FISASCORE Estimator

This is an estimated FISASCORE. For each control area below, select all statements that apply to your organization.

Administrative Controls
Controls that define the Information Security strategy, roles and responsibilities of workforce members.

Information Security Governance
- We have a set of Information Security policies that are documented and formally approved by executive management.
- Our Information Security policies have been formally reviewed within the last twelve (12) months or less.
- We have identified a security manager, security officer, CISO or similar position within the organization.

Human Resources Security
- Our employees, contractors, and third-party resources regularly receive security awareness training.
- Users with administrative privileges receive specialized instruction or training.
- We have a consistent process for adjusting or removing information security permissions during and after employee termination or change of employment.

Asset Management
- We maintain a hardware and software inventory for our organization.
- We have defined and implemented a method of encrypting data stored on removable media.
- Storage devices we use are securely stored and disposed of if they contain sensitive information.

Access Management
- We have an access control policy that requires formal authorization for all access requests.
- We regularly conduct reviews of user accounts and access rights according to a defined process.
- The use of shared accounts is prohibited.
- We provide training on how to select and secure passwords to employees, contractors, and anyone with access to our systems.

Cryptography
- Our users are formally trained on the use and importance of data encryption to protect the confidentiality and integrity of information.

Administrative Controls (Part 2)

Security Operations
- We require access controls for mobile devices that access our organization's information (email, files, databases, etc.).
- Remote access activities of our users are audited periodically or are monitored on a continual basis.
- Changes to our IT systems that affect security are formally controlled.
- Anti-virus, anti-spam, anti-adware, anti-spyware and similar tools are used in our organization and are kept up to date.
- We have developed and implemented backups for our information that meet the needs of our business operations.
- Event and security logs are consistently reviewed.
- A patch management process has been implemented and includes a testing process for new patches.
- We have procedures to follow in the event of an information security incident.

Business Continuity Management
- We have developed a formal business continuity plan (BCP) or disaster recovery (DR) process.
- Our disaster plan is communicated to all involved team members and executive management.

Compliance
- Reviews of our information security policies, processes, procedures, and practices are performed by an independent reviewer on at least an annual basis.

Physical Controls
Physical controls are the security controls that can often be touched and provide physical security to protect your information assets.

Secure Areas
- Disaster recovery sites, redundant equipment, and backup media are stored at a safe distance from our primary data center facility to avoid damage from a disaster affecting the main site.
- We require our employees to authorize, issue identification badges to, log, escort, and supervise guests and vendors in secure areas.

Equipment and Data Protection
- All of our sensitive equipment or systems are protected from access by unauthorized people.
- Our computers are configured (using session timeouts, screensaver settings, etc.) to protect against unauthorized access or misuse.

Technical Controls (Internal)

Network Connectivity
- We have a formal process to manage our firewalls and network security devices.
- All configurations are reviewed periodically to be sure they are consistent with the intended configuration.
- Traffic between public networks and our internal networks is reviewed for the presence of malware.
- Web content filtering is employed and is monitored to confirm effectiveness.

Remote Access
- Multi-factor authentication is used for remote access to our network(s).
- We consistently monitor remote access connection attempts and traffic.
- Third-party remote access connections are only enabled after an adequate review of the third party's information security protections.

Servers and Storage
- Critical servers are equipped with additional protections such as a local firewall, additional monitoring, file integrity monitoring, and/or host-based intrusion prevention.

Client Systems
- Workstations are built and deployed according to a defined secure standard or hardened build.
- Users do not have local administrative privileges on their workstations.

Technical Controls (Internal, Part 2)

Mobile Devices
- Laptops are equipped with software firewalls that are enabled when connected to untrusted networks.
- Whole-disk encryption is employed to protect all data stored on laptop hard drives.

Logging, Alerting, and Monitoring
- We have automated logging and alerting for all critical security events for our applications and systems.
- Our technical team is alerted automatically when there is an issue.
- The logs and events from our automated system are protected from manipulation by our technical teams and are isolated to ensure that only authorized individuals can review and modify any data.

Vulnerability Management
- We have a formal process to ensure that patches, updates and vulnerabilities are resolved within 30 days in our applications and systems.
- We use automated tools to search for vulnerable systems.
- From this data we provide measurements and reporting on the success of our vulnerability management tasks.

Technical Controls (External)

Best Practices for Public-Facing Applications and Systems
- We restrict or block network access between the systems that support our public-facing applications and our internal systems.
- Network-based intrusion detection/prevention systems (IDS/IPS) are deployed to protect our public systems from internet-based attacks.
- Penetration testing has been conducted against all of our externally facing systems within the past 12 months.

Your results have been delivered to a SecurityStudio partner, and someone will contact you to discuss your score and the steps you need to take to initiate the full FISASCORE assessment.