Question Bank
Manage assessment questions by domain and category
| ID | Question Text | Domain | Category | Type | Risk Weight | Status | Actions |
|---|---|---|---|---|---|---|---|
| 77 | Do you have Data Loss Prevention (DLP) tools implemented? (Prevents unauthorized sharing of sensitive data) | IT Governance & Controls | Data Loss Prevention | YesNo | 2.5 | Active | |
| 163 | Do you have Data Loss Prevention (DLP) tools implemented? (Prevents unauthorized sharing of sensitive data) | IT Governance & Controls | Data Loss Prevention | YesNo | 2.5 | Active | |
| 78 | If yes, which DLP solution do you use? (e.g., Microsoft DLP, Symantec, Digital Guardian) | IT Governance & Controls | Data Loss Prevention | Text | 1.0 | Active | |
| 164 | If yes, which DLP solution do you use? (e.g., Microsoft DLP, Symantec, Digital Guardian) | IT Governance & Controls | Data Loss Prevention | Text | 1.0 | Active | |
| 79 | Do you have DLP policies for email? (Scanning outbound emails for sensitive data) | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 165 | Do you have DLP policies for email? (Scanning outbound emails for sensitive data) | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 80 | Do you have DLP policies for cloud storage (OneDrive/SharePoint)? | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 166 | Do you have DLP policies for cloud storage (OneDrive/SharePoint)? | IT Governance & Controls | Data Loss Prevention | YesNo | 2.0 | Active | |
| 81 | Do you have DLP policies for endpoint devices? (Preventing data exfiltration via USB, print, etc.) | IT Governance & Controls | Data Loss Prevention | YesNo | 1.5 | Active | |
| 167 | Do you have DLP policies for endpoint devices? (Preventing data exfiltration via USB, print, etc.) | IT Governance & Controls | Data Loss Prevention | YesNo | 1.5 | Active | |
| 229 | Do you use SPF (Sender Policy Framework)? (Email authentication to prevent spoofing) | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 230 | Do you use DKIM (DomainKeys Identified Mail)? (Email authentication mechanism) | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 231 | Do you use DMARC (Domain-based Message Authentication)? (Email validation policy) | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 232 | Do you have email encryption capabilities? (Ability to send encrypted emails) | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 233 | Do you scan email attachments for malware? | IT Governance & Controls | Email Security | YesNo | 2.5 | Active | |
| 234 | Do you have URL rewriting/sandboxing for email links? (Protection against malicious links) | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 235 | Do you use Microsoft Defender for Office 365 or similar? (Advanced email threat protection) | IT Governance & Controls | Email Security | YesNo | 2.0 | Active | |
| 48 | Do you have antivirus/anti-malware software on all endpoints? (Protection against viruses, malware, ransomware) | IT Governance & Controls | Endpoint Protection | YesNo | 3.0 | Active | |
| 134 | Do you have antivirus/anti-malware software on all endpoints? (Protection against viruses, malware, ransomware) | IT Governance & Controls | Endpoint Protection | YesNo | 3.0 | Active | |
| 49 | Which antivirus solution do you use? (e.g., Microsoft Defender, CrowdStrike, Sophos) | IT Governance & Controls | Endpoint Protection | Text | 1.5 | Active | |
| 135 | Which antivirus solution do you use? (e.g., Microsoft Defender, CrowdStrike, Sophos) | IT Governance & Controls | Endpoint Protection | Text | 1.5 | Active | |
| 50 | Is your antivirus centrally managed and monitored? (Central console for monitoring and alerts) | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 136 | Is your antivirus centrally managed and monitored? (Central console for monitoring and alerts) | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 51 | When was the last time antivirus definitions were updated? (Currency of threat signatures) | IT Governance & Controls | Endpoint Protection | Date | 2.0 | Active | |
| 137 | When was the last time antivirus definitions were updated? (Currency of threat signatures) | IT Governance & Controls | Endpoint Protection | Date | 2.0 | Active | |
| 52 | Do you have Endpoint Detection and Response (EDR) capabilities? (Advanced threat detection and response) | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 138 | Do you have Endpoint Detection and Response (EDR) capabilities? (Advanced threat detection and response) | IT Governance & Controls | Endpoint Protection | YesNo | 2.0 | Active | |
| 53 | Is MFA enabled for Microsoft 365/email access? (Additional security beyond passwords for email) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 139 | Is MFA enabled for Microsoft 365/email access? (Additional security beyond passwords for email) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 54 | What percentage of users have MFA enabled for email? (0-100%) | IT Governance & Controls | Multi-Factor Authentication | Numeric | 3.0 | Active | |
