FISASCORE® Estimator

The estimator asks a series of statements about your organization's administrative, physical, internal technical, and external technical controls. Each statement is answered Yes, No, or Not Sure, and the answers produce an estimated FISASCORE® in one of five bands, described below.

ESTIMATED FISASCORE INTERPRETATIONS

Good
A "Good" estimated FISASCORE® means that you have really spent time, money, and effort building a good information security program. The foundation of your program is laid, and now you're in "maintenance mode," although you still have some major projects and tasks to accomplish. The return on each information security dollar starts to diminish for organizations with a "Good" FISASCORE, so it's very important to spend each information security dollar wisely and to effectively communicate your information security measurement of risk. To accomplish this, schedule the full FISASCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

Excellent
An "Excellent" FISASCORE® is a rarity and something to take pride in. It's obvious that your organization has spent significant amounts of time, money, and effort to build a best-in-class information security program. You have the proper structures in place to maintain what you've painstakingly built, and now you can focus on 1) continuous improvement and 2) finding more tangible returns for your investment. Schedule the full FISASCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan, so you can share this with your customers, executive management, and boards of directors. A compromise of your defenses will always be a possibility, but you will likely detect such an event early on and be in a position to limit damages.

Fair
A "Fair" estimated FISASCORE® means that you have done some really good things with respect to your organization's information security; however, significant gaps and risks still exist. Some of the foundational components of the program are in place, and it's time for the program to mature into a more formal business initiative. This is the point in the program where information security expenditures need to start providing real and tangible results. The question "where should we spend our next information security dollar?" is an important one to support with facts instead of gut instinct. Start by scheduling the full FISASCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan. A compromise is still very much possible, but you are more likely to detect it and respond with some effectiveness. If executive management is involved with information security, which they probably are, continued improvement will only help them make better risk-based decisions.

Poor
A "Poor" estimated FISASCORE® means that you have significant areas of improvement for information security in your organization. Your information security program is not mature enough for sustained improvement, and a significant compromise is possible in the short term. Whether or not your organization would notice the threat, attack, and eventual compromise is not well known. Without significant improvements in your information security program, executive management's decisions regarding security may not be easily defended should an adverse event occur. It's imperative that you schedule the full FISASCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

Very Poor
A "Very Poor" estimated FISASCORE® usually means that you haven't taken the necessary basic steps to protect your organization from a variety of threats. The information security program lacks formality, and a significant compromise is likely in the short term. To make matters worse, depending upon the type of threat, the compromise may go unnoticed for an extended period of time. If a compromise were to become known, executive management may not have the necessary proof to defend the organization against civil actions. It's imperative that you schedule the full FISASCORE assessment with your partner, which will give you a clear picture of where to focus via a detailed Action Plan.

ADMINISTRATIVE CONTROLS
Controls that define the information security strategy and the roles and responsibilities of workforce members. For each statement, answer Yes, No, or Not Sure.

RISK MANAGEMENT
- Risk management processes are formally established, managed, and agreed to by all organizational stakeholders.
- The organization's approach to information security risk management is comprehensive, accounting for administrative (people), physical, and technical threats and vulnerabilities.
- The organization has transferred information security risk by obtaining insurance.

INFORMATION SECURITY GOVERNANCE
- The organization has defined a set of information security policies that are formally approved by executive management.
- Information security policies have been formally reviewed within the last twelve (12) months or less.
- We have identified and enabled a security manager, security officer, CISO, or similar position within the organization.

HUMAN RESOURCES SECURITY
- Management actively endorses and complies with the organization's security policies.
- The organization has developed and implemented a formal information security awareness, education, and training program.
- Background checks are performed on employees, third parties, and other associates in accordance with their roles and responsibilities, job function, and data sensitivity.

ASSET MANAGEMENT
- An asset management (or similar) policy exists and accounts for all information assets (physical, software, and data) from acquisition through disposition/disposal.
- Asset and/or information classification requirements have been defined, including the acceptable controls for protection.
- A complete, up-to-date, and detailed inventory of all cloud services used by the organization is maintained.

ACCESS MANAGEMENT
- Physical and logical access controls are integrated and formally considered in policy.
- Periodic reviews of user accounts, privileged accounts, and service/system accounts are conducted according to a defined procedure.
- The organization has formally defined practices for the use and protection of authentication information (passwords, PINs, tokens, etc.) in policy.

CRYPTOGRAPHY
- Encryption requirements for protecting data at rest are documented and consistently followed.
- Encryption requirements for protecting data in transit are documented and consistently followed.
- Roles and responsibilities for the implementation of the encryption policy and key management are defined by management.

SECURITY OPERATIONS
- Required operational controls for information security are defined in policy and procedure, including (but not limited to) those for mobile device security, remote access/teleworking, systems configuration, change management, anti-malware, backups, event logging, vulnerability management, audit, network security, system acceptance testing, and vendor/third-party risk management.
- All vendors have been formally assessed for the inherent and residual risks they pose to the organization.
- Internal information security audits are conducted on a regular basis.

INCIDENT MANAGEMENT
- The organization follows a formal process to report information security events, such as loss of service, loss of equipment, loss of facilities, system malfunctions, system overloads, human errors, and non-compliance with policies or guidelines.
- Incident response procedures are tested on a periodic basis.
- The criteria and conduct for forensic investigations are defined, and the protection of evidence is formally accounted for.

BUSINESS CONTINUITY MANAGEMENT
- The organization has developed a formal business continuity plan (BCP) or disaster recovery (DR) process.
- Critical business assets and their dependencies have been identified and accounted for in recovery plans.
- Recovery plans are tested on a periodic basis and have been tested within the past twelve (12) months.

