Self-Assessment: Cyber Security Risk Management
Introduction, about the Cyber Security Risk Management Self-Assessment
Defining, designing, creating, and implementing a process to solve a business challenge or meet a business
objective is the most valuable role… In EVERY company, organization and department.
Unless you are talking about a one-time, single-use project within a business, there should be a process. Whether that process
is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone with a
complex enough perspective to ask the right questions: someone capable of asking the right questions, stepping back
and saying, 'What are we really trying to accomplish here? And is there a different way to look at it?'
For more than twenty years, The Art of Service's Self-Assessments have empowered people who can do just that - whether their
title is marketer, entrepreneur, manager, salesperson, consultant, business process manager, executive assistant, IT
Manager, CxO, etc. - they are the people who rule the future. They are the people who watch the process as it happens
and ask the right questions to make the process work better.
This Self-Assessment is for managers, advisors, consultants, specialists, professionals and anyone interested in
knowing the right questions to ask.
Featuring new and updated case-based questions, organized into seven core areas of process design, this Self-Assessment will help you identify areas in which improvements can be made.
In using the questions you will be better able to:
diagnose projects, initiatives, organizations, businesses and processes using accepted diagnostic standards and practices
implement evidence-based best practice strategies aligned with overall goals
integrate recent advances in the topic and process design strategies into practice according to best practice guidelines
Using a Self-Assessment tool known as the Self-Assessment Radar Chart, you will develop a clear picture of the areas
where improvements can be made.
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
This spreadsheet has been designed for 1-10 participants and is easy to expand; multiple spreadsheets can be used to
assess with a large group, or the formulas can be modified, etc.
You can use this spreadsheet as the starting point for deeper analysis. One suggestion is to use Pivot Tables, for even
more powerful analysis, or import the data in analysis and reporting tools like Tableau, SAP, ZOHO or the Business
Intelligence tool of your choice.
You are free to use the Self-Assessment contents in your presentations and materials for customers without asking us -
we are here to help. The Art of Service has helped hundreds of clients to improve execution and meet the needs of
customers better by applying process redesign.
How can we help you? For all questions regarding this Self-Assessment or to discuss how our team can help your
business achieve true results, please visit
https://store.theartofservice.com/contact-us/
Below are the only valid entries for the assessment. This Self-Assessment is set up to process 1-10 participants'
views. When using it for fewer than 10 participants, the unused entry fields need to stay clear/empty so they do not skew the
results.
Each participant's answer is to be recorded using the drop-down box next to the question: select an answer of 1-5,
or leave it at 'Not applicable', for each question in each process area.
In my belief, the answer to the following question is clearly defined: (click 'Not applicable' under Participant
name to change value, leave at 'Not applicable' if the question is not matched to your goals/needs)
1 Strongly Disagree
2 Disagree
3 Neutral
4 Agree
5 Strongly Agree
Step 1 - Enter the names of the participants here:
Participant 1
Participant 2
Participant 3
Participant 4
Participant 5
Participant 6
Participant 7
Participant 8
Participant 9
Participant 10
Step 2 - Now have each participant answer each question for each Process area, under their name. Click 'Not
applicable' under Participant name to change value, leave at 'Not applicable' if the question is not matched to
your goals/needs.
1 Recognize Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 Who defines the rules in relation to any given issue? 5 5 2 5 5 5 5 1 4 5 42 10 4.2
2 What situation(s) led to this Cyber Security Risk Management Self Assessment? 4 5 5 3 5 5 5 5 5 5 47 10 4.7
3 Will it solve real problems? 5 1 2 5 5 5 5 5 5 5 43 10 4.3
4 Do we use IT personnel directly, use outsourcing, or use both approaches to address IT issues? 5 5 2 2 5 3 1 5 5 5 38 10 3.8
5 What do we need to start doing? 5 5 5 4 5 5 5 5 5 5 49 10 4.9
6 What vendors make products that address the Cyber Security Risk Management needs? 5 5 5 5 5 5 5 5 3 5 48 10 4.8
7 What are the business objectives to be achieved with Cyber Security Risk Management? 5 1 5 5 5 5 5 5 5 5 46 10 4.6
8 How can auditing be a preventative security measure? 5 1 5 5 5 5 5 4 5 5 45 10 4.5
9 Are controls defined to recognize and contain problems? 3 5 1 5 5 5 5 2 5 5 41 10 4.1
10 What information do users need? 2 5 5 5 5 5 5 5 5 5 47 10 4.7
11 NIST Cybersecurity Framework Criterion ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated 5 5 5 5 5 5 5 5 5 5 50 10 5
12 When a Cyber Security Risk Management manager recognizes a problem, what options are available? 5 5 3 5 2 2 5 5 5 5 42 10 4.2
13 NIST Cybersecurity Framework Criterion RS.CO-1: Personnel know their roles and order of operations when a response is needed 5 5 5 5 2 2 5 5 1 5 40 10 4
14 What training and capacity building actions are needed to implement proposed reforms? 5 5 5 5 5 5 5 4 5 5 49 10 4.9
15 NIST Cybersecurity Framework Criterion RS.CO-2: Events are reported consistent with established criteria 5 5 5 3 5 5 5 5 5 5 48 10 4.8
16 How does it fit into our organizational needs and tasks? 5 5 5 5 5 5 5 5 5 5 50 10 5
17 What should be considered when identifying available resources, constraints, and deadlines? 5 5 5 5 5 5 5 1 5 5 46 10 4.6
18 NIST Cybersecurity Framework Criterion DE.DP-4: Event detection information is communicated to appropriate parties 5 5 5 5 5 3 5 5 5 5 48 10 4.8
19 Is remote maintenance of organizational assets approved, logged, and performed in a manner that prevents unauthorized access? 5 5 5 5 5 5 5 5 5 2 47 10 4.7
20 Why do we need to keep records? 5 5 5 5 5 5 5 5 5 4 49 10 4.9
21 What else needs to be measured? 5 5 5 5 5 5 3 5 5 3 46 10 4.6
22 Do we support the certified Cybersecurity professional and cyber-informed operations and engineering professionals with advanced problem-solving tools, communities of practice, canonical knowledge bases, and other performance support tools? 5 5 5 5 5 2 5 5 3 5 45 10 4.5
23 Who else hopes to benefit from it? 5 5 5 2 5 2 5 1 5 5 40 10 4
24 For your Cyber Security Risk Management project, identify and describe the business environment. Is there more than one layer to the business environment? 5 5 5 4 5 2 5 5 5 5 46 10 4.6
25 What is the smallest subset of the problem we can usefully solve? 4 2 5 5 5 5 5 5 5 5 46 10 4.6
26 NIST Cybersecurity Framework Criterion PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access 1 5 5 5 5 5 5 5 4 5 45 10 4.5
27 How much are sponsors, customers, partners, stakeholders involved in Cyber Security Risk Management? In other words, what are the risks, if Cyber Security Risk Management does not deliver successfully? 5 5 3 5 5 5 5 5 5 2 45 10 4.5
28 Does our organization need more Cyber Security Risk Management education? 5 5 5 5 5 5 5 5 5 5 50 10 5
29 What's de-identified? 5 5 4 5 5 5 1 5 5 1 41 10 4.1
30 Will a response program recognize when a crisis occurs and provide some level of response? 2 4 5 4 5 5 5 5 2 1 38 10 3.8
31 Can Management personnel recognize the monetary benefit of Cyber Security Risk Management? 5 5 5 5 5 1 5 3 5 5 44 10 4.4
32 How are the Cyber Security Risk Management's objectives aligned to the organization’s overall business strategy? 2 5 5 5 3 4 5 4 5 5 43 10 4.3
33 How do we Identify specific Cyber Security Risk Management investment and emerging trends? 5 5 5 5 5 5 5 5 5 5 50 10 5
34 Have we articulated reporting elements for the kinds of information you disclose in the event of an attack? 5 5 5 5 5 5 5 3 5 5 48 10 4.8
35 As a sponsor, customer or management, how important is it to meet goals, objectives? 2 5 5 5 5 5 5 2 5 5 44 10 4.4
36 Will new equipment/products be required to facilitate Cyber Security Risk Management delivery for example is new software needed? 5 5 5 5 5 5 5 5 5 5 50 10 5
37 Does Cyber Security Risk Management create potential expectations in other areas that need to be recognized and considered? 5 5 3 5 5 1 1 5 5 5 40 10 4
38 What would happen if Cyber Security Risk Management weren’t done? 5 5 5 5 5 5 5 5 5 2 47 10 4.7
39 What tools and technologies are needed for a custom Cyber Security Risk Management project? 5 5 5 5 5 5 5 5 5 5 50 10 5
40 How do you identify the information basis for later specification of performance or acceptance criteria? 5 5 5 5 3 5 5 5 5 5 48 10 4.8
41 Are there any specific expectations or concerns about the Cyber Security Risk Management team, Cyber Security Risk Management itself? 1 5 5 5 5 5 5 5 5 5 46 10 4.6
42 Think about the people you identified for your Cyber Security Risk Management project and the project responsibilities you would assign to them. What kind of training do you think they would need to perform these responsibilities effectively? 5 4 5 5 5 5 5 5 5 5 49 10 4.9
43 What does Cyber Security Risk Management success mean to the stakeholders? 5 5 5 5 5 5 5 5 5 5 50 10 5
44 What prevents me from making the changes I know will make me a more effective Cyber Security Risk Management leader? 4 4 1 2 5 5 5 5 5 4 40 10 4
45 What problems are you facing and how do you consider Cyber Security Risk Management will circumvent those obstacles? 5 5 5 5 5 5 5 4 5 5 49 10 4.9
46 NIST Cybersecurity Framework Criterion ID.BE-1: The organization’s role in the supply chain is identified and communicated 5 5 4 5 5 5 5 5 5 5 49 10 4.9
47 What is the framework we use for general Cybersecurity certifications that integrate both knowledge and skill while predicting constraints of innate abilities on performance, and do we need specific certifications? 5 5 5 5 5 5 2 3 5 5 45 10 4.5
48 How do you identify the kinds of information that you will need? 4 5 5 5 5 3 5 5 1 5 43 10 4.3
49 Do we know what we need to know about this topic? 5 5 5 5 5 5 5 5 5 5 50 10 5
50 What reporting occurs in the event of an attempted Cybersecurity breach, successful or not? 5 5 5 5 5 5 3 5 5 5 48 10 4.8
51 Are there recognized Cyber Security Risk Management problems? 5 5 5 5 5 5 5 5 5 2 47 10 4.7
52 NIST Cybersecurity Framework Criterion RC.CO-2: Reputation after an event is repaired 5 5 5 1 4 3 5 5 1 5 39 10 3.9
53 Is it clear when you think of the day ahead of you what activities and tasks you need to complete? 5 5 5 1 5 5 5 4 5 5 45 10 4.5
54 Will Cyber Security Risk Management deliverables need to be tested and, if so, by whom? 5 5 5 3 5 5 5 5 5 5 48 10 4.8
55 Does the company collect personally identifiable information electronically? 5 5 3 5 4 5 5 5 5 5 47 10 4.7
56 What are the expected benefits of Cyber Security Risk Management to the business? 5 5 5 5 5 5 3 5 5 5 48 10 4.8
57 What prevents me from making the changes I know will make me a more effective leader? 2 5 5 5 5 5 5 5 5 1 43 10 4.3
58 Are there Cyber Security Risk Management problems defined? 5 5 5 5 5 5 5 5 5 5 50 10 5
59 How are we going to measure success? 1 1 5 5 5 5 5 5 5 5 42 10 4.2
SCORE 262 273 268 269 283 263 274 266 274 267 2699 590 4.6
2 Define Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 What would be the goal or target for a Cyber Security Risk Management's improvement team? 4 5 4 4 3 5 4 4 4 5 42 10 4.2
2 Is the team sponsored by a champion or business leader? 5 5 5 5 5 5 5 4 5 4 48 10 4.8
3 When was the Cyber Security Risk Management start date? 4 1 5 4 1 5 5 4 4 2 35 10 3.5
4 Is Cyber Security Risk Management linked to key business goals and objectives? 4 4 5 5 5 4 4 4 5 4 44 10 4.4
5 What are the current regulatory and regulatory reporting requirements in the United States (e.g. local, state, national, and other) for organizations relating to Cybersecurity? 5 4 4 4 4 5 5 4 5 1 41 10 4.1
6 Are customer(s) identified and segmented according to their different needs and requirements? 5 4 4 4 2 5 5 2 2 5 38 10 3.8
7 Is there regularly 100% attendance at the team meetings? If not, have appointed substitutes attended to preserve cross-functionality and full representation? 3 4 3 4 5 5 4 5 5 3 41 10 4.1
8 Is there a completed SIPOC representation, describing the Suppliers, Inputs, Process, Outputs, and Customers? 5 4 1 4 3 5 5 4 5 4 40 10 4
9 Is full participation by members in regularly held team meetings guaranteed? 3 4 4 4 5 4 5 3 4 3 39 10 3.9
10 What constraints exist that might impact the team? 5 5 5 3 5 5 3 5 4 1 41 10 4.1
11 Have all of the relationships been defined properly? 3 5 5 5 5 4 5 5 5 4 46 10 4.6
12 Are accountability and ownership for Cyber Security Risk Management clearly defined? 4 2 5 2 4 4 4 5 4 1 35 10 3.5
13 Do the requirements that we've gathered and the models that demonstrate them constitute a full and accurate representation of what we want? 5 4 5 5 5 5 4 5 5 4 47 10 4.7
14 Has a high-level ‘as is’ process map been completed, verified and validated? 5 4 5 5 5 4 5 4 4 5 46 10 4.6
15 NIST Cybersecurity Framework Criterion DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability 5 5 4 4 4 5 5 4 5 4 45 10 4.5
16 What Organizational Structure is Required? 5 4 5 4 4 4 1 3 4 4 38 10 3.8
17 Does Cyber Security Risk Management include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist? 5 2 4 5 4 4 4 5 4 5 42 10 4.2
18 Are business processes mapped? 4 4 5 4 2 4 4 5 5 4 41 10 4.1
19 What performance requirements do you want from the company? 4 5 4 5 1 5 3 5 5 1 38 10 3.8
20 How would you define the culture here? 4 4 4 4 5 5 2 5 4 5 42 10 4.2
21 Are there any constraints known that bear on the ability to perform Cyber Security Risk Management work? How is the team addressing them? 2 4 4 5 3 5 4 5 4 5 41 10 4.1
22 In what way can we redefine the criteria of choice clients have in our category in our favor? 4 4 4 5 5 4 4 5 4 4 43 10 4.3
23 Are customers identified and high impact areas defined? 4 4 5 4 5 5 5 5 5 4 46 10 4.6
24 NIST Cybersecurity Framework Criterion DE.DP-2: Detection activities comply with all applicable requirements 5 3 5 4 4 5 4 2 4 4 40 10 4
25 What are the security information requirements of Cybersecurity stakeholders? 5 5 4 4 5 4 5 5 5 1 43 10 4.3
26 Has a project plan, Gantt chart, or similar been developed/completed? 5 4 5 5 5 4 3 4 5 5 45 10 4.5
27 Do we all define Cyber Security Risk Management in the same way? 2 4 4 2 4 3 5 4 5 1 34 10 3.4
28 Are we specifically expressing Cybersecurity requirements to our partners, suppliers, and other third parties? 5 2 4 4 4 5 4 4 4 1 37 10 3.7
29 Is Cyber Security Risk Management currently on schedule according to the plan? 5 5 5 5 5 5 5 5 3 4 47 10 4.7
30 Is a fully trained team formed, supported, and committed to work on the Cyber Security Risk Management improvements? 5 4 4 4 5 5 5 2 5 4 43 10 4.3
31 Have the customer needs been translated into specific, measurable requirements? How? 5 5 5 4 5 4 5 5 4 4 46 10 4.6
32 Has a team charter been developed and communicated? 3 5 5 4 5 5 4 4 1 5 41 10 4.1
33 What are the boundaries of the scope? What is in bounds and what is not? What is the start point? What is the stop point? 5 5 4 5 5 4 5 4 4 5 46 10 4.6
34 How and when will baselines be defined? 5 4 3 5 5 5 5 4 4 5 45 10 4.5
35 Has anyone else (internal or external to the organization) attempted to solve this problem or a similar one before? If so, what knowledge can be leveraged from these previous efforts? 5 5 2 4 4 4 5 5 4 5 43 10 4.3
36 Has everyone on the team, including the team leaders, been properly trained? 4 5 5 4 4 4 4 4 1 5 40 10 4
37 Are there different segments of customers? 4 4 1 5 4 4 5 5 4 5 41 10 4.1
38 How did the Cyber Security Risk Management manager receive input to the development of a Cyber Security Risk Management improvement plan and the estimated completion dates/times of each activity? 5 4 4 5 4 4 5 5 5 5 46 10 4.6
39 How would one define Cyber Security Risk Management leadership? 4 4 4 3 5 5 4 5 5 2 41 10 4.1
40 Has the direction changed at all during the course of Cyber Security Risk Management? If so, when did it change and why? 4 4 4 4 4 5 5 4 5 5 44 10 4.4
41 Are team charters developed? 1 4 1 5 4 4 4 4 3 4 34 10 3.4
42 What are the compelling business reasons for embarking on Cyber Security Risk Management? 4 2 3 5 5 1 4 5 5 5 39 10 3.9
43 Is data collected and displayed to better understand customer(s) critical needs and requirements? 5 4 5 5 4 4 5 4 3 2 41 10 4.1
44 Will team members perform Cyber Security Risk Management work when assigned and in a timely fashion? 5 1 4 4 5 5 1 4 5 2 36 10 3.6
45 Is the improvement team aware of the different versions of a process: what they think it is vs. what it actually is vs. what it should be vs. what it could be? 4 5 5 5 4 5 5 3 5 5 46 10 4.6
46 Are approval levels defined for contracts and supplements to contracts? 3 4 4 1 4 4 5 1 5 1 32 10 3.2
47 How is the team tracking and documenting its work? 4 5 5 5 4 4 2 5 4 5 43 10 4.3
48 Will team members regularly document their Cyber Security Risk Management work? 4 4 4 5 4 4 4 4 4 4 41 10 4.1
49 Are improvement team members fully trained on Cyber Security Risk Management? 3 1 5 4 4 4 4 4 4 4 37 10 3.7
50 Are different versions of process maps needed to account for the different types of inputs? 5 5 4 5 5 3 5 4 4 3 43 10 4.3
51 What customer feedback methods were used to solicit their input? 4 5 5 2 5 2 4 5 4 5 41 10 4.1
52 What sources do you use to gather information for a Cyber Security Risk Management study? 4 4 5 5 2 4 5 4 3 4 40 10 4
53 When are meeting minutes sent out? Who is on the distribution list? 1 5 4 4 4 3 4 4 4 4 37 10 3.7
54 What baselines are required to be defined and managed? 2 1 3 4 4 4 5 1 4 4 32 10 3.2
55 Are task requirements clearly defined? 5 5 5 1 5 4 4 5 4 4 42 10 4.2
56 If substitutes have been appointed, have they been briefed on the Cyber Security Risk Management goals and received regular communications as to the progress to date? 5 5 3 4 5 5 4 5 1 1 38 10 3.8
57 Is there a critical path to deliver Cyber Security Risk Management results? 4 4 4 5 4 5 4 4 5 3 42 10 4.2
58 Is the current ‘as is’ process being followed? If not, what are the discrepancies? 4 4 4 5 5 5 5 5 4 4 45 10 4.5
59 Is the team formed and are team leaders (Coaches and Management Leads) assigned? 5 5 5 5 5 3 5 4 5 5 47 10 4.7
60 When is the estimated completion date? 4 5 5 4 1 4 2 5 5 3 38 10 3.8
61 How does the Cyber Security Risk Management manager ensure against scope creep? 4 5 5 4 5 4 3 5 4 5 44 10 4.4
62 Is it clearly defined in and to your organization what you do? 4 4 5 5 4 5 4 4 4 4 43 10 4.3
63 Is the team equipped with available and reliable resources? 4 4 5 4 4 5 5 5 3 5 44 10 4.4
64 Has/have the customer(s) been identified? 5 1 5 5 5 4 4 5 5 4 43 10 4.3
65 Is there a Cyber Security Risk Management management charter, including business case, problem and goal statements, scope, milestones, roles and responsibilities, communication plan? 4 4 5 5 4 5 4 1 5 3 40 10 4
66 In what way can we redefine the criteria of choice in our category in our favor, as Method introduced style and design to cleaning and Virgin America returned glamor to flying? 4 4 5 5 5 4 4 4 2 5 42 10 4.2
67 How will variation in the actual durations of each activity be dealt with to ensure that the expected Cyber Security Risk Management results are met? 4 3 5 5 4 5 4 2 5 4 41 10 4.1
68 Are we currently required to report any cyber incidents to any federal or state agencies? 5 4 5 4 5 4 2 4 4 4 41 10 4.1
69 What key business process output measure(s) does Cyber Security Risk Management leverage and how? 4 4 4 5 4 5 2 5 3 4 40 10 4
70 How will the Cyber Security Risk Management team and the organization measure complete success of Cyber Security Risk Management? 4 5 5 4 4 4 4 5 4 5 44 10 4.4
71 Does the team have regular meetings? 5 5 5 4 4 3 3 3 5 4 41 10 4.1
72 Is the Cyber Security Risk Management scope manageable? 5 5 4 5 3 5 4 5 4 5 45 10 4.5
73 What specifically is the problem? Where does it occur? When does it occur? What is its extent? 1 5 4 1 3 5 5 5 5 4 38 10 3.8
74 What defines Best in Class? 2 5 4 5 5 1 5 5 5 4 41 10 4.1
75 What are the rough order estimates on cost savings/opportunities that Cyber Security Risk Management brings? 5 1 5 5 5 1 5 4 4 5 40 10 4
76 Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)? 5 4 1 4 4 4 3 5 4 4 38 10 3.8
77 Have specific policy objectives been defined? 4 5 2 4 5 2 1 5 4 4 36 10 3.6
78 How often are the team meetings? 5 4 2 2 5 4 4 4 4 4 38 10 3.8
79 Is there a schedule for required password updates from default vendor or manufacturer passwords? 3 4 4 2 4 5 4 4 2 4 36 10 3.6
80 What tools and roadmaps did you use for getting through the Define phase? 5 1 4 4 4 2 4 4 2 5 35 10 3.5
81 What are the dynamics of the communication plan? 4 5 4 4 5 4 4 5 5 4 44 10 4.4
82 Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team? 3 1 5 4 5 5 4 5 4 5 41 10 4.1
83 How do you keep key subject matter experts in the loop? 4 2 2 4 5 4 4 4 4 5 38 10 3.8
84 Are audit criteria, scope, frequency and methods defined? 4 5 5 5 4 4 4 5 5 4 45 10 4.5
85 Has the Cyber Security Risk Management work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed? 1 5 1 4 5 4 4 4 5 5 38 10 3.8
86 Is the scope of Cyber Security Risk Management defined? 5 4 5 4 4 4 5 4 5 5 45 10 4.5
87 What are the Roles and Responsibilities for each team member and its leadership? Where is this documented? 4 5 2 5 4 5 2 5 5 4 41 10 4.1
88 Are Required Metrics Defined? 4 3 4 5 4 4 4 5 4 1 38 10 3.8
89 What scope do you want your strategy to cover? 4 5 5 5 4 5 4 4 1 5 42 10 4.2
90 How can the value of Cyber Security Risk Management be defined? 4 5 4 4 3 4 1 3 5 4 37 10 3.7
91 Are roles and responsibilities formally defined? 2 4 2 5 5 5 4 5 5 5 42 10 4.2
92 Do the problem and goal statements meet the SMART criteria (specific, measurable, attainable, relevant, and time-bound)? 2 4 5 5 4 4 4 4 4 4 40 10 4
93 How and when will baselines be defined? 5 4 5 5 3 5 5 5 5 5 47 10 4.7
94 NIST Cybersecurity Framework Criterion ID.BE-5: Resilience requirements to support delivery of critical services are established 4 4 4 3 4 5 4 2 4 4 38 10 3.8
95 What critical content must be communicated – who, what, when, where, and how? 4 4 5 5 5 3 3 5 4 4 42 10 4.2
96 Have all basic functions of Cyber Security Risk Management been defined? 5 5 5 5 4 5 5 4 4 4 46 10 4.6
97 Are security/privacy roles and responsibilities formally defined? 5 4 3 4 4 5 4 5 1 4 39 10 3.9
98 How was the ‘as is’ process map developed, reviewed, verified and validated? 5 4 5 5 1 4 1 5 3 2 35 10 3.5
99 Is there a completed, verified, and validated high-level ‘as is’ (not ‘should be’ or ‘could be’) business process map? 5 5 4 4 3 5 3 5 5 4 43 10 4.3
100 Who defines (or who defined) the rules and roles? 5 4 4 5 4 5 4 3 5 3 42 10 4.2
101 Who are the Cyber Security Risk Management improvement team members, including Management Leads and Coaches? 5 5 5 5 4 5 3 4 4 4 44 10 4.4
SCORE 415 405 418 429 420 429 404 426 415 391 4152 1010 4.1
3 Measure Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 Do you participate in sharing communication, analysis, and mitigation measures with other companies as part of a mutual network of defense? 3 5 3 5 5 3 5 3 3 5 40 10 4
2 Among the Cyber Security Risk Management product and service cost to be estimated, which is considered hardest to estimate? 4 1 5 4 2 4 4 5 4 5 38 10 3.8
3 How will measures be used to manage and adapt? 5 5 3 3 4 5 3 4 3 3 38 10 3.8
4 How Will We Measure Success? 4 4 5 3 3 3 3 3 5 4 37 10 3.7
5 What is the right balance of time and resources between investigation, analysis, and discussion and dissemination? 4 3 4 5 3 5 3 3 3 4 37 10 3.7
6 Are there measurements based on task performance? 3 3 4 4 3 3 4 3 4 3 34 10 3.4
7 Where is it measured? 4 5 4 4 4 1 3 3 4 4 36 10 3.6
8 Do we effectively measure and reward individual and team performance? 5 4 4 5 5 4 4 5 4 3 43 10 4.3
9 Do we aggressively reward and promote the people who have the biggest impact on creating excellent Cyber Security Risk Management services/products? 4 4 5 3 4 3 5 5 1 5 39 10 3.9
10 How do we measure the effectiveness of our Cybersecurity program? 4 3 2 5 5 4 5 5 5 4 42 10 4.2
11 How do we focus on what is right - not who is right? 4 3 4 2 3 3 3 5 1 4 32 10 3.2
12 What potential environmental factors impact the Cyber Security Risk Management effort? 5 3 5 3 4 2 4 4 1 4 35 10 3.5
13 How to measure variability? 3 5 3 4 5 4 5 5 3 1 38 10 3.8
14 Why should we expend time and effort to implement measurement? 4 5 5 1 5 5 4 5 1 1 36 10 3.6
15 What are the key input variables? What are the key process variables? What are the key output variables? 5 5 2 3 4 4 5 4 5 5 42 10 4.2
16 How can you measure Cyber Security Risk Management in a systematic way? 5 3 5 4 5 2 5 3 4 3 39 10 3.9
