General, Advanced and New Technology Assessment Merged - Zan

1. Is your business vulnerable to the collapse or failure of its IT systems (server and/or web-site), the loss, theft or corruption of data, and cybercrime?
- No, not at all - we make use of a fully managed 24/7 outsourced system security service provider who monitors and analyses logs from active directories, runs scanners, monitors for unauthorised access attempts, manages our anti-virus protection, intrusion prevention, firewalls and web proxy servers, and raises alerts to the appropriate levels and parties in our business/organisation as required.
- No - we have very good physical controls and make use of the latest security software and devices, virtual walls, motion detectors and connectivity to enable remote event and incident monitoring.
- No, to a large degree - our web-site and other servers are externally hosted and we have ensured that these are adequately secure, not easily vulnerable to external hacking or cyber attacks, and that our business continuity is not at risk.
- No, not really - we believe that our IT controls, infrastructure, data back-up routines, disaster planning and cyber awareness put us in a position to counter the threats to our business, but we still don't think this is sufficient or adequate to counter a sophisticated cyber attack.
- Yes - while we are doing the basics, we believe that, due to limited IT controls and resources coupled with ever-changing technology, we are highly vulnerable to any attacks on our IT systems and to the potential loss of data.
- Yes, very - we have no real IT disciplines and our existing controls are woefully weak and limited.

2. Does the potential threat of cybercrime, cyber attacks, sabotage, online vandalism, blackmail, data theft, malicious attacks (distributed denial of service) and the blocking of hacker opportunities form a strategic focus in your business, and does this form part of on-going staff education and training?
- Yes, absolutely - we have made the threat of cybercrime a key area of focus across the whole organisation, as the majority of attacks originate from unsolicited e-mails and/or disgruntled or ex-employees.
- Yes - we have increased our focus on firewall and other controls and improved disaster recovery, but our overall disciplines and awareness could be improved.
- Yes, to a degree - while we are aware of the growing risk, the potential loss of data and the likely impact on our business, we have only done the basics and need to elevate the importance of this risk.
- No - while we are aware of the threat and potential impact, we see ourselves as a low-risk and unlikely target.
- No, not at all - we have not quantified the full extent of the potential impact of a cyber attack and continue to focus on other areas.

3. Does the Company have an appointed Security Officer and a privacy and security policy, and has the Company conducted a risk assessment in the past 12 months?
- Yes, absolutely - we have a dedicated security officer and a comprehensive privacy and IT policy, and we undertake on-going technology risk assessments.
- Yes - we have IT policies and data privacy is a specific focus, but we don't have a dedicated security officer and risk assessments are undertaken on an ad hoc basis when requested or required by our auditors or insurance company.
- No, not at all - we have no formally documented IT and privacy policies and risk assessment is handled very informally.

4. Does the Company have an incident response plan for network intrusions and data security breaches?
- Yes, absolutely - we have detailed logs and analyse, review and follow up on all security incidents, including attempted breaches, in order to bring about improved controls and processes.
- Yes - all incidents are recorded and reported on.
- No - while we are aware of major incidents or breaches, our processes lack formality.
- No, not at all - we have no formalised response plans and tackle incidents as and when they occur.

5. Does IT and cyber risk form a key part of your formal risk management process, and is IT and cyber risk consistently a Board-reportable item?
- Yes, absolutely - we have recognised this as one of the major risks facing our business/organisation going forward and it is a permanently reportable board agenda item.
- Yes - we have made this a specific area of focus and have elevated it in our risk management process.
- Yes, to a degree - we have had an increasing number of hardware thefts and/or malware incidents which have elevated our concerns, and we are aware that this is an ever-increasing area of crime.
- No, not specifically - we are still relying on our general security and existing IT policies, procedures and disciplines to protect our systems and data.
- No, not at all - we have not had the time or resources to make this a specific area of focus.

6. Do you undertake regular stress and ethical hack testing of your systems and applications, and do you understand the limitations of your system infrastructure?
- Yes, absolutely - our system and network are continually stress and hack tested to ensure that they are secure and robust and that our systems are capable of adequately supporting our business and data volumes, such that outages and failures are minimised.
- Yes - while we have done some stress testing and are aware of our system constraints and limitations, we do not undertake any ethical or hack testing.
- No - our systems are largely externally hosted and we rely almost entirely on our service providers to address and manage these aspects in terms of our contract.
- No, not at all - we have done no testing of our systems and have no idea of our security limitations or capacity constraints.

