Performing a quick risk assessment

The purpose of the quick risk assessment in this book is to give you a pulse check for your organization. It is not a replacement for the more detailed risk assessment procedures described in this chapter. Use this quick assessment to give yourself and management a down-and-dirty review of what your organization, business partners, or vendors look like from an information security perspective. When presenting the output of this quick assessment, make sure management understands that it is only a pulse check and that a fuller information security risk assessment will follow.

Instructions:

  • Yes: 5 points
  • Unsure: 5 points
  • No: 0 points

Answer the following questions using the preceding numerical scores. The points represent risk, so apply them to the answer that indicates exposure: for questions that ask whether you allow or do something risky (for example, running an unsecured guest wireless network), Yes scores 5 points; for questions that ask whether a control is in place and enforced (for example, anti-malware, awareness training, or tested disaster recovery), No scores 5 points and Yes scores 0. Unsure always scores 5 points, because a control you cannot confirm is in place should be treated as absent. Once completed, add up your answers and compare the total to the scoring ranges that follow the questions to determine your risk rating:

  • Does your organization use an internal unsecured guest wireless network?
  • Does your organization allow the use of personal devices on the organizational network?
  • Does your organization allow high-risk information systems to be connected to the internet?
  • Does your organization have the ability to securely dispose of sensitive hardcopy media and are your employees trained on how to dispose of the media?
  • Does your organization allow regular users (non-IT users) privileged (administrative) access to any network device or computer?
  • Does your organization allow the use of unrestricted Universal Serial Bus (USB) connections?
  • Do employees or customers access internal information systems from remote locations with a VPN?
  • Does your organization have information security policies and are they fully enforced?
  • Does your organization use cloud-based software or storage?
  • Does your organization allow the use of personal devices for business use or on a company network?
  • Does your organization use information systems to store personally identifiable information of customers or employees?
  • Does your organization have third-party suppliers, vendors, or partners that are network interconnected?
  • Does your organization conduct business with foreign countries?
  • Does your organization have an acceptable use policy and do you fully enforce the policy?
  • Does your organization install anti-malware software and is that software properly configured, updated, and monitored?
  • Does your organization have a password expiration policy and is that policy fully enforced?
  • Does your organization conduct information security awareness training for every user that has access to organizational information systems?
  • Does your organization store sensitive information that could compromise its ability to continue business if exfiltrated (intellectual property, government information, financial records, payment card data, and so on)?
  • Does your organization control access into and out of your building using a mechanism that positively identifies everyone?
  • Has your organization implemented and tested disaster recovery capabilities for critical systems?

Quick risk assessment scoring:

  • Critical risk: 55-100
  • High risk: 30-50
  • Moderate risk: 15-25
  • Low risk: 0-10

With 20 questions at 5 points each, the maximum total is 100, and every total is a multiple of 5, so a score never falls in the gaps between the ranges.