
Below is our Risk Level Evaluation. It's a 31-question, high-level privacy and security assessment questionnaire and will take approximately 15 minutes to complete. At the end we will ask for a company name to incorporate into the report and an email address so we can send you a detailed report immediately. The report is a graphical analysis that identifies your organization's general high-, medium- and low-risk areas. For each question answered, the report gives a risk level, a detailed explanation and full recommendations based on your answer. Enjoy!

General Questions
  • 1. To which of the following items of personal information do you have access (collect, store, transmit, view, etc.)? Please check all that apply.
    Names
    All geographic subdivisions/addresses smaller than a state
    All elements of dates (except year)
    Telephone numbers
    Fax numbers
    Electronic mail addresses
    Social Security numbers / National Insurance numbers / equivalent based upon country
    Credit card numbers
    Medical record numbers
    Health plan beneficiary numbers
    Account numbers
    Certificate/license numbers
    Vehicle identifiers and serial numbers, including license plate numbers
    Device identifiers and serial numbers
    Web Universal Resource Locators (URLs)
    Internet Protocol (IP) address numbers
    Biometric identifiers, including finger and voice prints
    Full face photographic images and any comparable images
    Genetic data
    Please list any previously unmentioned personal information items to which you have access (separate by commas). If there are no more, please leave blank.
    2. Select one of the following which most closely describes your company's access to personal information:
    You store the personal information on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with personal information. The personal information *is* encrypted.
    You store the personal information on your own systems (e.g. servers, laptops, USB drives, etc.) and you also do business processing with the personal information. The personal information is *NOT* encrypted.
    You store the personal information in a type of outsourced data warehouse, but you do not access the data to do any business processing, and the data *is* encrypted. Personal information in your possession is never stored on endpoints (e.g. laptops, USB drives, etc.).
    You store the personal information for your client in a type of outsourced data warehouse, but you do not access the data to do any business processing, and the data is *NOT* encrypted.
    You access personal information on your client's system through some type of secured remote access connection (e.g. VPN or dedicated line), but you never store the personal information on any of your own systems or storage devices.
    You must go to your client's facilities to access the personal information, but you cannot remove any personal information or access it from a remote location.
    3. Name the formally designated person or position that serves as your organization's privacy and security officer, or otherwise has assigned responsibility for privacy and security. If none, leave blank.
    4. When was the last time you updated your documented privacy and information security policies and procedures?
    Less than 12 months ago
    1 - 2 years ago
    3 - 5 years ago
    More than 5 years ago
    We do not have any documented policies or procedures.
    5. Describe how the privacy and information security policies and procedures are communicated to all personnel, and made available for them to review at any time. Check all that apply.
    A. Via email
    B. Put on company intranet
    C. Put on Internet site
    D. Distribute printed copies
    E. Make available in management policy binders
    F. Give access via SIMBUS360! portal
    G. Some other method
    H. Policies and procedures are not communicated or provided
    6. Do you provide both regular training and ongoing awareness communications for information security and privacy for all your workers?
    Yes
    No, we've not provided training or awareness communications.
    We have done some training, but not regularly, and we do not provide awareness communications.
    We do some awareness communications, but not formal training.
    7. When was the most recent information security and privacy training provided?
    Less than 6 months ago
    6 - 12 months ago
    1 - 2 years ago
    More than 2 years ago
    We've never done any formal training or provided formal training modules.
    8. When was the most recent information security risk assessment performed? NOTE: This high level security assessment you are currently taking is NOT a full, comprehensive security risk assessment, so do not count this as your most recent security risk assessment.
    Less than 12 months ago
    1 - 2 years ago
    3 - 5 years ago
    More than 5 years ago
    We've never done a risk assessment
    9. When was the last time you performed a vulnerability scan or penetration test on your networks and systems? NOTE: Vulnerability scans are typically automated, and neither a scan nor a penetration test is the same as a full security risk assessment.
    Less than 12 months ago
    1 - 2 years ago
    3 - 5 years ago
    More than 5 years ago
    We've never performed a vulnerability scan or penetration test on our networks and systems.
    10. Do you require all types of sensitive information, including personal information and health information, to be encrypted when it is sent through public networks and when it is stored on mobile computers and mobile storage devices?
    Yes
    No
    In some storage locations or on public networks, but not both, or in some cases but not others.
    11. Do you require information, in all forms, to be disposed of using secure methods?
    Yes
    No
    For some forms, but not all
    12. Do you have a documented security event monitoring, security incident plan, and breach response and notification plan, and teams or staff to support the plan?
    Yes
    No
    We have half of these, but have more work to do.
    We've thought about having such plans, and know who to call, but nothing is formally documented.
    13. External Parties: Do you outsource any activities involving personal information or any other type of confidential information?
    Yes
    No
    Not Sure
    14. If yes to above, does your organization have security agreements in place with each of these third parties? NOTE: These are often included as addendums to, or within security and privacy clauses within, your service contracts with them.
    Yes
    No
    Not sure; we may have some in place but probably not all
    15. Do you follow a process to identify new data protection legal requirements (e.g., new state breach notification requirements, updates to data protection regulations, etc.)?
    Yes
    No
    We try to do what we're supposed to, but it is not a formal comprehensively documented procedure
    We have an outside lawyer that we depend upon to tell us our legal requirements. We do not know if they have a formally documented procedure to do so, though, and hope that they would let us know when some new data protection requirement comes up.