7. Do you have an outsourced or fully managed system security function (SOC) which monitors your systems 24x7, analyses logs from active directories, runs scanners, manages your anti-virus protection, intrusion prevention, firewalls and web proxy servers, and raises real-time alerts of security events to the appropriate levels and parties?
- Yes, absolutely - we make use of external ISO27001:2013 accredited dedicated security monitoring, alerting, escalation and remediation which encompasses monitoring of active directories, perimeter security systems and critical systems, as well as the provision of a customised dynamic dashboard for management along with global threat feeds and alerts on the latest threats and countermeasures.
- Yes - we have a limited externally managed security function which manages our anti-virus protection, intrusion prevention and firewalls.
- No - we manage our system security internally, making use of our own limited resources and available security tools.
- No, not at all - we have not placed a big emphasis on system security and still rely on the basic software controls, password configurations and IT disciplines.

8. Do you use encryption for data and file transmission, logging utilities, and real-time alerts around restricted file access and the extraction of data from databases?
- Yes, absolutely - we have comprehensive security controls, make use of end-to-end encryption for the transmission of mails, files and sensitive data, and make use of logging utilities and 24x7 real-time monitoring of database activity.
- Yes - we make use of encryption for all data and file transmission and have dedicated database activity monitoring.
- No - we do not transmit any sensitive information and don't believe we need any additional security controls around our database activity.
- No, not at all - due to control and resource limitations, we are highly exposed and vulnerable to unauthorised access to our database and data and/or to the interception of mails and/or confidential or sensitive data.

9. Do you undertake comprehensive reference checking and vetting of all staff who will have direct access to networks, systems, programs and data before they are taken into the employ of your business?
- Yes, absolutely - we make use of specialist IT recruitment agencies who undertake a thorough review of potential candidates' technical capabilities and track record, and our organisation undertakes the required other checks as part of our normal HR recruitment process.
- Yes - we subject all resources to comprehensive background vetting and checking.
- No, not at all - our background vetting and reference checking is particularly weak and limited.

10. Do you have copies of and ready access to the source code of all programs and applications developed for your business or organisation, do you maintain tight version control, and is the code for current developments sufficiently secured in escrow structures where necessary?
- Yes, absolutely - we have made this a specific area of focus and, in addition to robust legal contracts with reputable software vendors and developers, we make sure we have ownership of and access to all code and applications at all times, as well as tight version control. During development phases, code is lodged in escrow structures until ownership and control passes.
- Yes - as a policy we have decided to use only widely supported, commercially available software and applications.
- Yes, to a degree - while we endeavour not to be exposed in this regard, we have in the past been forced to incur unnecessary legal costs to get access to source code.
- No - we are exposed here as we have some legacy systems still running on old software applications for which we do not hold the source code.
- No, not at all - we are very exposed in this area as much of our development is customised and undertaken by private resources that hold us captive in this regard.

11. Do you have a redundancy plan in respect of the availability of your network infrastructure, including servers, telephone connectivity, access to data, storage, networks, power and web-sites, as well as internet connectivity?
- Yes, absolutely - we have a well-documented and board/management-approved comprehensive disaster recovery and redundancy/continuity plan for our IT systems which has been tested, and we have monitoring systems in place to ensure the successful generation of back-ups.
- Yes - we have a disaster backup site, but this has never been fully resourced or tested in a live environment.
- No - we have very limited redundancy plans other than for back-up power, some data backup and the potential use of an alternative site for our web hosting.
- No, not at all - other than the regular backup of our data to cloud storage, we do not have any business continuity or redundancy plans in place for our systems, nor back-up computers available.

12. Are user privileges tightly managed in order to prevent misuse by "privileged" users, and have you ensured that there is a clear segregation of duties between programmers, application administrators and system administrators, as well as the use of controls which limit access to data on the network to no more than what is essential and required for job requirements to be performed?
- Yes, absolutely - user privileges are tightly managed and we ensure that system administrators and application administrators do not have access to all data on the network, other than what is essential and required for them to fulfil their job requirements.
- Yes - we have general controls in place, and user privileges for users with access to sensitive systems and sensitive information are revoked within thirty (30) days of termination of their employment, in particular where there is termination of employment at outsourced/third-party service providers.
- Yes, to a degree - while we have controls in place, with all the staff changes and changes in roles, we need to urgently review the situation.
- No - due to resource constraints we do not have the required segregation of user privileges in place.
- No, not at all - this area has not received the focus it deserves.

