Introduction
Thank you for engaging with ZZ Servers, LLC. to perform a Cyber Security Risk Assessment (CSRA), enabling your organization to:
- Discover the current security position of the company
- Identify any high-risk security flaws offering easy access to criminals
- Understand the risk to the business operations
- Estimate the financial impact of a security breach
The Cyber Security Risk Assessment (CSRA) is designed to investigate the existing business practices, test staff readiness, and analyze the business technology infrastructure to determine whether the people, processes, and technology align to repel criminal cyber-attacks.
The CSRA results will provide your organization’s management with the facts regarding the business so the leadership team can make an informed decision regarding the next steps.
This CSRA Pre-Visit Checklist aims to ensure that the goals and objectives for the consulting engagement are identified in advance and that the engagement is tailored to meet your company’s needs.
The Pre-Visit Checklist is divided into the following areas:
- Consulting Engagement Guidelines and Process
- Selecting Participants
- Interview Details
- Interview Scripts and Guidelines
- Visit Logistics
Consulting Engagement Guidelines and Process
The Cyber Security Risk Assessment (CSRA) requires participation from your leadership team and all employees.
The leadership team will be interviewed. The leadership team may also nominate key individual contributors to participate in the process. In addition, all employees will be tested to determine how likely the staff is to enable and further a cyber-attack.
The success of the Cyber Security Risk Assessment (CSRA) is directly related to the open exchange of information between participants. For this reason, strict confidentiality is required. Comments made in individual interviews will be reported without attribution to a specific individual.
The Cyber Security Risk Assessment (CSRA) gathers information and evaluates the security risks in the following areas:
- Management Behavior
- Business Security Policies
- Staff (end-user) Behavior
- Physical Site Security
- Incident Response Planning
- Network Security
- Data Security
- Server-based Application Security
- Cloud-based Application Security
- Password Security and Practices
Data is gathered using two main techniques: interviews and technical scans. Select members of the management team and staff will be interviewed. The technology infrastructure will be inspected using various scanning and analysis tools.
Before starting the Cyber Security Risk Assessment engagement, we will require administrative access to your information systems, including access to your network, data, and email systems. We will confirm access before starting the Day One activities.
CSRA Exercise Schedule
The following table describes the information gathering and facilitated exercises that will be used during the consultation:
Phase | Activity | Description |
---|---|---|
On-Site | Technical Scans | ZZ Servers, LLC. CISO installs the network, data, and application scanning tools and starts the scans. This activity requires at least five (5) days. |
On-Site | Key Staff Members Group Interview (Optional; also available Off-Site) | ZZ Servers, LLC. CISO facilitates a group discussion using a standard script developed for your organization. |
On-Site | Individual Interviews (also available Off-Site) | ZZ Servers, LLC. CISO performs key interviews using a standard script based on the area of responsibility of the interviewee. |
Off-Site | Team Behavior Test | ZZ Servers, LLC. CISO kicks off the team behavior test after the technical white-listing is complete. This activity requires seven (7) days to complete. No meetings are required for this task. |
Off-Site | Data Analysis | ZZ Servers, LLC. CISO reviews responses from the management and key staff members and creates clarifying questions as needed. This may require additional interviews/meetings. |
Off-Site | Technical Scans | ZZ Servers, LLC. CISO confirms that the scans are proceeding normally and prepares an estimated time of completion. |
Off-Site | Clarifying Questions | ZZ Servers, LLC. CISO and select organization members attend video calls to review and clarify any additional questions. |
Off-Site | Cyber Security Risk Assessment Executive Briefing | ZZ Servers, LLC. Cyber Security Risk Assessment team shares and presents the results of the CSRA to the organization’s Executive Management Team. |
Off-Site | Action Plan Created | ZZ Servers, LLC. CISO facilitates exercises to develop action plan items and project deadlines. |
Off-Site | Cyber Security Risk Assessment Report Delivery | ZZ Servers, LLC. CISO delivers the final report to the organization’s Executive Sponsor. |
Off-Site | CSRA Close | ZZ Servers Cyber Security Risk Assessment team confirms that all technical tools are returned, admin access is revoked, sensitive passwords held by ZZ Servers are purged, and sensitive data held by ZZ Servers is purged. |
Selecting Participants
The ZZ Servers, LLC. cyber security team will interact with the management team and key staff members, including those responsible for paying invoices, assisting the management team, and managing supplier relationships and sales.
