Question Bank
Manage assessment questions by domain and category
| ID | Question Text | Domain | Category | Type | Risk Weight | Status | Actions |
|---|---|---|---|---|---|---|---|
| 99 | Do you have a formal user access provisioning process? *Documented procedures for granting access* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 185 | Do you have a formal user access provisioning process? *Documented procedures for granting access* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 100 | Do you have a formal user deprovisioning process? *Procedures for removing access when employees leave* | IT Assets & Investments | Access Controls | YesNo | 2.5 | Active | |
| 186 | Do you have a formal user deprovisioning process? *Procedures for removing access when employees leave* | IT Assets & Investments | Access Controls | YesNo | 2.5 | Active | |
| 101 | How quickly is access removed when an employee terminates? | IT Assets & Investments | Access Controls | MultipleChoice | 2.5 | Active | |
| 187 | How quickly is access removed when an employee terminates? | IT Assets & Investments | Access Controls | MultipleChoice | 2.5 | Active | |
| 102 | Do you conduct regular access reviews? *Periodic review of who has access to what* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 188 | Do you conduct regular access reviews? *Periodic review of who has access to what* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 103 | How frequently are access reviews conducted? | IT Assets & Investments | Access Controls | MultipleChoice | 1.5 | Active | |
| 189 | How frequently are access reviews conducted? | IT Assets & Investments | Access Controls | MultipleChoice | 1.5 | Active | |
| 104 | Do you follow the principle of least privilege? *Users only have minimum necessary access* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 190 | Do you follow the principle of least privilege? *Users only have minimum necessary access* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 105 | Do you have a password policy? *Requirements for password complexity and expiration* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 191 | Do you have a password policy? *Requirements for password complexity and expiration* | IT Assets & Investments | Access Controls | YesNo | 2.0 | Active | |
| 106 | What is your minimum password length requirement? *Number of characters* | IT Assets & Investments | Access Controls | Numeric | 1.5 | Active | |
| 192 | What is your minimum password length requirement? *Number of characters* | IT Assets & Investments | Access Controls | Numeric | 1.5 | Active | |
| 107 | How frequently are passwords required to change? | IT Assets & Investments | Access Controls | MultipleChoice | 1.0 | Active | |
| 193 | How frequently are passwords required to change? | IT Assets & Investments | Access Controls | MultipleChoice | 1.0 | Active | |
| 89 | Do you have a formal backup strategy? *Documented backup procedures and schedules* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 3.0 | Active | |
| 175 | Do you have a formal backup strategy? *Documented backup procedures and schedules* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 3.0 | Active | |
| 90 | How frequently are backups performed? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.5 | Active | |
| 176 | How frequently are backups performed? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.5 | Active | |
| 91 | Where are backups stored? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.0 | Active | |
| 177 | Where are backups stored? | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 2.0 | Active | |
| 92 | Do you have offsite/cloud backups? *Backups stored in a different physical location* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 178 | Do you have offsite/cloud backups? *Backups stored in a different physical location* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 93 | Are backups encrypted? | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 179 | Are backups encrypted? | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 94 | When was the last backup restoration test? *Verification that backups can be recovered* | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.5 | Active | |
| 180 | When was the last backup restoration test? *Verification that backups can be recovered* | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.5 | Active | |
| 95 | Do you have a Disaster Recovery Plan (DRP)? *Documented procedures for disaster recovery* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 181 | Do you have a Disaster Recovery Plan (DRP)? *Documented procedures for disaster recovery* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.5 | Active | |
| 96 | Do you have a Business Continuity Plan (BCP)? *Plans to maintain operations during disruptions* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 182 | Do you have a Business Continuity Plan (BCP)? *Plans to maintain operations during disruptions* | IT Assets & Investments | Backup & Disaster Recovery | YesNo | 2.0 | Active | |
| 97 | When was your DRP/BCP last tested? *Tabletop exercise or full test* | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.0 | Active | |