13. Do you ensure that data and files are removed or erased from the drives of all old servers, scrapped PCs, laptops, inactive workstations, memory sticks, discs or other optical media, and in particular from devices held by or used by staff no longer in the employ of the organisation?
- Yes, absolutely - we have very strict disciplines in place for the erasure and removal of sensitive data, documents, applications, programs and mails from obsolete/discontinued devices and from the devices of employees who are leaving or who have been suspended from the organisation.
- Yes, to a degree - we have limited disciplines in place around the removal of data, applications and programs, but struggle to remove content and data from privately owned laptops, tablets, memory sticks and phones.
- No, not at all - this is an area that we have completely overlooked and which poses a risk.

14. Do you hold cyber liability insurance cover?
- Yes, absolutely - we have comprehensive cyber cover that covers data theft, loss of data, reputational damage and costs of remedial action, web-site hacking or hijacking, ransom threats, theft of monies, systems rendered unavailable and the inability to deliver services, and we focus rigidly on complying with the terms and conditions and IT disciplines required in terms of the policy cover.
- Yes - we have basic cover that covers the theft of monies and/or data as a result of cybercrime.
- Yes, to a degree - while we have some cover, we are unable to meet all the compliance requirements of the policy and extended cover on a consistent basis and run the risk of our claims being repudiated.
- No - the cost of cover and the basic excess that would apply does not warrant or justify what we believe is our likely or potential loss in this regard.
- No, not at all - we only have insurance for the theft of computers; at this stage we have not contemplated this and have no idea to what extent we might be exposed or the level of potential loss we might experience.

15. Do you protect and keep the confidentiality of all data and records?
- Yes, absolutely - we focus on the physical security of our computers, regularly back up all our data to an off-site location, make use of the latest firewall and anti-virus protection, proactively monitor database activity, and have made the confidentiality and safety of customer records and sensitive data a key strategic objective.
- Yes - we have good physical controls, we have restricted access to our confidential data and customer records, and we rely on our IT controls to prevent unauthorised access to these.
- No - while confidential records and data are backed up daily off-site, with hard copies stored in secure fireproof cabinets, access to these is not tightly controlled and the physical control of computers is slack.
- No, not at all - we have very weak IT disciplines in place around access to confidential data and records, and equally weak controls in respect of the removal of computers and/or laptops and IT assets, data and/or confidential records from the business.

16. Do you have robust IT controls and disciplines in your business?
- Yes, absolutely. We have made security, and in particular IT security and cybercrime, a core strategic focus of our business and an integral part of our risk management process.
- Yes, we have an IT governance framework with robust IT policies and data controls, a data security manual and comprehensive system protocols in place.
- Yes, while we follow tried-and-tested IT best practice policies and procedures, and these are aligned to the overall governance policy of our business, we still seem to be behind the curve.
- To a limited extent. While we have some controls (e.g. physical, firewall and password controls) to protect our IT systems, we lack an integrated policy to ensure overall IT security.
- No, we have almost no real IT security policy or IT controls/discipline, or we find that policies (e.g. password changes) are not followed by staff.
- No, not at all. We have no documented IT controls in place and rely merely on password protection to control access to our systems and data.

17. Is there a culture and are there operational controls in place that endorse/enforce IT security disciplines, password control, data management and cybercrime awareness in your organisation?
- Yes, absolutely. We have been proactive and have put 24/7 preventative measures in place around a variety of potential attacks on our business coming across multiple channels, not just e-mail, including theft of computers (laptops/tablets/desktops), encryption of sensitive mails/records and cyber fraud, and we have issued best practice guidelines to customers and staff.
- Yes, to a large extent. As part of our HR employee induction programme and on-going staff education and training, a specific focus is placed on security, IT security, IT disciplines, data back-up, password controls, cybercrime awareness, social media and internet usage, and the threat of data theft, hacking, phishing, impersonation, sabotage, ransomware and malware.
- Yes, we ensure that the confidentiality of all passwords and password disciplines are tightly maintained, that strong passwords are used and that these are regularly changed by users. We ensure that all departing or suspended employees are immediately removed from access to all systems.
- Yes, to a degree. Levels of access to all our vital hardware systems, programs, drives, servers, files and banking systems are controlled by passwords or other similar security measures.
- No, not really. Other than the use of basic anti-virus software and firewall controls, we have not taken any specific security measures.
- No, not at all. We have no specific focus on IT security in the business and face major challenges around password controls, basic system access disciplines and the opening of unsolicited e-mails.