COMPLIANCE
- All relevant statutory, regulatory, and contractual requirements have been explicitly defined and documented (e.g. GDPR, state breach notification laws, Massachusetts state law, HIPAA, GLBA, PCI, et al.).
- The frequency, scope, and method(s) for independent security reviews are documented.
- Information security policies and/or procedures that are specific to financial systems have been developed and implemented.

PHYSICAL CONTROLS
Physical controls are the security controls that can often be touched and that provide physical security to protect your information assets.

FACILITY SECURITY
- Formal physical security policies and procedures exist, are up-to-date, and include the specific requirements for physical security and safety planning.
- Facility physical security risk assessments and/or security audits are conducted on a regular basis.
- Public and non-public entrances are clearly marked and/or obvious.
- Non-public entrances are sufficiently secured with effective and auditable controls.
- Public spaces are covered by camera surveillance.
- The date and time of entry and departure of visitors are recorded.
- A listing of all restricted areas within and around the facility has been compiled and is maintained.
- Public, delivery, or loading areas are staffed.
- Incoming materials are inspected for evidence of tampering, and if such tampering is discovered it is immediately reported to security personnel.

EQUIPMENT AND INFORMATION
- All sensitive equipment and systems are located in a secure area (or areas).
- Areas containing sensitive equipment and systems are physically secured (e.g., all walls run deck-to-deck, doors are solid without vents, doors open outward and slam shut, raised floors do not run under the doorway, locks and cardkey access are in place, and camera surveillance is employed).
- Fire suppression systems are adequate, code-compliant, and protected (within a secure location).
- Uninterruptible power supplies (UPS) are used on all sensitive equipment and systems, and sufficient runtime (>10 minutes) is provided.
- All network closets and/or wiring rooms are secured.
- Cabling is tidy, tied down, and labeled.
- Maintenance personnel have been subjected to background checks.
- Housekeeping personnel are actively supervised and monitored during their activities.
- Documented policy and procedures define clear desk and clear screen requirements for securing sensitive and critical business information during and after work hours.

TECHNICAL CONTROLS (INTERNAL)
Internal technical controls are used to protect internal information resources, focusing on all technical controls that aren't associated with the traditional perimeter.

NETWORK CONNECTIVITY
- Connectivity between public networks and the organization's internal networks can only be obtained by passing through a firewall (or other packet filtering and control device).
- Traffic between public networks and internal networks is reviewed for the presence of malware.
- The internal network (LAN) is segmented according to system/information sensitivity and/or criticality using firewall rules or VLANs with Access Control Lists (ACLs).

REMOTE ACCESS
- Multi-factor authentication is used for remote access to our network(s).
- Remote access connection attempts and traffic are consistently monitored.
- Third-party remote access connections are only enabled after an adequate review of the third party's information security protections.

DIRECTORY SERVICES
- User account audits are conducted periodically to ensure that user accounts are sufficiently disabled and/or deleted.
- Service accounts are audited periodically and are secured according to a documented standard or procedure.
- Inactivity timeouts, account lockouts, system log settings, and strong authentication requirements are all enforced consistently with Group Policy (or other means).

SERVERS AND STORAGE
- All server systems are equipped with anti-malware protection, and validation of its effectiveness is monitored consistently.
- Critical servers are equipped with additional protections such as a local firewall, additional monitoring, file integrity monitoring, and/or host-based intrusion prevention.
- Server systems cannot be used to perform other activities such as checking email, Internet browsing, etc.

CLIENT SYSTEMS
- All client systems (workstations and laptops) are equipped with malware protection software.
- Users do not have local administrative privileges on their workstations.
- Workstations are built and deployed according to a defined secure standard or hardened build.

MOBILE DEVICES
- The number and assignment of all mobile devices throughout the organization is well-known, defined, and/or documented.
- Whole-disk/media encryption is employed to protect data stored on all mobile devices (laptops, smartphones, tablets, et al.).
- Only explicitly approved wireless network usage is permitted on mobile devices.

LOGGING, ALERTING, AND MONITORING
- Performance data for critical systems is consistently logged and monitored.
- Information security-related events are consistently logged and monitored on all critical systems.
- A separate, isolated logging system is employed to collect and protect log files.

VULNERABILITY MANAGEMENT
- Specific timelines and thresholds for vulnerability management have been set by management and are consistently met in practice.
- Authenticated vulnerability scanning is conducted on a monthly (or more frequent) basis, and vulnerabilities are classified according to their CVSS score.
- Critical-severity vulnerabilities are known and are consistently remediated/mitigated within 14 days of their discovery.

BACKUP AND RECOVERY
- A backup inventory (of what is backed up and how often) is available.
- Backup data is stored in a location that is sufficiently distanced from the primary operational facility.
- Backups are periodically tested and validated.

TECHNICAL CONTROLS (EXTERNAL)
External technical controls are focused on keeping threats out of the internal technical environment. These controls make up the traditional perimeter, usually delineated with a firewall (or similar).

BEST PRACTICES
- Firewall rules are reviewed on a regularly scheduled basis, according to a documented review process.
- Network-based intrusion detection/prevention systems (IDS/IPS) are deployed to protect our public systems from internet-based attacks.
- Penetration testing has been conducted against all of our externally-facing systems within the past 12 months.

VULNERABILITY MANAGEMENT
- External vulnerability scans are conducted on a quarterly basis, or more often.
- Within the past month, it has been confirmed that there are no critical-severity vulnerabilities exposed to the Internet.
- All web applications are scanned for vulnerabilities each time a change is made.

On submission, the results are delivered to a SecurityStudio partner, who will contact you to discuss your score and the steps needed to initiate the full FISASCORE assessment.