1. What industry does your client operate in?

Healthcare Financial Services & Banks Technology & IT Services Government & Public Sector Retail & eCommerce Other

Low Risk

Medium Risk

High Risk

Critical Risk

2. How critical are the services provided by the client to their clients?

Non-Essential Essential Business Critical Mission Critical

Low Risk

Medium Risk

High Risk

Critical Risk

3. Does your client handle sensitive data as part of its regular business operations?

No, the company does not handle any sensitive data Personal Identifiable Information (PII) or PHI data Controlled Unclassified Information (CUI) Financial Data Some or all of the above

Low Risk

Medium Risk

High Risk

Critical Risk

4. Does your client maintain well-documented cybersecurity policies and procedures?

No. Cybersecurity policies and procedures are mostly ad hoc or non-existent Cybersecurity policies are ad-hoc and inconsistent at best and written mostly to fulfill audit requirements Cybersecurity policies and procedures are written and managed centrally by the security team, but the processes are manual A central policy management solution is used to define, maintain and improve cybersecurity policies and procedures

Low Risk

Medium Risk

High Risk

Critical Risk

5. Does your client ask all its employees and partners to undergo security awareness training at regular intervals?

Awareness training is ad hoc, inconsistent or non existent A central training management platform is used to train all employees and partners In addition to basic training, all employees are trained on handling phishing, social engineering and other similar attacks A very mature security awareness training program exists that aligns with job roles and industry threats

Low Risk

Medium Risk

High Risk

Critical Risk

6. How does your client maintain an inventory of all its assets?

No central repository exists for all hardware and software assets A partial inventory is maintained using manual methods such as spreadsheets Central asset management tool (i.e. such as a RMM) is used to create an asset inventory of software and hardware products Asset management covers 100% of assets, is fully integrated, and automatically keeps the inventory accurate continuously

Low Risk

Medium Risk

High Risk

Critical Risk

7. Does your client centrally manage configuration of all its devices?

Configuration management is non-existent, or manually performed to fulfill audit requirements Well defined configuration management baseline, but 100% implementation is yet to be achieved A central configuration management database is used to define, manage and change configuration Configuration management is central and automated with the ability of monitoring, tracking and reporting

Low Risk

Medium Risk

High Risk

Critical Risk

8. Does your client use an Endpoint Protection Solution to protect its endpoints?

No Endpoint Protection Solutions is used A Central Endpoint Protection platform such as CrowdStrike is in place to protect all endpoints A central configuration management database is used to define, manage and change configuration Endpoint Protection Platform with advanced Endpoint Detection and Response capabilities is deployed

Low Risk

Medium Risk

High Risk

Critical Risk

9. Does your client centrally log & monitor events in real time?

A central logging and monitoring solution is not present and implementation is currently inconsistent Log management policy is well defined and all systems log access and other activity based on the policy A central log management system is in place which provides end to end log monitoring and log lifecycle management Advanced real time algorithmic SIEM solution is deployed to log, monitor and alert for anomalous activities

Low Risk

Medium Risk

High Risk

Critical Risk

10. Can your client effectively failover in case of a disaster?

Business cannot perform in case of natural disaster or calamity Only critical data and applications can failover to an alternate site or facility Most applications and systems can effectively failover to an alternate site Alternate sites are not required for the company

Low Risk

Medium Risk

High Risk

Critical Risk

11. Does your client have an incident response and recovery playbook?

Incident response playbook is not present and incidents are handled in a reactive fashion Policies and procedures are defined in a playbook and incidents are handled based on the playbook A central automated incident response management tool is in place and is configured based on the incident response playbook Proactive incident management is in place by using tools for threat detection, dark web monitoring and vulnerability scanning

Low Risk

Medium Risk

High Risk

Critical Risk

Chapter 3:

Client Assessment

Client Assessment

1. What industry does your client operate in?

2. How critical are the services provided by the client to their clients?

3. Does your client handle sensitive data as part of its regular business operations?

4. Does your client maintain well-documented cybersecurity policies and procedures?

5. Does your client ask all its employees and partners to undergo security awareness training at regular intervals?

6. How does your client maintain an inventory of all its assets?

7. Does your client centrally manage configuration of all its devices?

8. Does your client use an Endpoint Protection Solution to protect its endpoints?

9. Does your client centrally log & monitor events in real time?

10. Can your client effectively failover in case of a disaster?

11. Does your client have an incident response and recovery playbook?

How can you prove that compliance is critical to your client’s success?

Find out how to change the conversation in Chapter 4.

Chapter 2

Identify Your Clients’ Needs

Chapter 4

Don’t Sell Compliance — Sell Risk Assessment & Management