17 Is performance measured? 2 4 5 4 3 3 3 5 3 3 35 10 3.5
18 Does Cyber Security Risk Management analysis isolate the fundamental causes of problems? 4 4 3 5 4 5 3 5 4 5 42 10 4.2
19 Which methods and measures do you use to determine workforce engagement and workforce satisfaction? 4 5 5 3 2 4 3 3 4 5 38 10 3.8
20 Will We Aggregate Measures across Priorities? 3 3 1 4 4 3 4 5 3 5 35 10 3.5
21 What has the team done to assure the stability and accuracy of the measurement process? 4 5 3 5 3 5 4 5 4 3 41 10 4.1
22 Is there a Performance Baseline? 5 4 3 3 2 4 5 4 2 4 36 10 3.6
23 Is it possible to estimate the impact of unanticipated complexity such as wrong or failed assumptions, feedback, etc. on proposed reforms? 5 5 3 3 5 3 5 5 3 1 38 10 3.8
24 How are you going to measure success? 5 3 5 4 4 4 5 3 3 4 40 10 4
25 Meeting the Challenge: Are Missed Cyber Security Risk Management opportunities Costing you Money? 5 4 5 4 3 3 1 3 4 4 36 10 3.6
26 How will you measure your Cyber Security Risk Management effectiveness? 4 3 3 2 5 3 5 5 4 4 38 10 3.8
27 Does Cyber Security Risk Management analysis show the relationships among important Cyber Security Risk Management factors? 4 4 5 2 4 4 3 5 3 5 39 10 3.9
28 Is data collection planned and executed? 4 3 5 3 5 5 4 4 3 4 40 10 4
29 Who participated in the data collection for measurements? 3 3 3 2 3 4 5 3 5 5 36 10 3.6
30 Does the Cyber Security Risk Management task fit the client's priorities? 2 4 1 4 3 4 3 1 3 3 28 10 2.8
31 Do you use contingency-driven consequence analysis? 5 5 2 4 3 3 4 5 4 5 40 10 4
32 How is the value delivered by Cyber Security Risk Management being measured? 3 3 1 5 3 4 3 5 4 3 34 10 3.4
33 What will be measured? 5 5 3 5 3 5 4 4 3 4 41 10 4.1
34 NIST Cybersecurity Framework Criterion ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis 3 4 5 4 2 1 5 5 5 4 38 10 3.8
35 What is measured? 4 3 5 5 3 4 3 3 3 3 36 10 3.6
36 NIST Cybersecurity Framework Criterion ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk 3 5 2 4 5 3 4 5 4 4 39 10 3.9
37 Have changes been properly/adequately analyzed for effect? 3 3 5 1 4 4 3 3 3 4 33 10 3.3
38 How is Knowledge Management Measured? 3 3 4 2 4 3 5 3 3 5 35 10 3.5
39 NIST Cybersecurity Framework Criterion ID.RA-4: Potential business impacts and likelihoods are identified 3 4 4 5 3 4 2 2 3 2 32 10 3.2
40 How do we prioritize risks? 3 2 5 3 4 3 4 5 3 4 36 10 3.6
41 What data was collected (past, present, future/ongoing)? 4 5 5 3 4 4 3 3 3 4 38 10 3.8
42 Do we provide the right level of specificity and guidance for mitigating the impact of Cybersecurity measures on privacy and civil liberties? 5 5 4 4 4 5 4 3 4 4 42 10 4.2
43 Why do measures/indicators matter? 5 4 3 5 2 1 3 5 3 5 36 10 3.6
44 NIST Cybersecurity Framework Criterion ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value 3 3 4 1 1 4 4 2 5 3 30 10 3
45 How will success or failure be measured? 4 5 4 1 4 5 1 4 4 3 35 10 3.5
46 What about Cyber Security Risk Management Analysis of results? 4 4 4 4 3 4 3 5 5 3 39 10 3.9
47 NIST Cybersecurity Framework Criterion DE.AE-2: Detected events are analyzed to understand attack targets and methods 3 5 3 5 4 4 2 1 4 3 34 10 3.4
48 Is key measure data collection planned and executed, process variation displayed and communicated and performance baselined? 3 4 5 4 5 5 3 3 4 5 41 10 4.1
49 Who should receive measurement reports? 3 2 4 4 3 5 4 3 3 3 34 10 3.4
50 Is long term and short term variability accounted for? 4 5 5 4 3 2 2 4 3 3 35 10 3.5
51 What methods are feasible and acceptable to estimate the impact of reforms? 5 5 4 4 5 4 5 4 3 3 42 10 4.2
52 NIST Cybersecurity Framework Criterion PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity 4 5 4 4 5 3 3 5 5 5 43 10 4.3
53 Have the concerns of stakeholders to help identify and define potential barriers been obtained and analyzed? 4 4 4 5 5 4 4 2 4 3 39 10 3.9
54 Customer Measures: How Do Customers See Us? 4 5 3 4 4 2 3 3 3 2 33 10 3.3
55 Are key measures identified and agreed upon? 3 3 5 5 5 4 3 4 5 5 42 10 4.2
56 NIST Cybersecurity Framework Criterion ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated 3 5 2 4 5 3 1 5 3 4 35 10 3.5
57 How do you determine which systems, components and functions get priority in regard to implementation of new Cybersecurity measures? 4 3 1 5 5 4 3 1 4 5 35 10 3.5
58 Are you taking your company in the direction of better and revenue or cheaper and cost? 1 4 4 5 3 3 3 4 3 5 35 10 3.5
59 What are my customers' expectations and measures? 4 3 4 2 3 5 5 4 3 4 37 10 3.7
60 Have you found any ‘ground fruit’ or ‘low-hanging fruit’ for immediate remedies to the gap in performance? 3 4 2 3 4 3 4 3 3 4 33 10 3.3
61 There are two philosophical approaches to implementing Cybersecurity on an intelligent, networked grid: create a checklist of actions to take that address known security problems, or prioritize actions based on continually refreshing the answer to the question, “What makes my system more secure?” Which approach do we take? 5 4 5 4 3 5 4 3 4 4 41 10 4.1
62 Does Cyber Security Risk Management systematically track and analyze outcomes for accountability and quality improvement? 4 4 3 3 5 5 5 3 2 4 38 10 3.8
63 What are the uncertainties surrounding estimates of impact? 4 4 4 3 4 2 3 4 5 4 37 10 3.7
64 How are measurements made? 4 4 5 1 5 4 4 5 1 3 36 10 3.6
65 How is progress measured? 3 3 3 3 3 3 1 2 4 3 28 10 2.8
66 How do you measure success? 4 3 5 5 5 5 5 1 4 5 42 10 4.2
67 Why Measure? 4 5 4 4 4 4 4 5 3 4 41 10 4.1
68 Meeting the challenge: are missed Cyber Security Risk Management opportunities costing us money? 5 5 3 4 4 3 1 5 5 4 39 10 3.9
69 NIST Cybersecurity Framework Criterion ID.RA-6: Risk responses are identified and prioritized 3 4 3 5 4 2 3 4 5 5 38 10 3.8
70 What charts has the team used to display the components of variation in the process? 4 4 5 4 5 5 5 4 5 2 43 10 4.3
71 Why do the measurements/indicators matter? 4 5 2 5 3 4 3 3 5 5 39 10 3.9
72 Does the practice systematically track and analyze outcomes for accountability and quality improvement? 4 3 3 3 5 5 4 3 5 5 40 10 4
73 How can we measure the performance? 3 4 4 5 3 3 5 1 5 4 37 10 3.7
74 How do you prioritize risks? 3 1 5 3 5 4 3 5 3 5 37 10 3.7
75 What evidence is there and what is measured? 2 5 4 5 5 5 5 1 3 5 40 10 4
76 Is a solid data collection plan established that includes measurement systems analysis? 5 5 5 5 5 5 4 3 5 5 47 10 4.7
77 Was a data collection plan established? 3 1 5 3 5 4 4 5 5 4 39 10 3.9
78 What is an unallowable cost? 5 4 5 5 5 3 5 3 3 2 40 10 4
79 Are we taking our company in the direction of better and revenue or cheaper and cost? 3 3 5 5 3 4 5 4 4 3 39 10 3.9
80 Are priorities and opportunities deployed to your suppliers, partners, and collaborators to ensure organizational alignment? 4 3 3 3 5 3 3 5 5 5 39 10 3.9
81 Are the units of measure consistent? 3 1 2 5 4 3 3 1 2 5 29 10 2.9
82 What Relevant Entities could be measured? 4 4 5 3 5 3 4 3 5 3 39 10 3.9
83 Why focus on Cybersecurity & resilience? 3 3 3 4 3 4 3 4 4 5 36 10 3.6
84 How will effects be measured? 4 1 5 4 5 4 5 2 4 3 37 10 3.7
85 Can We Measure the Return on Analysis? 5 3 4 5 3 3 3 5 4 3 38 10 3.8
86 What measurements are being captured? 1 3 3 4 4 5 4 5 5 2 36 10 3.6
87 Have all non-recommended alternatives been analyzed in sufficient detail? 2 4 4 4 3 3 3 3 5 4 35 10 3.5
88 Are process variation components displayed/communicated using suitable charts, graphs, plots? 3 3 4 5 5 5 4 5 4 3 41 10 4.1
89 What particular quality tools did the team find helpful in establishing measurements? 4 4 3 5 5 4 5 3 5 3 41 10 4.1
90 What are the types and number of measures to use? 4 5 5 4 4 3 3 4 3 3 38 10 3.8
91 How frequently do we track measures? 5 3 3 4 5 1 5 4 4 4 38 10 3.8
92 Is this an issue for analysis or intuition? 5 5 3 5 3 4 5 4 4 2 40 10 4
93 NIST Cybersecurity Framework Criterion RS.AN-2: The impact of the incident is understood 4 4 5 3 3 3 4 5 5 5 41 10 4.1
94 How do you identify and analyze stakeholders and their interests? 4 5 4 3 3 2 3 1 5 5 35 10 3.5
95 Are high impact defects defined and identified in the business process? 4 4 3 5 2 3 4 5 5 5 40 10 4
96 Which Stakeholder Characteristics Are Analyzed? 4 5 4 4 3 4 5 5 3 3 40 10 4
97 What should be measured? 4 5 3 1 3 5 4 3 4 3 35 10 3.5
98 Which customers can't participate in our Cyber Security Risk Management domain because they lack skills, wealth, or convenient access to existing solutions? 1 5 5 3 5 3 3 3 5 3 36 10 3.6
99 NIST Cybersecurity Framework Criterion DE.AE-4: Impact of events is determined 4 5 3 3 5 5 4 2 3 4 38 10 3.8
100 Do staff have the necessary skills to collect, analyze, and report data? 2 5 5 5 1 3 5 2 4 5 37 10 3.7
101 Which customers can't participate in our market because they lack skills, wealth, or convenient access to existing solutions? 1 4 4 1 3 4 5 5 3 4 34 10 3.4
102 What do the charts tell us in terms of variation? 3 5 4 4 5 1 5 1 3 3 34 10 3.4
103 What key measures identified indicate the performance of the business process? 5 5 3 4 5 5 5 4 4 4 44 10 4.4
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
104 Have the types of risks that may impact Cyber Security Risk Management been identified and analyzed? 1 4 3 3 5 5 1 5 1 4 32 10 3.2
105 Are losses documented, analyzed, and remedial processes developed to prevent future losses? 5 3 4 4 5 5 5 4 5 4 44 10 4.4
106 How do we do risk analysis of rare, cascading, catastrophic events? 3 4 4 2 4 5 3 5 5 4 39 10 3.9
107 When is Knowledge Management Measured? 3 3 5 1 3 3 4 3 4 2 31 10 3.1
108 Not all cyber-connected assets are essential to protect at all cost. Some assets, however, are “crown jewels” – worth protecting at all costs. Other assets may be more like “paperclips” where the expense of protection exceeds the benefit. How do you tell the difference? 3 5 2 3 4 2 3 3 3 5 33 10 3.3
109 How to measure lifecycle phases? 4 5 5 3 5 3 4 3 5 4 41 10 4.1
110 What are our key indicators that you will measure, analyze and track? 1 4 3 3 3 5 4 4 3 3 33 10 3.3
111 What are the costs of reform? 5 4 3 3 4 5 3 4 3 5 39 10 3.9
112 How large is the gap between current performance and the customer-specified (goal) performance? 2 4 4 2 3 1 4 3 4 4 31 10 3.1
113 What to measure and why? 3 4 4 5 4 5 3 5 4 4 41 10 4.1
114 What are measures? 5 5 3 5 4 3 3 3 3 3 37 10 3.7
115 Why identify and analyze stakeholders and their interests? 2 4 5 4 3 4 4 2 5 5 38 10 3.8
116 Is the solution cost-effective? 3 5 3 4 3 3 5 3 1 4 34 10 3.4
117 Is data collected on key measures that were identified? 3 4 5 4 3 3 5 1 3 4 35 10 3.5
118 What measurements are possible, practicable and meaningful? 3 3 5 3 5 4 4 5 3 4 39 10 3.9
119 How will your organization measure success? 5 3 4 5 4 1 4 5 3 4 38 10 3.8
120 What are the agreed upon definitions of the high impact areas, defect(s), unit(s), and opportunities that will figure into the process capability metrics? 3 3 2 3 4 1 3 5 2 3 29 10 2.9
121 Do we aggressively reward and promote the people who have the biggest impact on creating excellent products? 5 2 3 3 5 3 2 5 3 3 34 10 3.4
122 Is Process Variation Displayed/Communicated? 3 5 5 3 3 4 5 3 3 5 39 10 3.9
123 Are there any easy-to-implement alternatives to Cyber Security Risk Management? Sometimes other solutions are available that do not require the cost implications of a full-blown project? 3 4 4 3 5 4 1 3 5 4 36 10 3.6
124 Are the measurements objective? 3 5 4 5 4 5 4 2 5 4 41 10 4.1
SCORE 451 483 471 457 481 449 462 453 455 474 4636 1240 3.7
4 Analyze Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 Does our organization have a Cybersecurity Risk Management process that is functioning and repeatable? 3 4 3 3 4 3 4 4 4 1 33 10 3.3
2 Does our company communicate to employees the process for reporting and containing compromise? 1 3 4 3 4 3 3 1 3 3 28 10 2.8
3 What other jobs or tasks affect the performance of the steps in the Cyber Security Risk Management process? 3 4 1 4 3 4 4 4 1 4 32 10 3.2
4 NIST Cybersecurity Framework Criterion DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed 1 3 3 3 4 3 4 3 4 3 31 10 3.1
5 Is the supplier's process defined and controlled? 5 3 4 4 2 3 5 4 4 2 36 10 3.6
6 What are your current levels and trends in key measures or indicators of Cyber Security Risk Management product and process performance that are important to and directly serve your customers? How do these results compare with the performance of your competitors and other organizations with similar offerings? 3 3 3 3 3 4 3 3 5 4 34 10 3.4
7 Have the problem and goal statements been updated to reflect the additional knowledge gained from the analyze phase? 3 3 2 4 5 3 4 3 4 5 36 10 3.6
8 How often will data be collected for measures? 3 3 3 3 2 4 4 3 4 4 33 10 3.3
9 Are you aware of anyone attempting (whether successfully or not) to gain unauthorized access to your system or its data? 3 4 3 3 3 4 3 3 3 3 32 10 3.2
10 Were there any improvement opportunities identified from the process analysis? 3 4 3 3 3 3 3 3 4 4 33 10 3.3
11 Identify an operational issue in your organization. For example, could a particular task be done more quickly or more efficiently? 5 3 4 4 3 3 4 4 1 4 35 10 3.5
12 Is the Cyber Security Risk Management process severely broken such that a re-design is necessary? 3 4 4 3 3 5 5 4 3 3 37 10 3.7
13 Do we leverage resources like the ESC2M2 or DOE Risk Management Process for Cybersecurity? 5 2 3 3 4 4 3 3 4 4 35 10 3.5
14 NIST Cybersecurity Framework Criterion PR.IP-6: Data is destroyed according to policy 3 3 3 3 4 3 4 3 3 3 32 10 3.2
15 What is the cost of poor quality as supported by the team’s analysis? 4 3 3 4 3 2 1 3 4 3 30 10 3
16 What are the best opportunities for value improvement? 1 4 4 3 4 4 3 4 5 2 34 10 3.4
17 Do you, as a leader, bounce back quickly from setbacks? 2 3 3 3 3 3 3 4 5 3 32 10 3.2
18 What does the data say about the performance of the business process? 4 3 4 4 1 4 3 4 3 3 33 10 3.3
19 How do you measure the Operational performance of your key work systems and processes, including productivity, cycle time, and other appropriate measures of process effectiveness, efficiency, and innovation? 3 2 5 1 4 4 5 3 3 3 33 10 3.3
20 What were the financial benefits resulting from any ‘ground fruit or low-hanging fruit’ (quick fixes)? 4 2 1 3 5 4 3 4 3 3 32 10 3.2
21 What will drive Cyber Security Risk Management change? 4 3 3 3 1 1 3 3 3 3 27 10 2.7
22 NIST Cybersecurity Framework Criterion PR.DS-1: Data-at-rest is protected 3 4 3 3 4 3 4 3 3 3 33 10 3.3
23 Are interdependent service providers (for example, fuel suppliers, telecommunications providers, meter data processors) included in risk assessments? 3 3 4 3 3 4 4 3 3 2 32 10 3.2
24 How do mission and objectives affect the Cyber Security Risk Management processes of our organization? 3 4 3 4 3 3 3 4 4 3 34 10 3.4
25 What successful thing are we doing today that may be blinding us to new growth opportunities? 3 1 3 4 3 4 4 4 2 3 31 10 3.1
26 NIST Cybersecurity Framework Criterion DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors 4 4 4 4 3 3 1 4 4 4 35 10 3.5
27 Is the performance gap determined? 3 3 4 3 2 1 5 3 5 3 32 10 3.2
28 What are the revised rough estimates of the financial savings/opportunity for Cyber Security Risk Management improvements? 3 4 5 3 3 5 5 3 3 4 38 10 3.8
29 Are unauthorized parties using your system for the processing or storage of data? 3 4 3 1 4 4 5 3 4 4 35 10 3.5
30 Did any value-added analysis or ‘lean thinking’ take place to identify some of the gaps shown on the ‘as is’ process map? 4 4 4 3 3 4 3 2 4 4 35 10 3.5
31 How does the organization define, manage, and improve its Cyber Security Risk Management processes? 2 4 4 3 4 4 4 3 4 4 36 10 3.6
32 Did any additional data need to be collected? 4 3 4 3 1 3 3 4 4 3 32 10 3.2
33 When conducting a business process reengineering study, what should we look for when trying to identify business processes to change? 3 1 4 4 3 4 4 3 4 4 34 10 3.4
34 What are the disruptive Cyber Security Risk Management technologies that enable our organization to radically change our business processes? 4 4 4 3 3 4 3 4 4 3 36 10 3.6
35 Record-keeping requirements flow from the records needed as inputs, outputs, controls and for transformation of a Cyber Security Risk Management process. Ask yourself: are the records needed as inputs to the Cyber Security Risk Management process available? 3 4 3 3 4 4 4 3 3 4 35 10 3.5
36 NIST Cybersecurity Framework Criterion PR.IP-3: Configuration change control processes are in place 4 4 4 3 3 3 2 4 4 4 35 10 3.5
37 Was a detailed process map created to amplify critical steps of the ‘as is’ business process? 3 4 3 4 4 3 4 3 4 3 35 10 3.5
38 Are response processes and procedures executable and are they being maintained? 3 3 5 3 3 4 1 4 4 3 33 10 3.3
39 What quality tools were used to get through the analyze phase? 3 2 4 4 3 3 4 4 4 4 35 10 3.5
40 Are gaps between current performance and the goal performance identified? 1 4 4 5 4 4 4 2 4 4 36 10 3.6
41 Do your employees have the opportunity to do what they do best everyday? 4 3 2 4 3 1 4 4 3 4 32 10 3.2
42 What other organizational variables, such as reward systems or communication systems, affect the performance of this Cyber Security Risk Management process? 5 3 4 5 4 4 2 5 5 4 41 10 4.1
43 What conclusions were drawn from the team’s data collection and analysis? How did the team reach these conclusions? 3 3 4 4 4 4 3 3 3 4 35 10 3.5
44 NIST Cybersecurity Framework Criterion ID.GV-4: Governance and risk management processes address cybersecurity risks 3 4 4 3 4 3 5 4 4 4 38 10 3.8
45 Were Pareto charts (or similar) used to portray the ‘heavy hitters’ (or key sources of variation)? 4 3 4 3 3 4 4 3 3 3 34 10 3.4
46 NIST Cybersecurity Framework Criterion DE.DP-5: Detection processes are continuously improved 2 3 4 3 3 4 3 4 3 3 32 10 3.2
47 What project management qualifications does the Project Manager have? 4 4 1 2 5 3 4 1 1 2 27 10 2.7
48 Where is the data coming from to measure compliance? 4 3 4 4 3 4 4 1 4 3 34 10 3.4
49 Were any designed experiments used to generate additional insight into the data analysis? 3 3 4 4 4 4 3 4 2 3 34 10 3.4
50 How is the way you as the leader think and process information affecting your organizational culture? 3 4 3 3 4 3 4 4 4 4 36 10 3.6
51 How do we promote understanding that opportunity for improvement is not criticism of the status quo, or the people who created the status quo? 3 3 4 4 3 1 4 4 3 3 32 10 3.2
52 What were the crucial ‘moments of truth’ on the process map? 3 4 5 4 3 3 3 3 2 3 33 10 3.3
53 NIST Cybersecurity Framework Criterion ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders 1 4 2 4 2 4 4 4 1 3 29 10 2.9
54 What tools were used to generate the list of possible causes? 5 4 4 4 3 3 4 3 4 3 37 10 3.7
55 What did the team gain from developing a sub-process map? 3 4 4 3 4 3 3 4 4 3 35 10 3.5
56 Is the gap/opportunity displayed and communicated in financial terms? 4 5 3 3 3 3 3 4 4 3 35 10 3.5
57 How was the detailed process map generated, verified, and validated? 3 3 3 4 3 3 3 3 3 3 31 10 3.1
58 Do governance and risk management processes address Cybersecurity risks? 4 3 2 3 4 4 4 1 3 3 31 10 3.1
59 Was a cause-and-effect diagram used to explore the different types of causes (or sources of variation)? 4 3 4 4 3 4 3 3 4 3 35 10 3.5
60 An organizationally feasible system request is one that considers the mission, goals and objectives of the organization. Key questions are: Is the solution request practical, and will it solve a problem or take advantage of an opportunity to achieve company goals? 2 4 1 4 3 3 4 3 4 4 32 10 3.2
61 NIST Cybersecurity Framework Criterion ID.AM-3: Organizational communication and data flows are mapped 4 4 3 4 4 3 1 3 4 4 34 10 3.4
62 Think about some of the processes you undertake within your organization. Which do you own? 4 4 3 3 4 3 3 4 4 3 35 10 3.5
63 Do we have a formal escalation process to address Cybersecurity risks that suddenly increase in severity? 3 2 4 4 3 4 4 4 4 4 36 10 3.6
64 What tools were used to narrow the list of possible causes? 3 4 5 4 4 3 3 3 4 3 36 10 3.6
65 NIST Cybersecurity Framework Criterion PR.IP-7: Protection processes are continuously improved 3 4 3 3 3 3 4 1 4 4 32 10 3.2
66 What process should we select for improvement? 3 4 4 3 4 3 5 4 4 1 35 10 3.5
67 Is Data and process analysis, root cause analysis and quantifying the gap/opportunity in place? 3 4 5 4 3 4 3 4 4 2 36 10 3.6
68 NIST Cybersecurity Framework Criterion DE.DP-3: Detection processes are tested 2 3 3 3 3 4 3 3 4 4 32 10 3.2
69 Do you have a process for looking at consequences of cyber incidents that informs your risk management process? 4 3 5 3 3 3 3 3 4 2 33 10 3.3
70 NIST Cybersecurity Framework Criterion PR.DS-2: Data-in-transit is protected 4 4 1 3 3 4 4 3 3 4 33 10 3.3
71 What kind of crime could a potential new hire have committed that would not only not disqualify him/her from being hired by our organization, but would actually indicate that he/she might be a particularly good fit? 1 4 4 4 4 3 4 5 2 2 33 10 3.3
72 What controls do we have in place to protect data? 3 3 3 3 4 3 4 4 3 3 33 10 3.3
73 Have any additional benefits been identified that will result from closing all or most of the gaps? 4 4 1 3 3 4 5 4 3 2 33 10 3.3
74 Are protection processes being continuously improved? 4 5 3 4 4 4 4 5 3 4 40 10 4
75 What domains of knowledge and types of Cybersecurity-associated skills and abilities are necessary for engineers involved in operating industrial processes to achieve safe and reliable operating goals? 3 2 4 3 1 3 3 4 3 4 30 10 3
76 Do our leaders quickly bounce back from setbacks? 3 5 4 3 3 4 4 4 4 3 37 10 3.7
77 Does your organization destroy data according to policies in place? 2 4 3 4 2 4 4 3 4 3 33 10 3.3
SCORE 245 263 262 260 251 262 273 259 269 250 2594 770 3.4
5 Improve Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 To what extent does management recognize Cyber Security Risk Management as a tool to increase the results? 2 3 4 3 2 2 2 3 3 2 26 10 2.6
2 Are we communicating about our Cybersecurity Risk Management programs including the effectiveness of those programs to stakeholders, including boards, investors, auditors, and insurers? 3 3 5 2 3 2 5 2 3 3 31 10 3.1
3 How can we improve Cyber Security Risk Management? 5 3 3 3 2 2 3 3 2 3 29 10 2.9
4 What resources are required for the improvement effort? 2 3 3 3 2 2 3 3 3 2 26 10 2.6
5 How does the solution remove the key sources of issues discovered in the analyze phase? 2 2 2 3 3 5 3 3 2 2 27 10 2.7
6 How do we define and assess risk generally and Cybersecurity risk specifically? 3 4 3 2 2 2 3 3 5 2 29 10 2.9
7 How do we Improve Cyber Security Risk Management service perception, and satisfaction? 2 2 3 3 3 2 3 3 1 3 25 10 2.5
8 Are the best solutions selected? 3 2 3 2 1 3 3 1 2 3 23 10 2.3
9 Are new and improved process (‘should be’) maps developed? 2 2 3 2 3 3 2 2 2 2 23 10 2.3
10 How can we improve performance? 2 2 2 2 3 3 3 3 2 3 25 10 2.5
11 What were the underlying assumptions on the cost-benefit analysis? 2 1 2 1 2 3 3 2 2 2 20 10 2
12 How do we go about Comparing Cyber Security Risk Management approaches/solutions? 3 2 2 1 5 1 2 2 2 5 25 10 2.5
13 How do we appropriately integrate Cybersecurity risk into business risk? 4 3 3 3 2 3 2 2 2 1 25 10 2.5
14 How do we measure risk? 2 1 5 2 2 3 2 2 3 2 24 10 2.4
15 What collaborative organizations or efforts has your company interacted with or become involved with to improve its Cybersecurity posture (such as NESCO, NESCOR, Fusion centers, Infragard, US-CERT, ICS-CERT, E-ISAC, SANS, HSIN, the Cross-Sector Cyber Security Working Group of the National Sector Partnership, etc.)? 3 2 5 5 2 3 2 3 3 3 31 10 3.1
16 NIST Cybersecurity Framework Criterion PR.AT-5: Physical and information security personnel understand roles & responsibilities 2 4 3 3 2 3 3 3 2 2 27 10 2.7
17 To what extent is Cybersecurity Risk Management integrated into enterprise risk management? 3 2 3 1 5 2 1 2 2 3 24 10 2.4
18 How do we decide which activities to take action on regarding a detected Cybersecurity threat? 3 2 3 3 3 2 3 2 2 3 26 10 2.6
19 How will you measure the results? 2 2 2 2 3 3 3 2 2 3 24 10 2.4
20 What current systems have to be understood and/or changed? 2 2 2 3 2 2 3 3 3 2 24 10 2.4
21 Was a pilot designed for the proposed solution(s)? 3 3 2 3 2 3 2 2 2 3 25 10 2.5
22 What attendant changes will need to be made to ensure that the solution is successful? 3 1 2 2 3 1 3 2 1 3 21 10 2.1
23 Have logical and physical connections to key systems been evaluated and addressed? 3 2 3 2 1 3 4 3 3 2 26 10 2.6
24 What performance goals do we adopt to ensure our ability to provide essential services while managing Cybersecurity risk? 2 2 2 2 2 3 2 3 3 2 23 10 2.3
25 What can we do to improve? 2 3 2 5 5 3 5 4 3 3 35 10 3.5
26 How will the organization know that the solution worked? 3 2 2 1 2 3 3 3 1 2 22 10 2.2
27 How do you improve workforce health, safety, and security? What are your performance measures and improvement goals for each of these workforce needs? What are any significant differences in these factors and performance measures or targets for different workplace environments? 3 2 3 5 2 2 5 2 3 2 29 10 2.9
