Start The Questionnaire

  1. Do you collect, store, host, process, control, use or share any private or sensitive information* in either paper or electronic form?
     Yes
     No
     If “Yes”, please provide the approximate number of unique records:
       Paper records:
       Electronic records:
     *Private or sensitive information includes any information or data that can be used to uniquely identify a person, including, but not limited to, social security numbers or other government identification numbers, payment card information, driver’s license numbers, financial account numbers, personal identification numbers (PINs), usernames, passwords, healthcare records, and email addresses.

  2. Do you collect, store, host, process, control, use or share any biometric information or data, such as fingerprints, voiceprints, facial, hand, iris or retinal scans, DNA, or any other biological, physical or behavioral characteristics that can be used to uniquely identify a person?
     Yes
     No
     If “Yes”, have you reviewed your policies relating to the collection, storage, and destruction of such information or data with a qualified attorney and confirmed compliance with applicable federal, state, local, and foreign laws?

  3. Do you process, store, or handle credit card transactions?
     Yes
     No
     If “Yes”, are you PCI DSS compliant?

  4. Do you tag external emails to alert employees that the message originated from outside the organization?
     Yes
     No

  5. Do you pre-screen emails for potentially malicious attachments and links?
     Yes
     No
     If “Yes”, do you have the capability to automatically detonate and evaluate attachments in a sandbox to determine whether they are malicious before delivery to the end user?

  6. Which of the following have you implemented to protect against phishing messages? (Check all that apply.)
     Sender Policy Framework (SPF)
     DomainKeys Identified Mail (DKIM)
     Domain-based Message Authentication, Reporting & Conformance (DMARC)
     None of the above

  7. Can your users access their email through a web application or from a non-corporate device?
     Yes
     No
     If “Yes”, do you enforce multi-factor authentication (MFA)?

  8. Do you use Office 365 in your organization?
     Yes
     No
     If “Yes”, do you use the Office 365 Advanced Threat Protection add-on (now Microsoft Defender for Office 365)?

  9. Do you use a cloud provider to store data or host applications?
     Yes
     No
     If “Yes”, please provide the name of the cloud provider. If you use more than one cloud provider to store data, specify the provider storing the largest quantity of sensitive customer and/or employee records.

 10. Do you use MFA to secure all cloud provider services that you utilize?
     Yes
     No

 11. Do you encrypt all sensitive and confidential information stored on your organization’s systems and networks? If “No”, which of the following compensating controls are in place? (If “Yes”, select “None of the above”.)
     Segregation of servers that store sensitive and confidential information
     Access control with role-based assignments
     None of the above

 12. Do you allow remote access to your network?
     Yes
     No
     If “Yes”, do you use MFA to secure all remote access to your network, including any Remote Desktop Protocol (RDP) connections?
     If MFA is used, please select your MFA provider:

 13. Do you use a next-generation antivirus (NGAV) product to protect all endpoints across your enterprise?
     Yes
     No
     If “Yes”, please select your NGAV provider:

 14. Do you use an endpoint detection and response (EDR) tool that includes centralized monitoring and logging of all endpoint activity across your enterprise?
     Yes
     No
     If “Yes”, please select your EDR provider:

 15. Do you use MFA to protect access to privileged user accounts?
     Yes
     No

 16. Do you manage privileged accounts using privileged account management software (e.g., CyberArk, BeyondTrust)?
     Yes
     No
     If “Yes”, please provide the name of your provider:

 17. Do you actively monitor all administrator access for unusual behavior patterns?
     Yes
     No
     If “Yes”, please provide the name of your monitoring tool:

 18. Do you roll out a hardened baseline configuration across servers, laptops, desktops, and managed mobile devices?
     Yes
     No

 19. Do you record and track all software and hardware assets deployed across your organization?
     Yes
     No
     If “Yes”, please provide the name of the tool used for this purpose (if any):

 20. Do non-IT users have local administrator rights on their laptop or desktop?
     Yes
     No

 21. How frequently do you install critical and high-severity patches across your enterprise?
     1-3 days
     4-7 days
     8-30 days
     One month or longer

 22. Do you have any end-of-life or end-of-support software?
     Yes
     No
     If “Yes”, is it segregated from the rest of your network?

 23. Do you use a protective DNS service to block access to known malicious websites?
     Yes
     No
     If “Yes”, please provide the name of your DNS provider:

 24. Do you use endpoint application isolation and containment technology on all endpoints?
     Yes
     No
     If “Yes”, please select your provider:

 25. Can users run macro-enabled Microsoft Office documents on their systems by default?
     Yes
     No

 26. Do you implement PowerShell best practices as outlined in Microsoft’s environment recommendations?
     Yes
     No

 27. Do you utilize a Security Information and Event Management (SIEM) system?
     Yes
     No

 28. Do you utilize a Security Operations Center (SOC)?
     Yes
     No
     If “Yes”, is it monitored 24 hours a day, 7 days a week?

 29. Do you use a vulnerability management tool?
     Yes
     No
     If “Yes”, please select your provider:

 30. Do you use a data backup solution?
     Yes
     No
     If “Yes”, how frequently does it run?
       Daily
       Weekly
       Monthly

 31. Estimated amount of time it will take to restore essential functions in the event of a widespread malware or ransomware attack within your network:
     0-24 hours
     1-3 days
     4-6 days
     1 week or longer

 32. Please check all that apply:
     Backups are encrypted.
     Backups are kept separate from your network (offline/air-gapped), or in a cloud service designed for this purpose.
     Backups are secured with different access credentials from other administrator credentials.
     You utilize MFA to restrict access to your backups.
     You use a cloud-syncing service (e.g., Dropbox, OneDrive, SharePoint, Google Drive) for backups.
     Your cloud-syncing service is protected by MFA.
     You have tested the successful restoration and recovery of key server configurations and data from backups in the last 6 months.
     You are able to test the integrity of backups prior to restoration to ensure that they are free of malware.

 33. Do any of the following employees at your company complete social engineering training?
     • Employees with financial or accounting responsibilities
     • Employees without financial or accounting responsibilities
     If “Yes” for either group above, does your social engineering training include phishing simulation?
     Yes
     No

 34. Does your organization send and/or receive wire transfers? If “Yes”, does your wire transfer authorization process include the following? (Check all that apply.)
     A wire request documentation form
     A protocol for obtaining proper written authorization for wire transfers
     A separation-of-authority protocol
     A protocol for confirming all payment or funds transfer instructions/requests from a new vendor, client, or customer via a direct call to that vendor, client, or customer, using only the telephone number they provided before the payment or funds transfer instruction/request was received
     A protocol for confirming any vendor, client, or customer account information change request via a direct call to that vendor, client, or customer, using only the telephone number they provided before the change request was received
     No, we do not send and/or receive wire transfers

 35. In the past 3 years, has the Applicant or any other person or organization proposed for this insurance (check all that apply):
     Received any complaints or written demands, or been a subject in litigation, involving matters of privacy injury, breach of private information, network security, defamation, content infringement, identity theft, denial of service attacks, computer virus infections, cyber extortion, or other cyber-related incidents
     Sustained any system intrusions, tampering, virus or malicious code attacks, loss of data, loss of portable media, hacking incidents, extortion attempts, or theft of information
     Sustained any unscheduled network outages or interruptions
     Notified customers or any other third party of a data breach incident
     Been the subject of a government action, investigation, or subpoena regarding any alleged violation of a privacy law or regulation
     Received any complaints or claims, or been subject to litigation, involving sexual harassment, invasion of privacy, wrongful collection of private information, discrimination, or wrongful employment practices