18. Do you have back-up power (UPS) in place to ensure continuity of operations and the integrity of data records in the event of power outages or other disruptions?
- Yes, absolutely. It is imperative that our business has sufficient back-up power supply from generators/UPS or inverter devices, as our systems need to be available and accessible 24/7 and any outages and down-time would have a material impact on business processes and controls, service levels, enquiries and sales.
- Yes, we are making use of an outsourced data centre, which has enabled us to mitigate some of the risks of power outages and a lack of system back-up capacity, as well as lowering the risk of loss of data.
- Yes, to a degree. We make use of basic UPS back-up power devices to ensure continuity of our business operations and systems availability, but remain vulnerable to extended outages.
- No, we have not taken any specific steps around back-up power and rely almost entirely on the efforts and actions of our landlord in this area.
- No, not at all. We have no back-up power in place and merely try to keep laptops, tablets and phones fully charged at all times.

19. Do you ensure that you update your virus protection or anti-virus software, mail management and operating software, personal firewall software and other associated security controls on a regular basis?
- Yes, absolutely. We ensure that our operating system, anti-virus software, firewall software and other associated security controls are updated on a regular basis and that we are running the latest version/release and updates of the respective software.
- Yes, to a large extent. We run security software and are receiving threat alerts. We try to ensure that we have no weak configurations in place.
- Yes, we try to ensure that our operating system and security software are updated on a regular basis and that our licences are current.
- Yes, to a degree. We rely almost entirely on updating our anti-virus, malware software and firewall protection from free versions available online.
- No, not really. We are careful around opening unsolicited mails, have outdated anti-virus and malware software loaded, and rely purely on the bank's security to protect our online banking.
- No, not at all. We get minimal e-mail, run mainly stand-alone off-line applications, use smartphones for much of our communication, and have removed the security software from most PCs as this was slowing them down and impacting other programs we run.

20. Is all your data secure and regularly backed up off-site or in the cloud?
- Yes, absolutely. As our business has high-value data, we have the required tested redundancies, physical controls of hardware, encryption of information, back-ups and a secondary peripheral computer system in place that takes over if our primary unit or other essential systems fail.
- Yes, to a large extent. We have daily automated routines which are monitored to ensure that all our data and records are backed up off-site or to cloud storage.
- Yes, we require all staff to do daily back-ups of their data stored on our server to the cloud, including data files stored on laptops or tablets.
- Yes, to a degree. We currently back up our data on a weekly basis to a removable hard drive, which is then taken to the business owner's home. We have never tested our back-up or attempted a full restore.
- No, not really. While we endeavour to do weekly back-ups to an external hard drive, these are not always done for a variety of reasons. We have never done a restore.
- No, not at all. We have no formalised disciplines around back-ups and rely on each staff member to secure their data and keep hard copies of records and mails.

21. Have you suffered theft of computer equipment, data loss, systems failure or a systems security incident such as hacking, phishing, malware or ransomware?
- No, not at all. We have a very secure IT environment, appropriate locks on all our desktops and laptops, and due to our IT and e-mail disciplines and data back-up routines, we have not suffered a data loss or security incident.
- No, our website and servers are externally hosted by reputable organisations, our internet service provider is blocking spam, unsolicited mails and viruses, we have anti-virus software on all machines, we have applied the latest operating software patches, and our data is backed up daily off-site.
- No, but there have been numerous viruses detected by our anti-virus software and blocked by our firewall.
- No, not to date, but we have received a number of bogus e-mails, fabricated letterheads and calls from syndicates attempting to get data details changed in order to solicit our banking details and passwords, solicit unauthorised payments or get payments diverted to third-party bank accounts.
- Yes, to a limited degree. Despite controls, we have suffered theft of computers and/or a deliberate and malicious disruption of service due to the installation of malware on our server.
- Yes, we have suffered multiple thefts of computers/laptops and/or have had our website hacked and rendered unusable.
- Yes, definitely. We have had sensitive information go missing on stolen computers, and/or we have lost data as a result of unexpected power failures with no recent back-ups being held on more than one occasion, and/or a disgruntled employee has threatened us with the theft of sensitive data/information.

22. Do you have appropriate and suitably qualified IT resources supporting your systems and network, and is your business/organisation vulnerable to IT services being provided by a particular individual or outsourced third party?
- Yes, absolutely. We have satisfied ourselves that the outsourced IT support service provider we use has ensured continuity of service provision, has robust disciplines around the staff employed by them, rigid controls around access to our live data, maintenance of the confidentiality of information, data back-ups, controls around any changes made to our systems or programs, and version control.
- Yes, we obtained references from a number of customers before appointing our outsourced IT support service provider and have a comprehensive Service Level Agreement (SLA) in place with them.
- Yes, although we are reliant on a single resource for our IT maintenance and support, we have ensured that we have the necessary access to source code and system access details, as well as the necessary alternative back-up and support to ensure continuity in the event of the resource's absence due to illness or other eventuality.
- Yes, to a degree. Our IT service provider, with whom we have a formal maintenance/support contract, only makes use of appropriately certified IT resources that are vetted and selected by them.
- No, we are not in control of all our IT or data services, are very reliant on a single service provider, and don't fully understand the powers and capabilities which the parties carrying out these roles have.
- No, not at all. We rely on an in-house person who has this responsibility in addition to other duties. We are aware of their limitations and any problems are solved by ad hoc external service providers.