28 How do you measure progress and evaluate training effectiveness? 3 2 3 2 2 2 2 3 3 5 27 10 2.7
29 How did the team generate the list of possible solutions? 2 2 2 2 2 3 3 2 3 4 25 10 2.5
30 Is Supporting Cyber Security Risk Management documentation required? 2 3 3 2 1 2 2 2 3 3 23 10 2.3
31 Who controls the risk? 2 5 2 3 3 2 3 2 3 3 28 10 2.8
32 How do we keep improving Cyber Security Risk Management? 3 1 2 3 2 2 2 3 2 5 25 10 2.5
33 What tools were most useful during the improve phase? 2 5 2 3 2 2 3 3 3 3 28 10 2.8
34 Who will be responsible for documenting the Cyber Security Risk Management requirements in detail? 2 2 2 2 2 3 2 5 2 3 25 10 2.5
35 What to do with the results or outcomes of measurements? 1 2 2 2 3 2 3 2 3 2 22 10 2.2
36 Does senior leadership have access to Cybersecurity risk information? 3 3 2 2 5 2 4 2 3 5 31 10 3.1
37 Is there a high likelihood that any recommendations will achieve their intended results? 2 3 2 2 3 3 2 2 3 4 26 10 2.6
38 At what point will vulnerability assessments be performed once Cyber Security Risk Management is put into production (e.g., ongoing Risk Management after implementation)? 2 2 3 2 3 2 3 3 2 2 24 10 2.4
39 Is the solution technically practical? 3 1 1 4 3 3 2 5 4 2 28 10 2.8
40 How do we improve productivity? 3 2 4 3 3 3 2 3 3 3 29 10 2.9
41 Describe your organization's policies and procedures governing risk generally and Cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures? 3 3 5 3 4 5 3 4 4 2 36 10 3.6
42 How Do We Link Measurement and Risk? 2 2 2 2 5 3 3 4 3 2 28 10 2.8
43 Is a contingency plan established? 5 2 2 2 3 2 2 3 2 2 25 10 2.5
44 Do we develop a Cyber Security Center? 1 2 3 3 2 2 2 4 2 3 24 10 2.4
45 Why improve in the first place? 2 2 2 1 3 2 2 4 1 2 21 10 2.1
46 Is the measure understandable to a variety of people? 2 4 3 2 3 1 3 2 2 3 25 10 2.5
47 Is there a cost/benefit analysis of optimal solution(s)? 2 2 3 3 3 2 2 2 2 3 24 10 2.4
48 Where do you want to be a first mover, a fast follower or wait for industry solutions? 2 3 2 5 4 5 3 2 2 3 31 10 3.1
49 NIST Cybersecurity Framework Criterion PR.AT-2: Privileged users understand roles & responsibilities 2 3 2 1 5 2 3 2 2 2 24 10 2.4
50 NIST Cybersecurity Framework Criterion PR.IP-2: A System Development Life Cycle to manage systems is implemented 2 3 2 3 2 1 5 3 1 3 25 10 2.5
51 What needs improvement? 2 2 3 1 3 2 2 2 3 3 23 10 2.3
52 Are improved process (‘should be’) maps modified based on pilot data and analysis? 3 1 2 5 3 2 2 3 3 2 26 10 2.6
53 What do we see as the greatest challenges in improving Cybersecurity practices across critical infrastructure? 2 2 5 3 3 2 3 2 3 3 28 10 2.8
54 For estimation problems, how do you develop an estimation statement? 2 3 2 3 3 2 3 2 2 2 24 10 2.4
55 What tools were used to evaluate the potential solutions? 3 3 3 2 2 3 2 3 3 3 27 10 2.7
56 Risk events: what are the things that could go wrong? 3 2 1 2 2 2 3 3 2 5 25 10 2.5
57 What are the implications of this decision 10 minutes, 10 months, and 10 years from now? 3 3 2 2 1 3 4 2 3 2 25 10 2.5
58 What error proofing will be done to address some of the discrepancies observed in the ‘as is’ process? 3 3 3 3 3 3 2 3 3 1 27 10 2.7
59 What actually has to improve and by how much? 4 3 3 3 3 3 2 3 2 3 29 10 2.9
60 What communications are necessary to support the implementation of the solution? 3 2 2 2 2 2 3 1 4 1 22 10 2.2
61 How do we decide how much to remunerate an employee? 2 2 2 3 2 3 2 2 3 2 23 10 2.3
62 What do we want to improve? 2 3 3 3 5 3 2 2 3 3 29 10 2.9
63 What is the risk? 2 3 3 3 2 3 1 5 2 2 26 10 2.6
64 For the most critical systems, are multiple operators required to implement changes that risk consequential events? 3 3 3 3 3 2 2 4 2 2 27 10 2.7
65 Is there a small-scale pilot for proposed improvement(s)? What conclusions were drawn from the outcomes of a pilot? 3 2 3 2 2 3 2 3 2 2 24 10 2.4
66 What is the magnitude of the improvements? 1 2 1 2 2 2 5 2 3 2 22 10 2.2
67 In the past few months, what is the smallest change we have made that has had the biggest positive result? What was it about that small change that produced the large return? 3 2 2 3 3 5 3 2 5 3 31 10 3.1
68 NIST Cybersecurity Framework Criterion ID.RA-3: Threats, both internal and external, are identified and documented 2 3 5 2 3 3 2 3 3 2 28 10 2.8
69 NIST Cybersecurity Framework Criterion ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed 3 2 2 2 1 1 2 3 4 3 23 10 2.3
70 Does your company provide resources to improve end-user awareness of phishing, malware, indicators of compromise, and procedures in the event of a potential breach? 2 3 4 3 3 5 3 3 3 3 32 10 3.2
71 How will you know when it's improved? 2 2 2 2 2 2 2 3 3 2 22 10 2.2
72 If you could go back in time five years, what decision would you make differently? What is your best guess as to what decision you're making today you might regret five years from now? 4 3 4 1 2 2 2 2 3 3 26 10 2.6
73 Is pilot data collected and analyzed? 3 3 3 2 2 1 2 4 2 2 24 10 2.4
74 Who will be responsible for making the decisions to include or exclude requested changes once Cyber Security Risk Management is underway? 2 3 3 3 2 3 2 2 4 3 27 10 2.7
75 How do we measure improved Cyber Security Risk Management service perception, and satisfaction? 2 5 2 3 3 2 3 2 2 2 26 10 2.6
76 Are legal and regulatory requirements regarding Cybersecurity, including privacy and civil liberties obligations, understood and managed? 4 3 2 3 2 3 5 3 3 3 31 10 3.1
77 Has your company conducted a Cybersecurity evaluation of key assets in concert with the National Cyber Security Division of the U.S. Department of Homeland Security (DHS)? 3 5 3 3 3 3 2 2 3 1 28 10 2.8
78 NIST Cybersecurity Framework Criterion PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 3 4 3 2 2 3 2 3 3 3 28 10 2.8
79 How do you use other indicators, such as workforce retention, absenteeism, grievances, safety, and productivity, to assess and improve workforce engagement? 1 2 4 2 3 3 3 2 3 3 26 10 2.6
80 How to Improve? 2 1 2 2 1 2 3 2 2 3 20 10 2
81 If you could go back in time five years, what decision would you make differently? What is your best guess as to what decision you're making today you might regret five years from now? 2 3 2 3 3 3 3 3 2 3 27 10 2.7
82 Has your organization conducted a cyber risk or vulnerability assessment of its information systems, control systems, and other networked systems? 3 3 3 2 3 3 2 2 3 3 27 10 2.7
83 What does the ‘should be’ process map/design look like? 3 3 2 4 3 2 2 2 2 2 25 10 2.5
84 Is the optimal solution selected based on testing and analysis? 2 4 3 2 2 3 2 3 2 3 26 10 2.6
85 Are we Assessing Cyber Security Risk Management and Risk? 2 3 3 2 3 2 3 4 3 2 27 10 2.7
86 NIST Cybersecurity Framework Criterion RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks 5 5 2 3 3 3 2 2 3 3 31 10 3.1
87 Is the implementation plan designed? 5 3 3 2 2 2 2 3 3 1 26 10 2.6
88 What is the implementation plan? 3 3 5 3 2 2 2 1 2 1 24 10 2.4
89 Does the management team seek or receive routine updates on risks and advancements in Cybersecurity? 4 3 2 3 3 2 3 2 3 2 27 10 2.7
90 What is Cyber Security Risk Management's impact on utilizing the best solution(s)? 2 2 3 2 3 2 3 2 1 1 21 10 2.1
91 Do you understand what can accelerate change? 2 4 3 4 2 2 3 3 5 1 29 10 2.9
92 How will you know that you have improved? 3 2 3 2 2 3 3 3 2 3 26 10 2.6
93 Can the solution be designed and implemented within an acceptable time period? 2 5 2 5 3 2 2 3 5 3 32 10 3.2
94 Does our company have a Cybersecurity policy, strategy, or governing document? 3 3 2 2 2 3 2 5 5 2 29 10 2.9
95 Who are the people involved in developing and implementing Cyber Security Risk Management? 2 3 3 2 3 2 2 4 2 2 25 10 2.5
96 Are there any constraints (technical, political, cultural, or otherwise) that would inhibit certain solutions? 4 4 2 3 3 3 3 1 2 5 30 10 3
97 Can we describe our organization's policies and procedures governing risk generally and Cybersecurity risk specifically? How does senior management communicate and oversee these policies and procedures? 2 3 3 3 2 3 2 2 2 2 24 10 2.4
98 NIST Cybersecurity Framework Criterion ID.RA-1: Asset vulnerabilities are identified and documented 2 5 3 3 2 3 2 3 3 2 28 10 2.8
99 Are possible solutions generated and tested? 3 2 2 3 3 2 2 3 2 3 25 10 2.5
100 Do you have an enterprise-wide risk management program that includes Cybersecurity? 2 3 2 2 3 3 2 3 2 3 25 10 2.5
101 Have vendors documented and independently verified their Cybersecurity controls? 2 2 3 2 3 2 2 3 3 3 25 10 2.5
102 NIST Cybersecurity Framework Criterion PR.DS-7: The development and testing environment(s) are separate from the production environment 2 2 3 3 3 3 2 3 3 2 26 10 2.6
103 What kind of guidance do you follow to ensure that your procurement language is both specific and comprehensive enough to result in acquiring secure components and systems? 3 3 2 2 2 3 3 3 5 2 28 10 2.8
104 How will the team or the process owner(s) monitor the implementation plan to see that it is working as intended? 3 3 2 3 2 2 3 1 3 3 25 10 2.5
105 How do you improve your likelihood of success? 5 3 2 2 3 3 2 2 3 4 29 10 2.9
106 Describe the design of the pilot and what tests were conducted, if any? 3 2 2 2 2 3 2 2 3 2 23 10 2.3
107 What tools do you use once you have decided on a Cyber Security Risk Management strategy, and more importantly, how do you choose? 4 1 5 2 5 3 3 3 2 2 30 10 3
108 What improvements have been achieved? 1 3 2 3 3 2 4 1 3 2 24 10 2.4
109 Is a solution implementation plan established, including schedule/work breakdown structure, resources, risk management plan, cost/budget, and control plan? 2 2 5 2 3 2 2 2 3 3 26 10 2.6
110 What evaluation strategy is needed and what needs to be done to assure its implementation and use? 3 3 3 2 2 4 3 5 3 3 31 10 3.1
111 How significant is the improvement in the eyes of the end user? 3 3 2 2 3 3 3 2 2 2 25 10 2.5
112 Is our organization doing any form of outreach or education on Cybersecurity Risk Management? 3 3 1 3 2 3 4 2 4 2 27 10 2.7
113 What needs to happen for improvement actions to take place? 2 3 5 3 3 3 2 1 3 5 30 10 3
114 Who controls key decisions that will be made? 3 2 3 3 5 3 2 5 3 2 31 10 3.1
115 NIST Cybersecurity Framework Criterion PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities 2 3 2 3 3 3 3 3 3 2 27 10 2.7
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
116 How can skill-level changes improve Cyber Security Risk Management? 2 2 3 2 3 2 2 2 3 2 23 10 2.3
117 Are audit/log records determined, documented, implemented, and reviewed in accordance with your organization's policies? 2 2 5 2 5 2 2 3 3 3 29 10 2.9
118 Does the goal represent a desired result that can be measured? 3 2 3 2 3 2 3 2 3 2 25 10 2.5
119 What tools were used to tap into the creativity and encourage ‘outside the box’ thinking? 2 1 2 3 2 2 2 2 3 4 23 10 2.3
120 Risk factors: what are the characteristics of Cyber Security Risk Management that make it risky? 2 2 5 2 2 3 1 3 4 2 26 10 2.6
121 Do we appropriately integrate Cybersecurity risk into business risk? 2 3 3 2 2 3 2 2 3 2 24 10 2.4
122 What is the team’s contingency plan for potential problems occurring in implementation? 3 3 2 2 3 2 2 3 3 5 28 10 2.8
123 NIST Cybersecurity Framework Criterion ID.RM-2: Organizational risk tolerance is determined and clearly expressed 2 2 2 2 1 3 3 3 5 3 26 10 2.6
124 For decision problems, how do you develop a decision statement? 3 2 2 3 3 2 3 3 3 2 26 10 2.6
125 What went well, what should change, what can improve? 2 2 2 3 3 3 3 3 3 3 27 10 2.7
126 NIST Cybersecurity Framework Criterion PR.AT-4: Senior executives understand roles & responsibilities 3 2 2 5 4 3 3 3 3 2 30 10 3
127 How does the team improve its work? 3 3 3 5 3 2 2 2 1 2 26 10 2.6
128 Were any criteria developed to assist the team in testing and evaluating potential solutions? 2 3 4 2 2 3 2 5 2 2 27 10 2.7
129 What lessons, if any, from a pilot were incorporated into the design of the full-scale solution? 2 2 3 3 1 2 3 3 3 5 27 10 2.7
130 Has your organization conducted an evaluation of the Cybersecurity risks for major systems at each stage of the system deployment lifecycle? 3 1 2 2 1 4 4 3 3 3 26 10 2.6
131 How will we know that a change is improvement? 3 5 2 2 2 3 5 2 2 4 30 10 3
132 What's At Risk? 1 2 5 1 3 3 2 3 2 3 25 10 2.5
133 Who will be using the results of the measurement activities? 2 2 1 3 2 3 2 3 3 2 23 10 2.3
SCORE 340 346 361 339 351 342 348 355 360 348 3490 1330 2.6
6 Control Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 Is our Cybersecurity plan tested regularly? 1 1 2 5 2 4 1 1 1 1 19 10 1.9
2 Is reporting being used or needed? 2 2 2 2 2 2 1 2 3 1 19 10 1.9
3 Why is change control necessary? 2 2 3 2 1 1 2 2 2 4 21 10 2.1
4 How might the organization capture best practices and lessons learned so as to leverage improvements across the business? 1 2 2 2 1 1 2 1 2 1 15 10 1.5
5 Do we maintain standards and expectations for downtime during the upgrade and replacement cycle? 1 1 1 2 4 5 1 2 2 1 20 10 2
6 NIST Cybersecurity Framework Criterion DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events 2 1 1 1 2 3 2 1 2 1 16 10 1.6
7 Has the improved process and its steps been standardized? 1 1 1 1 2 1 2 1 2 2 14 10 1.4
8 How will the process owner verify improvement in present and future sigma levels, process capabilities? 2 1 4 1 5 3 2 2 1 2 23 10 2.3
9 NIST Cybersecurity Framework Criterion DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 3 2 2 1 1 1 2 1 1 1 15 10 1.5
10 What should we measure to verify effectiveness gains? 2 2 1 1 2 2 1 2 2 1 16 10 1.6
11 Is there documentation that will support the successful operation of the improvement? 1 2 2 1 1 1 1 2 2 1 14 10 1.4
12 Is new knowledge gained imbedded in the response plan? 4 1 1 1 1 2 3 1 1 1 16 10 1.6
13 Does job training on the documented procedures need to be part of the process team’s education and training? 1 2 2 5 1 2 2 2 1 2 20 10 2
14 NIST Cybersecurity Framework Criterion PR.IP-10: Response and recovery plans are tested 2 2 2 1 1 2 1 2 2 1 16 10 1.6
15 Will existing staff require re-training, for example, to learn new business processes? 1 2 1 2 1 2 1 1 2 2 15 10 1.5
16 What is the control/monitoring plan? 2 1 1 1 2 2 2 2 2 1 16 10 1.6
17 Who will be in control? 2 2 2 2 2 1 2 2 2 1 18 10 1.8
18 What are we attempting to measure/monitor? 1 1 2 1 2 4 4 1 2 1 19 10 1.9
19 What other systems, operations, processes, and infrastructures (hiring practices, staffing, training, incentives/rewards, metrics/dashboards/scorecards, etc.) need updates, additions, changes, or deletions in order to facilitate knowledge transfer and improvements? 2 4 2 1 1 2 1 2 1 1 17 10 1.7
20 Can our company identify any mandatory Cybersecurity standards that apply to our systems? 2 2 2 4 2 5 1 2 1 2 23 10 2.3
21 Do your recovery plans incorporate lessons learned? 1 1 1 1 1 2 2 2 2 4 17 10 1.7
22 Does Cyber Security Risk Management appropriately measure and monitor risk? 2 2 2 4 4 1 1 1 1 1 19 10 1.9
23 NIST Cybersecurity Framework Criterion DE.CM-1: The network is monitored to detect potential cybersecurity events 1 1 2 1 2 4 1 1 1 5 19 10 1.9
24 Do you monitor the effectiveness of your Cyber Security Risk Management activities? 2 2 1 2 1 1 5 1 2 2 19 10 1.9
25 How do controls support value? 2 3 1 3 2 2 2 1 1 2 19 10 1.9
26 What are your results for key measures or indicators of the accomplishment of your Cyber Security Risk Management strategy and action plans, including building and strengthening core competencies? 2 2 2 3 2 2 2 1 2 3 21 10 2.1
27 What training is provided to personnel that are involved with Cybersecurity control, implementation, and policies? 1 2 1 2 2 3 4 2 1 1 19 10 1.9
28 NIST Cybersecurity Framework Criterion RS.IM-1: Response plans incorporate lessons learned 1 1 2 1 1 2 1 1 3 2 15 10 1.5
29 Do you have a consumer communication plan or a way of dealing with customer perceptions and expectations? 1 3 1 1 1 1 1 4 2 1 16 10 1.6
30 Is maintenance and repair of organizational assets performed and logged in a timely manner, with approved and controlled tools? 2 1 2 1 1 1 2 1 2 1 14 10 1.4
31 What should we measure to verify efficiency gains? 1 2 2 2 1 1 2 1 1 1 14 10 1.4
32 What do we stand for--and what are we against? 2 1 1 2 1 1 2 1 1 2 14 10 1.4
33 NIST Cybersecurity Framework Criterion RS.RP-1: Response plan is executed during or after an event 4 1 1 1 2 2 1 3 2 1 18 10 1.8
34 How will new or emerging customer needs/requirements be checked/communicated to orient the process toward meeting the new specifications and continually reducing variation? 2 2 2 1 2 1 5 1 2 1 19 10 1.9
35 NIST Cybersecurity Framework Criterion PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality 2 2 1 1 1 1 2 3 2 2 17 10 1.7
36 Can our company identify any other mandatory Cybersecurity standards that apply to its systems? 3 2 1 1 1 2 2 3 2 1 18 10 1.8
37 Are pertinent alerts monitored, analyzed and distributed to appropriate personnel? 2 4 1 1 1 2 2 1 1 1 16 10 1.6
38 Implementation Planning: is a pilot needed to test the changes before a full roll out occurs? 1 2 2 2 1 2 2 2 1 1 16 10 1.6
39 How do you encourage people to take control and responsibility? 1 5 4 2 3 1 1 1 2 2 22 10 2.2
40 How will the process owner and team be able to hold the gains? 1 1 1 2 5 2 2 2 2 1 19 10 1.9
41 Who has control over resources? 1 1 1 1 4 2 1 3 2 2 18 10 1.8
42 How do we enable market innovation while controlling security and privacy? 2 2 1 2 2 2 2 1 1 2 17 10 1.7
43 Does your Cybersecurity plan include recognition of critical facilities and/or cyber assets that are dependent upon IT or automated processing? 2 2 1 2 1 5 1 2 5 1 22 10 2.2
44 How do our controls stack up? 2 2 2 2 1 1 1 1 2 1 15 10 1.5
45 How will report readings be checked to effectively monitor performance? 2 2 1 1 2 2 2 1 2 4 19 10 1.9
46 NIST Cybersecurity Framework Criterion PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools 1 1 1 3 4 1 2 1 2 1 17 10 1.7
47 Are new process steps, standards, and documentation ingrained into normal operations? 1 3 1 1 2 2 1 2 3 1 17 10 1.7
48 NIST Cybersecurity Framework Criterion PR.IP-12: A vulnerability management plan is developed and implemented 3 1 2 4 1 2 1 1 2 1 18 10 1.8
49 What is your theory of human motivation, and how does your compensation plan fit with that view? 1 2 2 2 1 2 2 2 5 2 21 10 2.1
50 Will any special training be provided for results interpretation? 2 1 2 2 2 3 1 2 1 1 17 10 1.7
51 Is a response plan in place for when the input, process, or output measures indicate an ‘out-of-control’ condition? 1 2 1 1 2 1 5 2 1 4 20 10 2
52 Have you had outside experts look at your Cybersecurity plans? 2 1 2 2 5 2 2 2 2 1 21 10 2.1
53 Do you have a plan in place for reputation management after an event? 2 2 1 2 2 1 1 2 1 1 15 10 1.5
54 Does the company have equipment dependent on remote upgrades to firmware or software, or have plans to implement such systems? 1 1 4 2 2 4 4 3 1 1 23 10 2.3
55 Is knowledge gained on process shared and institutionalized? 5 1 5 1 3 1 4 2 1 3 26 10 2.6
56 NIST Cybersecurity Framework Criterion RS.CO-3: Information is shared consistent with response plans 2 2 1 2 1 2 2 2 2 2 18 10 1.8
57 NIST Cybersecurity Framework Criterion RS.AN-4: Incidents are categorized consistent with response plans 4 2 2 1 2 2 1 2 1 5 22 10 2.2
58 Are suggested corrective/restorative actions indicated on the response plan for known causes to problems that might surface? 1 1 2 5 1 1 2 2 1 1 17 10 1.7
59 Do the decisions we make today help people and the planet tomorrow? 1 1 2 2 1 2 4 2 2 1 18 10 1.8
60 Do the Cyber Security Risk Management decisions we make today help people and the planet tomorrow? 2 2 4 1 3 2 5 1 4 1 25 10 2.5
61 Does the company have a log monitoring capability with analytics and alerting—also known as “continuous monitoring”? 2 2 2 2 1 1 2 1 2 2 17 10 1.7
62 Do you have a System Development Life Cycle plan that is implemented to manage systems? 1 2 2 2 2 1 2 3 2 2 19 10 1.9
63 Have new or revised work instructions resulted? 2 2 1 1 1 2 5 1 1 2 18 10 1.8
64 What is our theory of human motivation, and how does our compensation plan fit with that view? 2 1 2 2 2 1 2 1 1 5 19 10 1.9
65 Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets? 1 1 2 1 2 4 5 2 3 1 22 10 2.2
66 Who controls critical resources? 2 2 1 1 4 1 2 3 3 2 21 10 2.1
67 What are the critical parameters to watch? 1 5 2 4 1 2 4 2 1 4 26 10 2.6
68 NIST Cybersecurity Framework Criterion RS.CO-4: Coordination with stakeholders occurs consistent with response plans 2 2 5 1 2 1 3 4 1 5 26 10 2.6
69 What's the best design framework for an organization in a post Industrial-Age if the top-down, command and control model is no longer relevant? 2 2 2 4 2 1 2 3 2 2 22 10 2.2
70 Are communications and control networks jointly or separately protected? 2 2 2 1 1 2 1 1 4 2 18 10 1.8
71 Is there a transfer of ownership and knowledge to the process owner and process team tasked with the responsibilities? 2 2 2 1 4 4 1 2 1 1 20 10 2
72 Is access to systems and assets controlled, incorporating the principle of least functionality? 2 1 3 2 1 1 2 2 1 2 17 10 1.7
73 NIST Cybersecurity Framework Criterion PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained 1 1 1 2 2 4 1 1 2 1 16 10 1.6
74 Do we have a log monitoring capability with analytics and alerting, also known as "continuous monitoring"? 2 1 2 1 2 5 2 1 1 2 19 10 1.9
75 NIST Cybersecurity Framework Criterion PR.PT-4: Communications and control networks are protected 4 2 2 2 2 2 1 1 1 1 18 10 1.8
76 What is the recommended frequency of auditing? 1 1 2 2 1 1 2 3 2 2 17 10 1.7
77 Industry standards enforce legislation that utilities must meet, and these standards do not come cheaply. Standards require additional resources in the form of employees, hours, and technology, all of which increases the cost of providing reliable electricity to the customer. Therefore, the standards of Cybersecurity that protect the customer are then ultimately paid by the customer. So what are these standards and who sets them? 1 2 1 1 1 2 2 1 4 1 16 10 1.6
78 NIST Cybersecurity Framework Criterion PR.DS-5: Protections against data leaks are implemented 2 1 1 2 1 1 1 1 1 2 13 10 1.3
79 Does your Cybersecurity plan include alternative methods for meeting critical functional responsibilities in the absence of IT or communication technology? 1 1 1 5 2 1 1 2 3 1 18 10 1.8
80 NIST Cybersecurity Framework Criterion DE.CM-2: The physical environment is monitored to detect potential cybersecurity events 2 2 1 2 1 3 2 2 1 1 17 10 1.7
81 Has your Cybersecurity plan been reviewed in the last year and updated as needed? 2 1 1 4 2 2 1 1 2 2 18 10 1.8
82 Are controls in place and consistently applied? 2 1 3 1 2 2 2 5 2 2 22 10 2.2
83 What is your process/plan for managing risk? 1 4 1 1 2 1 1 1 4 2 18 10 1.8
84 Do your response plans include lessons learned and mechanisms for continual improvement? 1 1 2 2 2 2 1 1 1 1 14 10 1.4
85 Will a permanent standard be developed? 2 4 2 1 4 4 2 1 1 1 22 10 2.2
86 Is the information shared consistent with the response plan? 1 2 1 2 1 1 1 2 2 2 15 10 1.5
87 What other areas of the organization might benefit from the Cyber Security Risk Management team’s improvements, knowledge, and learning? 2 2 2 1 1 1 2 2 2 1 16 10 1.6
88 How can you tell if the actions you plan to take will contain the impact of a potential cyber threat? 2 4 2 2 1 1 1 2 2 1 18 10 1.8
89 Who sets the Cyber Security Risk Management standards? 1 2 1 2 2 1 2 2 2 3 18 10 1.8
90 When does compliance with a standard start? 2 1 3 1 2 1 1 3 1 2 17 10 1.7
91 Is there a recommended audit plan for routine surveillance inspections of Cyber Security Risk Management's gains? 1 1 2 2 2 2 2 2 1 4 19 10 1.9
92 Is Cybersecurity integrated between business systems and control systems? 2 1 1 3 2 5 2 4 2 4 26 10 2.6
93 Is your Cybersecurity plan tested regularly? 3 1 5 5 2 1 1 2 4 3 27 10 2.7
94 What can you control? 1 1 2 2 2 1 1 2 2 2 16 10 1.6
95 What else do you need to learn to be ready? 1 5 3 2 1 1 3 5 2 2 25 10 2.5
96 What are the key elements of your Cyber Security Risk Management performance improvement system, including your evaluation, organizational learning, and innovation processes? 1 1 2 5 2 1 1 1 3 1 18 10 1.8
97 Does our Cybersecurity plan include recognition of critical facilities and/or cyber assets that are dependent upon IT or automated processing? 3 2 4 1 1 4 2 2 2 2 23 10 2.3
98 How can we best use all of our knowledge repositories to enhance learning and sharing? 2 2 1 1 1 1 1 2 1 2 14 10 1.4
99 Who is the Cyber Security Risk Management process owner? 2 2 2 2 5 1 1 1 2 2 20 10 2
100 Against what alternative is success being measured? 1 2 1 1 3 4 1 2 2 2 19 10 1.9
101 What are the known security controls? 1 2 1 2 1 1 2 2 2 1 15 10 1.5
102 How will input, process, and output variables be checked to detect for sub-optimal conditions? 5 2 3 2 2 1 2 1 2 2 22 10 2.2
103 Were the planned controls in place? 2 5 1 1 2 2 4 2 1 5 25 10 2.5
104 Is a response plan established and deployed? 1 2 1 1 2 1 1 1 2 2 14 10 1.4
105 Were the planned controls working? 1 1 2 2 1 1 3 1 2 1 15 10 1.5
