IT SCC Survey

Office of Cyber Security & Communications (CS&C) Information Technology (IT) Sector Small and Midsize Businesses (SMB) Cybersecurity Survey


IT Sector Coordinating Council Survey

OMB: 1670-0038


OMB Control Number: 1670-NEW

OMB Expiration Date: MM/DD/YYYY



Department of Homeland Security

National Protection and Programs Directorate


Paperwork Reduction Act

The public reporting burden to complete this information collection is estimated at 30 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collected information.  The collection of information is voluntary. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number and expiration date.  Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to DHS Office of Cybersecurity and Communications, 4200 Wilson Blvd, Arlington, VA 22203. ATTN: Critical Infrastructure Cyber Community (C3) Voluntary Program Manager [OMB Control No. 1670-NEW].



IT SCC - Questions for SMBs¹

This is a two-part questionnaire. Questions 1-11 are intended for the CEO, while the remaining portion requires technical information and should be filled out by the CISO and IT staff.

Respondent Contact Information

Name (Last, First) and Email: _____________________________________________________________

  1. What is the organization’s core business function?

511210 - Software Publishers

518210 - Data Processing, Hosting, and Related Services

519130 - Internet Publishing and Broadcasting and Web Search Portals

519190 - All Other Information Services

541511 - Custom Computer Programming Services

541512 - Computer Systems Design, Development and Integration Services

541513 - Computer Facilities Management Services

541519 - Other Computer Related Services

Public Federal

Public State

Local Municipality

Other ______________________





  2. What are the primary industry sectors your organization is supporting, i.e., what types of customers constitute your primary market segment?

    Private:


    Chemical Facilities

    Commercial Facilities

    Communications

    Critical Manufacturing

    Dams

    Defense Industrial Base

    Emergency Services

    Energy

    Financial Services




    Food and Agriculture

    Healthcare and Public Health

    Information Technology

    Nuclear Reactors, Materials and Waste

    Transportation

    Water and Wastewater

    Non-profit/Not for profit

    Academic

    Other _____________________________


    Public:


    Federal

    State


    Local Municipality

    Other ______________________


  3. Size of the company:


    a. What is your estimated annual revenue?

< $1M

$1M-$5M

$5M-$10M

$10M-$20M

$20M-$30M

$30M-$38.5M

$40M-$50M

$50M-$100M

$100M-$500M




    b. How many employees work at your organization?

No Employees

Under 20

20-99

100-499

500-749

750-999

1,000-1,499

1,500-2,499

2,500-4,999

5,000-9,999

10,000 or more





    c. Years in business ______________


  4. Safeguarded assets (cyber-relevant)



    a. Types of critical assets as related to the mission space

Personally Identifiable Information (PII) (e.g., customer lists, consumer contact information)

Protected Health Information (PHI) (e.g., including medical records, other health data collected via apps and wearables, medical device data)

Financial/Account Information (e.g., credit card records, transactional data, or in providing a service to business customer)

Personal Confidential Information (e.g., private email, employer records, etc.)

Corporate Confidential Information (e.g., corporate email, business-sensitive documentation)

Intellectual Property (IP) (e.g., trade secrets, copyrightable materials, patents, designs)

SCADA/ICS (industrial control systems)

Customer-facing Website

Business Application Servers and/or Transaction Systems

Embedded Systems (e.g., Building Controls, Medical Devices, etc.)

End points (e.g., PCs, Tablets, Smartphones)

IT Infrastructure Systems (e.g., DNS servers, data centers)

Encryption Keys

Other _______________

Not Applicable



    b. What are your primary cyber impacts of concern as related to these assets?

PII or PHI Loss

IP Loss

Financial Loss

Reputation Loss



Availability of Data/Information

Integrity of Data/Information

Operational Functionality (ICS or Embedded Systems)

Mission Disruption/Denial of Service

Other __________________________________




    c. What is the perceived value of your top assets?

< $1M

$1M-$5M

$5M-$10M

$10M-$20M

$20M-$30M

$30M-$40M


$40M - $50M

$50M - $100M

$100M - $500M

$500M - $1B

More than $1B

Unknown




  5. Cybersecurity capabilities:


    a. What are the current cybersecurity capabilities of your organization?

Dedicated staff/department handling internal cybersecurity issues

No stand-alone department, combined with other functions

Mostly Outsourced (established relationship with a third party)

Blended approach with a smaller portion of cybersecurity responsibilities outsourced

Ad hoc, no specifically identified internal or external cybersecurity support


    b. What is the approximate IT share relative to revenue? _________%


    c. What is the cybersecurity share in the overall IT budget? _________%



  6. How does your organization rank cybersecurity and information security relative to other priorities?


    a. Relative ranking as compared with other aspects of the core business objectives. Please assign a rank from 1 to 7 to the following areas:

__________ Attracting New Customers

__________ Retaining Existing Customers

__________ Cybersecurity

__________ Financing

__________ Physical Security

__________ Attracting Talent

__________ Compliance with the Regulations


    b. Importance of cybersecurity for your business

Cyber security is HIGHLY IMPORTANT for my business

Cyber security is IMPORTANT for my business

Cyber security is SOMEWHAT IMPORTANT for my business

Cyber security is NOT IMPORTANT for my business


  7. NIST Cybersecurity Framework (NIST CSF):


    a. Is your organization familiar with the NIST CSF? Yes / No



    b. If yes, is your organization IMPLEMENTING the NIST CSF?