| 183 | When was your DRP/BCP last tested? *Tabletop exercise or full test* | IT Assets & Investments | Backup & Disaster Recovery | Date | 2.0 | Active | |
| 98 | What is your Recovery Time Objective (RTO) for critical systems? *Maximum acceptable downtime* | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 1.5 | Active | |
| 184 | What is your Recovery Time Objective (RTO) for critical systems? *Maximum acceptable downtime* | IT Assets & Investments | Backup & Disaster Recovery | MultipleChoice | 1.5 | Active | |
| 108 | Do you have a formal Change Management process? *Controlled process for making changes to IT systems* | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 194 | Do you have a formal Change Management process? *Controlled process for making changes to IT systems* | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 109 | Do you have a Change Advisory Board (CAB)? *Group that reviews and approves changes* | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 195 | Do you have a Change Advisory Board (CAB)? *Group that reviews and approves changes* | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 110 | Are changes tested before production deployment? | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 196 | Are changes tested before production deployment? | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 111 | Do you have a formal Incident Management process? *Procedures for handling IT incidents* | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 197 | Do you have a formal Incident Management process? *Procedures for handling IT incidents* | IT Assets & Investments | Change & Incident Management | YesNo | 2.0 | Active | |
| 112 | Do you track and categorize incidents by severity? | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 198 | Do you track and categorize incidents by severity? | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 113 | Do you conduct root cause analysis for major incidents? *Investigation to prevent recurrence* | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 199 | Do you conduct root cause analysis for major incidents? *Investigation to prevent recurrence* | IT Assets & Investments | Change & Incident Management | YesNo | 1.5 | Active | |
| 82 | Have you conducted a HIPAA Security Rule assessment? *Evaluation against HIPAA security requirements* | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 168 | Have you conducted a HIPAA Security Rule assessment? *Evaluation against HIPAA security requirements* | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 83 | When was your last HIPAA Security Rule assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.5 | Active | |
| 169 | When was your last HIPAA Security Rule assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.5 | Active | |
| 84 | Do you have documented HIPAA policies and procedures? *Written policies for HIPAA compliance* | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 170 | Do you have documented HIPAA policies and procedures? *Written policies for HIPAA compliance* | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 85 | Do you have a designated HIPAA Security Officer? | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.0 | Active | |
| 171 | Do you have a designated HIPAA Security Officer? | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.0 | Active | |
| 86 | Do you have Business Associate Agreements (BAAs) with all vendors handling PHI? *Required contracts with third parties* | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.5 | Active | |
| 172 | Do you have Business Associate Agreements (BAAs) with all vendors handling PHI? *Required contracts with third parties* | IT Assets & Investments | Compliance & Regulatory | YesNo | 2.5 | Active | |
| 87 | Have you conducted a risk assessment for Protected Health Information (PHI)? *Analysis of threats to patient data* | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 173 | Have you conducted a risk assessment for Protected Health Information (PHI)? *Analysis of threats to patient data* | IT Assets & Investments | Compliance & Regulatory | YesNo | 3.0 | Active | |
| 88 | When was your last PHI risk assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.0 | Active | |
| 174 | When was your last PHI risk assessment? | IT Assets & Investments | Compliance & Regulatory | Date | 2.0 | Active | |
| 236 | Do you have an access control system? *Badge readers, biometric, key cards* | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 237 | Do you have video surveillance? *Security cameras* | IT Assets & Investments | Physical Security | YesNo | 1.0 | Active | |
| 238 | How long is video surveillance footage retained? *Number of days* | IT Assets & Investments | Physical Security | Numeric | 1.0 | Active | |
| 239 | Do you have a dedicated server room or network closet? | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 240 | Is access to the server room restricted? *Limited to authorized personnel* | IT Assets & Investments | Physical Security | YesNo | 2.0 | Active | |
| 241 | Do you have environmental monitoring in the server room? *Temperature, humidity, water detection* | IT Assets & Investments | Physical Security | YesNo | 1.0 | Active | |
