Cyber Scorecard

Use this scorecard to assess your compliance with regulations and best practices. There are 4 sections in the assessment, and your answers will be scored.

Information Security Policy
My company has a published information security policy, approved by management.
The policy is formally communicated to all employees, and any updates to the policy are formally communicated to all employees.
The information security policy has an assigned owner, who is responsible for maintaining and reviewing it according to a written review policy.
The review process requires that a review should take place in response to significant security incidents, vulnerabilities, legislation, and changes to the organization or its technology.
Responsibilities for all IT processes and for protecting the IT infrastructure are clearly defined and assigned to individuals.
Policy Specifics
The information policy requires that all data be encrypted, and an employee is responsible for ensuring compliance.
All data sources, including hard drives, SD cards, USB sticks, disks, tapes, and printer caches, are destroyed or securely erased before being discarded.
All employees with access to information are required to take security awareness training on a regular basis.
Access to data is governed by an access control policy, and granted on a “need to know” basis. Any reasonable exceptions to the policy are documented.
Published procedures guide the company’s response to natural disasters, theft, data theft, cyber attacks, and loss of power or infrastructure.
Checks and Balances
Employees who are responsible for information security have up-to-date written checklists or catalogs of items for which they are responsible.
Compliance with the security policy, and other policies and procedures, is supported by software that is customized to the specific up-to-date policies and procedures of the company.
Automated continuity plans are in place to reassign critical tasks in the event that an employee is sick, can no longer work, resigns, or is terminated.
Management can immediately see, and will be alerted, if a person assigned to a critical task fails to complete that task.
Management can immediately see, and will be alerted, if an employee fails to complete security awareness training, or other training required by policies and procedures.
The company conducts regular internal audits to ensure compliance with policies and procedures. Audits are consistently documented and can be quickly accessed and compared.
Compliance with local, state, and national regulations, are tracked by software. Management can access reports on the company’s compliance over time.
Legally mandated compliance data and training records are demonstrably tamper-proof, and hosted by a 3rd party who can verify that data was not tampered.
The information security policy and IT procedures are regularly reviewed by a 3rd party with expertise in cyber security.
Backups are regularly restored in a test environment and verified to be usable at any time with minimal data loss.
Continuity plans are regularly tested, including plans for loss or sickness of an employee, natural disaster, theft, data theft, and loss of power or other infrastructure.
The IT infrastructure is periodically tested for weak passwords and missing or obsolete encryption.
Failure of any verification process, including backups, continuity plans, or IT security, is required by policy to be immediately reported to management.
Company Name