OMB Control Number: 1670-NEW
OMB Expiration Date: MM/DD/YYYY
Department of Homeland Security
National Protection and Programs Directorate
Paperwork Reduction Act
The public reporting burden to complete this information collection is estimated at 30 minutes per response, including the time for reviewing instructions, searching existing data sources, gathering and maintaining the data needed, and completing and reviewing the collected information. The collection of information is voluntary. An agency may not conduct or sponsor, and a person is not required to respond to a collection of information unless it displays a currently valid OMB control number and expiration date. Send comments regarding this burden estimate or any other aspect of this collection of information, including suggestions for reducing this burden to DHS Office of Cybersecurity and Communications, 4200 Wilson Blvd, Arlington, VA 22203. ATTN: Critical Infrastructure Cyber Community (C3) Voluntary Program Manager [OMB Control No. 1670-NEW].
IT SCC - Questions for SMBs[1]
This is a two-part questionnaire. Questions 1-11 are intended for the CEO, while the remaining portion requires technical information and should be filled out by the CISO and IT staff.
Respondent Contact Information
Name (Last, First) and Email: _____________________________________________________________
What is the organization’s core business function?
☐ 511210 - Software Publishers
☐ 518210 - Data Processing, Hosting, and Related Services
☐ 519130 - Internet Publishing and Broadcasting and Web Search Portals
☐ 519190 - All Other Information Services
☐ 541511 - Custom Computer Programming Services
☐ 541512 - Computer Systems Design, Development and Integration Services
☐ 541513 - Computer Facilities Management Services
☐ 541519 - Other Computer Related Services
☐ Public Federal
☐ Public State
☐ Local Municipality
☐ Other ______________________
What are the primary industry sectors your organization is supporting, i.e. what type of customers constitute your primary market segment?
Private:
☐ Chemical Facilities ☐ Commercial Facilities ☐ Communications ☐ Critical Manufacturing ☐ Dams ☐ Defense Industrial Base ☐ Emergency Services ☐ Energy ☐ Financial Services
☐ Food and Agriculture ☐ Healthcare and Public Health ☐ Information Technology ☐ Nuclear Reactors, Materials and Waste ☐ Transportation ☐ Water and Wastewater ☐ Non-profit/Not for profit ☐ Academic ☐ Other _____________________________
Public:
☐ Federal ☐ State ☐ Local Municipality ☐ Other ______________________
Size of the company:
What is your estimated annual revenue?
☐ < $1M ☐ $1M-$5M ☐ $5M-$10M ☐ $10-$20M ☐ $20-$30M
☐ $30-$38.5M ☐ $40M - $50M ☐ $50M - $100M ☐ $100M - $500M
How many employees work at your organization?
☐ No Employees ☐ Under 20 ☐ 20-99 ☐ 100-499 ☐ 500-749 ☐ 750-999
☐ 1,000-1,499 ☐ 1,500-2,499 ☐ 2,500-4,999 ☐ 5,000-9,999 ☐ 10,000 or more
Years in business ______________
Safeguarded assets (cyber-relevant)
Types of critical assets as related to the mission space
☐ Personally Identifiable Information (PII) (e.g., customer lists, consumer contact information)
☐ Protected Health Information (PHI) (e.g., including medical records, other health data collected via apps and wearables, medical device data)
☐ Financial/Account Information (e.g., credit card records, transactional data, or in providing a service to business customer)
☐ Personal Confidential Information (e.g., private email, employer records, etc.)
☐ Corporate Confidential Information (e.g., corporate email, business-sensitive documentation)
☐ Intellectual Property (IP) (e.g., trade secrets, copyrightable materials, patents, designs)
☐ SCADA/ICS (industrial control systems)
☐ Customer-facing Website
☐ Business Application Servers and/or Transaction Systems
☐ Embedded Systems (e.g., Building Controls, Medical Devices, etc.)
☐ End points (e.g., PCs, Tablets, Smartphones)
☐ IT Infrastructure Systems (e.g., DNS servers, data centers)
☐ Encryption Keys
☐ Other _______________
☐ Not Applicable
What are your primary cyber impacts of concern as related to these assets?