In the pre-visit consultation, the participants will be defined by organization, level (management or individual contributor), and area of responsibility.
The following table describes the roles and requirements of each participant.
Role | Tasks |
---|---|
CEO / Executive Sponsor | Attend the Kick-off meeting; main point of contact for the duration of the CSRA; Individual Interview participant; Attend the Closing meeting |
Team Member Manager / Supervisor(s) | Attend the Kick-off meeting; main point of contact for the duration of the CSRA; Individual Interview participant; Attend the Closing meeting |
Financial Manager / Supervisor(s) | Attend the Kick-off meeting; main point of contact for the duration of the CSRA; Individual Interview participant; Attend the Closing meeting |
Sales Manager / Supervisor(s) | Attend the Kick-off meeting; main point of contact for the duration of the CSRA; Individual Interview participant; Attend the Closing meeting |
External Marketing Sponsor(s) | Attend the Kick-off meeting; main point of contact for the duration of the CSRA; Individual Interview participant; Attend the Closing meeting |
Supplier Relationship Manager / Supervisor(s) | Attend the Kick-off meeting; main point of contact for the duration of the CSRA; Individual Interview participant; Attend the Closing meeting |
Key members of the staff team | Attend the Kick-off meeting; main point of contact for the duration of the CSRA; Group discussion interview participation |
Interview Schedule
The interview schedule is listed below, briefly describing the activity.
Activity | Attendees | Comments |
---|---|---|
CSRA Kick-off meeting | Executive Sponsor; ZZ Servers CISO | 30-minute introductory Zoom meeting discussing any questions the Executive Sponsor may have. |
Individual Participant Interviews | Selected Participants; ZZ Servers CISO | 30-minute interview per participant (in person or on Zoom). If in person, allow a 15-minute break after each participant. |
Financial Team Interviews | Financial Manager; ZZ Servers CISO | 30-minute interview per participant (in person or on Zoom). If in person, allow a 15-minute break after each participant. |
Sales Team Interviews | Sales Manager; ZZ Servers CISO | 30-minute interview per participant (in person or on Zoom). If in person, allow a 15-minute break after each participant. |
Key Individual Team Member Interview(s) | Selected Staff; ZZ Servers CISO | 45-minute facilitated group discussion with questions tailored to the organization. |
The interview scripts are reviewed before the on-site visit and may be modified to accommodate specific situations.
Interview Scripts and Guidelines
Individual Interviews
The individual interviews are designed to discover how security is handled in your organization.
For example, each member of the executive team will be asked questions about how the business operates, security policies and procedures,
Feedback received during the individual interviews typically resurfaces in a different form during the individual contributors’ (optional) group interview.
The following section shows sample interview questions for each interviewee or group. All questions are acknowledged with “Thank you.”
CEO / Executive Sponsor Interview Questions
- Would you please describe the organization’s top three (3) business objectives?
- Would you please describe the top three (3) pains concerning achieving the company goals?
- Would you please describe the role of technology in achieving these objectives?
- Would you please describe any security issues the company experienced in the past?
- Would you please describe any insurance claims the business has made in the last five (5) years?
- Would you please describe how business risk is mitigated within the company?
- Would you please describe your top five (5) business partners?
- If you could change one thing about your company, what would it be? Why?
Individual Participant Interview Questions
- Would you please describe the organization’s top three (3) business objectives?
- Would you please describe the top three (3) pains concerning achieving the company goals?
- Would you please describe your business’s relationship with the different insurance carriers?
- Would you please describe your end-to-end supply chain, focusing on the names of the companies that are most crucial to the business?