| 140 | What percentage of users have MFA enabled for email? (0-100%) | IT Governance & Controls | Multi-Factor Authentication | Numeric | 3.0 | Active | |
| 55 | Is MFA enabled for VPN or remote access? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 141 | Is MFA enabled for VPN or remote access? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 56 | Is MFA enabled for administrative accounts? (Privileged access protection) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 142 | Is MFA enabled for administrative accounts? (Privileged access protection) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 3.0 | Active | |
| 57 | Is MFA enabled for your EHR/Practice Management system? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 143 | Is MFA enabled for your EHR/Practice Management system? | IT Governance & Controls | Multi-Factor Authentication | YesNo | 2.5 | Active | |
| 58 | Do you use Conditional Access policies? (Context-based access controls: location, device, risk) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 1.5 | Active | |
| 144 | Do you use Conditional Access policies? (Context-based access controls: location, device, risk) | IT Governance & Controls | Multi-Factor Authentication | YesNo | 1.5 | Active | |
| 222 | Do you use Network Access Control (NAC)? (Restricts network access to authorized devices) | IT Governance & Controls | Network Security Controls | YesNo | 2.0 | Active | |
| 223 | Do you segment your network? (VLANs or other segmentation for security) | IT Governance & Controls | Network Security Controls | YesNo | 2.0 | Active | |
| 224 | Is patient/clinical data on a separate network segment? (Isolation of sensitive data) | IT Governance & Controls | Network Security Controls | YesNo | 2.5 | Active | |
| 225 | Do you use a Web Application Firewall (WAF)? (Protection for web applications) | IT Governance & Controls | Network Security Controls | YesNo | 1.5 | Active | |
| 226 | Do you have an Intrusion Detection/Prevention System (IDS/IPS)? (Monitoring for malicious network activity) | IT Governance & Controls | Network Security Controls | YesNo | 2.0 | Active | |
| 227 | Do you use a VPN for remote access? (Encrypted remote connectivity) | IT Governance & Controls | Network Security Controls | YesNo | 2.5 | Active | |
| 228 | If yes, what type of VPN? | IT Governance & Controls | Network Security Controls | MultipleChoice | 1.0 | Active | |
| 66 | Do you conduct regular vulnerability scans? (Automated scanning for security weaknesses) | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.5 | Active | |
| 152 | Do you conduct regular vulnerability scans? (Automated scanning for security weaknesses) | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.5 | Active | |
| 67 | How frequently are vulnerability scans conducted? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 2.0 | Active | |
| 153 | How frequently are vulnerability scans conducted? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 2.0 | Active | |
| 68 | Do you conduct penetration testing? (Simulated attacks by security professionals) | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 154 | Do you conduct penetration testing? (Simulated attacks by security professionals) | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 69 | When was your last penetration test? | IT Governance & Controls | Security Assessments & Testing | Date | 2.5 | Active | |
| 155 | When was your last penetration test? | IT Governance & Controls | Security Assessments & Testing | Date | 2.5 | Active | |
| 70 | Who conducts your penetration testing? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 1.5 | Active | |
| 156 | Who conducts your penetration testing? | IT Governance & Controls | Security Assessments & Testing | MultipleChoice | 1.5 | Active | |
| 71 | Do you have a process to remediate findings from security assessments? (Tracking and fixing identified vulnerabilities) | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 157 | Do you have a process to remediate findings from security assessments? (Tracking and fixing identified vulnerabilities) | IT Governance & Controls | Security Assessments & Testing | YesNo | 2.0 | Active | |
| 72 | Do you provide security awareness training to employees? (Education on security best practices and threats) | IT Governance & Controls | Security Awareness Training | YesNo | 2.5 | Active | |
| 158 | Do you provide security awareness training to employees? (Education on security best practices and threats) | IT Governance & Controls | Security Awareness Training | YesNo | 2.5 | Active | |