    16. Check all the following standards and regulations for which you can verify compliance:
    A. HIPAA/HITECH
    B. ISO/IEC 27001
    C. PCI-DSS
    D. COPPA
    E. Applicable U.S. state breach notice laws
    F. EU Data Protection Directive
    G. Canada's PIPEDA and Privacy Act
    H. Australia's Privacy Laws
    I. APEC Privacy Guidelines
    J. Other
    K. None
    17. Does your organization perform background checks to examine and assess a potential, or current, employee's and contractor's work and criminal history?
    Yes
    No
    We are a small organization of 1-5 persons and are not planning to hire anyone in the future, so this action is not applicable to our business.
    18. Are your employees required to sign a non-disclosure agreement upon hire, and then again annually?
    Yes
    No
    We are a small organization of 1-5 persons and are not planning to hire anyone in the future, so this action is not applicable to our business.
    19. Do you have a formal process to manage the termination and or transfer of employees?
    Yes
    No
    We are a small organization of 1-5 persons and are not planning to hire anyone in the future, so this action is not applicable to our business.
    20. Do you have physical security controls (e.g., door locks, building alarms, security cameras, etc.) to prevent unauthorized access to facilities, a facility security plan, and physical controls on mobile computing devices?
    Yes
    No
    We are a small organization of 1-5 persons, we all work from our homes, and are not planning to hire anyone in the future, so this action is not applicable to our business.
    N/A or partially
    21. Do you have controls on systems and networks that host, process and / or transfer personal information and other types of sensitive information, including the use of firewalls and controls for protecting network devices from unauthorized access and data-theft?
    Yes
    We have some of these controls in place, but not all of them.
    No, we have one or none of these types of controls in place.
    We use a managed services provider (MSP) that is responsible for and manages all the systems and networks we use for our business. So this action is not applicable to our business; it is the responsibility of the MSP.
    22. Are connections to your networks and systems logged and monitored?
    Yes
    We do some logging, but we don't log everything involving all types of access to personal information on systems and networks.
    No
    We use a managed services provider (MSP) so we are not sure, but we think they are.
    23. Do you have a formal access authorization process based on 'least privilege' (employees are granted the least amount of access to information and systems possible in order to perform their assigned duties) and need to know (access permissions are granted based upon the legitimate business need of the user to access the information)?
    Yes
    We have a loose rule about this, but we do not have a formal access authorization procedure in place.
    No
    We are a small organization of 1-5 persons, we all need access to all data to run our business and fulfill business obligations, and are not planning to hire anyone in the future, so this action is not applicable to our business.
    24. Do you require each user ID to be unique and not shared with others, and have a process to disable and remove the IDs when the user leaves the organization?
    Yes
    For the most part. But we have one or a very few IDs we share.
    No
    We are a small organization of 1-5 persons, and we all work together to make our business work. We will not have anyone leaving the business, and are not planning to hire anyone in the future, so this action is not applicable to our business.
    25. Have you implemented anti-malware (e.g., anti-virus, spam filters, etc.) software on your computers and supporting systems?
    Yes
    We have some anti-malware tools in place on our systems and personal computers, but we should implement more to cover everything.
    No
    We use a managed services provider (MSP) to do all our computing activities, so they need to have anti-malware in place, not us.
    26. Media handling: Do procedures exist to protect documents (e.g., paper files, prescription labels, print materials, etc.) and computer media (e.g., tapes, disks, CD-ROMs, etc.) from unauthorized disclosure, modification, removal, and destruction? Is sensitive data encrypted when stored on laptop, desktop and server hard drives, flash drives, backup tapes, etc.? If the answer is "No" to either of these questions, answer "No".
    Yes
    No
    We use a managed services provider (MSP) to do all our computing activities, so they need to have media handling procedures in place, not us.
    27. Segregation of Computing Environments: Are development and test environments separated from the production (actively used) environment, to protect production applications and data from inadvertent changes or disruption? Are the data files of your business clients segregated from one another? If the answer to either question is "No", indicate "No" as your answer. Or, is this not applicable at your organization?
    Yes
    No
    We use a managed services provider (MSP) and are not sure, but we think they are.
    We are a small organization of 1-5 persons, do not use an MSP, and we do not create software, so this action is not applicable to our business.
    28. Segregation of Duties: Are duties separated, where appropriate, to reduce the opportunity for unauthorized modification, unintentional modification or misuse of the organization's IT assets? Or, is this not applicable at your organization?
    Yes
    No
    We are a small (e.g., 1 - 5 person) business and we all know each other well and perform many different duties, so this action is not feasible for our business.
    29. Change Management: Do formal change management procedures exist for networks, systems, desktops, software releases, deployments, and software vulnerability patching activities (including patches that close holes exploited by malware such as viruses or spyware)? Or, is this not applicable at your organization?
    Yes
    No
    We use a managed services provider (MSP) and are not sure, but we think they do.
    30. How would you evaluate your current implementation of all of the above controls?
    Just getting started, but have some of the controls fully implemented.
    Have around half to most of the controls implemented, but still have some work to do.
    Have fully implemented all the controls and are now managing ongoing compliance.
    31. Could you provide documentation (e.g., information security policies, supporting business documentation, etc.) for all the controls above within 24 hours of a request?
    Yes
    For most of the controls above, but some would take longer
    No, we still need to do a lot of documentation, but we're working on it.
Basic Information About Your Company :
  • Company Name (Optional, but we use this to personalize your printable report)
  • Contact Name (Optional, but we use this to personalize your printable report)
Final Step: Enter your email so we can send you your results and some helpful compliance tools
  • Email (Required)