☐ PII or PHI Loss ☐ IP Loss ☐ Financial Loss ☐ Reputation Loss
☐ Availability of Data/Information ☐ Integrity of Data/Information ☐ Operational Functionality (ICS or Embedded Systems) ☐ Mission Disruption/Denial of Service ☐ Other __________________________________
What is the perceived value of your top assets?
☐ < $1M ☐ $1M-$5M ☐ $5M-$10M ☐ $10-$20M ☐ $20-$30M ☐ $30-$40M
☐ $40M - $50M ☐ $50M - $100M ☐ $100M - $500M ☐ $500M - $1B ☐ More than $1B ☐ Unknown
Cybersecurity capabilities:
What are current cybersecurity capabilities of your organization?
☐ Dedicated staff/department handling internal cybersecurity issues
☐ No stand-alone department, combined with other functions
☐ Mostly Outsourced (established relationship with a third party)
☐ Blended approach with a smaller portion of cybersecurity responsibilities outsourced
☐ Ad hoc, no specifically identified internal or external cybersecurity support
What is the approximate IT share relative to revenue? _________%
What is the cybersecurity share in the overall IT budget? _________%
How does your organization rank cybersecurity and information security relative to other priorities?
Relative ranking as compared with other aspects of the core business objectives. Please assign a rank from 1 to 7 to the following areas:
__________ Attracting New Customers
__________ Retaining Existing Customers
__________ Cybersecurity
__________ Financing
__________ Physical Security
__________ Attracting Talent
__________ Compliance with the Regulations
Importance of cybersecurity for your business
☐ Cyber security is HIGHLY IMPORTANT for my business
☐ Cyber security is IMPORTANT for my business
☐ Cyber security is SOMEWHAT IMPORTANT for my business
☐ Cyber security is NOT IMPORTANT for my business
NIST Cybersecurity Framework (NIST CSF):
Is your organization familiar with the NIST CSF? ☐ Yes ☐ No
If yes, is your organization IMPLEMENTING the NIST CSF?
☐ Yes
☐ Yes, but in conjunction with other frameworks, standards and practices
If no,
☐ Using some other framework, standards or practices
☐ Currently not using any
If your organization is aware of the NIST CSF, but not using it, what are the barriers to its implementation?
☐ Lack of implementation guidance
☐ Lack of specific technical information sources
☐ NIST CSF is complex and hard to understand
☐ Organization lacks technical expertise to support implementation
☐ Insufficient information on the cost burden of the NIST CSF implementation
☐ Insufficient budget
☐ Cost-effectiveness considerations
☐ Other_________________________
☐ Using some other standards/framework instead
What other cybersecurity practices, standards and procedures are being implemented by your organization as part of cyber risk management?
☐ CCS CSC ☐ COBIT 5 ☐ NIST SP 800-53 ☐ ISA 62443 ☐ ISO/IEC 27001/27002
☐ CIS Critical Security Controls (formerly SANS Top 20) ☐ PCI DSS (Payment Card Industry Data Security Standard) ☐ Other ________________________________ ☐ We do not use any cybersecurity frameworks
What information sources are you relying on for cybersecurity best practices?
☐ Getting Started for Business - https://www.us-cert.gov/ccubedvp/smb
☐ MS‐ISAC Cyber Security Toolkit - https://msisac.cisecurity.org/toolkit/
☐ FCC Small Biz Cyber Planner 2.0 - https://www.fcc.gov/cyberplanner
☐ Cyber Resilience Review (CRR) - https://www.us-cert.gov/ccubedvp/assessments
☐ US-CERT Resource List - https://www.us-cert.gov/sites/default/files/c3vp/smb/Top_SMB_Resources.pdf
☐ NIST SMB Information Security Guide: The Fundamentals - http://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf
☐ Other (Specify) ___________________________________________________
☐ None of the above
What do you think the likelihood is that your organization will experience an incident in the next 2-3 years?
☐ Very Unlikely
☐ Unlikely
☐ Likely
☐ Very Likely
If your organization is using the NIST CSF, please answer the set of questions below.
How long has your organization been using the NIST CSF? _____________years
What element(s) of the NIST CSF have been implemented in your organization? (check all that apply)
☐ Framework Core
☐ Identify Categories/subcategories
☐ Protect Categories/subcategories
☐ Detect Categories/subcategories
☐ Respond Categories/subcategories
☐ Recover Categories/subcategories
☐ Framework Profiles
☐ Profile provided by sector/subsector
☐ Profile specific to our organization
☐ Framework Implementation Tiers
☐ Other______________________
What were the factors driving NIST CSF adoption?