- Would you please describe how physical security is implemented in the company?
- Would you please describe how the technology in your company is secured from outside attacks?
- If you could change one thing about your existing environment, what would it be? Why?
- If you could change one thing about the current financial controls or security controls, what would it be? Why?
Financial & Sales Participant Interview Questions
- Would you please describe the organization’s top three (3) business objectives?
- Would you please describe technology’s role in achieving these objectives?
- Would you please describe how money flows in and out of the company?
- Would you please describe any security precautions you have established for transferring money within the company?
- Would you please describe who has access to sensitive financial information?
- Would you please describe who has access to financial accounts?
- Would you please describe the wire transfer process used in the company?
- Would you please describe any security issues, including but not limited to financial irregularities or fraud, that the company has experienced in the last five (5) years?
- Would you please describe how the company would proceed if an illicit transfer of funds eliminated the balance in the corporate bank accounts?
- If you could change one thing about the current financial controls or security controls, what would it be? Why?
Key Individual Interview Questions
- Would you please describe the organization’s top three (3) business objectives?
- Would you please describe the role of technology in achieving these objectives?
- Would you please describe the applications used daily?
- Would you please describe how you access your applications and data?
- Would you please describe how you work from any location other than this office?
- Would you please describe any past or current security issues during your employment with the company?
- Would you please describe how concerned you are that the company could be ransomed or otherwise attacked by cyber criminals?
- If you could change one thing about your world, other than your boss or your paycheck, what would it be? Why?
The Individual Contributor (Optional) Group Discussion
The individual contributor group discussions are open discussions where representatives from across the company describe how they work and their interactions with technology and security. The participants are given an opening question and a closing question.
The opening question is sufficiently open-ended that participants typically cover process, organizational, and product issues in an integrated manner.
The opening question is:
The closing question is:
Deliverables
The Cyber Security Risk Assessment engagement is designed to accomplish three goals:
- Determine the state of the existing cyber security and information security processes and any best practices within the organization.
- Identify any existing security gaps.
- Provide the Executive Team with a current picture of the organization’s ability and readiness to withstand a cyber-attack.
The specific deliverables for the consulting engagement are:
- Cyber Security Risk Assessment Final Report
- Cyber Security Risk Assessment Briefing
During the on-site visit, we will focus on understanding the business operations, how work is done, and the status of any security best practices used within the organization. Any policies or procedures used within the organization shall be reviewed as part of the assessment process. The final report includes recommendations that may be part of a 90-day action plan for immediate improvement following the assessment.
On-Site Visit Logistics
The on-site visit is tightly scheduled and requires prompt attendance and adherence to the schedule to accomplish the objectives. To support the schedule, the following is requested:
- A single office will be used for all interviews on day one.
- Interviewees will be asked to come to this office to eliminate any travel time issues or office interruptions.
- Administrative access to all computers, networks, and other devices connected to the network for the exclusive purpose of running detailed technical scans.
Pre-Visit Checklist
- Identify Executive Sponsor
- Identify Executive Team Members
- Send meeting notices to executive team members for interviews
- Decide if Key Individual Contributors will participate in the optional group discussion
- Identify Key Individual Contributors
- Send meeting notices to the Key Individual Contributors in the optional group discussion
- Reserve meeting rooms or Zoom times
- Ask Executive Sponsor to send a sponsorship email
Appendix
Sample Email to In-House Information Technology Team
Dear <Attendee>,
At [CLIENT NAME], we are committed to improving the operation of the company and improving our cyber defenses. We have engaged the services of ZZ Servers, LLC. to help our team understand our current situation and craft a plan to improve our company defenses.
We need your help to make this happen.
We have commissioned a Cyber Security Risk Assessment consulting engagement to define “where we are,” “where we need to be,” and a 90-day action plan to get there.
I ask that you participate in this program on <On-site date>. Your participation is required at: <Fill in as needed in your engagement>
Thanks in advance for your talent and insight. Your participation is what will make this effort a success.
[Company Executive Sponsor]