| 242 | Do you have backup power (UPS/Generator)? | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 243 | Do you have a visitor sign-in process? *Logging and escorting visitors* | IT Assets & Investments | Physical Security | YesNo | 1.0 | Active | |
| 244 | Are workstations physically secured when unattended? *Screen locks, cable locks* | IT Assets & Investments | Physical Security | YesNo | 1.5 | Active | |
| 114 | Do you have a documented Information Security Policy? *Overarching security policy* | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 121 | How many workstations (desktops/laptops) does your organization have? *Total count of employee computers* | IT Assets & Investments | Policies & Documentation | Numeric | 1.0 | Active | |
| 200 | Do you have a documented Information Security Policy? *Overarching security policy* | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 115 | Do you have a documented Acceptable Use Policy? *Guidelines for acceptable use of IT resources* | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 122 | What percentage of workstations are running Windows 10 or newer? *Supported operating system versions* | IT Assets & Investments | Policies & Documentation | Numeric | 2.0 | Active | |
| 201 | Do you have a documented Acceptable Use Policy? *Guidelines for acceptable use of IT resources* | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 116 | Do you have a documented Data Classification Policy? *How data should be categorized and protected* | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 123 | Do you have a complete inventory of all IT assets? *Documented list of all hardware and software* | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 202 | Do you have a documented Data Classification Policy? *How data should be categorized and protected* | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 117 | Do you have a documented Incident Response Policy? | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 124 | Do you use Remote Monitoring and Management (RMM) software? *Centralized monitoring and management of endpoints* | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 203 | Do you have a documented Incident Response Policy? | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 118 | When were your IT policies last reviewed and updated? *Policies should be reviewed annually* | IT Assets & Investments | Policies & Documentation | Date | 1.5 | Active | |
| 125 | If yes, which RMM solution do you use? *e.g., NinjaRMM, Datto, ConnectWise* | IT Assets & Investments | Policies & Documentation | Text | 1.0 | Active | |
| 204 | When were your IT policies last reviewed and updated? *Policies should be reviewed annually* | IT Assets & Investments | Policies & Documentation | Date | 1.5 | Active | |
| 119 | Do employees acknowledge IT policies annually? *Signed acknowledgment of policy awareness* | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 126 | Are workstations encrypted? *BitLocker, FileVault, or other encryption* | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 205 | Do employees acknowledge IT policies annually? *Signed acknowledgment of policy awareness* | IT Assets & Investments | Policies & Documentation | YesNo | 1.5 | Active | |
| 120 | Do you have an Information Security Framework adopted? *e.g., NIST CSF, ISO 27001, CIS Controls* | IT Assets & Investments | Policies & Documentation | MultipleChoice | 2.0 | Active | |
| 127 | Do end users have local administrator rights on their workstations? *Elevated privileges that can increase security risk* | IT Assets & Investments | Policies & Documentation | YesNo | 2.5 | Active | |
| 206 | Do you have an Information Security Framework adopted? *e.g., NIST CSF, ISO 27001, CIS Controls* | IT Assets & Investments | Policies & Documentation | MultipleChoice | 2.0 | Active | |
| 128 | Do you have a Mobile Device Management (MDM) solution? *Management of mobile phones and tablets* | IT Assets & Investments | Policies & Documentation | YesNo | 2.0 | Active | |
| 129 | If yes, which MDM solution do you use? *e.g., Intune, Jamf, MobileIron* | IT Assets & Investments | Policies & Documentation | Text | 1.0 | Active | |
| 216 | Do you have a vendor risk management program? *Process for assessing third-party vendors* | IT Assets & Investments | Vendor Risk Management | YesNo | 2.0 | Active | |
| 217 | Do you conduct security assessments of vendors before engagement? *Due diligence before contracting* | IT Assets & Investments | Vendor Risk Management | YesNo | 2.0 | Active | |
| 218 | How frequently do you review vendor security posture? | IT Assets & Investments | Vendor Risk Management | MultipleChoice | 1.5 | Active | |
| 219 | Do you have a vendor inventory with criticality ratings? *List of all vendors and their importance* | IT Assets & Investments | Vendor Risk Management | YesNo | 1.5 | Active | |
| 220 | Do you require vendors to have cyber insurance? | IT Assets & Investments | Vendor Risk Management | YesNo | 1.0 | Active | |
| 221 | Do you review vendor SOC 2 reports or other security certifications? | IT Assets & Investments | Vendor Risk Management | YesNo | 1.5 | Active | |
Showing 102 of 242 questions (242 active, 0 inactive)