106 How will the day-to-day responsibilities for monitoring and continual improvement be transferred from the improvement team to the process owner? 1 1 1 1 2 1 1 1 2 2 13 10 1.3
107 Is there a standardized process? 1 2 1 2 2 2 5 2 2 2 21 10 2.1
108 NIST Cybersecurity Framework Criterion RC.RP-1: Recovery plan is executed during or after an event 2 2 2 1 1 1 1 1 1 2 14 10 1.4
109 NIST Cybersecurity Framework Criterion PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed 2 2 5 5 2 2 1 2 1 1 23 10 2.3
110 Does the Cyber Security Risk Management performance meet the customer’s requirements? 4 1 1 1 4 2 1 1 1 5 21 10 2.1
111 In the case of a Cyber Security Risk Management project, the criteria for the audit derive from implementation objectives. An audit of a Cyber Security Risk Management project involves assessing whether the recommendations outlined for implementation have been met. In other words, can we track that any Cyber Security Risk Management project is implemented as planned, and is it working? 2 5 3 2 1 1 2 1 2 2 21 10 2.1
112 If there currently is no plan, will a plan be developed? 1 1 1 1 2 1 2 1 1 1 12 10 1.2
113 What quality tools were useful in the control phase? 1 1 2 1 2 1 1 1 4 2 16 10 1.6
114 Does a troubleshooting guide exist or is it needed? 2 2 2 2 3 3 2 1 1 2 20 10 2
115 NIST Cybersecurity Framework Criterion RC.IM-1: Recovery plans incorporate lessons learned 1 2 2 2 3 1 1 1 2 2 17 10 1.7
116 What's the best design framework for a Cyber Security Risk Management organization now, in a post-Industrial-Age, if the top-down, command and control model is no longer relevant? 2 2 1 2 3 2 1 2 1 2 18 10 1.8
117 What is your quality control system? 1 1 1 1 1 2 2 1 2 2 14 10 1.4
118 Are there documented procedures? 2 2 2 1 1 2 1 5 1 2 19 10 1.9
119 Where do ideas that reach policy makers and planners as proposals for Cyber Security Risk Management strengthening and reform actually originate? 1 3 1 2 2 2 2 2 1 2 18 10 1.8
120 What key inputs and outputs are being measured on an ongoing basis? 1 3 2 1 1 2 1 1 2 1 15 10 1.5
121 Does the response plan contain a definite closed loop continual improvement scheme (e.g., plan-do-check-act)? 1 1 1 2 3 1 2 1 1 2 15 10 1.5
122 Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack? 2 2 2 2 1 1 2 1 2 1 16 10 1.6
123 Has business process Cybersecurity been included in continuity of operations plans for areas such as customer data, billing, etc.? 2 2 1 1 1 2 2 2 2 1 16 10 1.6
124 Are operating procedures consistent? 2 2 1 2 2 4 2 1 1 2 19 10 1.9
125 Is there a control plan in place for sustaining improvements (short and long-term)? 2 1 2 1 1 2 1 2 1 1 14 10 1.4
126 Is there a documented and implemented monitoring plan? 2 2 2 2 4 2 2 1 2 1 20 10 2
127 Are documented procedures clear and easy to follow for the operators? 2 2 1 1 1 2 1 4 2 2 18 10 1.8
128 How do you monitor your Cybersecurity posture on business IT systems and ICS systems and communicate status and needs to leadership? 2 1 1 5 1 2 1 2 2 1 18 10 1.8
129 NIST Cybersecurity Framework Criterion DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events 2 2 2 2 2 2 2 2 1 2 19 10 1.9
130 What should the next improvement project be that is related to Cyber Security Risk Management? 2 2 2 2 2 5 2 1 1 1 20 10 2
SCORE 228 240 233 243 244 251 245 228 233 236 2381 1300 1.8
7 Sustain Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg
"In my belief, the answer to the following question is clearly defined:"
1 If you were responsible for initiating and implementing major changes in your organization, what steps might you take to ensure acceptance of those changes? 1 1 1 1 4 1 1 1 4 1 16 10 1.6
2 What is Effective Cyber Security Risk Management? 1 5 1 1 1 1 1 2 1 1 15 10 1.5
3 NIST Cybersecurity Framework Criterion PR.IP-4: Backups of information are conducted, maintained, and tested periodically 1 1 1 1 2 1 1 1 1 4 14 10 1.4
4 How will you know that the Cyber Security Risk Management project has been successful? 1 1 1 1 1 1 1 1 5 1 14 10 1.4
5 Does your company provide end-user training to all employees on Cybersecurity, either as part of general staff training or specifically on the topic of computer security and company policy? 1 1 1 1 1 1 3 1 5 1 16 10 1.6
6 Is our Cybersecurity strategy aligned with our business objectives? 1 3 1 1 1 1 1 5 1 1 16 10 1.6
7 What are we challenging, in the sense that Mac challenged the PC or Dove tackled the Beauty Myth? 3 4 1 4 1 1 1 1 1 1 18 10 1.8
8 Have you had a PCI compliance assessment done? 1 1 1 1 1 1 5 1 1 1 14 10 1.4
9 How should we bring in consultants, for which jobs and for how long? 1 1 1 1 1 1 2 1 1 1 11 10 1.1
10 Are new benefits received and understood? 1 1 1 1 1 1 1 1 1 3 12 10 1.2
11 How can we incorporate support to ensure safe and effective use of Cyber Security Risk Management into the services that we provide? 1 1 1 1 1 3 1 1 1 1 12 10 1.2
12 Legal and contractual - are we allowed to do this? 1 1 1 1 4 1 1 1 3 1 15 10 1.5
13 What would I recommend my friend do if he were facing this dilemma? 3 1 1 2 2 1 1 4 2 1 18 10 1.8
14 Are you aware of anyone attempting to gain information in person, by phone, mail, email, etc., regarding the configuration and/or cyber security posture of your website, network, software, or hardware? 1 2 3 1 1 4 1 1 1 1 16 10 1.6
15 What is our Big Hairy Audacious Goal? 3 3 1 5 1 3 1 1 1 1 20 10 2
16 Is an organizational information security policy established? 1 1 1 1 1 5 1 3 1 1 16 10 1.6
17 When do you ask for help from Information Technology (IT)? 3 1 1 1 3 1 1 1 5 1 18 10 1.8
18 Who uses our product in ways we never expected? 1 1 5 1 1 1 1 1 1 1 14 10 1.4
19 What is a feasible sequencing of reform initiatives over time? 1 1 1 5 1 1 2 1 1 3 17 10 1.7
20 Are our Cybersecurity capabilities efficient and effective? 1 1 1 2 1 4 3 1 1 1 16 10 1.6
21 Do you have an implicit bias for capital investments over people investments? 1 3 1 1 1 1 1 1 1 1 12 10 1.2
22 In the past year, what have you done (or could you have done) to increase the accurate perception of this company/brand as ethical and honest? 1 2 1 1 1 1 4 1 1 1 14 10 1.4
23 Are assumptions made in Cyber Security Risk Management stated explicitly? 1 1 1 1 1 1 1 1 1 1 10 10 1
24 Who is in charge of ensuring that the repair is made? 1 1 1 5 3 1 1 1 1 1 16 10 1.6
25 Is Cybersecurity Insurance coverage a must? 1 1 1 2 1 1 1 1 1 1 11 10 1.1
26 Who will be responsible internally? 1 5 1 1 5 1 1 2 1 1 19 10 1.9
27 Who are you going to put out of business, and why? 1 3 1 1 1 1 1 1 5 4 19 10 1.9
28 Who do we think the world wants us to be? 1 1 1 4 5 1 1 1 1 1 17 10 1.7
29 How do you design a secure network? 1 2 1 1 1 1 1 1 1 1 11 10 1.1
30 Do we have enough freaky customers in our portfolio pushing us to the limit day in and day out? 1 1 1 1 1 1 1 1 1 1 10 10 1
31 Will we be inclusive enough yet not disruptive to ongoing business, for effective Cybersecurity practices? 1 1 1 1 1 1 1 1 1 1 10 10 1
32 Has anyone made unauthorized changes or additions to your system's hardware, firmware, or software characteristics without your IT department's knowledge, instruction, or consent? 1 1 1 4 1 1 1 1 1 5 17 10 1.7
33 NIST Cybersecurity Framework Criterion ID.AM-2: Software platforms and applications within the organization are inventoried 1 2 1 1 1 2 5 1 1 1 16 10 1.6
34 NIST Cybersecurity Framework Criterion PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition 1 1 4 1 2 1 3 2 1 1 17 10 1.7
35 How do I stay inspired? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
36 Does your organization have a company-wide policy regarding best practices for cyber? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
37 NIST Cybersecurity Framework Criterion PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties 1 1 3 1 1 1 1 1 1 4 15 10 1.5
38 How do we foster innovation? 1 1 1 2 1 3 4 1 3 1 18 10 1.8
39 NIST Cybersecurity Framework Criterion ID.BE-4: Dependencies and critical functions for delivery of critical services are established 1 1 3 1 1 1 5 1 1 1 16 10 1.6
40 How do you determine the key elements that affect Cyber Security Risk Management workforce satisfaction? How are these elements determined for different workforce groups and segments? 1 1 4 1 1 1 1 1 1 1 13 10 1.3
41 How can we become more high-tech but still be high touch? 1 1 1 1 1 4 1 5 3 4 22 10 2.2
42 Who will be responsible for deciding whether Cyber Security Risk Management goes ahead or not after the initial investigations? 1 1 1 4 1 2 1 1 5 1 18 10 1.8
43 Has implementation been effective in reaching specified objectives? 1 1 1 1 1 1 1 1 1 1 10 10 1
44 If I had to leave my organization for a year and the only communication I could have with employees was a single paragraph, what would I write? 1 1 4 4 1 1 4 1 1 4 22 10 2.2
45 Who is responsible for ensuring appropriate resources (time, people and money) are allocated to Cyber Security Risk Management? 1 3 1 1 1 1 1 1 1 1 12 10 1.2
46 How do the actors compromise our systems? 4 3 5 1 1 1 1 5 5 4 30 10 3
47 If there were zero limitations, what would we do differently? 1 1 3 5 5 1 4 3 1 1 25 10 2.5
48 If the liability portion of a Cybersecurity insurance policy is a claims-made policy, is an extended reporting endorsement (tail coverage) offered? 1 1 1 1 1 1 1 3 1 1 12 10 1.2
49 Are there any disadvantages to implementing Cyber Security Risk Management? There might be some that are less obvious. 1 1 1 1 2 1 1 1 1 2 12 10 1.2
50 Did my employees make progress today? 1 1 5 1 1 2 1 3 1 1 17 10 1.7
51 How do you assess vulnerabilities to your system and assets? 1 3 4 4 2 1 1 1 1 4 22 10 2.2
52 How will you motivate the dishwashers? 1 1 1 4 1 1 1 1 2 5 18 10 1.8
53 If we weren't already in this business, would we enter it today? And if not, what are we going to do about it? 3 1 1 1 5 1 2 1 1 1 17 10 1.7
54 Who will manage the integration of tools? 1 1 1 4 2 1 1 1 1 1 14 10 1.4
55 What stupid rule would we most like to kill? 3 1 1 3 1 1 4 1 1 1 17 10 1.7
56 What management system can we use to leverage the Cyber Security Risk Management experience, ideas, and concerns of the people closest to the work to be done? 1 1 1 1 1 1 1 1 1 1 10 10 1
57 What are specific Cyber Security Risk Management Rules to follow? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
58 What has the company done to bolster its Cybersecurity program? 1 5 1 1 1 1 1 1 1 1 14 10 1.4
59 Who are the key stakeholders? 1 1 1 1 1 1 1 1 1 1 10 10 1
60 NIST Cybersecurity Framework Criterion RS.AN-3: Forensics are performed 1 4 1 1 1 1 1 1 1 1 13 10 1.3
61 How much should we invest in Cybersecurity (and how should those funds be allocated)? 1 1 1 1 1 1 1 1 1 1 10 10 1
62 How much contingency will be available in the budget? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
63 Are records kept of Cybersecurity access to key systems? 1 1 1 1 1 1 4 1 1 1 13 10 1.3
64 Does your organization perform vulnerability assessment activities as part of the acquisition cycle for products in each of the following areas: Cybersecurity, SCADA, smart grid, internet connectivity, and website hosting? 1 1 1 1 4 1 1 1 2 5 18 10 1.8
65 Is there a Cybersecurity budget? 1 1 1 1 1 1 1 1 1 1 10 10 1
66 Are recovery activities communicated to internal stakeholders and executive and management teams? 1 5 1 1 1 1 1 1 1 4 17 10 1.7
67 If you had to rebuild your organization without any traditional competitive advantages (i.e., no killer technology, promising research, innovative product/service delivery model, etc.), how would your people have to approach their work and collaborate in order to create the necessary conditions for success? 1 2 1 1 1 1 1 5 1 2 16 10 1.6
68 What counts that we are not counting? 1 1 1 1 1 1 1 1 3 1 12 10 1.2
69 What are the critical success factors? 1 1 1 1 2 1 1 1 1 1 11 10 1.1
70 NIST Cybersecurity Framework Criterion ID.GV-1: Organizational information security policy is established 1 1 1 1 1 1 1 1 1 1 10 10 1
71 Has your system or website's availability been disrupted? 3 5 1 1 1 1 3 1 5 1 22 10 2.2
72 Are we making progress? And are we making progress as Cyber Security Risk Management leaders? 1 5 1 1 1 1 2 1 1 1 15 10 1.5
73 Why don't our customers like us? 1 1 1 1 1 1 1 2 1 1 11 10 1.1
74 Who will determine interim and final deadlines? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
75 What is something you believe that nearly no one agrees with you on? 1 4 1 1 1 1 1 1 1 1 13 10 1.3
76 In retrospect, of the projects that we pulled the plug on, what percent do we wish had been allowed to keep going, and what percent do we wish had ended earlier? 1 1 1 1 4 1 1 3 1 1 15 10 1.5
77 Are individuals specifically assigned Cybersecurity responsibility? 1 1 1 1 1 5 1 1 4 1 17 10 1.7
78 How much to invest in Cybersecurity? 1 1 5 1 1 1 1 1 3 1 16 10 1.6
79 NIST Cybersecurity Framework Criterion PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties 1 4 3 1 1 1 1 1 1 1 15 10 1.5
80 What happens at this company when people fail? 4 2 1 1 1 5 1 4 1 1 21 10 2.1
81 NIST Cybersecurity Framework Criterion PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) 2 1 1 1 1 1 1 1 1 1 11 10 1.1
82 We picked a method, now what? 3 1 1 1 1 2 1 3 1 1 15 10 1.5
83 NIST Cybersecurity Framework Criterion PR.AT-1: All users are informed and trained 1 1 1 4 1 1 3 1 1 1 15 10 1.5
84 In what ways are Cyber Security Risk Management vendors and us interacting to ensure safe and effective use? 1 1 1 1 1 1 3 2 1 1 13 10 1.3
85 Are we paying enough attention to the partners our company depends on to succeed? 1 1 1 1 4 1 1 1 1 1 13 10 1.3
86 Whom among your colleagues do you trust, and for what? 1 1 1 5 1 1 1 4 1 1 17 10 1.7
87 Are your recovery strategies regularly updated? 1 1 1 1 1 1 1 1 4 1 13 10 1.3
88 What will be the consequences to the business (financial, reputation, etc.) if Cyber Security Risk Management does not go ahead or fails to deliver the objectives? 4 1 1 1 1 1 3 1 1 1 15 10 1.5
89 What business benefits will Cyber Security Risk Management goals deliver if achieved? 1 1 1 1 1 5 1 1 4 1 17 10 1.7
90 NIST Cybersecurity Framework Criterion PR.AC-1: Identities and credentials are managed for authorized devices and users 4 1 1 1 1 1 1 1 1 1 13 10 1.3
91 Were lessons learned captured and communicated? 1 1 1 1 1 1 1 3 1 1 12 10 1.2
92 How do we go about Securing Cyber Security Risk Management? 1 1 1 5 1 1 1 1 1 1 14 10 1.4
93 How do you report cyberattacks? 1 1 1 3 1 1 1 1 1 2 13 10 1.3
94 Has anyone made unauthorized changes or additions to your system's hardware, firmware, or software characteristics without your IT department's knowledge, instruction, or consent? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
95 What are the business goals Cyber Security Risk Management is aiming to achieve? 1 1 2 4 5 1 1 5 1 5 26 10 2.6
96 How do we Lead with Cyber Security Risk Management in Mind? 1 1 5 1 1 2 1 1 1 1 15 10 1.5
97 How can you negotiate Cyber Security Risk Management successfully with a stubborn boss, an irate client, or a deceitful coworker? 1 5 1 1 1 1 1 1 1 1 14 10 1.4
98 What happens if you do not have enough funding? 3 1 1 1 2 1 1 1 1 1 13 10 1.3
99 Do you have an internal or external company performing your vulnerability assessment? 1 5 4 1 1 1 5 1 1 1 21 10 2.1
100 How are we doing compared to our industry? 1 1 1 1 1 1 3 1 1 1 12 10 1.2
101 Can we maintain our growth without detracting from the factors that have contributed to our success? 1 1 1 1 3 1 1 1 1 1 12 10 1.2
102 What one word do we want to own in the minds of our customers, employees, and partners? 1 1 1 1 1 1 1 1 1 1 10 10 1
103 Who is the main stakeholder, with ultimate responsibility for driving Cyber Security Risk Management forward? 1 4 1 1 1 4 2 1 1 3 19 10 1.9
104 Has the company experienced an increase in the number of Cybersecurity breaches? 1 1 4 1 1 1 1 1 1 4 16 10 1.6
105 Is there any reason to believe the opposite of my current belief? 1 1 4 1 1 1 4 1 1 5 20 10 2
106 Who do we want our customers to become? 1 1 5 1 1 1 1 1 1 4 17 10 1.7
107 What are the gaps in my knowledge and experience? 1 2 1 3 1 1 1 1 2 1 14 10 1.4
108 How can we become the company that would put us out of business? 1 1 1 1 4 1 1 1 2 1 14 10 1.4
109 Do you keep 50% of your time unscheduled? 1 1 1 1 1 1 1 1 4 1 13 10 1.3
110 How do we end up with a world where we don't have Cybersecurity haves and have-nots? 1 5 1 3 2 1 1 1 1 1 17 10 1.7
111 Ask yourself: how would we do this work if we only had one staff member to do it? 2 1 1 5 1 1 1 1 1 2 16 10 1.6
112 Is the Cybersecurity policy reviewed or audited? 1 4 1 1 5 1 1 1 1 1 17 10 1.7
113 Does the company use the NIST Cybersecurity framework? 3 1 1 1 1 1 1 1 1 1 12 10 1.2
114 Are you satisfied with your current role? If not, what is missing from it? 1 1 1 2 5 1 1 1 1 3 17 10 1.7
115 How are conflicts dealt with? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
116 Who's in charge of inactivating user names and passwords as personnel changes occur? 1 1 1 1 1 1 1 4 1 1 13 10 1.3
117 Will it be accepted by users? 1 1 1 1 1 1 1 5 4 1 17 10 1.7
118 Do you see more potential in people than they do in themselves? 1 1 1 1 1 1 1 1 1 3 12 10 1.2
119 Am I failing differently each time? 1 1 1 1 1 1 2 1 5 3 17 10 1.7
120 How do you assess threats to your system and assets? 1 1 1 4 1 1 1 1 1 1 13 10 1.3
121 How do various engineering job roles and Cybersecurity specialty roles engage to maximize constructive overlap and differences to address security for our systems? 1 1 1 1 1 4 1 1 1 1 13 10 1.3
122 Has the impact of Cyber Security Risk Management been shown? 1 1 2 5 1 1 1 1 1 2 16 10 1.6
123 Which functions and people interact with the supplier and or customer? 1 1 4 1 1 1 1 5 2 1 18 10 1.8
124 Do you have policies and regulations in place regarding the physical and operating environment for organizational assets? 1 1 5 1 1 1 1 1 1 1 14 10 1.4
125 NIST Cybersecurity Framework Criterion DE.CM-4: Malicious code is detected 1 1 1 1 1 1 2 1 1 1 11 10 1.1
126 What is your BATNA (best alternative to a negotiated agreement)? 3 3 1 1 1 2 1 1 1 1 15 10 1.5
127 Whose voice (department, ethnic group, women, older workers, etc) might you have missed hearing from in your company, and how might you amplify this voice to create positive momentum for your business? 1 1 1 1 1 1 1 1 1 5 14 10 1.4
128 Which models, tools and techniques are necessary? 5 5 1 1 3 1 1 1 5 1 24 10 2.4
129 If you had to rebuild your organization without any traditional competitive advantages, how would your people have to approach their work and collaborate together in order to create the necessary conditions for success? 1 1 1 1 1 1 1 3 1 1 12 10 1.2
130 In a project to restructure Cyber Security Risk Management outcomes, which stakeholders would you involve? 1 1 1 1 4 1 1 1 1 1 13 10 1.3
131 Do we underestimate the customer's journey? 5 1 1 3 4 5 5 1 1 1 27 10 2.7
132 NIST Cybersecurity Framework Criterion DE.CM-5: Unauthorized mobile code is detected 1 1 1 2 1 5 1 1 1 1 15 10 1.5
133 What are the top 3 things at the forefront of our Cyber Security Risk Management agendas for the next 3 years? 1 1 1 1 1 1 3 1 1 1 12 10 1.2
134 NIST Cybersecurity Framework Criterion PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met 1 1 1 1 1 1 1 2 1 1 11 10 1.1
135 What information is critical to our organization that our executives are ignoring? 1 4 1 2 1 1 1 1 1 1 14 10 1.4
136 What is it like to work for me? 2 1 1 3 1 1 1 1 1 1 13 10 1.3
137 What should we stop doing? 1 3 1 1 1 1 1 1 1 4 15 10 1.5
138 Instead of going to current contacts for new ideas, what if you reconnected with dormant contacts, the people you used to know? If you were going to reactivate a dormant tie, who would it be? 1 1 5 1 1 1 1 1 1 1 14 10 1.4
139 Have we had a PCI compliance assessment done? 1 1 1 1 2 2 1 1 1 1 12 10 1.2
140 NIST Cybersecurity Framework Criterion PR.AC-3: Remote access is managed 1 1 1 1 1 1 1 1 5 1 14 10 1.4
141 What are your key business, operational, societal responsibility, and human resource strategic challenges and advantages? 1 1 3 1 1 1 1 1 1 1 12 10 1.2
142 Who is responsible for errors? 4 1 1 1 5 1 1 1 1 1 17 10 1.7
143 Has your system or website's availability been disrupted? 1 1 5 1 1 1 4 1 1 1 17 10 1.7
This document is a partial preview. Full document download can be found on Flevy:
http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
Assessment Dashboard - Cyber Security Risk Management
  • 1. Self-Assessment: Cyber Security Risk Management Read Introduction Self-Assess RACI Matrix View Scores
  • 2. Introduction, about the Cyber Security Risk Management Self-Assessment Defining, designing, creating, and implementing a process to solve a business challenge or meet a business objective is the most valuable role… In EVERY company, organization and department. Unless you are talking a one-time, single-use project within a business, there should be a process. Whether that process is managed and implemented by humans, AI, or a combination of the two, it needs to be designed by someone with a complex enough perspective to ask the right questions. Someone capable of asking the right questions and step back and say, 'What are we really trying to accomplish here? And is there a different way to look at it?' For more than twenty years, The Art of Service's Self-Assessments empower people who can do just that - whether their title is marketer, entrepreneur, manager, salesperson, consultant, business process manager, executive assistant, IT Manager, CxO etc... - they are the people who rule the future. They are people who watch the process as it happens, and ask the right questions to make the process work better. This Self-Assessment is for managers, advisors, consultants, specialists, professionals and anyone interested in knowing the right questions to ask. Featuring new and updated case-based questions, organized into seven core areas of process design, this Self- Assessment will help you identify areas in which improvements can be made. In using the questions you will be better able to: diagnose projects, initiatives, organizations, businesses and processes using accepted diagnostic standards and practices implement evidence-based best practice strategies aligned with overall goals integrate recent advances in the topic and process design strategies into practice according to best practice guidelines Using a Self-Assessment tool known as the Self-Assessment Radar Chart, you will develop a clear picture of the areas where improvements can be made. 
Start Self-Assessment This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
  • 3. This spreadsheet has been designed for 1-10 participants and is easy to expand; multiple spreadsheets can be used to assess with a large group or modify formula's etc. You can use this spreadsheet as the starting point for deeper analysis. One suggestion is to use Pivot Tables, for even more powerful analysis, or import the data in analysis and reporting tools like Tableau, SAP, ZOHO or the Business Intelligence tool of your choice. You are free to use the Self-Assessment contents in your presentations and materials for customers without asking us - we are here to help. The Art of Service has helped hundreds of clients to improve execution and meet the needs of customers better by applying process redesign. How can we help you? For all questions regarding this Self-Assessment or to discuss how our team can help your business achieve true results, please visit https://store.theartofservice.com/contact-us/ This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
  • 4. Below are the only valid entries for the assessment. This Self-Assessment is set up to process 1-10 participant's views. When using for less than 10 participants, the entry fields need to stay clear/empty so it does not skew the results. Each participants answer is to be recorded using the drop down box next to the question and select an answer of 1-5, or leave at Non applicable for each question for each process area. In my belief, the answer to the following question is clearly defined: (click 'Not applicable' under Participant name to change value, leave at 'Not applicable' if the question is not matched to your goals/needs) 1 Strongly Disagree 2 Disagree 3 Neutral 4 Agree 5 Strongly Agree Step 1 - Enter the names of the participants here: Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Step 2 - Now have each participant answer each question for each Process area, under their name. Click 'Not applicable' under Participant name to change value, leave at 'Not applicable' if the question is not matched to your goals/needs. 1 Recognize Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg "In my belief, the answer to the following question is clearly defined:" 0 0 0 1 Who defines the rules in relation to any given issue? 5 5 2 5 5 5 5 1 4 5 42 10 4.2 2 What situation(s) led to this Cyber Security Risk Management Self Assessment? 4 5 5 3 5 5 5 5 5 5 47 10 4.7 3 Will it solve real problems? 5 1 2 5 5 5 5 5 5 5 43 10 4.3 4 Do we use IT personnel directly, use outsourcing, or use both approaches to address IT issues? 5 5 2 2 5 3 1 5 5 5 38 10 3.8 5 What do we need to start doing? 5 5 5 4 5 5 5 5 5 5 49 10 4.9 6 What vendors make products that address the Cyber Security Risk Management needs? 