Yes

Yes, but in conjunction with other frameworks, standards and practices


    c. If no,

Are you using some other framework, standards or practices

Currently not using any


  8. If your organization is aware of the NIST CSF, but not using it, what are the barriers to its implementation?

Lack of implementation guidance

Lack of specific technical information sources

NIST CSF is complex and hard to understand

Organization lacks technical expertise to support implementation

Insufficient information on the cost burden of the NIST CSF implementation

Insufficient budget

Cost-effectiveness considerations

Other_________________________

Using some other standards/framework instead



  9. What other cybersecurity practices, standards and procedures are being implemented by your organization as part of cyber risk management?

CCS CSC

COBIT 5

NIST SP 800-53

ISA 62443

ISO/IEC 27001/27002


CIS Critical Security Controls (formerly SANS Top 20)

Payment Card Industry Data Security Standard (PCI DSS)

Other ________________________________

We do not use any cybersecurity frameworks




  10. What information sources are you relying on for cybersecurity best practices?

Getting Started for Business - https://www.us-cert.gov/ccubedvp/smb

MS‐ISAC Cyber Security Toolkit - https://msisac.cisecurity.org/toolkit/

FCC Small Biz Cyber Planner 2.0 - https://www.fcc.gov/cyberplanner

Cyber Resilience Review (CRR) - https://www.us-cert.gov/ccubedvp/assessments

US-CERT Resource List - https://www.us-cert.gov/sites/default/files/c3vp/smb/Top_SMB_Resources.pdf

NIST SMB Information Security Guide: The Fundamentals - http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf

Other (Specify) ___________________________________________________

None of the above



  11. What do you think the likelihood is that your organization will experience an incident in the next 2-3 years?

Very Unlikely


Unlikely


Likely


Very Likely



  12. If your organization is using the NIST CSF framework, please answer the set of questions below.

    a. How long has your organization been using the NIST CSF? _____________years

    b. What element(s) of the NIST CSF have been implemented in your organization? (check all that apply)



Framework Core

Identify Categories/subcategories

Protect Categories/subcategories

Detect Categories/subcategories

Respond Categories/subcategories

Recover Categories/subcategories


Framework Profiles

Profile provided by sector/subsector

Profile specific to our organization


Framework Implementation Tiers

Other______________________



    c. What were the factors driving NIST CSF adoption?

NIST CSF is considered a best practice

Federal contract required it

Non-federal contract required it

Business partner required it

Other _________________


    d. Is the NIST CSF implemented in a segment of the organization or throughout the entity?

Segment

Throughout the organization

Not Implemented



    e. To the best of your ability, please determine the value the NIST Cybersecurity Framework has provided to these aspects of your organization. For each aspect, select one possible value: Positive, Neutral, Negative, or Non-Applicable.

Characterize the Cybersecurity Framework’s effect with regard to:

Understanding or managing cybersecurity risk: Positive / Neutral / Negative / Non-Applicable

Managing or fulfilling cybersecurity requirements: Positive / Neutral / Negative / Non-Applicable

Prioritizing the relative importance of cybersecurity requirements or activities: Positive / Neutral / Negative / Non-Applicable

Determining areas for improvement and developing plans to achieve improvements: Positive / Neutral / Negative / Non-Applicable

Reducing risk: Positive / Neutral / Negative / Non-Applicable



    f. What was the approximate cost of the NIST CSF implementation:

  1. Staff Time/Total Cost _________________$ thousand

  2. Acquisitions (software and hardware)/Total Cost ________________$ thousand


    g. What was the impact of the NIST CSF implementation on information security (cost savings or change in practices, both short-term and long-term)?

  1. Total cost savings ________________$ thousand

  2. Change in practices ________________$ thousand


    h. What was the impact on operations (cost savings or change in practices, short-term and long-term)?

  1. Total cost savings _________________$ thousand

  2. Change in practices _________________$ thousand


  13. How many endpoints/hosts and servers does your organization have on the network?

  1. Endpoints/hosts/terminals ___________

  2. Servers __________________


  14. What portion of the systems are you most concerned about?

10% or less

10 - less than 25%

25 - less than 50%

50% - less than 75%

75% or more

Prefer not to disclose

Do not know



  15. Do you have an on-file asset inventory, data flow and core network diagram with access points documented? Please select Yes or No for each document below:

  1. Asset Inventory Yes / No

  2. Data Flow Yes / No

  3. Core Network Diagram Yes / No

  4. Access Points Documented Yes / No

  5. Security Architecture Diagram Yes / No


  16. How is physical access to the assets managed?

All physical locations of assets are documented, physical access is strictly monitored

Location of SOME assets is documented, limited management of physical access

Other_________________


  17. How is remote access to the assets managed?

Established usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed

Connections are implemented through managed interfaces

Controls have been implemented to protect all communication and control network (technology) assets

Systems are monitored to detect unauthorized local, network, and remote connections.

Other ________________


  18. How is patching and remediation managed?

Ad hoc reactive patching and remediation

Standard managed program with regular updates in place

Established relationship with outside product and service providers

Other _________________________________



  19. Are system changes and incidents tracked?

    1. Incidents Tracked Yes / No

    2. System Changes Tracked Yes / No



  20. If a cyber incident were to occur, how would it be handled?

Ad hoc response

Cyber response plan or disaster response plan in place with POCs, roles and responsibilities identified

Established relationship with outside product and service providers



  21. Overall, how would you rate the cybersecurity maturity of your organization relative to your competitors?

New to market; novice experience

Beginner; beginning to develop cybersecurity processes

Intermediate; some processes are in place

Mature; processes are used and improved regularly


  22. In which of the following cybersecurity focus areas could your organization improve (select all that apply)?

Access and identity management

Vulnerability management

Antivirus/malware management

Endpoint security

Network security

Intrusion detection and protection

Secure development and testing practices

Encryption management (key storage, rotation, protocol selection)

Incident management and data breach response

Training and awareness

¹ Last update: May 1, 2017