| 73 | How frequently is security awareness training conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 2.0 | Active | |
| 159 | How frequently is security awareness training conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 2.0 | Active | |
| 74 | Do you conduct simulated phishing campaigns? (Testing employee response to phishing emails) | IT Governance & Controls | Security Awareness Training | YesNo | 2.0 | Active | |
| 160 | Do you conduct simulated phishing campaigns? (Testing employee response to phishing emails) | IT Governance & Controls | Security Awareness Training | YesNo | 2.0 | Active | |
| 75 | How frequently are phishing simulations conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 1.5 | Active | |
| 161 | How frequently are phishing simulations conducted? | IT Governance & Controls | Security Awareness Training | MultipleChoice | 1.5 | Active | |
| 76 | Do you track metrics from security awareness training? (Completion rates, phishing click rates, etc.) | IT Governance & Controls | Security Awareness Training | YesNo | 1.0 | Active | |
| 162 | Do you track metrics from security awareness training? (Completion rates, phishing click rates, etc.) | IT Governance & Controls | Security Awareness Training | YesNo | 1.0 | Active | |
| 209 | Have you experienced any security incidents in the past 24 months? (Breaches, ransomware, data loss, etc.) | IT Governance & Controls | Security Incident History | YesNo | 2.0 | Active | |
| 210 | Have you ever had a ransomware incident? | IT Governance & Controls | Security Incident History | YesNo | 2.5 | Active | |
| 211 | Have you ever had a data breach involving PHI/PII? | IT Governance & Controls | Security Incident History | YesNo | 3.0 | Active | |
| 212 | Were any incidents reported to regulatory authorities? (HHS OCR, State AG, etc.) | IT Governance & Controls | Security Incident History | YesNo | 2.0 | Active | |
| 213 | Do you have cyber insurance? | IT Governance & Controls | Security Incident History | YesNo | 1.5 | Active | |
| 214 | If yes, what is your cyber insurance coverage limit? (Dollar amount) | IT Governance & Controls | Security Incident History | Numeric | 1.0 | Active | |
| 215 | Have you ever filed a cyber insurance claim? | IT Governance & Controls | Security Incident History | YesNo | 1.5 | Active | |
| 59 | Do you have centralized logging for security events? (Aggregated logs from systems, applications, network devices) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 145 | Do you have centralized logging for security events? (Aggregated logs from systems, applications, network devices) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 60 | Do you use a Security Information and Event Management (SIEM) system? (Security monitoring and alerting platform) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 146 | Do you use a Security Information and Event Management (SIEM) system? (Security monitoring and alerting platform) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 61 | If yes, which SIEM solution do you use? (e.g., Splunk, Microsoft Sentinel, LogRhythm) | IT Governance & Controls | Security Monitoring & Response | Text | 1.0 | Active | |
| 147 | If yes, which SIEM solution do you use? (e.g., Splunk, Microsoft Sentinel, LogRhythm) | IT Governance & Controls | Security Monitoring & Response | Text | 1.0 | Active | |
| 62 | Do you have a Security Operations Center (SOC) monitoring your environment? (Internal or outsourced 24/7 security monitoring) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 148 | Do you have a Security Operations Center (SOC) monitoring your environment? (Internal or outsourced 24/7 security monitoring) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.0 | Active | |
| 63 | If yes, is the SOC internal or outsourced? | IT Governance & Controls | Security Monitoring & Response | MultipleChoice | 1.0 | Active | |
| 149 | If yes, is the SOC internal or outsourced? | IT Governance & Controls | Security Monitoring & Response | MultipleChoice | 1.0 | Active | |
| 64 | Do you have an Incident Response Plan? (Documented procedures for security incidents) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.5 | Active | |
| 150 | Do you have an Incident Response Plan? (Documented procedures for security incidents) | IT Governance & Controls | Security Monitoring & Response | YesNo | 2.5 | Active | |
| 65 | When was your Incident Response Plan last tested? (Tabletop exercise or simulation) | IT Governance & Controls | Security Monitoring & Response | Date | 1.5 | Active | |
| 151 | When was your Incident Response Plan last tested? (Tabletop exercise or simulation) | IT Governance & Controls | Security Monitoring & Response | Date | 1.5 | Active | |
Showing 89 of 242 questions
242 Active
0 Inactive