# | Question | Participant 1 to 10 | Total | Count | Avg
(preceding question, text not on this slide) | 5 5 5 5 5 5 5 5 3 5 | 48 | 10 | 4.8
7 | What are the business objectives to be achieved with Cyber Security Risk Management? | 5 1 5 5 5 5 5 5 5 5 | 46 | 10 | 4.6
8 | How can auditing be a preventative security measure? | 5 1 5 5 5 5 5 4 5 5 | 45 | 10 | 4.5
9 | Are controls defined to recognize and contain problems? | 3 5 1 5 5 5 5 2 5 5 | 41 | 10 | 4.1
10 | What information do users need? | 2 5 5 5 5 5 5 5 5 5 | 47 | 10 | 4.7
11 | NIST Cybersecurity Framework Criterion ID.BE-2: The organization’s place in critical infrastructure and its industry sector is identified and communicated | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
12 | When a Cyber Security Risk Management manager recognizes a problem, what options are available? | 5 5 3 5 2 2 5 5 5 5 | 42 | 10 | 4.2
13 | NIST Cybersecurity Framework Criterion RS.CO-1: Personnel know their roles and order of operations when a response is needed | 5 5 5 5 2 2 5 5 1 5 | 40 | 10 | 4
14 | What training and capacity building actions are needed to implement proposed reforms? | 5 5 5 5 5 5 5 4 5 5 | 49 | 10 | 4.9
15 | NIST Cybersecurity Framework Criterion RS.CO-2: Events are reported consistent with established criteria | 5 5 5 3 5 5 5 5 5 5 | 48 | 10 | 4.8
16 | How does it fit into our organizational needs and tasks? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
17 | What should be considered when identifying available resources, constraints, and deadlines? | 5 5 5 5 5 5 5 1 5 5 | 46 | 10 | 4.6
18 | NIST Cybersecurity Framework Criterion DE.DP-4: Event detection information is communicated to appropriate parties | 5 5 5 5 5 3 5 5 5 5 | 48 | 10 | 4.8
19 | Is remote maintenance of organizational assets approved, logged, and performed in a manner that prevents unauthorized access? | 5 5 5 5 5 5 5 5 5 2 | 47 | 10 | 4.7
20 | Why do we need to keep records? | 5 5 5 5 5 5 5 5 5 4 | 49 | 10 | 4.9
21 | What else needs to be measured? | 5 5 5 5 5 5 3 5 5 3 | 46 | 10 | 4.6
22 | Do we support the certified Cybersecurity professional and cyber-informed operations and engineering professionals with advanced problem-solving tools, communities of practice, canonical knowledge bases, and other performance support tools? | 5 5 5 5 5 2 5 5 3 5 | 45 | 10 | 4.5
23 | Who else hopes to benefit from it? | 5 5 5 2 5 2 5 1 5 5 | 40 | 10 | 4
24 | For your Cyber Security Risk Management project, identify and describe the business environment. Is there more than one layer to the business environment? | 5 5 5 4 5 2 5 5 5 5 | 46 | 10 | 4.6
25 | What is the smallest subset of the problem we can usefully solve? | 4 2 5 5 5 5 5 5 5 5 | 46 | 10 | 4.6
26 | NIST Cybersecurity Framework Criterion PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | 1 5 5 5 5 5 5 5 4 5 | 45 | 10 | 4.5
27 | How much are sponsors, customers, partners, stakeholders involved in Cyber Security Risk Management? In other words, what are the risks if Cyber Security Risk Management does not deliver successfully? | 5 5 3 5 5 5 5 5 5 2 | 45 | 10 | 4.5
28 | Does our organization need more Cyber Security Risk Management education? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
29 | What's De-identified? | 5 5 4 5 5 5 1 5 5 1 | 41 | 10 | 4.1
30 | Will a response program recognize when a crisis occurs and provide some level of response? | 2 4 5 4 5 5 5 5 2 1 | 38 | 10 | 3.8
31 | Can Management personnel recognize the monetary benefit of Cyber Security Risk Management? | 5 5 5 5 5 1 5 3 5 5 | 44 | 10 | 4.4
32 | How are the Cyber Security Risk Management's objectives aligned to the organization’s overall business strategy? | 2 5 5 5 3 4 5 4 5 5 | 43 | 10 | 4.3
33 | How do we identify specific Cyber Security Risk Management investment and emerging trends? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
34 | Have we articulated reporting elements for the kinds of information you disclose in the event of an attack? | 5 5 5 5 5 5 5 3 5 5 | 48 | 10 | 4.8
35 | As a sponsor, customer or management, how important is it to meet goals, objectives? | 2 5 5 5 5 5 5 2 5 5 | 44 | 10 | 4.4
36 | Will new equipment/products be required to facilitate Cyber Security Risk Management delivery, for example is new software needed? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
37 | Does Cyber Security Risk Management create potential expectations in other areas that need to be recognized and considered? | 5 5 3 5 5 1 1 5 5 5 | 40 | 10 | 4
38 | What would happen if Cyber Security Risk Management weren’t done? | 5 5 5 5 5 5 5 5 5 2 | 47 | 10 | 4.7
39 | What tools and technologies are needed for a custom Cyber Security Risk Management project? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
40 | How do you identify the information basis for later specification of performance or acceptance criteria? | 5 5 5 5 3 5 5 5 5 5 | 48 | 10 | 4.8
This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
41 | Are there any specific expectations or concerns about the Cyber Security Risk Management team, Cyber Security Risk Management itself? | 1 5 5 5 5 5 5 5 5 5 | 46 | 10 | 4.6
42 | Think about the people you identified for your Cyber Security Risk Management project and the project responsibilities you would assign to them. What kind of training do you think they would need to perform these responsibilities effectively? | 5 4 5 5 5 5 5 5 5 5 | 49 | 10 | 4.9
43 | What does Cyber Security Risk Management success mean to the stakeholders? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
44 | What prevents me from making the changes I know will make me a more effective Cyber Security Risk Management leader? | 4 4 1 2 5 5 5 5 5 4 | 40 | 10 | 4
45 | What problems are you facing and how do you consider Cyber Security Risk Management will circumvent those obstacles? | 5 5 5 5 5 5 5 4 5 5 | 49 | 10 | 4.9
46 | NIST Cybersecurity Framework Criterion ID.BE-1: The organization’s role in the supply chain is identified and communicated | 5 5 4 5 5 5 5 5 5 5 | 49 | 10 | 4.9
47 | What is the framework we use for general Cybersecurity certifications that integrate both knowledge and skill while predicting constraints of innate abilities on performance, and do we need specific certifications? | 5 5 5 5 5 5 2 3 5 5 | 45 | 10 | 4.5
48 | How do you identify the kinds of information that you will need? | 4 5 5 5 5 3 5 5 1 5 | 43 | 10 | 4.3
49 | Do we know what we need to know about this topic? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
50 | What reporting occurs in the event of an attempted Cybersecurity breach, successful or not? | 5 5 5 5 5 5 3 5 5 5 | 48 | 10 | 4.8
51 | Are there recognized Cyber Security Risk Management problems? | 5 5 5 5 5 5 5 5 5 2 | 47 | 10 | 4.7
52 | NIST Cybersecurity Framework Criterion RC.CO-2: Reputation after an event is repaired | 5 5 5 1 4 3 5 5 1 5 | 39 | 10 | 3.9
53 | Is it clear when you think of the day ahead of you what activities and tasks you need to complete? | 5 5 5 1 5 5 5 4 5 5 | 45 | 10 | 4.5
54 | Will Cyber Security Risk Management deliverables need to be tested and, if so, by whom? | 5 5 5 3 5 5 5 5 5 5 | 48 | 10 | 4.8
55 | Does the company collect personally identifiable information electronically? | 5 5 3 5 4 5 5 5 5 5 | 47 | 10 | 4.7
56 | What are the expected benefits of Cyber Security Risk Management to the business? | 5 5 5 5 5 5 3 5 5 5 | 48 | 10 | 4.8
57 | What prevents me from making the changes I know will make me a more effective leader? | 2 5 5 5 5 5 5 5 5 1 | 43 | 10 | 4.3
58 | Are there Cyber Security Risk Management problems defined? | 5 5 5 5 5 5 5 5 5 5 | 50 | 10 | 5
59 | How are we going to measure success? | 1 1 5 5 5 5 5 5 5 5 | 42 | 10 | 4.2
SCORE | 262 273 268 269 283 263 274 266 274 267 | 2699 | 590 | 4.6

2. Define
"In my belief, the answer to the following question is clearly defined:"
# | Question | Participant 1 to 10 | Total | Count | Avg
1 | What would be the goal or target for a Cyber Security Risk Management's improvement team? | 4 5 4 4 3 5 4 4 4 5 | 42 | 10 | 4.2
2 | Is the team sponsored by a champion or business leader? | 5 5 5 5 5 5 5 4 5 4 | 48 | 10 | 4.8
3 | When was the Cyber Security Risk Management start date? | 4 1 5 4 1 5 5 4 4 2 | 35 | 10 | 3.5
4 | Is Cyber Security Risk Management linked to key business goals and objectives? | 4 4 5 5 5 4 4 4 5 4 | 44 | 10 | 4.4
5 | What are the current regulatory and regulatory reporting requirements in the United States (e.g. local, state, national, and other) for organizations relating to Cybersecurity? | 5 4 4 4 4 5 5 4 5 1 | 41 | 10 | 4.1
6 | Are customer(s) identified and segmented according to their different needs and requirements? | 5 4 4 4 2 5 5 2 2 5 | 38 | 10 | 3.8
7 | Is there regularly 100% attendance at the team meetings? If not, have appointed substitutes attended to preserve cross-functionality and full representation? | 3 4 3 4 5 5 4 5 5 3 | 41 | 10 | 4.1
8 | Is there a completed SIPOC representation, describing the Suppliers, Inputs, Process, Outputs, and Customers? | 5 4 1 4 3 5 5 4 5 4 | 40 | 10 | 4
9 | Is full participation by members in regularly held team meetings guaranteed? | 3 4 4 4 5 4 5 3 4 3 | 39 | 10 | 3.9
10 | What constraints exist that might impact the team? | 5 5 5 3 5 5 3 5 4 1 | 41 | 10 | 4.1
11 | Have all of the relationships been defined properly? | 3 5 5 5 5 4 5 5 5 4 | 46 | 10 | 4.6
12 | Are accountability and ownership for Cyber Security Risk Management clearly defined? | 4 2 5 2 4 4 4 5 4 1 | 35 | 10 | 3.5
13 | Do the requirements that we've gathered and the models that demonstrate them constitute a full and accurate representation of what we want? | 5 4 5 5 5 5 4 5 5 4 | 47 | 10 | 4.7
14 | Has a high-level ‘as is’ process map been completed, verified and validated? | 5 4 5 5 5 4 5 4 4 5 | 46 | 10 | 4.6
15 | NIST Cybersecurity Framework Criterion DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability | 5 5 4 4 4 5 5 4 5 4 | 45 | 10 | 4.5
16 | What Organizational Structure is Required? | 5 4 5 4 4 4 1 3 4 4 | 38 | 10 | 3.8
17 | Does Cyber Security Risk Management include applications and information with regulatory compliance significance (or other contractual conditions that must be formally complied with) in a new or unique manner for which no approved security requirements, templates or design models exist? | 5 2 4 5 4 4 4 5 4 5 | 42 | 10 | 4.2
18 | Are business processes mapped? | 4 4 5 4 2 4 4 5 5 4 | 41 | 10 | 4.1
19 | What performance requirements do you want from the company? | 4 5 4 5 1 5 3 5 5 1 | 38 | 10 | 3.8
20 | How would you define the culture here? | 4 4 4 4 5 5 2 5 4 5 | 42 | 10 | 4.2
21 | Are there any constraints known that bear on the ability to perform Cyber Security Risk Management work? How is the team addressing them? | 2 4 4 5 3 5 4 5 4 5 | 41 | 10 | 4.1
22 | In what way can we redefine the criteria of choice clients have in our category in our favor? | 4 4 4 5 5 4 4 5 4 4 | 43 | 10 | 4.3
23 | Are customers identified and high impact areas defined? | 4 4 5 4 5 5 5 5 5 4 | 46 | 10 | 4.6
24 | NIST Cybersecurity Framework Criterion DE.DP-2: Detection activities comply with all applicable requirements | 5 3 5 4 4 5 4 2 4 4 | 40 | 10 | 4
25 | What are the security information requirements of Cybersecurity stakeholders? | 5 5 4 4 5 4 5 5 5 1 | 43 | 10 | 4.3
26 | Has a project plan, Gantt chart, or similar been developed/completed? | 5 4 5 5 5 4 3 4 5 5 | 45 | 10 | 4.5
27 | Do we all define Cyber Security Risk Management in the same way? | 2 4 4 2 4 3 5 4 5 1 | 34 | 10 | 3.4
28 | Are we specifically expressing Cybersecurity requirements to our partners, suppliers, and other third parties? | 5 2 4 4 4 5 4 4 4 1 | 37 | 10 | 3.7
29 | Is Cyber Security Risk Management currently on schedule according to the plan? | 5 5 5 5 5 5 5 5 3 4 | 47 | 10 | 4.7
30 | Is a fully trained team formed, supported, and committed to work on the Cyber Security Risk Management improvements? | 5 4 4 4 5 5 5 2 5 4 | 43 | 10 | 4.3
31 | Have the customer needs been translated into specific, measurable requirements? How? | 5 5 5 4 5 4 5 5 4 4 | 46 | 10 | 4.6
32 | Has a team charter been developed and communicated? | 3 5 5 4 5 5 4 4 1 5 | 41 | 10 | 4.1
33 | What are the boundaries of the scope? What is in bounds and what is not? What is the start point? What is the stop point? | 5 5 4 5 5 4 5 4 4 5 | 46 | 10 | 4.6
34 | How and when will baselines be defined? | 5 4 3 5 5 5 5 4 4 5 | 45 | 10 | 4.5
35 | Has anyone else (internal or external to the organization) attempted to solve this problem or a similar one before? If so, what knowledge can be leveraged from these previous efforts? | 5 5 2 4 4 4 5 5 4 5 | 43 | 10 | 4.3
36 | Has everyone on the team, including the team leaders, been properly trained? | 4 5 5 4 4 4 4 4 1 5 | 40 | 10 | 4
37 | Are there different segments of customers? | 4 4 1 5 4 4 5 5 4 5 | 41 | 10 | 4.1
38 | How did the Cyber Security Risk Management manager receive input to the development of a Cyber Security Risk Management improvement plan and the estimated completion dates/times of each activity? | 5 4 4 5 4 4 5 5 5 5 | 46 | 10 | 4.6
39 | How would one define Cyber Security Risk Management leadership? | 4 4 4 3 5 5 4 5 5 2 | 41 | 10 | 4.1
40 | Has the direction changed at all during the course of Cyber Security Risk Management? If so, when did it change and why? | 4 4 4 4 4 5 5 4 5 5 | 44 | 10 | 4.4
41 | Are team charters developed? | 1 4 1 5 4 4 4 4 3 4 | 34 | 10 | 3.4
42 | What are the compelling business reasons for embarking on Cyber Security Risk Management? | 4 2 3 5 5 1 4 5 5 5 | 39 | 10 | 3.9
43 | Is data collected and displayed to better understand customer(s) critical needs and requirements? | 5 4 5 5 4 4 5 4 3 2 | 41 | 10 | 4.1
44 | Will team members perform Cyber Security Risk Management work when assigned and in a timely fashion? | 5 1 4 4 5 5 1 4 5 2 | 36 | 10 | 3.6
45 | Is the improvement team aware of the different versions of a process: what they think it is vs. what it actually is vs. what it should be vs. what it could be? | 4 5 5 5 4 5 5 3 5 5 | 46 | 10 | 4.6
46 | Are approval levels defined for contracts and supplements to contracts? | 3 4 4 1 4 4 5 1 5 1 | 32 | 10 | 3.2
47 | How is the team tracking and documenting its work? | 4 5 5 5 4 4 2 5 4 5 | 43 | 10 | 4.3
48 | Will team members regularly document their Cyber Security Risk Management work? | 4 4 4 5 4 4 4 4 4 4 | 41 | 10 | 4.1
49 | Are improvement team members fully trained on Cyber Security Risk Management? | 3 1 5 4 4 4 4 4 4 4 | 37 | 10 | 3.7
50 | Are different versions of process maps needed to account for the different types of inputs? | 5 5 4 5 5 3 5 4 4 3 | 43 | 10 | 4.3
51 | What customer feedback methods were used to solicit their input? | 4 5 5 2 5 2 4 5 4 5 | 41 | 10 | 4.1
52 | What sources do you use to gather information for a Cyber Security Risk Management study? | 4 4 5 5 2 4 5 4 3 4 | 40 | 10 | 4
53 | When are meeting minutes sent out? Who is on the distribution list? | 1 5 4 4 4 3 4 4 4 4 | 37 | 10 | 3.7
54 | What baselines are required to be defined and managed? | 2 1 3 4 4 4 5 1 4 4 | 32 | 10 | 3.2
55 | Are task requirements clearly defined? | 5 5 5 1 5 4 4 5 4 4 | 42 | 10 | 4.2
56 | If substitutes have been appointed, have they been briefed on the Cyber Security Risk Management goals and received regular communications as to the progress to date? | 5 5 3 4 5 5 4 5 1 1 | 38 | 10 | 3.8
57 | Is there a critical path to deliver Cyber Security Risk Management results? | 4 4 4 5 4 5 4 4 5 3 | 42 | 10 | 4.2
58 | Is the current ‘as is’ process being followed? If not, what are the discrepancies? | 4 4 4 5 5 5 5 5 4 4 | 45 | 10 | 4.5
59 | Is the team formed and are team leaders (Coaches and Management Leads) assigned? | 5 5 5 5 5 3 5 4 5 5 | 47 | 10 | 4.7
60 | When is the estimated completion date? | 4 5 5 4 1 4 2 5 5 3 | 38 | 10 | 3.8
61 | How does the Cyber Security Risk Management manager ensure against scope creep? | 4 5 5 4 5 4 3 5 4 5 | 44 | 10 | 4.4
62 | Is it clearly defined in and to your organization what you do? | 4 4 5 5 4 5 4 4 4 4 | 43 | 10 | 4.3
63 | Is the team equipped with available and reliable resources? | 4 4 5 4 4 5 5 5 3 5 | 44 | 10 | 4.4
64 | Has/have the customer(s) been identified? | 5 1 5 5 5 4 4 5 5 4 | 43 | 10 | 4.3
65 | Is there a Cyber Security Risk Management management charter, including business case, problem and goal statements, scope, milestones, roles and responsibilities, communication plan? | 4 4 5 5 4 5 4 1 5 3 | 40 | 10 | 4
66 | In what way can we redefine the criteria of choice in our category in our favor, as Method introduced style and design to cleaning and Virgin America returned glamor to flying? | 4 4 5 5 5 4 4 4 2 5 | 42 | 10 | 4.2
67 | How will variation in the actual durations of each activity be dealt with to ensure that the expected Cyber Security Risk Management results are met? | 4 3 5 5 4 5 4 2 5 4 | 41 | 10 | 4.1
68 | Are we currently required to report any cyber incidents to any federal or state agencies? | 5 4 5 4 5 4 2 4 4 4 | 41 | 10 | 4.1
69 | What key business process output measure(s) does Cyber Security Risk Management leverage and how? | 4 4 4 5 4 5 2 5 3 4 | 40 | 10 | 4
70 | How will the Cyber Security Risk Management team and the organization measure complete success of Cyber Security Risk Management? | 4 5 5 4 4 4 4 5 4 5 | 44 | 10 | 4.4
71 | Does the team have regular meetings? | 5 5 5 4 4 3 3 3 5 4 | 41 | 10 | 4.1
72 | Is the Cyber Security Risk Management scope manageable? | 5 5 4 5 3 5 4 5 4 5 | 45 | 10 | 4.5
73 | What specifically is the problem? Where does it occur? When does it occur? What is its extent? | 1 5 4 1 3 5 5 5 5 4 | 38 | 10 | 3.8
74 | What defines Best in Class? | 2 5 4 5 5 1 5 5 5 4 | 41 | 10 | 4.1
75 | What are the rough order estimates on cost savings/opportunities that Cyber Security Risk Management brings? | 5 1 5 5 5 1 5 4 4 5 | 40 | 10 | 4
76 | Has the improvement team collected the ‘voice of the customer’ (obtained feedback – qualitative and quantitative)? | 5 4 1 4 4 4 3 5 4 4 | 38 | 10 | 3.8
77 | Have specific policy objectives been defined? | 4 5 2 4 5 2 1 5 4 4 | 36 | 10 | 3.6
78 | How often are the team meetings? | 5 4 2 2 5 4 4 4 4 4 | 38 | 10 | 3.8
79 | Is there a schedule for required password updates from default vendor or manufacturer passwords? | 3 4 4 2 4 5 4 4 2 4 | 36 | 10 | 3.6
80 | What tools and roadmaps did you use for getting through the Define phase? | 5 1 4 4 4 2 4 4 2 5 | 35 | 10 | 3.5
81 | What are the dynamics of the communication plan? | 4 5 4 4 5 4 4 5 5 4 | 44 | 10 | 4.4
82 | Is the team adequately staffed with the desired cross-functionality? If not, what additional resources are available to the team? | 3 1 5 4 5 5 4 5 4 5 | 41 | 10 | 4.1
83 | How do you keep key subject matter experts in the loop? | 4 2 2 4 5 4 4 4 4 5 | 38 | 10 | 3.8
84 | Are audit criteria, scope, frequency and methods defined? | 4 5 5 5 4 4 4 5 5 4 | 45 | 10 | 4.5
85 | Has the Cyber Security Risk Management work been fairly and/or equitably divided and delegated among team members who are qualified and capable to perform the work? Has everyone contributed? | 1 5 1 4 5 4 4 4 5 5 | 38 | 10 | 3.8
86 | Is the scope of Cyber Security Risk Management defined? | 5 4 5 4 4 4 5 4 5 5 | 45 | 10 | 4.5
87 | What are the Roles and Responsibilities for each team member and its leadership? Where is this documented? | 4 5 2 5 4 5 2 5 5 4 | 41 | 10 | 4.1
88 | Are Required Metrics Defined? | 4 3 4 5 4 4 4 5 4 1 | 38 | 10 | 3.8
89 | What scope do you want your strategy to cover? | 4 5 5 5 4 5 4 4 1 5 | 42 | 10 | 4.2
90 | How can the value of Cyber Security Risk Management be defined? | 4 5 4 4 3 4 1 3 5 4 | 37 | 10 | 3.7
91 | Are roles and responsibilities formally defined? | 2 4 2 5 5 5 4 5 5 5 | 42 | 10 | 4.2
92 | Do the problem and goal statements meet the SMART criteria (specific, measurable, attainable, relevant, and time-bound)? | 2 4 5 5 4 4 4 4 4 4 | 40 | 10 | 4
93 | How and when will baselines be defined? | 5 4 5 5 3 5 5 5 5 5 | 47 | 10 | 4.7
94 | NIST Cybersecurity Framework Criterion ID.BE-5: Resilience requirements to support delivery of critical services are established | 4 4 4 3 4 5 4 2 4 4 | 38 | 10 | 3.8
95 | What critical content must be communicated – who, what, when, where, and how? | 4 4 5 5 5 3 3 5 4 4 | 42 | 10 | 4.2
96 | Have all basic functions of Cyber Security Risk Management been defined? | 5 5 5 5 4 5 5 4 4 4 | 46 | 10 | 4.6
97 | Are security/privacy roles and responsibilities formally defined? | 5 4 3 4 4 5 4 5 1 4 | 39 | 10 | 3.9
98 | How was the ‘as is’ process map developed, reviewed, verified and validated? | 5 4 5 5 1 4 1 5 3 2 | 35 | 10 | 3.5
99 | Is there a completed, verified, and validated high-level ‘as is’ (not ‘should be’ or ‘could be’) business process map? | 5 5 4 4 3 5 3 5 5 4 | 43 | 10 | 4.3
100 | Who defines (or who defined) the rules and roles? | 5 4 4 5 4 5 4 3 5 3 | 42 | 10 | 4.2
101 | Who are the Cyber Security Risk Management improvement team members, including Management Leads and Coaches? | 5 5 5 5 4 5 3 4 4 4 | 44 | 10 | 4.4
SCORE | 415 405 418 429 420 429 404 426 415 391 | 4152 | 1010 | 4.1

3. Measure
"In my belief, the answer to the following question is clearly defined:"
# | Question | Participant 1 to 10 | Total | Count | Avg
1 | Do you participate in sharing communication, analysis, and mitigation measures with other companies as part of a mutual network of defense? | 3 5 3 5 5 3 5 3 3 5 | 40 | 10 | 4
2 | Among the Cyber Security Risk Management product and service cost to be estimated, which is considered hardest to estimate? | 4 1 5 4 2 4 4 5 4 5 | 38 | 10 | 3.8
3 | How will measures be used to manage and adapt? | 5 5 3 3 4 5 3 4 3 3 | 38 | 10 | 3.8
4 | How Will We Measure Success? | 4 4 5 3 3 3 3 3 5 4 | 37 | 10 | 3.7
5 | What is the right balance of time and resources between investigation, analysis, and discussion and dissemination? | 4 3 4 5 3 5 3 3 3 4 | 37 | 10 | 3.7
6 | Are there measurements based on task performance? | 3 3 4 4 3 3 4 3 4 3 | 34 | 10 | 3.4
7 | Where is it measured? | 4 5 4 4 4 1 3 3 4 4 | 36 | 10 | 3.6
8 | Do we effectively measure and reward individual and team performance? | 5 4 4 5 5 4 4 5 4 3 | 43 | 10 | 4.3
9 | Do we aggressively reward and promote the people who have the biggest impact on creating excellent Cyber Security Risk Management services/products? | 4 4 5 3 4 3 5 5 1 5 | 39 | 10 | 3.9
10 | How do we measure the effectiveness of our Cybersecurity program? | 4 3 2 5 5 4 5 5 5 4 | 42 | 10 | 4.2
11 | How do we focus on what is right, not who is right? | 4 3 4 2 3 3 3 5 1 4 | 32 | 10 | 3.2
12 | What potential environmental factors impact the Cyber Security Risk Management effort? | 5 3 5 3 4 2 4 4 1 4 | 35 | 10 | 3.5
13 | How to measure variability? | 3 5 3 4 5 4 5 5 3 1 | 38 | 10 | 3.8
14 | Why should we expend time and effort to implement measurement? | 4 5 5 1 5 5 4 5 1 1 | 36 | 10 | 3.6
15 | What are the key input variables? What are the key process variables? What are the key output variables? | 5 5 2 3 4 4 5 4 5 5 | 42 | 10 | 4.2
16 | How can you measure Cyber Security Risk Management in a systematic way? | 5 3 5 4 5 2 5 3 4 3 | 39 | 10 | 3.9
17 | Is performance measured? | 2 4 5 4 3 3 3 5 3 3 | 35 | 10 | 3.5
18 | Does Cyber Security Risk Management analysis isolate the fundamental causes of problems? | 4 4 3 5 4 5 3 5 4 5 | 42 | 10 | 4.2
19 | Which methods and measures do you use to determine workforce engagement and workforce satisfaction? | 4 5 5 3 2 4 3 3 4 5 | 38 | 10 | 3.8
20 | Will We Aggregate Measures across Priorities? | 3 3 1 4 4 3 4 5 3 5 | 35 | 10 | 3.5
21 | What has the team done to assure the stability and accuracy of the measurement process? | 4 5 3 5 3 5 4 5 4 3 | 41 | 10 | 4.1
22 | Is there a Performance Baseline? | 5 4 3 3 2 4 5 4 2 4 | 36 | 10 | 3.6
23 | Is it possible to estimate the impact of unanticipated complexity such as wrong or failed assumptions, feedback, etc. on proposed reforms? | 5 5 3 3 5 3 5 5 3 1 | 38 | 10 | 3.8
24 | How are you going to measure success? | 5 3 5 4 4 4 5 3 3 4 | 40 | 10 | 4
25 | Meeting the Challenge: Are Missed Cyber Security Risk Management opportunities Costing you Money? | 5 4 5 4 3 3 1 3 4 4 | 36 | 10 | 3.6
26 | How will you measure your Cyber Security Risk Management effectiveness? | 4 3 3 2 5 3 5 5 4 4 | 38 | 10 | 3.8
27 | Does Cyber Security Risk Management analysis show the relationships among important Cyber Security Risk Management factors? | 4 4 5 2 4 4 3 5 3 5 | 39 | 10 | 3.9
28 | Is data collection planned and executed? | 4 3 5 3 5 5 4 4 3 4 | 40 | 10 | 4
29 | Who participated in the data collection for measurements? | 3 3 3 2 3 4 5 3 5 5 | 36 | 10 | 3.6
30 | Does the Cyber Security Risk Management task fit the client's priorities? | 2 4 1 4 3 4 3 1 3 3 | 28 | 10 | 2.8
31 | Do you use contingency-driven consequence analysis? | 5 5 2 4 3 3 4 5 4 5 | 40 | 10 | 4
32 | How is the value delivered by Cyber Security Risk Management being measured? | 3 3 1 5 3 4 3 5 4 3 | 34 | 10 | 3.4
33 | What will be measured? | 5 5 3 5 3 5 4 4 3 4 | 41 | 10 | 4.1
34 | NIST Cybersecurity Framework Criterion ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis | 3 4 5 4 2 1 5 5 5 4 | 38 | 10 | 3.8
