Security Assessment

Tell us about yourself

I currently have the following for my security program:

Check all that apply

Complete set of policies and procedures
Dedicated resource(s) assigned for security/compliance/privacy
Conducted a risk assessment
Regular security awareness training

I have implemented these cloud or on-prem infrastructure security controls:

Check all that apply

Environment Configuration Auditing
Audit trail / activity monitoring
Secure user access via IAM policies, password policies and multi-factor authentication (MFA)
Network security and remote access (e.g. VPC, security group, VPN)
Inventory of all authorized and unauthorized systems and resources

I have implemented these container security controls:

Skip if you do not currently use Docker

Container image vulnerability scan
Secure container orchestration (e.g. Amazon ECS, Kubernetes)
Container activity monitoring

I do the following to protect sensitive data:

Check all that apply

I have defined classifications of data
I maintain an inventory of my data assets and have properly tagged them
Encrypt data at rest (e.g. database, S3, server volumes)
Encrypt data in transit (TLS v1.3)
Use strong key management
Limit internal user access to production data
Data backups

I do the following to build secure products/software:

Check all that apply

Security architecture and design considerations
Developer training
Scan for vulnerabilities in our open source dependencies
Secure coding and peer reviews
Dynamic application security testing
Penetration testing
Secure deployment to production
Application audit trail and monitoring
Web application firewall and/or DDoS protection

I protect my servers and workstations with:

Check all that apply

Anti-malware
Host intrusion detection/prevention
Host firewall
Strong access control / password policy for users and services
Vulnerability scanning and timely patching

Bonus!

Check all that apply

We use a centralized Identity and Access provider for Single Sign On (SSO) and multi-factor authentication (MFA)
We use an automated vulnerability management system
We have an incident response team and a process
We have a formal vendor risk management program
We have a security operations team and use automated tools to correlate events and monitor alerts
We have defined KPIs and metrics for our security program that we review and report on monthly or quarterly

WHAT IS NEXT

Thank you for completing your security readiness scorecard.

Get enterprise-grade security without the cost and complexity.