☐ NIST CSF is considered a best practice
☐ Federal contract required it
☐ Non-federal contract required it
☐ Business partner required it
☐ Other _________________
Is NIST CSF implemented in a segment of organization or throughout the entity?
☐ Segment
☐ Throughout the organization
☐ Not Implemented
To the best of your ability, please determine the value the NIST Cybersecurity Framework has provided to these aspects of your organization. For each row, mark one column (Possible Value).

| Characterize the Cybersecurity Framework's effect with regard to: | Positive | Neutral | Negative | Non-Applicable |
|---|---|---|---|---|
| Understanding or managing cybersecurity risk | ☐ | ☐ | ☐ | ☐ |
| Managing or fulfilling cybersecurity requirements | ☐ | ☐ | ☐ | ☐ |
| Prioritizing the relative importance of cybersecurity requirements or activities | ☐ | ☐ | ☐ | ☐ |
| Determining areas for improvement and developing plans to achieve improvements | ☐ | ☐ | ☐ | ☐ |
| Reducing risk | ☐ | ☐ | ☐ | ☐ |
What was the approximate cost of the NIST CSF implementation:
Staff Time/Total Cost _________________$ thousand
Acquisitions (software and hardware)/Total Cost ________________$ thousand
What was the impact of the NIST CSF implementation on the information security (cost savings or change in practices, both short-term and long-term)?
Total cost savings ________________$ thousand
Change in practices ________________$ thousand
What was the impact on operations (cost savings or change in practices, short-term and long-term)?
Total cost savings _________________$ thousand
Change in practices _________________$ thousand
How many endpoints/hosts and servers does your organization have on the network?
Endpoints/hosts/terminals ___________
Servers __________________
What portion of the systems are you most concerned about?
☐ 10% or less ☐ 10 - less than 25% ☐ 25 - less than 50%
☐ 50% - less than 75% ☐ 75% or more ☐ Prefer not to disclose ☐ Do not know
Do you have an on-file asset inventory, data flow and core network diagram with access points documented? Please select Yes or No for each document below:
Asset Inventory ☐ Yes ☐ No
Data Flow ☐ Yes ☐ No
Core Network Diagram ☐ Yes ☐ No
Access Points Documented ☐ Yes ☐ No
Security Architecture Diagram ☐ Yes ☐ No
How is physical access to the assets managed?
☐ All physical locations of assets are documented, physical access is strictly monitored
☐ Location of SOME assets is documented, limited management of physical access
☐ Other_________________
How is remote access to the assets managed?
☐ Established usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed
☐ Connections are implemented through managed interfaces
☐ Controls have been implemented to protect all communication and control network (technology) assets
☐ Systems are monitored to detect unauthorized local, network, and remote connections.
☐ Other ________________
How is patching and remediation managed?
☐ Ad Hoc reactive patching and remediation
☐ Standard managed program with regular updates in place
☐ Established relationship with outside product and service providers
☐ Other _________________________________
Are system changes and incidents tracked?
Incidents Tracked ☐ Yes ☐ No
System Changes Tracked ☐ Yes ☐ No
If a cyber incident were to occur, how would it be handled?
☐ Ad Hoc response
☐ Cyber response plan or disaster response plan in place with POCs, roles and responsibilities identified
☐ Established relationship with outside product and service providers
Overall, how would you rate the cybersecurity maturity of your organization relative to your competitors?
☐ New to market; novice experience
☐ Beginner; beginning to develop cybersecurity processes
☐ Intermediate; some processes are in place
☐ Mature; processes are used and improved regularly
In which of the following cybersecurity focus areas could your organization improve (select all that apply)?
☐ Access and identity management
☐ Vulnerability management
☐ Antivirus/malware management
☐ Endpoint security
☐ Network security
☐ Intrusion detection and protection
☐ Secure development and testing practices
☐ Encryption management (key storage, rotation, protocol selection)
☐ Incident management and data breach response
☐ Training and awareness
[1] Last update: May 1, 2017