Security Risk Assessments  
  Have you ever completed a Security Risk Assessment?
  If Yes, when was the last time one was performed?
  If Yes, how many medium to high risk areas are still on the list to be accomplished?
  Appropriate Employee IT Usage    
  Do you have anything in place to train your employees on security awareness?
  If Yes, are they trained when they are first hired?
  If Yes, how often are they trained again?
  Do you keep records of each employee's training and attendance?
  Documented IT Usage Policies    
  Do you have security policies written which outline how to protect PI and how to govern the use of technology?
  Were all employees trained in the past year?
  If Yes, do you train every new employee within the first 30 days?
  Massachusetts State Law Compliance    
  As all businesses in Massachusetts require a WISP…    
  Are you legally compliant with MA CMR.17 by having a Written Information Security Program (WISP)?
  If Yes, when was the last time you updated your WISP?
  If Yes, when was the last time you trained your employees on your WISP?
  Clients, Partners and Vendors    
  Have you ever had to fill out a security questionnaire from a client, or were you audited by a client?
  Have you signed a BAA with any of your clients?
  Do you have BAAs set up with your suppliers or service organizations?
  Business Insurance    
  Do you have cyber risk insurance?
  Is your Cyber Risk Insurance value commensurate with your risk?
  Do you have any language in agreements with clients that states how you will handle their PI, IP or confidential information?
  Do you know the details of what your cyber risk insurance does and does not cover?
IT Policy Assessment Score
Scoring Summary:
Below 60
76 - 85