Greater Houston Partnership (GHP)

Free Cybersecurity Guide

Partnership Cybersecurity Self Assessment Tool

Cyber Security Risk Level: Negligible / Low / Moderate / High / Extreme

For each question, the possible responses are listed in the order they appear across the risk-level columns, lowest risk first.

Do you assess and monitor changes to user privileges?
  - All user privileges monitored continuously, alerts investigated immediately.
  - All user privileges monitored continuously, reports analyzed weekly.
  - Only administrator account monitored. Reports analyzed at least monthly.
  - User privilege assessment scans performed and reviewed once in a while.
  - No

Do you have an organization password strength policy?
  - Multi-factor authentication (something you know, like a password, plus something you have, like a badge or a fingerprint)
  - 8 characters or more, special characters required, with required change every 3 or 6 months
  - Less than 8 characters, no special characters
  - No

Do individuals or third-party organizations have access to your network?
  - Over a virtual private network, restricted-access vendor accounts, business associates agreement with vendor
  - Remote access tools to access secure network from outside
  - Physical access to hardware

Do you perform security/awareness training?
  - Mandatory for all employees periodically, with assessment of understanding. Third parties understand roles and responsibilities
  - For new hires only
  - No

Do you manage assets?
  - Formally managed through acquisition, update, transfer, removal and disposal
  - Network, servers, devices and software documented
  - Purchased inventory only documented
  - No device or network management

Do your employees travel with laptops or other removable devices?
  - No
  - Encrypted and no local data storage
  - Hard drive encryption
  - File encryption
  - Unencrypted

Do you have remote backup?
  - No
  - Zero recovery encrypted
  - Encrypted
  - Unencrypted
  - Physically unsecured

Do you have wireless networks?
  - No SSID (name of wireless network) broadcast, complex password, air defense system (blocks addition of wireless routers to network). User account and/or computer address access control. No public access
  - Separate isolated guest wireless with no access to internal network
  - Published SSID, weak password

Do you store personally identifiable information on your network?
  - No
  - Yes, encrypted at rest and in transmission
  - Yes, unencrypted at rest and/or in transmission

Do you have organizational security policies?
  - Board approved, trained, monitored and enforced
  - On shelf
  - No

Contracts with vendors?
  - Have copies of vendor security policies. Vendor has adequate cyber protection and insurance. Liability defined in contract.
  - Liability defined in contract
  - No cybersecurity in contract

Do you perform personnel security and background checks?
  - All employees have background checks. Physical access control to physical network and servers. Accounts disabled as soon as employee is no longer employed
  - Background checks, but no physical access controls
  - No security or background checks

How do you transmit personally identifiable information to third parties?
  - Using mutual transport layer security with a BAA in place
  - Over a virtual private network
  - Via secure/encrypted email to unvalidated recipient
  - Unencrypted, e.g. via email

Do you have a security function in your organization?
  - Dedicated security team. Reports to senior leadership
  - Security functions shared within technical teams
  - No security function

Do you have an incident response team and recovery plan?
  - 24/7 response by multiple teams
  - Business hours response by some teams
  - None

Do you perform logging and monitoring?
  - Network and host-based alerts responded to in real time
  - Network only / Host only (no real-time alerting)
  - No

Do you have antivirus and anti-malware software?
  - All computers and servers, monitored
  - Computers with access to PHI only, not monitored
  - No

Do you have phishing protection?
  - Monitored, no email/unrestricted internet browser access on network containing secure information
  - Yes, users trained
  - No

Do you protect your network with a firewall?
  - Monitored
  - Commercial-class router, complex password, ports open to the internet restricted to only those required for business applications
  - Residential-class router, default password
  - No

Count of responses in each risk level category: Negligible / Low / Moderate / High / Extreme

Overall score:
  18 or less: Good cyber security measures in place
  19-36: Perform risk/benefit analysis
  Over 36: Invest in cyber protection