35 | What is measured? | 4 3 5 5 3 4 3 3 3 3 | 36 | 10 | 3.6
36 | NIST Cybersecurity Framework Criterion ID.RA-5: Threats, vulnerabilities, likelihoods, and impacts are used to determine risk | 3 5 2 4 5 3 4 5 4 4 | 39 | 10 | 3.9
37 | Have changes been properly/adequately analyzed for effect? | 3 3 5 1 4 4 3 3 3 4 | 33 | 10 | 3.3
38 | How is Knowledge Management Measured? | 3 3 4 2 4 3 5 3 3 5 | 35 | 10 | 3.5
39 | NIST Cybersecurity Framework Criterion ID.RA-4: Potential business impacts and likelihoods are identified | 3 4 4 5 3 4 2 2 3 2 | 32 | 10 | 3.2
40 | How do we prioritize risks? | 3 2 5 3 4 3 4 5 3 4 | 36 | 10 | 3.6
41 | What data was collected (past, present, future/ongoing)? | 4 5 5 3 4 4 3 3 3 4 | 38 | 10 | 3.8
42 | Do we provide the right level of specificity and guidance for mitigating the impact of Cybersecurity measures on privacy and civil liberties? | 5 5 4 4 4 5 4 3 4 4 | 42 | 10 | 4.2
43 | Why do measures/indicators matter? | 5 4 3 5 2 1 3 5 3 5 | 36 | 10 | 3.6
44 | NIST Cybersecurity Framework Criterion ID.AM-5: Resources (e.g., hardware, devices, data, and software) are prioritized based on their classification, criticality, and business value | 3 3 4 1 1 4 4 2 5 3 | 30 | 10 | 3
45 | How will success or failure be measured? | 4 5 4 1 4 5 1 4 4 3 | 35 | 10 | 3.5
46 | What about Cyber Security Risk Management Analysis of results? | 4 4 4 4 3 4 3 5 5 3 | 39 | 10 | 3.9
47 | NIST Cybersecurity Framework Criterion DE.AE-2: Detected events are analyzed to understand attack targets and methods | 3 5 3 5 4 4 2 1 4 3 | 34 | 10 | 3.4
48 | Is key measure data collection planned and executed, process variation displayed and communicated and performance baselined? | 3 4 5 4 5 5 3 3 4 5 | 41 | 10 | 4.1
49 | Who should receive measurement reports? | 3 2 4 4 3 5 4 3 3 3 | 34 | 10 | 3.4
50 | Is long term and short term variability accounted for? | 4 5 5 4 3 2 2 4 3 3 | 35 | 10 | 3.5
51 | What methods are feasible and acceptable to estimate the impact of reforms? | 5 5 4 4 5 4 5 4 3 3 | 42 | 10 | 4.2
52 | NIST Cybersecurity Framework Criterion PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity | 4 5 4 4 5 3 3 5 5 5 | 43 | 10 | 4.3
53 | Have the concerns of stakeholders to help identify and define potential barriers been obtained and analyzed? | 4 4 4 5 5 4 4 2 4 3 | 39 | 10 | 3.9
54 | Customer Measures: How Do Customers See Us? | 4 5 3 4 4 2 3 3 3 2 | 33 | 10 | 3.3
55 | Are key measures identified and agreed upon? | 3 3 5 5 5 4 3 4 5 5 | 42 | 10 | 4.2
56 | NIST Cybersecurity Framework Criterion ID.BE-3: Priorities for organizational mission, objectives, and activities are established and communicated | 3 5 2 4 5 3 1 5 3 4 | 35 | 10 | 3.5
57 | How do you determine which systems, components and functions get priority in regard to implementation of new Cybersecurity measures? | 4 3 1 5 5 4 3 1 4 5 | 35 | 10 | 3.5
58 | Are you taking your company in the direction of better and revenue or cheaper and cost? | 1 4 4 5 3 3 3 4 3 5 | 35 | 10 | 3.5
59 | What are my customers' expectations and measures? | 4 3 4 2 3 5 5 4 3 4 | 37 | 10 | 3.7
60 | Have you found any ‘ground fruit’ or ‘low-hanging fruit’ for immediate remedies to the gap in performance? | 3 4 2 3 4 3 4 3 3 4 | 33 | 10 | 3.3
61 | There are two philosophical approaches to implementing Cybersecurity on an intelligent, networked grid: create a checklist of actions to take that address known security problems, or prioritize actions based on continually refreshing the answer to the question, “What makes my system more secure?” Which approach do we take? | 5 4 5 4 3 5 4 3 4 4 | 41 | 10 | 4.1
62 | Does Cyber Security Risk Management systematically track and analyze outcomes for accountability and quality improvement? | 4 4 3 3 5 5 5 3 2 4 | 38 | 10 | 3.8
63 | What are the uncertainties surrounding estimates of impact? | 4 4 4 3 4 2 3 4 5 4 | 37 | 10 | 3.7
64 | How are measurements made? | 4 4 5 1 5 4 4 5 1 3 | 36 | 10 | 3.6
65 | How is progress measured? | 3 3 3 3 3 3 1 2 4 3 | 28 | 10 | 2.8
66 | How do you measure success? | 4 3 5 5 5 5 5 1 4 5 | 42 | 10 | 4.2
67 | Why Measure? | 4 5 4 4 4 4 4 5 3 4 | 41 | 10 | 4.1
68 | Meeting the challenge: are missed Cyber Security Risk Management opportunities costing us money? | 5 5 3 4 4 3 1 5 5 4 | 39 | 10 | 3.9
69 | NIST Cybersecurity Framework Criterion ID.RA-6: Risk responses are identified and prioritized | 3 4 3 5 4 2 3 4 5 5 | 38 | 10 | 3.8
70 | What charts has the team used to display the components of variation in the process? | 4 4 5 4 5 5 5 4 5 2 | 43 | 10 | 4.3
71 | Why do the measurements/indicators matter? | 4 5 2 5 3 4 3 3 5 5 | 39 | 10 | 3.9
72 | Does the practice systematically track and analyze outcomes for accountability and quality improvement? | 4 3 3 3 5 5 4 3 5 5 | 40 | 10 | 4
73 | How can we measure the performance? | 3 4 4 5 3 3 5 1 5 4 | 37 | 10 | 3.7
74 | How do you prioritize risks? | 3 1 5 3 5 4 3 5 3 5 | 37 | 10 | 3.7
75 | What evidence is there and what is measured? | 2 5 4 5 5 5 5 1 3 5 | 40 | 10 | 4
76 | Is a solid data collection plan established that includes measurement systems analysis? | 5 5 5 5 5 5 4 3 5 5 | 47 | 10 | 4.7
77 | Was a data collection plan established? | 3 1 5 3 5 4 4 5 5 4 | 39 | 10 | 3.9
78 | What is an unallowable cost? | 5 4 5 5 5 3 5 3 3 2 | 40 | 10 | 4
79 | Are we taking our company in the direction of better and revenue or cheaper and cost? | 3 3 5 5 3 4 5 4 4 3 | 39 | 10 | 3.9
80 | Are priorities and opportunities deployed to your suppliers, partners, and collaborators to ensure organizational alignment? | 4 3 3 3 5 3 3 5 5 5 | 39 | 10 | 3.9
81 | Are the units of measure consistent? | 3 1 2 5 4 3 3 1 2 5 | 29 | 10 | 2.9
82 | What Relevant Entities could be measured? | 4 4 5 3 5 3 4 3 5 3 | 39 | 10 | 3.9
83 | Why focus on Cybersecurity & resilience? | 3 3 3 4 3 4 3 4 4 5 | 36 | 10 | 3.6
84 | How will effects be measured? | 4 1 5 4 5 4 5 2 4 3 | 37 | 10 | 3.7
85 | Can We Measure the Return on Analysis? | 5 3 4 5 3 3 3 5 4 3 | 38 | 10 | 3.8
86 | What measurements are being captured? | 1 3 3 4 4 5 4 5 5 2 | 36 | 10 | 3.6
87 | Have all non-recommended alternatives been analyzed in sufficient detail? | 2 4 4 4 3 3 3 3 5 4 | 35 | 10 | 3.5
88 | Are process variation components displayed/communicated using suitable charts, graphs, plots? | 3 3 4 5 5 5 4 5 4 3 | 41 | 10 | 4.1
89 | What particular quality tools did the team find helpful in establishing measurements? | 4 4 3 5 5 4 5 3 5 3 | 41 | 10 | 4.1
90 | What are the types and number of measures to use? | 4 5 5 4 4 3 3 4 3 3 | 38 | 10 | 3.8
91 | How frequently do we track measures? | 5 3 3 4 5 1 5 4 4 4 | 38 | 10 | 3.8
92 | Is this an issue for analysis or intuition? | 5 5 3 5 3 4 5 4 4 2 | 40 | 10 | 4
93 | NIST Cybersecurity Framework Criterion RS.AN-2: The impact of the incident is understood | 4 4 5 3 3 3 4 5 5 5 | 41 | 10 | 4.1
94 | How do you identify and analyze stakeholders and their interests? | 4 5 4 3 3 2 3 1 5 5 | 35 | 10 | 3.5
95 | Are high impact defects defined and identified in the business process? | 4 4 3 5 2 3 4 5 5 5 | 40 | 10 | 4
96 | Which Stakeholder Characteristics Are Analyzed? | 4 5 4 4 3 4 5 5 3 3 | 40 | 10 | 4
97 | What should be measured? | 4 5 3 1 3 5 4 3 4 3 | 35 | 10 | 3.5
98 | Which customers can't participate in our Cyber Security Risk Management domain because they lack skills, wealth, or convenient access to existing solutions? | 1 5 5 3 5 3 3 3 5 3 | 36 | 10 | 3.6
99 | NIST Cybersecurity Framework Criterion DE.AE-4: Impact of events is determined | 4 5 3 3 5 5 4 2 3 4 | 38 | 10 | 3.8
100 | Do staff have the necessary skills to collect, analyze, and report data? | 2 5 5 5 1 3 5 2 4 5 | 37 | 10 | 3.7
101 | Which customers can't participate in our market because they lack skills, wealth, or convenient access to existing solutions? | 1 4 4 1 3 4 5 5 3 4 | 34 | 10 | 3.4
102 | What do the charts tell us in terms of variation? | 3 5 4 4 5 1 5 1 3 3 | 34 | 10 | 3.4
103 | What key measures identified indicate the performance of the business process? | 5 5 3 4 5 5 5 4 4 4 | 44 | 10 | 4.4
104 | Have the types of risks that may impact Cyber Security Risk Management been identified and analyzed? | 1 4 3 3 5 5 1 5 1 4 | 32 | 10 | 3.2
105 | Are losses documented, analyzed, and remedial processes developed to prevent future losses? | 5 3 4 4 5 5 5 4 5 4 | 44 | 10 | 4.4
106 | How do we do risk analysis of rare, cascading, catastrophic events? | 3 4 4 2 4 5 3 5 5 4 | 39 | 10 | 3.9
107 | When is Knowledge Management Measured? | 3 3 5 1 3 3 4 3 4 2 | 31 | 10 | 3.1
108 | Not all cyber-connected assets are essential to protect at all cost. Some assets, however, are “crown jewels” – worth protecting at all costs. Other assets may be more like “paperclips” where the expense of protection exceeds the benefit. How do you tell the difference? | 3 5 2 3 4 2 3 3 3 5 | 33 | 10 | 3.3
109 | How to measure lifecycle phases? | 4 5 5 3 5 3 4 3 5 4 | 41 | 10 | 4.1
110 | What are our key indicators that you will measure, analyze and track? | 1 4 3 3 3 5 4 4 3 3 | 33 | 10 | 3.3
111 | What are the costs of reform? | 5 4 3 3 4 5 3 4 3 5 | 39 | 10 | 3.9
112 | How large is the gap between current performance and the customer-specified (goal) performance? | 2 4 4 2 3 1 4 3 4 4 | 31 | 10 | 3.1
113 | What to measure and why? | 3 4 4 5 4 5 3 5 4 4 | 41 | 10 | 4.1
114 | What are measures? | 5 5 3 5 4 3 3 3 3 3 | 37 | 10 | 3.7
115 | Why identify and analyze stakeholders and their interests? | 2 4 5 4 3 4 4 2 5 5 | 38 | 10 | 3.8
116 | Is the solution cost-effective? | 3 5 3 4 3 3 5 3 1 4 | 34 | 10 | 3.4
117 | Is data collected on key measures that were identified? | 3 4 5 4 3 3 5 1 3 4 | 35 | 10 | 3.5
118 | What measurements are possible, practicable and meaningful? | 3 3 5 3 5 4 4 5 3 4 | 39 | 10 | 3.9
119 | How will your organization measure success? | 5 3 4 5 4 1 4 5 3 4 | 38 | 10 | 3.8
120 | What are the agreed upon definitions of the high impact areas, defect(s), unit(s), and opportunities that will figure into the process capability metrics? | 3 3 2 3 4 1 3 5 2 3 | 29 | 10 | 2.9
121 | Do we aggressively reward and promote the people who have the biggest impact on creating excellent products? | 5 2 3 3 5 3 2 5 3 3 | 34 | 10 | 3.4
122 | Is Process Variation Displayed/Communicated? | 3 5 5 3 3 4 5 3 3 5 | 39 | 10 | 3.9
123 | Are there any easy-to-implement alternatives to Cyber Security Risk Management? Sometimes other solutions are available that do not require the cost implications of a full-blown project. | 3 4 4 3 5 4 1 3 5 4 | 36 | 10 | 3.6
124 | Are the measurements objective? | 3 5 4 5 4 5 4 2 5 4 | 41 | 10 | 4.1
SCORE | 451 483 471 457 481 449 462 453 455 474 | 4636 | 1240 | 3.7

4. Analyze
"In my belief, the answer to the following question is clearly defined:"
# | Question | Participant 1 to 10 | Total | Count | Avg
1 | Does our organization have a Cybersecurity Risk Management process that is functioning and repeatable? | 3 4 3 3 4 3 4 4 4 1 | 33 | 10 | 3.3
2 | Does our company communicate to employees the process for reporting and containing compromise? | 1 3 4 3 4 3 3 1 3 3 | 28 | 10 | 2.8
3 | What other jobs or tasks affect the performance of the steps in the Cyber Security Risk Management process? | 3 4 1 4 3 4 4 4 1 4 | 32 | 10 | 3.2
4 | NIST Cybersecurity Framework Criterion DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed | 1 3 3 3 4 3 4 3 4 3 | 31 | 10 | 3.1
5 | Is the supplier's process defined and controlled? | 5 3 4 4 2 3 5 4 4 2 | 36 | 10 | 3.6
6 | What are your current levels and trends in key measures or indicators of Cyber Security Risk Management product and process performance that are important to and directly serve your customers? How do these results compare with the performance of your competitors and other organizations with similar offerings? | 3 3 3 3 3 4 3 3 5 4 | 34 | 10 | 3.4
7 | Have the problem and goal statements been updated to reflect the additional knowledge gained from the analyze phase? | 3 3 2 4 5 3 4 3 4 5 | 36 | 10 | 3.6
8 | How often will data be collected for measures? | 3 3 3 3 2 4 4 3 4 4 | 33 | 10 | 3.3
9 | Are you aware of anyone attempting (whether successfully or not) to gain unauthorized access to your system or its data? | 3 4 3 3 3 4 3 3 3 3 | 32 | 10 | 3.2
10 | Were there any improvement opportunities identified from the process analysis? | 3 4 3 3 3 3 3 3 4 4 | 33 | 10 | 3.3
11 | Identify an operational issue in your organization. For example, could a particular task be done more quickly or more efficiently? | 5 3 4 4 3 3 4 4 1 4 | 35 | 10 | 3.5
12 | Is the Cyber Security Risk Management process severely broken such that a re-design is necessary? | 3 4 4 3 3 5 5 4 3 3 | 37 | 10 | 3.7
13 | Do we leverage resources like the ESC2M2 or DOE Risk Management Process for Cybersecurity? | 5 2 3 3 4 4 3 3 4 4 | 35 | 10 | 3.5
14 | NIST Cybersecurity Framework Criterion PR.IP-6: Data is destroyed according to policy | 3 3 3 3 4 3 4 3 3 3 | 32 | 10 | 3.2
15 | What is the cost of poor quality as supported by the team’s analysis? | 4 3 3 4 3 2 1 3 4 3 | 30 | 10 | 3
16 | What are the best opportunities for value improvement? | 1 4 4 3 4 4 3 4 5 2 | 34 | 10 | 3.4
17 | Do you, as a leader, bounce back quickly from setbacks? | 2 3 3 3 3 3 3 4 5 3 | 32 | 10 | 3.2
18 | What does the data say about the performance of the business process? | 4 3 4 4 1 4 3 4 3 3 | 33 | 10 | 3.3
19 | How do you measure the Operational performance of your key work systems and processes, including productivity, cycle time, and other appropriate measures of process effectiveness, efficiency, and innovation? | 3 2 5 1 4 4 5 3 3 3 | 33 | 10 | 3.3
20 | What were the financial benefits resulting from any ‘ground fruit or low-hanging fruit’ (quick fixes)? | 4 2 1 3 5 4 3 4 3 3 | 32 | 10 | 3.2
21 | What will drive Cyber Security Risk Management change? | 4 3 3 3 1 1 3 3 3 3 | 27 | 10 | 2.7
22 | NIST Cybersecurity Framework Criterion PR.DS-1: Data-at-rest is protected | 3 4 3 3 4 3 4 3 3 3 | 33 | 10 | 3.3
23 | Are interdependent service providers (for example, fuel suppliers, telecommunications providers, meter data processors) included in risk assessments? | 3 3 4 3 3 4 4 3 3 2 | 32 | 10 | 3.2
24 | How do mission and objectives affect the Cyber Security Risk Management processes of our organization? | 3 4 3 4 3 3 3 4 4 3 | 34 | 10 | 3.4
25 | What successful thing are we doing today that may be blinding us to new growth opportunities? | 3 1 3 4 3 4 4 4 2 3 | 31 | 10 | 3.1
26 | NIST Cybersecurity Framework Criterion DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors | 4 4 4 4 3 3 1 4 4 4 | 35 | 10 | 3.5
27 | Is the performance gap determined? | 3 3 4 3 2 1 5 3 5 3 | 32 | 10 | 3.2
28 | What are the revised rough estimates of the financial savings/opportunity for Cyber Security Risk Management improvements? | 3 4 5 3 3 5 5 3 3 4 | 38 | 10 | 3.8
29 | Are unauthorized parties using your system for the processing or storage of data? | 3 4 3 1 4 4 5 3 4 4 | 35 | 10 | 3.5
30 | Did any value-added analysis or ‘lean thinking’ take place to identify some of the gaps shown on the ‘as is’ process map? | 4 4 4 3 3 4 3 2 4 4 | 35 | 10 | 3.5
31 | How does the organization define, manage, and improve its Cyber Security Risk Management processes? | 2 4 4 3 4 4 4 3 4 4 | 36 | 10 | 3.6
32 | Did any additional data need to be collected? | 4 3 4 3 1 3 3 4 4 3 | 32 | 10 | 3.2
33 | When conducting a business process reengineering study, what should we look for when trying to identify business processes to change? | 3 1 4 4 3 4 4 3 4 4 | 34 | 10 | 3.4
34 | What are the disruptive Cyber Security Risk Management technologies that enable our organization to radically change our business processes? | 4 4 4 3 3 4 3 4 4 3 | 36 | 10 | 3.6
35 | Record-keeping requirements flow from the records needed as inputs, outputs, controls and for transformation of a Cyber Security Risk Management process. Ask yourself: are the records needed as inputs to the Cyber Security Risk Management process available? | 3 4 3 3 4 4 4 3 3 4 | 35 | 10 | 3.5
36 | NIST Cybersecurity Framework Criterion PR.IP-3: Configuration change control processes are in place | 4 4 4 3 3 3 2 4 4 4 | 35 | 10 | 3.5
37 | Was a detailed process map created to amplify critical steps of the ‘as is’ business process? | 3 4 3 4 4 3 4 3 4 3 | 35 | 10 | 3.5
38 | Are response processes and procedures executable and are they being maintained? | 3 3 5 3 3 4 1 4 4 3 | 33 | 10 | 3.3
39 | What quality tools were used to get through the analyze phase? | 3 2 4 4 3 3 4 4 4 4 | 35 | 10 | 3.5
40 | Are gaps between current performance and the goal performance identified? | 1 4 4 5 4 4 4 2 4 4 | 36 | 10 | 3.6
41 | Do your employees have the opportunity to do what they do best every day? | 4 3 2 4 3 1 4 4 3 4 | 32 | 10 | 3.2
42 | What other organizational variables, such as reward systems or communication systems, affect the performance of this Cyber Security Risk Management process? | 5 3 4 5 4 4 2 5 5 4 | 41 | 10 | 4.1
43 | What conclusions were drawn from the team’s data collection and analysis? How did the team reach these conclusions? | 3 3 4 4 4 4 3 3 3 4 | 35 | 10 | 3.5
44 | NIST Cybersecurity Framework Criterion ID.GV-4: Governance and risk management processes address cybersecurity risks | 3 4 4 3 4 3 5 4 4 4 | 38 | 10 | 3.8
45 | Were Pareto charts (or similar) used to portray the ‘heavy hitters’ (or key sources of variation)? | 4 3 4 3 3 4 4 3 3 3 | 34 | 10 | 3.4
46 | NIST Cybersecurity Framework Criterion DE.DP-5: Detection processes are continuously improved | 2 3 4 3 3 4 3 4 3 3 | 32 | 10 | 3.2
47 | What project management qualifications does the Project Manager have? | 4 4 1 2 5 3 4 1 1 2 | 27 | 10 | 2.7
48 | Where is the data coming from to measure compliance? | 4 3 4 4 3 4 4 1 4 3 | 34 | 10 | 3.4
49 | Were any designed experiments used to generate additional insight into the data analysis? | 3 3 4 4 4 4 3 4 2 3 | 34 | 10 | 3.4
  • 9. 50 How is the way you as the leader think and process information affecting your organizational culture? 3 4 3 3 4 3 4 4 4 4 36 10 3.6 51 How do we promote understanding that opportunity for improvement is not criticism of the status quo, or the people who created the status quo? 3 3 4 4 3 1 4 4 3 3 32 10 3.2 52 What were the crucial ‘moments of truth’ on the process map? 3 4 5 4 3 3 3 3 2 3 33 10 3.3 53 NIST Cybersecurity Framework Criterion ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders 1 4 2 4 2 4 4 4 1 3 29 10 2.9 54 What tools were used to generate the list of possible causes? 5 4 4 4 3 3 4 3 4 3 37 10 3.7 55 What did the team gain from developing a sub-process map? 3 4 4 3 4 3 3 4 4 3 35 10 3.5 56 Is the gap/opportunity displayed and communicated in financial terms? 4 5 3 3 3 3 3 4 4 3 35 10 3.5 57 How was the detailed process map generated, verified, and validated? 3 3 3 4 3 3 3 3 3 3 31 10 3.1 58 Do governance and risk management processes address Cybersecurity risks? 4 3 2 3 4 4 4 1 3 3 31 10 3.1 59 Was a cause-and-effect diagram used to explore the different types of causes (or sources of variation)? 4 3 4 4 3 4 3 3 4 3 35 10 3.5 60 An organizationally feasible system request is one that considers the mission, goals and objectives of the organization. key questions are: is the solution request practical and will it solve a problem or take advantage of an opportunity to achieve company goals? 2 4 1 4 3 3 4 3 4 4 32 10 3.2 61 NIST Cybersecurity Framework Criterion ID.AM-3: Organizational communication and data flows are mapped 4 4 3 4 4 3 1 3 4 4 34 10 3.4 62 Think about some of the processes you undertake within your organization. which do you own? 4 4 3 3 4 3 3 4 4 3 35 10 3.5 63 Do we have a formal escalation process to address Cybersecurity risks that suddenly increase in severity? 3 2 4 4 3 4 4 4 4 4 36 10 3.6 64 What tools were used to narrow the list of possible causes? 
3 4 5 4 4 3 3 3 4 3 36 10 3.6 65 NIST Cybersecurity Framework Criterion PR.IP-7: Protection processes are continuously improved 3 4 3 3 3 3 4 1 4 4 32 10 3.2 66 What process should we select for improvement? 3 4 4 3 4 3 5 4 4 1 35 10 3.5 67 Is Data and process analysis, root cause analysis and quantifying the gap/opportunity in place? 3 4 5 4 3 4 3 4 4 2 36 10 3.6 68 NIST Cybersecurity Framework Criterion DE.DP-3: Detection processes are tested 2 3 3 3 3 4 3 3 4 4 32 10 3.2 69 Do you have a process for looking at consequences of cyber incidents that informs your risk management process? 4 3 5 3 3 3 3 3 4 2 33 10 3.3 70 NIST Cybersecurity Framework Criterion PR.DS-2: Data-in-transit is protected 4 4 1 3 3 4 4 3 3 4 33 10 3.3 71 What kind of crime could a potential new hire have committed that would not only not disqualify him/her from being hired by our organization, but would actually indicate that he/she might be a particularly good fit? 1 4 4 4 4 3 4 5 2 2 33 10 3.3 72 What controls do we have in place to protect data? 3 3 3 3 4 3 4 4 3 3 33 10 3.3 73 Have any additional benefits been identified that will result from closing all or most of the gaps? 4 4 1 3 3 4 5 4 3 2 33 10 3.3 74 Are protection processes being continuously improved? 4 5 3 4 4 4 4 5 3 4 40 10 4 75 What domains of knowledge and types of Cybersecurity-associated skills and abilities are necessary for engineers involved in operating industrial processes to achieve safe and reliable operating goals? 3 2 4 3 1 3 3 4 3 4 30 10 3 76 Do our leaders quickly bounce back from setbacks? 3 5 4 3 3 4 4 4 4 3 37 10 3.7 77 Does your organization destroy data according to policies in place? 
2 4 3 4 2 4 4 3 4 3 33 10 3.3 0 0 0 SCORE 245 263 262 260 251 262 273 259 269 250 2594 770 3.4 5 Improve Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg "In my belief, the answer to the following question is clearly defined:" 0 0 0 1 To what extent does management recognize Cyber Security Risk Management as a tool to increase the results? 2 3 4 3 2 2 2 3 3 2 26 10 2.6 2 Are we communicating about our Cybersecurity Risk Management programs including the effectiveness of those programs to stakeholders, including boards, investors, auditors, and insurers? 3 3 5 2 3 2 5 2 3 3 31 10 3.1 3 How can we improve Cyber Security Risk Management? 5 3 3 3 2 2 3 3 2 3 29 10 2.9 4 What resources are required for the improvement effort? 2 3 3 3 2 2 3 3 3 2 26 10 2.6 5 How does the solution remove the key sources of issues discovered in the analyze phase? 2 2 2 3 3 5 3 3 2 2 27 10 2.7 6 How do we define and assess risk generally and Cybersecurity risk specifically? 3 4 3 2 2 2 3 3 5 2 29 10 2.9 7 How do we Improve Cyber Security Risk Management service perception, and satisfaction? 2 2 3 3 3 2 3 3 1 3 25 10 2.5 8 Are the best solutions selected? 3 2 3 2 1 3 3 1 2 3 23 10 2.3 9 Are new and improved process (‘should be’) maps developed? 2 2 3 2 3 3 2 2 2 2 23 10 2.3 10 How can we improve performance? 2 2 2 2 3 3 3 3 2 3 25 10 2.5 11 What were the underlying assumptions on the cost-benefit analysis? 2 1 2 1 2 3 3 2 2 2 20 10 2 12 How do we go about Comparing Cyber Security Risk Management approaches/solutions? 3 2 2 1 5 1 2 2 2 5 25 10 2.5 13 How do we appropriately integrate Cybersecurity risk into business risk? 4 3 3 3 2 3 2 2 2 1 25 10 2.5 14 How do we measure risk? 
2 1 5 2 2 3 2 2 3 2 24 10 2.4 15 What collaborative organizations or efforts has your company interacted with or become involved with to improve its Cybersecurity posture (such as NESCO, NESCOR, Fusion centers, Infragard, US-CERT, ICS-CERT, E-ISAC, SANS, HSIN, the Cross-Sector Cyber Security Working Group of the National Sector Partnership, etc.)? 3 2 5 5 2 3 2 3 3 3 31 10 3.1 16 NIST Cybersecurity Framework Criterion PR.AT-5: Physical and information security personnel understand roles & responsibilities 2 4 3 3 2 3 3 3 2 2 27 10 2.7 17 To what extent is Cybersecurity Risk Management integrated into enterprise risk management? 3 2 3 1 5 2 1 2 2 3 24 10 2.4 18 How do we decide which activities to take action on regarding a detected Cybersecurity threat? 3 2 3 3 3 2 3 2 2 3 26 10 2.6 19 How will you measure the results? 2 2 2 2 3 3 3 2 2 3 24 10 2.4 20 What current systems have to be understood and/or changed? 2 2 2 3 2 2 3 3 3 2 24 10 2.4 21 Was a pilot designed for the proposed solution(s)? 3 3 2 3 2 3 2 2 2 3 25 10 2.5 22 What attendant changes will need to be made to ensure that the solution is successful? 3 1 2 2 3 1 3 2 1 3 21 10 2.1 23 Have logical and physical connections to key systems been evaluated and addressed? 3 2 3 2 1 3 4 3 3 2 26 10 2.6 24 What performance goals do we adopt to ensure our ability to provide essential services while managing Cybersecurity risk? 2 2 2 2 2 3 2 3 3 2 23 10 2.3 25 What can we do to improve? 2 3 2 5 5 3 5 4 3 3 35 10 3.5 26 How will the organization know that the solution worked? 3 2 2 1 2 3 3 3 1 2 22 10 2.2 27 How do you improve workforce health, safety, and security? what are your performance measures and improvement goals for each of these workforce needs? what are any significant differences in these factors and performance measures or targets for different workplace environments? 3 2 3 5 2 2 5 2 3 2 29 10 2.9 28 How do you measure progress and evaluate training effectiveness? 
3 2 3 2 2 2 2 3 3 5 27 10 2.7 29 How did the team generate the list of possible solutions? 2 2 2 2 2 3 3 2 3 4 25 10 2.5 30 Is Supporting Cyber Security Risk Management documentation required? 2 3 3 2 1 2 2 2 3 3 23 10 2.3 31 Who controls the risk? 2 5 2 3 3 2 3 2 3 3 28 10 2.8 32 How do we keep improving Cyber Security Risk Management? 3 1 2 3 2 2 2 3 2 5 25 10 2.5 33 What tools were most useful during the improve phase? 2 5 2 3 2 2 3 3 3 3 28 10 2.8 34 Who will be responsible for documenting the Cyber Security Risk Management requirements in detail? 2 2 2 2 2 3 2 5 2 3 25 10 2.5 35 What to do with the results or outcomes of measurements? 1 2 2 2 3 2 3 2 3 2 22 10 2.2 36 Does senior leadership have access to Cybersecurity risk information? 3 3 2 2 5 2 4 2 3 5 31 10 3.1 37 Is there a high likelihood that any recommendations will achieve their intended results? 2 3 2 2 3 3 2 2 3 4 26 10 2.6 38 At what point will vulnerability assessments be performed once Cyber Security Risk Management is put into production (e.g., ongoing Risk Management after implementation)? 2 2 3 2 3 2 3 3 2 2 24 10 2.4 39 Is the solution technically practical? 3 1 1 4 3 3 2 5 4 2 28 10 2.8 40 How do we improve productivity? 3 2 4 3 3 3 2 3 3 3 29 10 2.9 41 Describe your organization's policies and procedures governing risk generally and Cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures? 3 3 5 3 4 5 3 4 4 2 36 10 3.6 42 How Do We Link Measurement and Risk? 2 2 2 2 5 3 3 4 3 2 28 10 2.8 This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
  • 10. 43 Is a contingency plan established? 5 2 2 2 3 2 2 3 2 2 25 10 2.5 44 Do we develop a Cyber Security Center? 1 2 3 3 2 2 2 4 2 3 24 10 2.4 45 Why improve in the first place? 2 2 2 1 3 2 2 4 1 2 21 10 2.1 46 Is the measure understandable to a variety of people? 2 4 3 2 3 1 3 2 2 3 25 10 2.5 47 Is there a cost/benefit analysis of optimal solution(s)? 2 2 3 3 3 2 2 2 2 3 24 10 2.4 48 Where do you want to be a first mover, a fast follower or wait for industry solutions? 2 3 2 5 4 5 3 2 2 3 31 10 3.1 49 NIST Cybersecurity Framework Criterion PR.AT-2: Privileged users understand roles & responsibilities 2 3 2 1 5 2 3 2 2 2 24 10 2.4 50 NIST Cybersecurity Framework Criterion PR.IP-2: A System Development Life Cycle to manage systems is implemented 2 3 2 3 2 1 5 3 1 3 25 10 2.5 51 What needs improvement? 2 2 3 1 3 2 2 2 3 3 23 10 2.3 52 Are improved process (‘should be’) maps modified based on pilot data and analysis? 3 1 2 5 3 2 2 3 3 2 26 10 2.6 53 What do we see as the greatest challenges in improving Cybersecurity practices across critical infrastructure? 2 2 5 3 3 2 3 2 3 3 28 10 2.8 54 For estimation problems, how do you develop an estimation statement? 2 3 2 3 3 2 3 2 2 2 24 10 2.4 55 What tools were used to evaluate the potential solutions? 3 3 3 2 2 3 2 3 3 3 27 10 2.7 56 Risk events: what are the things that could go wrong? 3 2 1 2 2 2 3 3 2 5 25 10 2.5 57 What are the implications of this decision 10 minutes, 10 months, and 10 years from now? 3 3 2 2 1 3 4 2 3 2 25 10 2.5 58 What error proofing will be done to address some of the discrepancies observed in the ‘as is’ process? 3 3 3 3 3 3 2 3 3 1 27 10 2.7 59 What actually has to improve and by how much? 4 3 3 3 3 3 2 3 2 3 29 10 2.9 60 What communications are necessary to support the implementation of the solution? 3 2 2 2 2 2 3 1 4 1 22 10 2.2 61 How do we decide how much to remunerate an employee? 2 2 2 3 2 3 2 2 3 2 23 10 2.3 62 What do we want to improve? 
2 3 3 3 5 3 2 2 3 3 29 10 2.9 63 What is the risk? 2 3 3 3 2 3 1 5 2 2 26 10 2.6 64 For the most critical systems, are multiple operators required to implement changes that risk consequential events? 3 3 3 3 3 2 2 4 2 2 27 10 2.7 65 Is there a small-scale pilot for proposed improvement(s)? What conclusions were drawn from the outcomes of a pilot? 3 2 3 2 2 3 2 3 2 2 24 10 2.4 66 What is the magnitude of the improvements? 1 2 1 2 2 2 5 2 3 2 22 10 2.2 67 In the past few months, what is the smallest change we have made that has had the biggest positive result? What was it about that small change that produced the large return? 3 2 2 3 3 5 3 2 5 3 31 10 3.1 68 NIST Cybersecurity Framework Criterion ID.RA-3: Threats, both internal and external, are identified and documented 2 3 5 2 3 3 2 3 3 2 28 10 2.8 69 NIST Cybersecurity Framework Criterion ID.GV-3: Legal and regulatory requirements regarding cybersecurity, including privacy and civil liberties obligations, are understood and managed 3 2 2 2 1 1 2 3 4 3 23 10 2.3 70 Does your company provide resources to improve end-user awareness of phishing, malware, indicators of compromise, and procedures in the event of a potential breach? 2 3 4 3 3 5 3 3 3 3 32 10 3.2 71 How will you know when its improved? 2 2 2 2 2 2 2 3 3 2 22 10 2.2 72 If you could go back in time five years, what decision would you make differently? What is your best guess as to what decision you're making today you might regret five years from now? 4 3 4 1 2 2 2 2 3 3 26 10 2.6 73 Is pilot data collected and analyzed? 3 3 3 2 2 1 2 4 2 2 24 10 2.4 74 Who will be responsible for making the decisions to include or exclude requested changes once Cyber Security Risk Management is underway? 2 3 3 3 2 3 2 2 4 3 27 10 2.7 75 How do we measure improved Cyber Security Risk Management service perception, and satisfaction? 
2 5 2 3 3 2 3 2 2 2 26 10 2.6 76 Are legal and regulatory requirements regarding Cybersecurity, including privacy and civil liberties obligations, understood and managed? 4 3 2 3 2 3 5 3 3 3 31 10 3.1 77 Has your company conducted a Cybersecurity evaluation of key assets in concert with the National Cyber Security Division of the U.S. Department of Homeland Security (DHS)? 3 5 3 3 3 3 2 2 3 1 28 10 2.8 78 NIST Cybersecurity Framework Criterion PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy 3 4 3 2 2 3 2 3 3 3 28 10 2.8 79 How do you use other indicators, such as workforce retention, absenteeism, grievances, safety, and productivity, to assess and improve workforce engagement? 1 2 4 2 3 3 3 2 3 3 26 10 2.6 80 How to Improve? 2 1 2 2 1 2 3 2 2 3 20 10 2 81 If you could go back in time five years, what decision would you make differently? what is your best guess as to what decision youre making today you might regret five years from now? 2 3 2 3 3 3 3 3 2 3 27 10 2.7 82 Has your organization conducted a cyber risk or vulnerability assessment of its information systems, control systems, and other networked systems? 3 3 3 2 3 3 2 2 3 3 27 10 2.7 83 What does the ‘should be’ process map/design look like? 3 3 2 4 3 2 2 2 2 2 25 10 2.5 84 Is the optimal solution selected based on testing and analysis? 2 4 3 2 2 3 2 3 2 3 26 10 2.6 85 Are we Assessing Cyber Security Risk Management and Risk? 2 3 3 2 3 2 3 4 3 2 27 10 2.7 86 NIST Cybersecurity Framework Criterion RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks 5 5 2 3 3 3 2 2 3 3 31 10 3.1 87 Is the implementation plan designed? 5 3 3 2 2 2 2 3 3 1 26 10 2.6 88 What is the implementation plan? 3 3 5 3 2 2 2 1 2 1 24 10 2.4 89 Does the management team seek or receive routine updates on risks and advancements in Cybersecurity? 
4 3 2 3 3 2 3 2 3 2 27 10 2.7 90 What is Cyber Security Risk Management's impact on utilizing the best solution(s)? 2 2 3 2 3 2 3 2 1 1 21 10 2.1 91 Do you understand what can accelerate change? 2 4 3 4 2 2 3 3 5 1 29 10 2.9 92 How will you know that you have improved? 3 2 3 2 2 3 3 3 2 3 26 10 2.6 93 Can the solution be designed and implemented within an acceptable time period? 2 5 2 5 3 2 2 3 5 3 32 10 3.2 94 Does our company have a Cybersecurity policy, strategy, or governing document? 3 3 2 2 2 3 2 5 5 2 29 10 2.9 95 Who are the people involved in developing and implementing Cyber Security Risk Management? 2 3 3 2 3 2 2 4 2 2 25 10 2.5 96 Are there any constraints (technical, political, cultural, or otherwise) that would inhibit certain solutions? 4 4 2 3 3 3 3 1 2 5 30 10 3 97 Can we describe our organization's policies and procedures governing risk generally and Cybersecurity risk specifically. How does senior management communicate and oversee these policies and procedures? 2 3 3 3 2 3 2 2 2 2 24 10 2.4 98 NIST Cybersecurity Framework Criterion ID.RA-1: Asset vulnerabilities are identified and documented 2 5 3 3 2 3 2 3 3 2 28 10 2.8 99 Are possible solutions generated and tested? 3 2 2 3 3 2 2 3 2 3 25 10 2.5 100 Do you have an enterprise-wide risk management program that includes Cybersecurity? 2 3 2 2 3 3 2 3 2 3 25 10 2.5 101 Have vendors documented and independently verified their Cybersecurity controls? 2 2 3 2 3 2 2 3 3 3 25 10 2.5 102 NIST Cybersecurity Framework Criterion PR.DS-7: The development and testing environment(s) are separate from the production environment 2 2 3 3 3 3 2 3 3 2 26 10 2.6 103 What kind of guidance do you follow to ensure that your procurement language is both specific and comprehensive enough to result in acquiring secure components and systems? 3 3 2 2 2 3 3 3 5 2 28 10 2.8 104 How will the team or the process owner(s) monitor the implementation plan to see that it is working as intended? 
3 3 2 3 2 2 3 1 3 3 25 10 2.5 105 How do you improve your likelihood of success ? 5 3 2 2 3 3 2 2 3 4 29 10 2.9 106 Describe the design of the pilot and what tests were conducted, if any? 3 2 2 2 2 3 2 2 3 2 23 10 2.3 107 What tools do you use once you have decided on a Cyber Security Risk Management strategy and more importantly how do you choose? 4 1 5 2 5 3 3 3 2 2 30 10 3 108 What improvements have been achieved? 1 3 2 3 3 2 4 1 3 2 24 10 2.4 109 Is a solution implementation plan established, including schedule/work breakdown structure, resources, risk management plan, cost/budget, and control plan? 2 2 5 2 3 2 2 2 3 3 26 10 2.6 110 What evaluation strategy is needed and what needs to be done to assure its implementation and use? 3 3 3 2 2 4 3 5 3 3 31 10 3.1 111 How significant is the improvement in the eyes of the end user? 3 3 2 2 3 3 3 2 2 2 25 10 2.5 112 Is our organization doing any form of outreach or education on Cybersecurity Risk Management? 3 3 1 3 2 3 4 2 4 2 27 10 2.7 113 What needs to happen for improvement actions to take place? 2 3 5 3 3 3 2 1 3 5 30 10 3 114 Who controls key decisions that will be made? 3 2 3 3 5 3 2 5 3 2 31 10 3.1 115 NIST Cybersecurity Framework Criterion PR.AT-3: Third-party stakeholders (e.g., suppliers, customers, partners) understand roles & responsibilities 2 3 2 3 3 3 3 3 3 2 27 10 2.7 This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991
  • 11. 116 How can skill-level changes improve Cyber Security Risk Management? 2 2 3 2 3 2 2 2 3 2 23 10 2.3 117 Are audit/log records determined, documented, implemented, and reviewed in accordance with your organizations policies? 2 2 5 2 5 2 2 3 3 3 29 10 2.9 118 Does the goal represent a desired result that can be measured? 3 2 3 2 3 2 3 2 3 2 25 10 2.5 119 What tools were used to tap into the creativity and encourage ‘outside the box’ thinking? 2 1 2 3 2 2 2 2 3 4 23 10 2.3 120 Risk factors: what are the characteristics of Cyber Security Risk Management that make it risky? 2 2 5 2 2 3 1 3 4 2 26 10 2.6 121 Do we appropriately integrate Cybersecurity risk into business risk? 2 3 3 2 2 3 2 2 3 2 24 10 2.4 122 What is the team’s contingency plan for potential problems occurring in implementation? 3 3 2 2 3 2 2 3 3 5 28 10 2.8 123 NIST Cybersecurity Framework Criterion ID.RM-2: Organizational risk tolerance is determined and clearly expressed 2 2 2 2 1 3 3 3 5 3 26 10 2.6 124 For decision problems, how do you develop a decision statement? 3 2 2 3 3 2 3 3 3 2 26 10 2.6 125 What went well, what should change, what can improve? 2 2 2 3 3 3 3 3 3 3 27 10 2.7 126 NIST Cybersecurity Framework Criterion PR.AT-4: Senior executives understand roles & responsibilities 3 2 2 5 4 3 3 3 3 2 30 10 3 127 How does the team improve its work? 3 3 3 5 3 2 2 2 1 2 26 10 2.6 128 Were any criteria developed to assist the team in testing and evaluating potential solutions? 2 3 4 2 2 3 2 5 2 2 27 10 2.7 129 What lessons, if any, from a pilot were incorporated into the design of the full-scale solution? 2 2 3 3 1 2 3 3 3 5 27 10 2.7 130 Has your organization conducted an evaluation of the Cybersecurity risks for major systems at each stage of the system deployment lifecycle? 3 1 2 2 1 4 4 3 3 3 26 10 2.6 131 How will we know that a change is improvement? 3 5 2 2 2 3 5 2 2 4 30 10 3 132 What' s At Risk? 
1 2 5 1 3 3 2 3 2 3 25 10 2.5 133 Who will be using the results of the measurement activities? 2 2 1 3 2 3 2 3 3 2 23 10 2.3 0 0 0 SCORE 340 346 361 339 351 342 348 355 360 348 3490 1330 2.6 6 Control Participant 1 Participant 2 Participant 3 Participant 4 Participant 5 Participant 6 Participant 7 Participant 8 Participant 9 Participant 10 Total Count Avg "In my belief, the answer to the following question is clearly defined:" 0 0 0 1 Is our Cybersecurity plan tested regularly? 1 1 2 5 2 4 1 1 1 1 19 10 1.9 2 Is reporting being used or needed? 2 2 2 2 2 2 1 2 3 1 19 10 1.9 3 Why is change control necessary? 2 2 3 2 1 1 2 2 2 4 21 10 2.1 4 How might the organization capture best practices and lessons learned so as to leverage improvements across the business? 1 2 2 2 1 1 2 1 2 1 15 10 1.5 5 Do we maintain standards and expectations for downtime during the upgrade and replacement cycle? 1 1 1 2 4 5 1 2 2 1 20 10 2 6 NIST Cybersecurity Framework Criterion DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events 2 1 1 1 2 3 2 1 2 1 16 10 1.6 7 Has the improved process and its steps been standardized? 1 1 1 1 2 1 2 1 2 2 14 10 1.4 8 How will the process owner verify improvement in present and future sigma levels, process capabilities? 2 1 4 1 5 3 2 2 1 2 23 10 2.3 9 NIST Cybersecurity Framework Criterion DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed 3 2 2 1 1 1 2 1 1 1 15 10 1.5 10 What should we measure to verify effectiveness gains? 2 2 1 1 2 2 1 2 2 1 16 10 1.6 11 Is there documentation that will support the successful operation of the improvement? 1 2 2 1 1 1 1 2 2 1 14 10 1.4 12 Is new knowledge gained imbedded in the response plan? 4 1 1 1 1 2 3 1 1 1 16 10 1.6 13 Does job training on the documented procedures need to be part of the process team’s education and training? 
1 2 2 5 1 2 2 2 1 2 20 10 2 14 NIST Cybersecurity Framework Criterion PR.IP-10: Response and recovery plans are tested 2 2 2 1 1 2 1 2 2 1 16 10 1.6 15 Will existing staff require re-training, for example, to learn new business processes? 1 2 1 2 1 2 1 1 2 2 15 10 1.5 16 What is the control/monitoring plan? 2 1 1 1 2 2 2 2 2 1 16 10 1.6 17 Who will be in control? 2 2 2 2 2 1 2 2 2 1 18 10 1.8 18 What are we attempting to measure/monitor? 1 1 2 1 2 4 4 1 2 1 19 10 1.9 19 What other systems, operations, processes, and infrastructures (hiring practices, staffing, training, incentives/rewards, metrics/dashboards/scorecards, etc.) need updates, additions, changes, or deletions in order to facilitate knowledge transfer and improvements? 2 4 2 1 1 2 1 2 1 1 17 10 1.7 20 Can our company identify any mandatory Cybersecurity standards that apply to our systems? 2 2 2 4 2 5 1 2 1 2 23 10 2.3 21 Do your recovery plans incorporate lessons learned? 1 1 1 1 1 2 2 2 2 4 17 10 1.7 22 Does Cyber Security Risk Management appropriately measure and monitor risk? 2 2 2 4 4 1 1 1 1 1 19 10 1.9 23 NIST Cybersecurity Framework Criterion DE.CM-1: The network is monitored to detect potential cybersecurity events 1 1 2 1 2 4 1 1 1 5 19 10 1.9 24 Do you monitor the effectiveness of your Cyber Security Risk Management activities? 2 2 1 2 1 1 5 1 2 2 19 10 1.9 25 How do controls support value? 2 3 1 3 2 2 2 1 1 2 19 10 1.9 26 What are your results for key measures or indicators of the accomplishment of your Cyber Security Risk Management strategy and action plans, including building and strengthening core competencies? 2 2 2 3 2 2 2 1 2 3 21 10 2.1 27 What training is provided to personnel that are involved with Cybersecurity control, implementation, and policies? 
1 2 1 2 2 3 4 2 1 1 19 10 1.9 28 NIST Cybersecurity Framework Criterion RS.IM-1: Response plans incorporate lessons learned 1 1 2 1 1 2 1 1 3 2 15 10 1.5 29 Do you have a consumer communication plan or a way of dealing with customer perceptions and expectations? 1 3 1 1 1 1 1 4 2 1 16 10 1.6 30 Is maintenance and repair of organizational assets performed and logged in a timely manner, with approved and controlled tools? 2 1 2 1 1 1 2 1 2 1 14 10 1.4 31 What should we measure to verify efficiency gains? 1 2 2 2 1 1 2 1 1 1 14 10 1.4 32 What do we stand for--and what are we against? 2 1 1 2 1 1 2 1 1 2 14 10 1.4 33 NIST Cybersecurity Framework Criterion RS.RP-1: Response plan is executed during or after an event 4 1 1 1 2 2 1 3 2 1 18 10 1.8 34 How will new or emerging customer needs/requirements be checked/communicated to orient the process toward meeting the new specifications and continually reducing variation? 2 2 2 1 2 1 5 1 2 1 19 10 1.9 35 NIST Cybersecurity Framework Criterion PR.PT-3: Access to systems and assets is controlled, incorporating the principle of least functionality 2 2 1 1 1 1 2 3 2 2 17 10 1.7 36 Can our company identify any other mandatory Cybersecurity standards that apply to its systems? 3 2 1 1 1 2 2 3 2 1 18 10 1.8 37 Are pertinent alerts monitored, analyzed and distributed to appropriate personnel? 2 4 1 1 1 2 2 1 1 1 16 10 1.6 38 Implementation Planning- is a pilot needed to test the changes before a full roll out occurs? 1 2 2 2 1 2 2 2 1 1 16 10 1.6 39 How do you encourage people to take control and responsibility? 1 5 4 2 3 1 1 1 2 2 22 10 2.2 40 How will the process owner and team be able to hold the gains? 1 1 1 2 5 2 2 2 2 1 19 10 1.9 41 Who has control over resources? 1 1 1 1 4 2 1 3 2 2 18 10 1.8 42 How do we enable market innovation while controlling security and privacy? 
Columns: question number | question | scores from Participant 1 through Participant 10 | Total | Count | Avg

42 | (question text precedes this section) | 2 2 1 2 2 2 2 1 1 2 | 17 | 10 | 1.7
43 | Does your Cybersecurity plan include recognition of critical facilities and/or cyber assets that are dependent upon IT or automated processing? | 2 2 1 2 1 5 1 2 5 1 | 22 | 10 | 2.2
44 | How do our controls stack up? | 2 2 2 2 1 1 1 1 2 1 | 15 | 10 | 1.5
45 | How will report readings be checked to effectively monitor performance? | 2 2 1 1 2 2 2 1 2 4 | 19 | 10 | 1.9
46 | NIST Cybersecurity Framework Criterion PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools | 1 1 1 3 4 1 2 1 2 1 | 17 | 10 | 1.7
47 | Are new process steps, standards, and documentation ingrained into normal operations? | 1 3 1 1 2 2 1 2 3 1 | 17 | 10 | 1.7
48 | NIST Cybersecurity Framework Criterion PR.IP-12: A vulnerability management plan is developed and implemented | 3 1 2 4 1 2 1 1 2 1 | 18 | 10 | 1.8
49 | What is your theory of human motivation, and how does your compensation plan fit with that view? | 1 2 2 2 1 2 2 2 5 2 | 21 | 10 | 2.1
50 | Will any special training be provided for results interpretation? | 2 1 2 2 2 3 1 2 1 1 | 17 | 10 | 1.7
51 | Is a response plan in place for when the input, process, or output measures indicate an ‘out-of-control’ condition? | 1 2 1 1 2 1 5 2 1 4 | 20 | 10 | 2
52 | Have you had outside experts look at your Cybersecurity plans? | 2 1 2 2 5 2 2 2 2 1 | 21 | 10 | 2.1
53 | Do you have a plan in place for reputation management after an event? | 2 2 1 2 2 1 1 2 1 1 | 15 | 10 | 1.5
54 | Does the company have equipment dependent on remote upgrades to firmware or software, or have plans to implement such systems? | 1 1 4 2 2 4 4 3 1 1 | 23 | 10 | 2.3
55 | Is knowledge gained on process shared and institutionalized? | 5 1 5 1 3 1 4 2 1 3 | 26 | 10 | 2.6

This document is a partial preview. Full document download can be found on Flevy: http://flevy.com/browse/document/assessment-dashboard-cyber-security-risk-management-2991

  • 12.
56 | NIST Cybersecurity Framework Criterion RS.CO-3: Information is shared consistent with response plans | 2 2 1 2 1 2 2 2 2 2 | 18 | 10 | 1.8
57 | NIST Cybersecurity Framework Criterion RS.AN-4: Incidents are categorized consistent with response plans | 4 2 2 1 2 2 1 2 1 5 | 22 | 10 | 2.2
58 | Are suggested corrective/restorative actions indicated on the response plan for known causes to problems that might surface? | 1 1 2 5 1 1 2 2 1 1 | 17 | 10 | 1.7
59 | Do the decisions we make today help people and the planet tomorrow? | 1 1 2 2 1 2 4 2 2 1 | 18 | 10 | 1.8
60 | Do the Cyber Security Risk Management decisions we make today help people and the planet tomorrow? | 2 2 4 1 3 2 5 1 4 1 | 25 | 10 | 2.5
61 | Does the company have a log monitoring capability with analytics and alerting, also known as “continuous monitoring”? | 2 2 2 2 1 1 2 1 2 2 | 17 | 10 | 1.7
62 | Do you have a System Development Life Cycle plan that is implemented to manage systems? | 1 2 2 2 2 1 2 3 2 2 | 19 | 10 | 1.9
63 | Have new or revised work instructions resulted? | 2 2 1 1 1 2 5 1 1 2 | 18 | 10 | 1.8
64 | What is our theory of human motivation, and how does our compensation plan fit with that view? | 2 1 2 2 2 1 2 1 1 5 | 19 | 10 | 1.9
65 | Does your Cybersecurity plan contain both cyber and physical security components, or does your physical security plan identify critical cyber assets? | 1 1 2 1 2 4 5 2 3 1 | 22 | 10 | 2.2
66 | Who controls critical resources? | 2 2 1 1 4 1 2 3 3 2 | 21 | 10 | 2.1
67 | What are the critical parameters to watch? | 1 5 2 4 1 2 4 2 1 4 | 26 | 10 | 2.6
68 | NIST Cybersecurity Framework Criterion RS.CO-4: Coordination with stakeholders occurs consistent with response plans | 2 2 5 1 2 1 3 4 1 5 | 26 | 10 | 2.6
69 | What's the best design framework for an organization in a post-Industrial-Age if the top-down, command and control model is no longer relevant? | 2 2 2 4 2 1 2 3 2 2 | 22 | 10 | 2.2
70 | Are communications and control networks jointly or separately protected? | 2 2 2 1 1 2 1 1 4 2 | 18 | 10 | 1.8
71 | Is there a transfer of ownership and knowledge to the process owner and process team tasked with the responsibilities? | 2 2 2 1 4 4 1 2 1 1 | 20 | 10 | 2
72 | Is access to systems and assets controlled, incorporating the principle of least functionality? | 2 1 3 2 1 1 2 2 1 2 | 17 | 10 | 1.7
73 | NIST Cybersecurity Framework Criterion PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained | 1 1 1 2 2 4 1 1 2 1 | 16 | 10 | 1.6
74 | Do we have a log monitoring capability with analytics and alerting, also known as continuous monitoring? | 2 1 2 1 2 5 2 1 1 2 | 19 | 10 | 1.9
75 | NIST Cybersecurity Framework Criterion PR.PT-4: Communications and control networks are protected | 4 2 2 2 2 2 1 1 1 1 | 18 | 10 | 1.8
76 | What is the recommended frequency of auditing? | 1 1 2 2 1 1 2 3 2 2 | 17 | 10 | 1.7
77 | Industry standards enforce legislation that utilities must meet, and these standards do not come cheaply. Standards require additional resources in the form of employees, hours, and technology, all of which increases the cost of providing reliable electricity to the customer. Therefore, the standards of Cybersecurity that protect the customer are ultimately paid for by the customer. So what are these standards and who sets them? | 1 2 1 1 1 2 2 1 4 1 | 16 | 10 | 1.6
78 | NIST Cybersecurity Framework Criterion PR.DS-5: Protections against data leaks are implemented | 2 1 1 2 1 1 1 1 1 2 | 13 | 10 | 1.3
79 | Does your Cybersecurity plan include alternative methods for meeting critical functional responsibilities in the absence of IT or communication technology? | 1 1 1 5 2 1 1 2 3 1 | 18 | 10 | 1.8
80 | NIST Cybersecurity Framework Criterion DE.CM-2: The physical environment is monitored to detect potential cybersecurity events | 2 2 1 2 1 3 2 2 1 1 | 17 | 10 | 1.7
81 | Has your Cybersecurity plan been reviewed in the last year and updated as needed? | 2 1 1 4 2 2 1 1 2 2 | 18 | 10 | 1.8
82 | Are controls in place and consistently applied? | 2 1 3 1 2 2 2 5 2 2 | 22 | 10 | 2.2
83 | What is your process/plan for managing risk? | 1 4 1 1 2 1 1 1 4 2 | 18 | 10 | 1.8
84 | Do your response plans include lessons learned and mechanisms for continual improvement? | 1 1 2 2 2 2 1 1 1 1 | 14 | 10 | 1.4
85 | Will a permanent standard be developed? | 2 4 2 1 4 4 2 1 1 1 | 22 | 10 | 2.2
86 | Is the information shared consistent with the response plan? | 1 2 1 2 1 1 1 2 2 2 | 15 | 10 | 1.5
87 | What other areas of the organization might benefit from the Cyber Security Risk Management team’s improvements, knowledge, and learning? | 2 2 2 1 1 1 2 2 2 1 | 16 | 10 | 1.6
88 | How can you tell if the actions you plan to take will contain the impact of a potential cyber threat? | 2 4 2 2 1 1 1 2 2 1 | 18 | 10 | 1.8
89 | Who sets the Cyber Security Risk Management standards? | 1 2 1 2 2 1 2 2 2 3 | 18 | 10 | 1.8
90 | When does compliance with a standard start? | 2 1 3 1 2 1 1 3 1 2 | 17 | 10 | 1.7
91 | Is there a recommended audit plan for routine surveillance inspections of Cyber Security Risk Management's gains? | 1 1 2 2 2 2 2 2 1 4 | 19 | 10 | 1.9
92 | Is Cybersecurity integrated between business systems and control systems? | 2 1 1 3 2 5 2 4 2 4 | 26 | 10 | 2.6
93 | Is your Cybersecurity plan tested regularly? | 3 1 5 5 2 1 1 2 4 3 | 27 | 10 | 2.7
94 | What can you control? | 1 1 2 2 2 1 1 2 2 2 | 16 | 10 | 1.6
95 | What else do you need to learn to be ready? | 1 5 3 2 1 1 3 5 2 2 | 25 | 10 | 2.5
96 | What are the key elements of your Cyber Security Risk Management performance improvement system, including your evaluation, organizational learning, and innovation processes? | 1 1 2 5 2 1 1 1 3 1 | 18 | 10 | 1.8
97 | Does our Cybersecurity plan include recognition of critical facilities and/or cyber assets that are dependent upon IT or automated processing? | 3 2 4 1 1 4 2 2 2 2 | 23 | 10 | 2.3
98 | How can we best use all of our knowledge repositories to enhance learning and sharing? | 2 2 1 1 1 1 1 2 1 2 | 14 | 10 | 1.4
99 | Who is the Cyber Security Risk Management process owner? | 2 2 2 2 5 1 1 1 2 2 | 20 | 10 | 2
100 | Against what alternative is success being measured? | 1 2 1 1 3 4 1 2 2 2 | 19 | 10 | 1.9
101 | What are the known security controls? | 1 2 1 2 1 1 2 2 2 1 | 15 | 10 | 1.5
102 | How will input, process, and output variables be checked to detect sub-optimal conditions? | 5 2 3 2 2 1 2 1 2 2 | 22 | 10 | 2.2
103 | Were the planned controls in place? | 2 5 1 1 2 2 4 2 1 5 | 25 | 10 | 2.5
104 | Is a response plan established and deployed? | 1 2 1 1 2 1 1 1 2 2 | 14 | 10 | 1.4
105 | Were the planned controls working? | 1 1 2 2 1 1 3 1 2 1 | 15 | 10 | 1.5
106 | How will the day-to-day responsibilities for monitoring and continual improvement be transferred from the improvement team to the process owner? | 1 1 1 1 2 1 1 1 2 2 | 13 | 10 | 1.3
107 | Is there a standardized process? | 1 2 1 2 2 2 5 2 2 2 | 21 | 10 | 2.1
108 | NIST Cybersecurity Framework Criterion RC.RP-1: Recovery plan is executed during or after an event | 2 2 2 1 1 1 1 1 1 2 | 14 | 10 | 1.4
109 | NIST Cybersecurity Framework Criterion PR.IP-9: Response plans (Incident Response and Business Continuity) and recovery plans (Incident Recovery and Disaster Recovery) are in place and managed | 2 2 5 5 2 2 1 2 1 1 | 23 | 10 | 2.3
110 | Does the Cyber Security Risk Management performance meet the customer’s requirements? | 4 1 1 1 4 2 1 1 1 5 | 21 | 10 | 2.1
111 | In the case of a Cyber Security Risk Management project, the criteria for the audit derive from implementation objectives. An audit of a Cyber Security Risk Management project involves assessing whether the recommendations outlined for implementation have been met. In other words, can we track that any Cyber Security Risk Management project is implemented as planned, and is it working? | 2 5 3 2 1 1 2 1 2 2 | 21 | 10 | 2.1
112 | If there currently is no plan, will a plan be developed? | 1 1 1 1 2 1 2 1 1 1 | 12 | 10 | 1.2
113 | What quality tools were useful in the control phase? | 1 1 2 1 2 1 1 1 4 2 | 16 | 10 | 1.6
114 | Does a troubleshooting guide exist or is it needed? | 2 2 2 2 3 3 2 1 1 2 | 20 | 10 | 2
115 | NIST Cybersecurity Framework Criterion RC.IM-1: Recovery plans incorporate lessons learned | 1 2 2 2 3 1 1 1 2 2 | 17 | 10 | 1.7
116 | What's the best design framework for a Cyber Security Risk Management organization now that, in a post-Industrial-Age, the top-down, command and control model is no longer relevant? | 2 2 1 2 3 2 1 2 1 2 | 18 | 10 | 1.8
117 | What is your quality control system? | 1 1 1 1 1 2 2 1 2 2 | 14 | 10 | 1.4
118 | Are there documented procedures? | 2 2 2 1 1 2 1 5 1 2 | 19 | 10 | 1.9
119 | Where do ideas that reach policy makers and planners as proposals for Cyber Security Risk Management strengthening and reform actually originate? | 1 3 1 2 2 2 2 2 1 2 | 18 | 10 | 1.8
120 | What key inputs and outputs are being measured on an ongoing basis? | 1 3 2 1 1 2 1 1 2 1 | 15 | 10 | 1.5
121 | Does the response plan contain a definite closed-loop continual improvement scheme (e.g., plan-do-check-act)? | 1 1 1 2 3 1 2 1 1 2 | 15 | 10 | 1.5
122 | Has Cybersecurity been identified in the physical security plans for the assets, reflecting planning for a blended cyber/physical attack? | 2 2 2 2 1 1 2 1 2 1 | 16 | 10 | 1.6
123 | Has business process Cybersecurity been included in continuity of operations plans for areas such as customer data, billing, etc.? | 2 2 1 1 1 2 2 2 2 1 | 16 | 10 | 1.6
124 | Are operating procedures consistent? | 2 2 1 2 2 4 2 1 1 2 | 19 | 10 | 1.9
125 | Is there a control plan in place for sustaining improvements (short and long-term)? | 2 1 2 1 1 2 1 2 1 1 | 14 | 10 | 1.4
126 | Is there a documented and implemented monitoring plan? | 2 2 2 2 4 2 2 1 2 1 | 20 | 10 | 2
127 | Are documented procedures clear and easy to follow for the operators? | 2 2 1 1 1 2 1 4 2 2 | 18 | 10 | 1.8

  • 13.
128 | How do you monitor your Cybersecurity posture on business IT systems and ICS systems and communicate status and needs to leadership? | 2 1 1 5 1 2 1 2 2 1 | 18 | 10 | 1.8
129 | NIST Cybersecurity Framework Criterion DE.CM-6: External service provider activity is monitored to detect potential cybersecurity events | 2 2 2 2 2 2 2 2 1 2 | 19 | 10 | 1.9
130 | What should the next improvement project be that is related to Cyber Security Risk Management? | 2 2 2 2 2 5 2 1 1 1 | 20 | 10 | 2
SCORE | (section total) | 228 240 233 243 244 251 245 228 233 236 | 2381 | 1300 | 1.8

7 Sustain

Columns: question number | question | scores from Participant 1 through Participant 10 | Total | Count | Avg
Rating statement: "In my belief, the answer to the following question is clearly defined:"

1 | If you were responsible for initiating and implementing major changes in your organization, what steps might you take to ensure acceptance of those changes? | 1 1 1 1 4 1 1 1 4 1 | 16 | 10 | 1.6
2 | What is Effective Cyber Security Risk Management? | 1 5 1 1 1 1 1 2 1 1 | 15 | 10 | 1.5
3 | NIST Cybersecurity Framework Criterion PR.IP-4: Backups of information are conducted, maintained, and tested periodically | 1 1 1 1 2 1 1 1 1 4 | 14 | 10 | 1.4
4 | How will you know that the Cyber Security Risk Management project has been successful? | 1 1 1 1 1 1 1 1 5 1 | 14 | 10 | 1.4
5 | Does your company provide end-user training to all employees on Cybersecurity, either as part of general staff training or specifically on the topic of computer security and company policy? | 1 1 1 1 1 1 3 1 5 1 | 16 | 10 | 1.6
6 | Is our Cybersecurity strategy aligned with our business objectives? | 1 3 1 1 1 1 1 5 1 1 | 16 | 10 | 1.6
7 | What are we challenging, in the sense that Mac challenged the PC or Dove tackled the Beauty Myth? | 3 4 1 4 1 1 1 1 1 1 | 18 | 10 | 1.8
8 | Have you had a PCI compliance assessment done? | 1 1 1 1 1 1 5 1 1 1 | 14 | 10 | 1.4
9 | How should we bring in consultants, for which jobs and for how long? | 1 1 1 1 1 1 2 1 1 1 | 11 | 10 | 1.1
10 | Are new benefits received and understood? | 1 1 1 1 1 1 1 1 1 3 | 12 | 10 | 1.2
11 | How can we incorporate support to ensure safe and effective use of Cyber Security Risk Management into the services that we provide? | 1 1 1 1 1 3 1 1 1 1 | 12 | 10 | 1.2
12 | Legal and contractual - are we allowed to do this? | 1 1 1 1 4 1 1 1 3 1 | 15 | 10 | 1.5
13 | What would I recommend my friend do if he were facing this dilemma? | 3 1 1 2 2 1 1 4 2 1 | 18 | 10 | 1.8
14 | Are you aware of anyone attempting to gain information in person, by phone, mail, email, etc., regarding the configuration and/or cyber security posture of your website, network, software, or hardware? | 1 2 3 1 1 4 1 1 1 1 | 16 | 10 | 1.6
15 | What is our Big Hairy Audacious Goal? | 3 3 1 5 1 3 1 1 1 1 | 20 | 10 | 2
16 | Is an organizational information security policy established? | 1 1 1 1 1 5 1 3 1 1 | 16 | 10 | 1.6
17 | When do you ask for help from Information Technology (IT)? | 3 1 1 1 3 1 1 1 5 1 | 18 | 10 | 1.8
18 | Who uses our product in ways we never expected? | 1 1 5 1 1 1 1 1 1 1 | 14 | 10 | 1.4
19 | What is a feasible sequencing of reform initiatives over time? | 1 1 1 5 1 1 2 1 1 3 | 17 | 10 | 1.7
20 | Are our Cybersecurity capabilities efficient and effective? | 1 1 1 2 1 4 3 1 1 1 | 16 | 10 | 1.6
21 | Do you have an implicit bias for capital investments over people investments? | 1 3 1 1 1 1 1 1 1 1 | 12 | 10 | 1.2
22 | In the past year, what have you done (or could you have done) to increase the accurate perception of this company/brand as ethical and honest? | 1 2 1 1 1 1 4 1 1 1 | 14 | 10 | 1.4
23 | Are assumptions made in Cyber Security Risk Management stated explicitly? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
24 | Who is in charge of ensuring that the repair is made? | 1 1 1 5 3 1 1 1 1 1 | 16 | 10 | 1.6
25 | Is Cybersecurity Insurance coverage a must? | 1 1 1 2 1 1 1 1 1 1 | 11 | 10 | 1.1
26 | Who will be responsible internally? | 1 5 1 1 5 1 1 2 1 1 | 19 | 10 | 1.9
27 | Who are you going to put out of business, and why? | 1 3 1 1 1 1 1 1 5 4 | 19 | 10 | 1.9
28 | Who do we think the world wants us to be? | 1 1 1 4 5 1 1 1 1 1 | 17 | 10 | 1.7
29 | How do you design a secure network? | 1 2 1 1 1 1 1 1 1 1 | 11 | 10 | 1.1
30 | Do we have enough freaky customers in our portfolio pushing us to the limit day in and day out? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
31 | Will we be inclusive enough yet not disruptive to ongoing business, for effective Cybersecurity practices? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
32 | Has anyone made unauthorized changes or additions to your system's hardware, firmware, or software characteristics without your IT department's knowledge, instruction, or consent? | 1 1 1 4 1 1 1 1 1 5 | 17 | 10 | 1.7
33 | NIST Cybersecurity Framework Criterion ID.AM-2: Software platforms and applications within the organization are inventoried | 1 2 1 1 1 2 5 1 1 1 | 16 | 10 | 1.6
34 | NIST Cybersecurity Framework Criterion PR.DS-3: Assets are formally managed throughout removal, transfers, and disposition | 1 1 4 1 2 1 3 2 1 1 | 17 | 10 | 1.7
35 | How do I stay inspired? | 1 1 3 1 1 1 1 1 1 1 | 12 | 10 | 1.2
36 | Does your organization have a company-wide policy regarding best practices for cyber? | 1 1 1 1 1 1 1 1 3 1 | 12 | 10 | 1.2
37 | NIST Cybersecurity Framework Criterion PR.IP-8: Effectiveness of protection technologies is shared with appropriate parties | 1 1 3 1 1 1 1 1 1 4 | 15 | 10 | 1.5
38 | How do we foster innovation? | 1 1 1 2 1 3 4 1 3 1 | 18 | 10 | 1.8
39 | NIST Cybersecurity Framework Criterion ID.BE-4: Dependencies and critical functions for delivery of critical services are established | 1 1 3 1 1 1 5 1 1 1 | 16 | 10 | 1.6
40 | How do you determine the key elements that affect Cyber Security Risk Management workforce satisfaction? How are these elements determined for different workforce groups and segments? | 1 1 4 1 1 1 1 1 1 1 | 13 | 10 | 1.3
41 | How can we become more high-tech but still be high touch? | 1 1 1 1 1 4 1 5 3 4 | 22 | 10 | 2.2
42 | Who will be responsible for deciding whether Cyber Security Risk Management goes ahead or not after the initial investigations? | 1 1 1 4 1 2 1 1 5 1 | 18 | 10 | 1.8
43 | Has implementation been effective in reaching specified objectives? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
44 | If I had to leave my organization for a year and the only communication I could have with employees was a single paragraph, what would I write? | 1 1 4 4 1 1 4 1 1 4 | 22 | 10 | 2.2
45 | Who is responsible for ensuring appropriate resources (time, people and money) are allocated to Cyber Security Risk Management? | 1 3 1 1 1 1 1 1 1 1 | 12 | 10 | 1.2
46 | How do the actors compromise our systems? | 4 3 5 1 1 1 1 5 5 4 | 30 | 10 | 3
47 | If there were zero limitations, what would we do differently? | 1 1 3 5 5 1 4 3 1 1 | 25 | 10 | 2.5
48 | If the liability portion of a Cybersecurity insurance policy is a claims-made policy, is an extended reporting endorsement (tail coverage) offered? | 1 1 1 1 1 1 1 3 1 1 | 12 | 10 | 1.2
49 | Are there any disadvantages to implementing Cyber Security Risk Management? There might be some that are less obvious. | 1 1 1 1 2 1 1 1 1 2 | 12 | 10 | 1.2
50 | Did my employees make progress today? | 1 1 5 1 1 2 1 3 1 1 | 17 | 10 | 1.7
51 | How do you assess vulnerabilities to your system and assets? | 1 3 4 4 2 1 1 1 1 4 | 22 | 10 | 2.2
52 | How will you motivate the dishwashers? | 1 1 1 4 1 1 1 1 2 5 | 18 | 10 | 1.8
53 | If we weren't already in this business, would we enter it today? And if not, what are we going to do about it? | 3 1 1 1 5 1 2 1 1 1 | 17 | 10 | 1.7
54 | Who will manage the integration of tools? | 1 1 1 4 2 1 1 1 1 1 | 14 | 10 | 1.4
55 | What stupid rule would we most like to kill? | 3 1 1 3 1 1 4 1 1 1 | 17 | 10 | 1.7
56 | What management system can we use to leverage the Cyber Security Risk Management experience, ideas, and concerns of the people closest to the work to be done? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
57 | What are specific Cyber Security Risk Management Rules to follow? | 1 1 1 4 1 1 1 1 1 1 | 13 | 10 | 1.3
58 | What has the company done to bolster its Cybersecurity program? | 1 5 1 1 1 1 1 1 1 1 | 14 | 10 | 1.4
59 | Who are the key stakeholders? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
60 | NIST Cybersecurity Framework Criterion RS.AN-3: Forensics are performed | 1 4 1 1 1 1 1 1 1 1 | 13 | 10 | 1.3
61 | How much should we invest in Cybersecurity (and how should those funds be allocated)? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
62 | How much contingency will be available in the budget? | 1 1 1 1 1 1 1 1 3 1 | 12 | 10 | 1.2
63 | Are records kept of Cybersecurity access to key systems? | 1 1 1 1 1 1 4 1 1 1 | 13 | 10 | 1.3
64 | Does your organization perform vulnerability assessment activities as part of the acquisition cycle for products in each of the following areas: Cybersecurity, SCADA, smart grid, internet connectivity, and website hosting? | 1 1 1 1 4 1 1 1 2 5 | 18 | 10 | 1.8
65 | Is there a Cybersecurity budget? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
66 | Are recovery activities communicated to internal stakeholders and executive and management teams? | 1 5 1 1 1 1 1 1 1 4 | 17 | 10 | 1.7

  • 14.
67 | If you had to rebuild your organization without any traditional competitive advantages (i.e., no killer technology, promising research, innovative product/service delivery model, etc.), how would your people have to approach their work and collaborate together in order to create the necessary conditions for success? | 1 2 1 1 1 1 1 5 1 2 | 16 | 10 | 1.6
68 | What counts that we are not counting? | 1 1 1 1 1 1 1 1 3 1 | 12 | 10 | 1.2
69 | What are the critical success factors? | 1 1 1 1 2 1 1 1 1 1 | 11 | 10 | 1.1
70 | NIST Cybersecurity Framework Criterion ID.GV-1: Organizational information security policy is established | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
71 | Has your system or website's availability been disrupted? | 3 5 1 1 1 1 3 1 5 1 | 22 | 10 | 2.2
72 | Are we making progress? And are we making progress as Cyber Security Risk Management leaders? | 1 5 1 1 1 1 2 1 1 1 | 15 | 10 | 1.5
73 | Why don't our customers like us? | 1 1 1 1 1 1 1 2 1 1 | 11 | 10 | 1.1
74 | Who will determine interim and final deadlines? | 1 1 3 1 1 1 1 1 1 1 | 12 | 10 | 1.2
75 | What is something you believe that nearly no one agrees with you on? | 1 4 1 1 1 1 1 1 1 1 | 13 | 10 | 1.3
76 | In retrospect, of the projects that we pulled the plug on, what percent do we wish had been allowed to keep going, and what percent do we wish had ended earlier? | 1 1 1 1 4 1 1 3 1 1 | 15 | 10 | 1.5
77 | Are individuals specifically assigned Cybersecurity responsibility? | 1 1 1 1 1 5 1 1 4 1 | 17 | 10 | 1.7
78 | How much to invest in Cybersecurity? | 1 1 5 1 1 1 1 1 3 1 | 16 | 10 | 1.6
79 | NIST Cybersecurity Framework Criterion PR.AC-4: Access permissions are managed, incorporating the principles of least privilege and separation of duties | 1 4 3 1 1 1 1 1 1 1 | 15 | 10 | 1.5
80 | What happens at this company when people fail? | 4 2 1 1 1 5 1 4 1 1 | 21 | 10 | 2.1
81 | NIST Cybersecurity Framework Criterion PR.IP-11: Cybersecurity is included in human resources practices (e.g., deprovisioning, personnel screening) | 2 1 1 1 1 1 1 1 1 1 | 11 | 10 | 1.1
82 | We picked a method, now what? | 3 1 1 1 1 2 1 3 1 1 | 15 | 10 | 1.5
83 | NIST Cybersecurity Framework Criterion PR.AT-1: All users are informed and trained | 1 1 1 4 1 1 3 1 1 1 | 15 | 10 | 1.5
84 | In what ways are Cyber Security Risk Management vendors and us interacting to ensure safe and effective use? | 1 1 1 1 1 1 3 2 1 1 | 13 | 10 | 1.3
85 | Are we paying enough attention to the partners our company depends on to succeed? | 1 1 1 1 4 1 1 1 1 1 | 13 | 10 | 1.3
86 | Whom among your colleagues do you trust, and for what? | 1 1 1 5 1 1 1 4 1 1 | 17 | 10 | 1.7
87 | Are your recovery strategies regularly updated? | 1 1 1 1 1 1 1 1 4 1 | 13 | 10 | 1.3
88 | What will be the consequences to the business (financial, reputation, etc.) if Cyber Security Risk Management does not go ahead or fails to deliver the objectives? | 4 1 1 1 1 1 3 1 1 1 | 15 | 10 | 1.5
89 | What business benefits will Cyber Security Risk Management goals deliver if achieved? | 1 1 1 1 1 5 1 1 4 1 | 17 | 10 | 1.7
90 | NIST Cybersecurity Framework Criterion PR.AC-1: Identities and credentials are managed for authorized devices and users | 4 1 1 1 1 1 1 1 1 1 | 13 | 10 | 1.3
91 | Were lessons learned captured and communicated? | 1 1 1 1 1 1 1 3 1 1 | 12 | 10 | 1.2
92 | How do we go about Securing Cyber Security Risk Management? | 1 1 1 5 1 1 1 1 1 1 | 14 | 10 | 1.4
93 | How do you report cyberattacks? | 1 1 1 3 1 1 1 1 1 2 | 13 | 10 | 1.3
94 | Has anyone made unauthorized changes or additions to your system's hardware, firmware, or software characteristics without your IT department's knowledge, instruction, or consent? | 1 1 3 1 1 1 1 1 1 1 | 12 | 10 | 1.2
95 | What are the business goals Cyber Security Risk Management is aiming to achieve? | 1 1 2 4 5 1 1 5 1 5 | 26 | 10 | 2.6
96 | How do we Lead with Cyber Security Risk Management in Mind? | 1 1 5 1 1 2 1 1 1 1 | 15 | 10 | 1.5
97 | How can you negotiate Cyber Security Risk Management successfully with a stubborn boss, an irate client, or a deceitful coworker? | 1 5 1 1 1 1 1 1 1 1 | 14 | 10 | 1.4
98 | What happens if you do not have enough funding? | 3 1 1 1 2 1 1 1 1 1 | 13 | 10 | 1.3
99 | Do you have an internal or external company performing your vulnerability assessment? | 1 5 4 1 1 1 5 1 1 1 | 21 | 10 | 2.1
100 | How are we doing compared to our industry? | 1 1 1 1 1 1 3 1 1 1 | 12 | 10 | 1.2
101 | Can we maintain our growth without detracting from the factors that have contributed to our success? | 1 1 1 1 3 1 1 1 1 1 | 12 | 10 | 1.2
102 | What one word do we want to own in the minds of our customers, employees, and partners? | 1 1 1 1 1 1 1 1 1 1 | 10 | 10 | 1
103 | Who is the main stakeholder, with ultimate responsibility for driving Cyber Security Risk Management forward? | 1 4 1 1 1 4 2 1 1 3 | 19 | 10 | 1.9
104 | Has the company experienced an increase in the number of Cybersecurity breaches? | 1 1 4 1 1 1 1 1 1 4 | 16 | 10 | 1.6
105 | Is there any reason to believe the opposite of my current belief? | 1 1 4 1 1 1 4 1 1 5 | 20 | 10 | 2
106 | Who do we want our customers to become? | 1 1 5 1 1 1 1 1 1 4 | 17 | 10 | 1.7
107 | What are the gaps in my knowledge and experience? | 1 2 1 3 1 1 1 1 2 1 | 14 | 10 | 1.4
108 | How can we become the company that would put us out of business? | 1 1 1 1 4 1 1 1 2 1 | 14 | 10 | 1.4
109 | Do you keep 50% of your time unscheduled? | 1 1 1 1 1 1 1 1 4 1 | 13 | 10 | 1.3
110 | How do we end up with a world where we don't have Cybersecurity haves and have-nots? | 1 5 1 3 2 1 1 1 1 1 | 17 | 10 | 1.7
111 | Ask yourself: how would we do this work if we only had one staff member to do it? | 2 1 1 5 1 1 1 1 1 2 | 16 | 10 | 1.6
112 | Is the Cybersecurity policy reviewed or audited? | 1 4 1 1 5 1 1 1 1 1 | 17 | 10 | 1.7
113 | Does the company use the NIST Cybersecurity framework? | 3 1 1 1 1 1 1 1 1 1 | 12 | 10 | 1.2
114 | Are you satisfied with your current role? If not, what is missing from it? | 1 1 1 2 5 1 1 1 1 3 | 17 | 10 | 1.7
115 | How are conflicts dealt with? | 1 1 1 1 1 1 1 1 1 5 | 14 | 10 | 1.4
116 | Who's in charge of inactivating user names and passwords as personnel changes occur? | 1 1 1 1 1 1 1 4 1 1 | 13 | 10 | 1.3
117 | Will it be accepted by users? | 1 1 1 1 1 1 1 5 4 1 | 17 | 10 | 1.7
118 | Do you see more potential in people than they do in themselves? | 1 1 1 1 1 1 1 1 1 3 | 12 | 10 | 1.2
119 | Am I failing differently each time? | 1 1 1 1 1 1 2 1 5 3 | 17 | 10 | 1.7
120 | How do you assess threats to your system and assets? | 1 1 1 4 1 1 1 1 1 1 | 13 | 10 | 1.3
121 | How do various engineering job roles and Cybersecurity specialty roles engage to maximize constructive overlap and differences to address security for our systems? | 1 1 1 1 1 4 1 1 1 1 | 13 | 10 | 1.3
122 | Is the impact that Cyber Security Risk Management has shown? | 1 1 2 5 1 1 1 1 1 2 | 16 | 10 | 1.6
123 | Which functions and people interact with the supplier and/or customer? | 1 1 4 1 1 1 1 5 2 1 | 18 | 10 | 1.8
124 | Do you have policies and regulations in place regarding the physical and operating environment for organizational assets? | 1 1 5 1 1 1 1 1 1 1 | 14 | 10 | 1.4
125 | NIST Cybersecurity Framework Criterion DE.CM-4: Malicious code is detected | 1 1 1 1 1 1 2 1 1 1 | 11 | 10 | 1.1
126 | What is your BATNA (best alternative to a negotiated agreement)? | 3 3 1 1 1 2 1 1 1 1 | 15 | 10 | 1.5
127 | Whose voice (department, ethnic group, women, older workers, etc.) might you have missed hearing from in your company, and how might you amplify this voice to create positive momentum for your business? | 1 1 1 1 1 1 1 1 1 5 | 14 | 10 | 1.4
128 | Which models, tools and techniques are necessary? | 5 5 1 1 3 1 1 1 5 1 | 24 | 10 | 2.4
129 | If you had to rebuild your organization without any traditional competitive advantages, how would your people have to approach their work and collaborate together in order to create the necessary conditions for success? | 1 1 1 1 1 1 1 3 1 1 | 12 | 10 | 1.2
130 | In a project to restructure Cyber Security Risk Management outcomes, which stakeholders would you involve? | 1 1 1 1 4 1 1 1 1 1 | 13 | 10 | 1.3
131 | Do we underestimate the customer's journey? | 5 1 1 3 4 5 5 1 1 1 | 27 | 10 | 2.7
132 | NIST Cybersecurity Framework Criterion DE.CM-5: Unauthorized mobile code is detected | 1 1 1 2 1 5 1 1 1 1 | 15 | 10 | 1.5
133 | What are the top 3 things at the forefront of our Cyber Security Risk Management agendas for the next 3 years? | 1 1 1 1 1 1 3 1 1 1 | 12 | 10 | 1.2
134 | NIST Cybersecurity Framework Criterion PR.IP-5: Policy and regulations regarding the physical operating environment for organizational assets are met | 1 1 1 1 1 1 1 2 1 1 | 11 | 10 | 1.1
135 | What information is critical to our organization that our executives are ignoring? | 1 4 1 2 1 1 1 1 1 1 | 14 | 10 | 1.4
136 | What is it like to work for me? | 2 1 1 3 1 1 1 1 1 1 | 13 | 10 | 1.3
137 | What should we stop doing? | 1 3 1 1 1 1 1 1 1 4 | 15 | 10 | 1.5
138 | Instead of going to current contacts for new ideas, what if you reconnected with dormant contacts--the people you used to know? If you were going to reactivate a dormant tie, who would it be? | 1 1 5 1 1 1 1 1 1 1 | 14 | 10 | 1.4
139 | Have we had a PCI compliance assessment done? | 1 1 1 1 2 2 1 1 1 1 | 12 | 10 | 1.2
140 | NIST Cybersecurity Framework Criterion PR.AC-3: Remote access is managed | 1 1 1 1 1 1 1 1 5 1 | 14 | 10 | 1.4
141 | What are your key business, operational, societal responsibility, and human resource strategic challenges and advantages? | 1 1 3 1 1 1 1 1 1 1 | 12 | 10 | 1.2
142 | Who is responsible for errors? | 4 1 1 1 5 1 1 1 1 1 | 17 | 10 | 1.7
143 | Has your system or website's availability been disrupted? | 1 1 5 1 1 1 4 1 1 1 | 17 | 10 | 1.7