, vendor information, etc.
Level 3: High Risk
Highly sensitive information your business handles or has access to, such as customer records, personnel files, credit/debit card numbers or other payment information, financial reports, passwords, PINs, social security numbers, etc. Note: If this type of information is used by your company and is present on websites, computer systems, mobile devices or emails, it must be rated as Level 3: High Risk.
Customer and Employee Information (Level of Risk)
Individual addresses/phone numbers: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Email addresses: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Date of birth: ☐1-Low ☐2-Medium ☐3-High ☐N/A
SSN: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Password/PIN: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Photos/signatures: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Account information: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Purchase/transaction history: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Criminal history: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Employee records: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Medical records: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Financial/banking: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Legal documents: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Credit/debit card information: ☐1-Low ☐2-Medium ☐3-High ☐N/A
ACH/electronic payments: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Paper checks: ☐1-Low ☐2-Medium ☐3-High ☐N/A
List other highly sensitive customer/employee information:
Business Information (Level of Risk)
Public information/brochures: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Press releases: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Social media postings: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Office policies: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Vendor information: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Management/board member credentials: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Management/board reports: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Email correspondence: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Purchase orders: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Accounting/financial: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Marketing/sales: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Legal/contracts: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Medical/insurance records: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Trade secrets/patents: ☐1-Low ☐2-Medium ☐3-High ☐N/A
List other highly confidential information that is the lifeblood of a company:
Public-Facing Website (Level of Risk)
Identify and rate all information you collect and/or share with customers via a Website.
Personal information (names, address, phone, etc.): ☐1-Low ☐2-Medium ☐3-High ☐N/A
Account information: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Purchase/transaction history: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Accept online credit/debit card payments: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Online enrollment or application forms: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Financial information: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Medical records: ☐1-Low ☐2-Medium ☐3-High ☐N/A
Legal documents: ☐1-Low ☐2-Medium ☐3-High ☐N/A
List other sensitive information located on customer-facing Website(s):
VI. Network Security
All of the sensitive information assets listed in the previous section must be protected. This section will help to define your company's network security strengths and vulnerabilities, and assign a risk rating for the level of security provided.
If you use a third party to manage your networks, you may need to verify controls with them.
Basic Network Controls
Do you use firewalls, routers, and other devices to protect your network? ☐Yes ☐No ☐N/A
Are firewalls, routers, and other devices securely configured to control access? ☐Yes ☐No ☐N/A
Have the following configuration steps been completed?
Changed the default admin passwords ☐Yes ☐No ☐N/A
Removed unneeded services ☐Yes ☐No ☐N/A
Do you use updated anti-virus and anti-spyware software: