Question Bank
Manage assessment questions by domain and category
| ID | Question Text | Domain | Category | Type | Risk Weight | Status | Actions |
|---|---|---|---|---|---|---|---|
| 27 | Do you have detailed network diagrams? Documentation showing network topology and equipment | Cyber Security | Network Infrastructure | YesNo | 1.5 | Active | |
| 28 | What type of firewall do you use? Manufacturer and model | Cyber Security | Network Infrastructure | Text | 2.0 | Active | |
| 29 | Are your firewalls managed by a vendor or in-house? | Cyber Security | Network Infrastructure | MultipleChoice | 1.0 | Active | |
| 30 | Do you have redundant internet connections? Multiple ISP connections for failover | Cyber Security | Network Infrastructure | YesNo | 1.5 | Active | |
| 31 | Is your wireless network password-protected? WiFi security enabled | Cyber Security | Network Infrastructure | YesNo | 2.5 | Active | |
| 32 | What wireless security protocol do you use? | Cyber Security | Network Infrastructure | MultipleChoice | 2.0 | Active | |
| 33 | When was the WiFi password last changed? | Cyber Security | Network Infrastructure | Date | 1.0 | Active | |
| 34 | Do you have a separate guest WiFi network? Isolated network for visitors | Cyber Security | Network Infrastructure | YesNo | 1.0 | Active | |
| 99 | Do you have a formal user access provisioning process? Documented procedures for granting access | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 185 | Do you have a formal user access provisioning process? Documented procedures for granting access | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 100 | Do you have a formal user deprovisioning process? Procedures for removing access when employees leave | IT Assets & Investments | Access Controls | YesNo | 2.5 | Active | |
| 186 | Do you have a formal user deprovisioning process? Procedures for removing access when employees leave | IT Assets & Investments | Access Controls | YesNo | 2.5 | Active | |
| 101 | How quickly is access removed when an employee terminates? | IT Assets & Investments | Access Controls | MultipleChoice | 2.5 | Active | |
| 187 | How quickly is access removed when an employee terminates? | IT Assets & Investments | Access Controls | MultipleChoice | 2.5 | Active | |
| 102 | Do you conduct regular access reviews? Periodic review of who has access to what | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 188 | Do you conduct regular access reviews? Periodic review of who has access to what | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 103 | How frequently are access reviews conducted? | IT Assets & Investments | Access Controls | MultipleChoice | 1.5 | Active | |
| 189 | How frequently are access reviews conducted? | IT Assets & Investments | Access Controls | MultipleChoice | 1.5 | Active | |
| 104 | Do you follow the principle of least privilege? Users only have minimum necessary access | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 190 | Do you follow the principle of least privilege? Users only have minimum necessary access | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 105 | Do you have a password policy? Requirements for password complexity and expiration | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 191 | Do you have a password policy? Requirements for password complexity and expiration | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 106 | What is your minimum password length requirement? Number of characters | IT Assets & Investments | Access Controls | Numeric | 1.5 | Active | |
| 192 | What is your minimum password length requirement? Number of characters | IT Assets & Investments | Access Controls | Numeric | 1.5 | Active | |
| 107 | How frequently are passwords required to change? | IT Assets & Investments | Access Controls | MultipleChoice | 1.0 | Active | |
| 193 | How frequently are passwords required to change? | IT Assets & Investments | Access Controls | MultipleChoice | 1.0 | Active | |
| 89 | Do you have a formal backup strategy? Documented backup procedures and schedules | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 3.0 | Active | |
| 175 | Do you have a formal backup strategy? Documented backup procedures and schedules | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 3.0 | Active | |
| 90 | How frequently are backups performed? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.5 | Active | |
| 176 | How frequently are backups performed? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.5 | Active | |
| 91 | Where are backups stored? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.0 | Active | |
| 177 | Where are backups stored? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.0 | Active | |
| 92 | Do you have offsite/cloud backups? Backups stored in different physical location | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 178 | Do you have offsite/cloud backups? Backups stored in different physical location | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 93 | Are backups encrypted? | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 179 | Are backups encrypted? | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 94 | When was the last backup restoration test? Verification that backups can be recovered | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.5 | Active | |
| 180 | When was the last backup restoration test? Verification that backups can be recovered | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.5 | Active | |
| 95 | Do you have a Disaster Recovery Plan (DRP)? Documented procedures for disaster recovery | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 181 | Do you have a Disaster Recovery Plan (DRP)? Documented procedures for disaster recovery | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 96 | Do you have a Business Continuity Plan (BCP)? Plans to maintain operations during disruptions | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 182 | Do you have a Business Continuity Plan (BCP)? Plans to maintain operations during disruptions | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 97 | When was your DRP/BCP last tested? Tabletop exercise or full test | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.0 | Active | |
| 183 | When was your DRP/BCP last tested? Tabletop exercise or full test | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.0 | Active | |
| 98 | What is your Recovery Time Objective (RTO) for critical systems? Maximum acceptable downtime | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 1.5 | Active | |
| 184 | What is your Recovery Time Objective (RTO) for critical systems? Maximum acceptable downtime | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 1.5 | Active | |
| 108 | Do you have a formal Change Management process? Controlled process for making changes to IT systems | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 194 | Do you have a formal Change Management process? Controlled process for making changes to IT systems | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 109 | Do you have a Change Advisory Board (CAB)? Group that reviews and approves changes | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 195 | Do you have a Change Advisory Board (CAB)? Group that reviews and approves changes | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 110 | Are changes tested before production deployment? | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 196 | Are changes tested before production deployment? | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 111 | Do you have a formal Incident Management process? Procedures for handling IT incidents | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 197 | Do you have a formal Incident Management process? Procedures for handling IT incidents | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 112 | Do you track and categorize incidents by severity? | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 198 | Do you track and categorize incidents by severity? | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 113 | Do you conduct root cause analysis for major incidents? Investigation to prevent recurrence | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 199 | Do you conduct root cause analysis for major incidents? Investigation to prevent recurrence | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 82 | Have you conducted a HIPAA Security Rule assessment? Evaluation against HIPAA security requirements | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 168 | Have you conducted a HIPAA Security Rule assessment? Evaluation against HIPAA security requirements | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 83 | When was your last HIPAA Security Rule assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.5 | Active | |
| 169 | When was your last HIPAA Security Rule assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.5 | Active | |
| 84 | Do you have documented HIPAA policies and procedures? Written policies for HIPAA compliance | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 170 | Do you have documented HIPAA policies and procedures? Written policies for HIPAA compliance | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 85 | Do you have a designated HIPAA Security Officer? | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.0 | Active | |
| 171 | Do you have a designated HIPAA Security Officer? | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.0 | Active | |
| 86 | Do you have Business Associate Agreements (BAAs) with all vendors handling PHI? Required contracts with third parties | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.5 | Active | |
| 172 | Do you have Business Associate Agreements (BAAs) with all vendors handling PHI? Required contracts with third parties | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.5 | Active | |
| 87 | Have you conducted a risk assessment for Protected Health Information (PHI)? Analysis of threats to patient data | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 173 | Have you conducted a risk assessment for Protected Health Information (PHI)? Analysis of threats to patient data | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 88 | When was your last PHI risk assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.0 | Active | |
| 174 | When was your last PHI risk assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.0 | Active | |
| 236 | Do you have an access control system? Badge readers, biometric, key cards | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 237 | Do you have video surveillance? Security cameras | IT Assets & Investments | Physical Security | YesNo | 1.0 | Active | |
| 238 | How long is video surveillance footage retained? Number of days | IT Assets & Investments | Physical Security | Numeric | 1.0 | Active | |
| 239 | Do you have a dedicated server room or network closet? | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 240 | Is access to the server room restricted? Limited to authorized personnel | IT Assets & Investments | Physical Security | YesNo | 2.0 | Active | |
| 241 | Do you have environmental monitoring in the server room? Temperature, humidity, water detection | IT Assets & Investments | Physical Security | YesNo | 1.0 | Active | |
| 242 | Do you have backup power (UPS/Generator)? | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 243 | Do you have a visitor sign-in process? Logging and escorting visitors | IT Assets & Investments | Physical Security | YesNo | 1.0 | Active | |
| 244 | Are workstations physically secured when unattended? Screen locks, cable locks | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 114 | Do you have a documented Information Security Policy? Overarching security policy | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 121 | How many workstations (desktops/laptops) does your organization have? Total count of employee computers | IT Assets & Investments | Policies & Documentation | Numeric | 1.0 | Active | |
| 200 | Do you have a documented Information Security Policy? Overarching security policy | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 115 | Do you have a documented Acceptable Use Policy? Guidelines for acceptable use of IT resources | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 122 | What percentage of workstations are running Windows 10 or newer? Supported operating system versions | IT Assets & Investments | Policies & Documentation | Numeric | 2.0 | Active | |
| 201 | Do you have a documented Acceptable Use Policy? Guidelines for acceptable use of IT resources | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 116 | Do you have a documented Data Classification Policy? How data should be categorized and protected | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 123 | Do you have a complete inventory of all IT assets? Documented list of all hardware and software | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 202 | Do you have a documented Data Classification Policy? How data should be categorized and protected | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 117 | Do you have a documented Incident Response Policy? | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 124 | Do you use Remote Monitoring and Management (RMM) software? Centralized monitoring and management of endpoints | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 203 | Do you have a documented Incident Response Policy? | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 118 | When were your IT policies last reviewed and updated? Policies should be reviewed annually | IT Assets & Investments | Policies & Documentation | Date | 1.5 | Active | |
| 125 | If yes, which RMM solution do you use? e.g., NinjaRMM, Datto, ConnectWise | IT Assets & Investments | Policies & Documentation | Text | 1.0 | Active | |
| 204 | When were your IT policies last reviewed and updated? Policies should be reviewed annually | IT Assets & Investments | Policies & Documentation | Date | 1.5 | Active | |
| 119 | Do employees acknowledge IT policies annually? Signed acknowledgment of policy awareness | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 126 | Are workstations encrypted? BitLocker, FileVault, or other encryption | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 205 | Do employees acknowledge IT policies annually? Signed acknowledgment of policy awareness | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 120 | Do you have an Information Security Framework adopted? e.g., NIST CSF, ISO 27001, CIS Controls | IT Assets & Investments | Policies & Documentation | MultipleChoice | 2.0 | Active | |
| 127 | Do end users have local administrator rights on their workstations? Elevated privileges that can increase security risk | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 206 | Do you have an Information Security Framework adopted? e.g., NIST CSF, ISO 27001, CIS Controls | IT Assets & Investments | Policies & Documentation | MultipleChoice | 2.0 | Active | |
| 128 | Do you have a Mobile Device Management (MDM) solution? Management of mobile phones and tablets | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 129 | If yes, which MDM solution do you use? e.g., Intune, Jamf, MobileIron | IT Assets & Investments | Policies & Documentation | Text | 1.0 | Active | |
| 216 | Do you have a vendor risk management program? Process for assessing third-party vendors | IT Assets & Investments | Vendor Risk Management | YesNo | 2.0 | Active | |
| 217 | Do you conduct security assessments of vendors before engagement? Due diligence before contracting | IT Assets & Investments | Vendor Risk Management | YesNo | 2.0 | Active | |
| 218 | How frequently do you review vendor security posture? | IT Assets & Investments | Vendor Risk Management | MultipleChoice | 1.5 | Active | |
| 219 | Do you have a vendor inventory with criticality ratings? List of all vendors and their importance | IT Assets & Investments | Vendor Risk Management | YesNo | 1.5 | Active | |
| 220 | Do you require vendors to have cyber insurance? | IT Assets & Investments | Vendor Risk Management | YesNo | 1.0 | Active | |
| 221 | Do you review vendor SOC 2 reports or other security certifications? | IT Assets & Investments | Vendor Risk Management | YesNo | 1.5 | Active | |
| 77 | Do you have Data Loss Prevention (DLP) tools implemented? Prevents unauthorized sharing of sensitive data | IT Governance & Controls | Data Loss Prevention | YesNo | 2.5 | Active | |
| 163 | Do you have Data Loss Prevention (DLP) tools implemented? Prevents unauthorized sharing of sensitive data | IT Governance & Controls | Data Loss Prevention | YesNo | 2.5 | Active | |
| 78 | If yes, which DLP solution do you use? e.g., Microsoft DLP, Symantec, Digital Guardian | IT Governance & Controls | Data Loss Prevention | Text | 1.0 | Active | |
| 164 | If yes, which DLP solution do you use? e.g., Microsoft DLP, Symantec, Digital Guardian | IT Governance & Controls | Data Loss Prevention | Text | 1.0 | Active | |
| 79 | Do you have DLP policies for email? Scanning outbound emails for sensitive data | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 165 | Do you have DLP policies for email? Scanning outbound emails for sensitive data | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 80 | Do you have DLP policies for cloud storage (OneDrive/SharePoint)? | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 166 | Do you have DLP policies for cloud storage (OneDrive/SharePoint)? | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 81 | Do you have DLP policies for endpoint devices? Preventing data exfiltration via USB, print, etc. | IT Governance & Controls | Data Loss Prevention | YesNo | 1.5 | Active | |
| 167 | Do you have DLP policies for endpoint devices? Preventing data exfiltration via USB, print, etc. | IT Governance & Controls | Data Loss Prevention | YesNo | 1.5 | Active | |
| 229 | Do you use SPF (Sender Policy Framework)? Email authentication to prevent spoofing | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 230 | Do you use DKIM (DomainKeys Identified Mail)? Email authentication mechanism | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 231 | Do you use DMARC (Domain-based Message Authentication)? Email validation policy | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 232 | Do you have email encryption capabilities? Ability to send encrypted emails | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 233 | Do you scan email attachments for malware? | IT Governance & Controls | Email Security | YesNo | 2.5 | Active | |
| 234 | Do you have URL rewriting/sandboxing for email links? Protection against malicious links | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 235 | Do you use Microsoft Defender for Office 365 or similar? Advanced email threat protection | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 48 | Do you have antivirus/anti-malware software on all endpoints? Protection against viruses, malware, ransomware | IT Governance & Controls | Endpoint Protection | YesNo | 3.0 | Active | |
| 134 | Do you have antivirus/anti-malware software on all endpoints? Protection against viruses, malware, ransomware | IT Governance & Controls | Endpoint Protection | YesNo | 3.0 | Active | |
| 49 | Which antivirus solution do you use? e.g., Microsoft Defender, CrowdStrike, Sophos | IT Governance & Controls | Endpoint Protection | Text | 1.5 | Active | |
| 135 | Which antivirus solution do you use? e.g., Microsoft Defender, CrowdStrike, Sophos | IT Governance & Controls | Endpoint Protection | Text | 1.5 | Active | |
| 50 | Is your antivirus centrally managed and monitored? Central console for monitoring and alerts | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 136 | Is your antivirus centrally managed and monitored? Central console for monitoring and alerts | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 51 | When was the last time antivirus definitions were updated? Currency of threat signatures | IT Governance & Controls | Endpoint Protection | Date | 2.0 | Active | |
| 137 | When was the last time antivirus definitions were updated? Currency of threat signatures | IT Governance & Controls | Endpoint Protection | Date | 2.0 | Active | |
| 52 | Do you have Endpoint Detection and Response (EDR) capabilities? Advanced threat detection and response | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 138 | Do you have Endpoint Detection and Response (EDR) capabilities? Advanced threat detection and response | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 53 | Is MFA enabled for Microsoft 365/email access? Additional security beyond passwords for email | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 139 | Is MFA enabled for Microsoft 365/email access? Additional security beyond passwords for email | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 54 | What percentage of users have MFA enabled for email? 0-100% | IT Governance & Controls | Multi-Factor Authentication | Numeric | 3.0 | Active | |
| 140 | What percentage of users have MFA enabled for email? 0-100% | IT Governance & Controls | Multi-Factor Authentication | Numeric | 3.0 | Active | |
| 55 | Is MFA enabled for VPN or remote access? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 141 | Is MFA enabled for VPN or remote access? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 56 | Is MFA enabled for administrative accounts? Privileged access protection | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 142 | Is MFA enabled for administrative accounts? Privileged access protection | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 57 | Is MFA enabled for your EHR/Practice Management system? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 143 | Is MFA enabled for your EHR/Practice Management system? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 58 | Do you use Conditional Access policies? Context-based access controls (location, device, risk) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 1.5 | Active | |
| 144 | Do you use Conditional Access policies? Context-based access controls (location, device, risk) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 1.5 | Active | |
| 222 | Do you use Network Access Control (NAC)? Restricts network access to authorized devices | IT Governance & Controls | Network Security Controls | YesNo | 2.0 | Active | |
| 223 | Do you segment your network? VLANs or other segmentation for security | IT Governance & Controls | Network Security Controls | YesNo | 2.0 | Active | |
| 224 | Is patient/clinical data on a separate network segment? Isolation of sensitive data | IT Governance & Controls | Network Security Controls | YesNo | 2.5 | Active | |
| 225 | Do you use a Web Application Firewall (WAF)? Protection for web applications | IT Governance & Controls | Network Security Controls | YesNo | 1.5 | Active | |
| 226 | Do you have Intrusion Detection/Prevention System (IDS/IPS)? Monitoring for malicious network activity | IT Governance & Controls | Network Security Controls | YesNo | 2.0 | Active | |
| 227 | Do you use VPN for remote access? Encrypted remote connectivity | IT Governance & Controls | Network Security Controls | YesNo | 2.5 | Active | |
| 228 | If yes, what type of VPN? | IT Governance & Controls | Network Security Controls | MultipleChoice | 1.0 | Active | |
| 66 | Do you conduct regular vulnerability scans? Automated scanning for security weaknesses | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.5 | Active | |
| 152 | Do you conduct regular vulnerability scans? Automated scanning for security weaknesses | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.5 | Active | |
| 67 | How frequently are vulnerability scans conducted? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 2.0 | Active | |
| 153 | How frequently are vulnerability scans conducted? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 2.0 | Active | |
| 68 | Do you conduct penetration testing? Simulated attacks by security professionals | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 154 | Do you conduct penetration testing? Simulated attacks by security professionals | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 69 | When was your last penetration test? | IT Governance & Controls | Security Assessments & Testing | Date | 2.5 | Active | |
| 155 | When was your last penetration test? | IT Governance & Controls | Security Assessments & Testing | Date | 2.5 | Active | |
| 70 | Who conducts your penetration testing? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 1.5 | Active | |
| 156 | Who conducts your penetration testing? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 1.5 | Active | |
| 71 | Do you have a process to remediate findings from security assessments? Tracking and fixing identified vulnerabilities | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 157 | Do you have a process to remediate findings from security assessments? Tracking and fixing identified vulnerabilities | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 72 | Do you provide security awareness training to employees? Education on security best practices and threats | IT Governance & Controls | Security Awareness Training | YesNo | 2.5 | Active | |
| 158 | Do you provide security awareness training to employees? Education on security best practices and threats | IT Governance & Controls | Security Awareness Training | YesNo | 2.5 | Active | |
| 73 | How frequently is security awareness training conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 2.0 | Active | |
| 159 | How frequently is security awareness training conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 2.0 | Active | |
| 74 | Do you conduct simulated phishing campaigns? Testing employee response to phishing emails | IT Governance & Controls | Security Awareness Training | YesNo | 2.0 | Active | |
| 160 | Do you conduct simulated phishing campaigns? Testing employee response to phishing emails | IT Governance & Controls | Security Awareness Training | YesNo | 2.0 | Active | |
| 75 | How frequently are phishing simulations conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 1.5 | Active | |
| 161 | How frequently are phishing simulations conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 1.5 | Active | |
| 76 | Do you track metrics from security awareness training? Completion rates, phishing click rates, etc. | IT Governance & Controls | Security Awareness Training | YesNo | 1.0 | Active | |
| 162 | Do you track metrics from security awareness training? Completion rates, phishing click rates, etc. | IT Governance & Controls | Security Awareness Training | YesNo | 1.0 | Active | |
| 209 | Have you experienced any security incidents in the past 24 months? Breaches, ransomware, data loss, etc. | IT Governance & Controls | Security Incident History | YesNo | 2.0 | Active | |
| 210 | Have you ever had a ransomware incident? | IT Governance & Controls | Security Incident History | YesNo | 2.5 | Active | |
| 211 | Have you ever had a data breach involving PHI/PII? | IT Governance & Controls | Security Incident History | YesNo | 3.0 | Active | |
| 212 | Were any incidents reported to regulatory authorities? HHS OCR, State AG, etc. | IT Governance & Controls | Security Incident History | YesNo | 2.0 | Active | |
| 213 | Do you have cyber insurance? | IT Governance & Controls | Security Incident History | YesNo | 1.5 | Active | |
| 214 | If yes, what is your cyber insurance coverage limit? Dollar amount | IT Governance & Controls | Security Incident History | Numeric | 1.0 | Active | |
| 215 | Have you ever filed a cyber insurance claim? | IT Governance & Controls | Security Incident History | YesNo | 1.5 | Active | |
| 59 | Do you have centralized logging for security events? Aggregated logs from systems, applications, network devices | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 145 | Do you have centralized logging for security events? Aggregated logs from systems, applications, network devices | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 60 | Do you use a Security Information and Event Management (SIEM) system? Security monitoring and alerting platform | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 146 | Do you use a Security Information and Event Management (SIEM) system? Security monitoring and alerting platform | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 61 | If yes, which SIEM solution do you use? e.g., Splunk, Microsoft Sentinel, LogRhythm | IT Governance & Controls | Security Monitoring & Response | Text | 1.0 | Active | |
| 147 | If yes, which SIEM solution do you use? e.g., Splunk, Microsoft Sentinel, LogRhythm | IT Governance & Controls | Security Monitoring & Response | Text | 1.0 | Active | |
| 62 | Do you have a Security Operations Center (SOC) monitoring your environment? Internal or outsourced 24/7 security monitoring | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 148 | Do you have a Security Operations Center (SOC) monitoring your environment? Internal or outsourced 24/7 security monitoring | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 63 | If yes, is the SOC internal or outsourced? | IT Governance & Controls | Security Monitoring & Response | MultipleChoice | 1.0 | Active | |
| 149 | If yes, is the SOC internal or outsourced? | IT Governance & Controls | Security Monitoring & Response | MultipleChoice | 1.0 | Active | |
| 64 | Do you have an Incident Response Plan? Documented procedures for security incidents |
IT Governance & Controls | Security Monitoring & Response | YesNo | 2.5 | Active | |
| 150 | Do you have an Incident Response Plan? Documented procedures for security incidents |
IT Governance & Controls | Security Monitoring & Response | YesNo | 2.5 | Active | |
| 65 | When was your Incident Response Plan last tested? Tabletop exercise or simulation |
IT Governance & Controls | Security Monitoring & Response | Date | 1.5 | Active | |
| 151 | When was your Incident Response Plan last tested? Tabletop exercise or simulation |
IT Governance & Controls | Security Monitoring & Response | Date | 1.5 | Active | |
| 22 | What email platform do you use? | IT Infrastructure | Business Applications | MultipleChoice | 1.5 | Active | |
| 23 | Which Microsoft 365 license level do you have? Different licenses provide different security features |
IT Infrastructure | Business Applications | MultipleChoice | 1.5 | Active | |
| 24 | Do you have email security scanning before messages reach mailboxes? Advanced threat protection for email |
IT Infrastructure | Business Applications | YesNo | 2.5 | Active | |
| 25 | What accounting software do you use? e.g., QuickBooks, Sage, NetSuite |
IT Infrastructure | Business Applications | Text | 1.0 | Active | |
| 26 | Do you use Single Sign-On (SSO) across your applications? Centralized authentication for multiple systems |
IT Infrastructure | Business Applications | YesNo | 1.5 | Active | |
| 17 | What is your primary Electronic Health Record (EHR) or Practice Management system? e.g., CRIO, Epic, Cerner, Athenahealth |
IT Infrastructure | Practice Management Systems | Text | 2.0 | Active | |
| 18 | Is your EHR/Practice Management system cloud-based or on-premise? | IT Infrastructure | Practice Management Systems | MultipleChoice | 1.0 | Active | |
| 19 | Does your EHR/Practice Management system have multi-factor authentication (MFA)? Additional security layer beyond passwords |
IT Infrastructure | Practice Management Systems | YesNo | 2.5 | Active | |
| 20 | When was the last security review of your EHR system? Most recent security assessment or audit |
IT Infrastructure | Practice Management Systems | Date | 2.0 | Active | |
| 21 | How many users have administrative access to the EHR system? Users with elevated privileges |
IT Infrastructure | Practice Management Systems | Numeric | 1.5 | Active | |
| 13 | Do you have a formal IT strategy document? Written plan aligning IT with business objectives |
IT Organization & Support Structure | IT Strategy & Planning | YesNo | 1.5 | Active | |
| 14 | Do you have an IT roadmap for the next 12-24 months? Planned IT initiatives and projects |
IT Organization & Support Structure | IT Strategy & Planning | YesNo | 1.5 | Active | |
| 15 | Do you have a formal IT budget? Approved budget for IT operations and capital expenses |
IT Organization & Support Structure | IT Strategy & Planning | YesNo | 1.5 | Active | |
| 16 | Do you track IT Key Performance Indicators (KPIs)? Metrics to measure IT performance and effectiveness |
IT Organization & Support Structure | IT Strategy & Planning | YesNo | 1.0 | Active | |
| 44 | Do you have an automated patch management system? Automated deployment of OS and application updates |
IT Organization & Support Structure | Patching & Updates | YesNo | 2.0 | Active | |
| 130 | Do you have an automated patch management system? Automated deployment of OS and application updates |
IT Organization & Support Structure | Patching & Updates | YesNo | 2.0 | Active | |
| 45 | How frequently are Windows updates deployed? | IT Organization & Support Structure | Patching & Updates | MultipleChoice | 2.0 | Active | |
| 131 | How frequently are Windows updates deployed? | IT Organization & Support Structure | Patching & Updates | MultipleChoice | 2.0 | Active | |
| 46 | How frequently are third-party application updates deployed? | IT Organization & Support Structure | Patching & Updates | MultipleChoice | 2.0 | Active | |
| 132 | How frequently are third-party application updates deployed? | IT Organization & Support Structure | Patching & Updates | MultipleChoice | 2.0 | Active | |
| 47 | Do you test patches before deployment? Validation in test environment before production |
IT Organization & Support Structure | Patching & Updates | YesNo | 1.0 | Active | |
| 133 | Do you test patches before deployment? Validation in test environment before production |
IT Organization & Support Structure | Patching & Updates | YesNo | 1.0 | Active | |
| 7 | Do you have a ticketing system to track IT support requests? System for logging, tracking, and resolving IT issues |
IT Organization & Support Structure | Support Model & Processes | YesNo | 2.0 | Active | |
| 8 | If yes, which ticketing system do you use? e.g., ServiceNow, Zendesk, Jira Service Desk |
IT Organization & Support Structure | Support Model & Processes | Text | 1.0 | Active | |
| 9 | Do you have documented Service Level Agreements (SLAs) with IT providers? Written agreements defining response/resolution times |
IT Organization & Support Structure | Support Model & Processes | YesNo | 1.5 | Active | |
| 10 | What are your standard IT support hours? | IT Organization & Support Structure | Support Model & Processes | MultipleChoice | 1.0 | Active | |
| 11 | Is 24/7 on-call support available? After-hours emergency support availability |
IT Organization & Support Structure | Support Model & Processes | YesNo | 1.5 | Active | |
| 12 | Do you have documented IT policies and procedures? Written guidelines for IT operations and standards |
IT Organization & Support Structure | Support Model & Processes | YesNo | 2.0 | Active | |
| 1 | Does your organization have internal IT staff? Dedicated employees on payroll responsible for IT functions |
IT Organization & Support Structure | Team Structure | YesNo | 1.5 | Active | |
| 2 | If yes, how many internal IT staff members do you have? Total count of IT personnel |
IT Organization & Support Structure | Team Structure | Numeric | 1.0 | Active | |
| 3 | Do you use a Managed Service Provider (MSP) for IT support? Third-party vendor providing ongoing IT services |
IT Organization & Support Structure | Team Structure | YesNo | 2.0 | Active | |
| 4 | If yes, what is the name of your MSP? | IT Organization & Support Structure | Team Structure | Text | 1.0 | Active | |
| 5 | How many employees does your primary MSP have? Helps assess vendor capacity and risk |
IT Organization & Support Structure | Team Structure | Numeric | 1.5 | Active | |
| 6 | Is there a single point of contact who oversees all IT service providers? Central coordination for IT vendors and services |
IT Organization & Support Structure | Team Structure | YesNo | 1.5 | Active | |
| 35 | How many workstations (desktops/laptops) does your organization have? Total count of employee computers |
IT Organization & Support Structure | Workstations & Endpoints | Numeric | 1.0 | Active | |
| 36 | What percentage of workstations are running Windows 10 or newer? Supported operating system versions |
IT Organization & Support Structure | Workstations & Endpoints | Numeric | 2.0 | Active | |
| 37 | Do you have a complete inventory of all IT assets? Documented list of all hardware and software |
IT Organization & Support Structure | Workstations & Endpoints | YesNo | 1.5 | Active | |
| 38 | Do you use Remote Monitoring and Management (RMM) software? Centralized monitoring and management of endpoints |
IT Organization & Support Structure | Workstations & Endpoints | YesNo | 1.5 | Active | |
| 39 | If yes, which RMM solution do you use? e.g., NinjaRMM, Datto, ConnectWise |
IT Organization & Support Structure | Workstations & Endpoints | Text | 1.0 | Active | |
| 40 | Are workstations encrypted? BitLocker, FileVault, or other encryption |
IT Organization & Support Structure | Workstations & Endpoints | YesNo | 2.5 | Active | |
| 41 | Do end users have local administrator rights on their workstations? Elevated privileges that can increase security risk |
IT Organization & Support Structure | Workstations & Endpoints | YesNo | 2.5 | Active | |
| 42 | Do you have a Mobile Device Management (MDM) solution? Management of mobile phones and tablets |
IT Organization & Support Structure | Workstations & Endpoints | YesNo | 2.0 | Active | |
| 43 | If yes, which MDM solution do you use? e.g., Intune, Jamf, MobileIron |
IT Organization & Support Structure | Workstations & Endpoints | Text | 1.0 | Active |
Showing 242 of 242 questions
242 Active
0 Inactive