23. Do you have a social media policy, and are you managing bandwidth, data usage costs and internet usage?
- Yes, absolutely. We have an effective mail management system, robust internet and e-mail usage policies, and site blocking/firewall shaping in place to ensure that security and system integrity are not compromised, that bandwidth availability and productivity are optimised, and that potential staff abuse of the internet and social networking sites is managed.
- Yes, HR and IT policies around the use of social media are enforced and abuse of the internet and social networking sites is proactively managed.
- Yes, to a degree. We have been forced to restrict internet access to a limited number of people in the business, as it was being abused for personal use and the incidence of viruses escalated to unacceptable levels.
- No, we have encouraged all staff to make use of the internet and social media in order to promote our business and to add value to their job role wherever possible.
- No, not at all. We do not have a social media policy in place, nor do we proactively manage internet usage, and we rely on staff not to use the name of the business in unofficial/private communication or to abuse/misuse our internet connection and bandwidth.

24. Do you use only licensed software?
- Yes, absolutely. We ensure that the business only makes use of the latest versions of reputable, widely used, secure, tried and tested, easy to use, compatible and licensed software that enjoys widespread back-up, continuity and support.
- Yes, we have ensured that we only make use of licensed software, have cancelled the licences of software no longer being used, and have destroyed any unlicensed copies of software.
- Yes, to a degree. We rely on our IT support services to update our software and to attend to any licensing requirements of software being used in our business.
- No, we have not complied with the requirements of a number of our software licences and are using outdated versions as well.
- No, not at all. We have a number of unlicensed and pirated software applications running in our business.

25. Is your website effective and secure?
- Yes, absolutely. Our website is an integral part of our business, as online business forms a large and key portion of our turnover. While our site is externally hosted by a leading global player, we continually check the ongoing effectiveness of the site from a content, security and functionality perspective. We make use of displays, flash features and mobile displays, and optimise search engine criteria by using key and ad words.
- Yes, the growth in our online business has forced us to focus on the functionality and security of our website and to employ professional service providers and experts in this area.
- Yes, to a degree. We have been forced by our competition and by new competitors entering our market to improve the effectiveness and online capability and capacity of our website.
- No, we are struggling to keep up with the latest technology and the costs of maintaining our website at the cutting edge from a content, functionality and security perspective.
- No, not at all. Our website is locally hosted, very static and outdated, not interactive, and is used merely to give out the address and contact numbers of our business and a very basic overview of what we do and/or the products and services we offer.

26. Does your business generate a significant portion of its revenue (sales) from digital channels (e.g. via your website/e-commerce platform or digital sales channels)?
- Yes, absolutely. Our business is heavily reliant on our e-commerce channel for the majority (65%+) of our revenue generation.
- Yes, our e-commerce is an integral contributor (35-65%) to our revenue generation.
- Yes, to a degree. The digital channels our business makes use of are responsible for a large portion (10-35%) of our revenue.
- Not particularly, no. While we generate some of our revenue (1-10%) from e-commerce, we do not consider it a vital contributor to our business's revenue.
- No, not at all. Our business does not make use of e-commerce platforms in generating revenue.

27. Do you rely extensively on in-house software or systems (i.e. software developed for you or tailored for you)?
- Yes. The majority of our software/systems are sophisticated and have been specially developed in-house for our business.
- To a degree, yes. While we have some software/systems that have been developed in-house, they are not particularly sophisticated and only account for a small portion of what we use.
- No, not at all. We use widely available software/systems in our day-to-day business activities.

28. Do you have ready access to suitably qualified and competent technology support?
- Yes, absolutely. We have suitably qualified technology support who are more than competent in providing our business with all our needs.
- Yes. We have competent technology support who are able to help us with the majority of issues our business faces.
- Yes, to a degree. While we have a provider for technology support, they tend to take extended periods of time in addressing our concerns.
- Not particularly, no. While we have a provider for technology support, they tend to take extended periods of time and are not always able to provide the necessary support we require.
- Not at all, no. We do not have access to any technology support.

29. Who are your technology providers/partners? EOH? Sahara?

30. Is your technology environment very dependent on a single individual or group of individuals?
- Yes. We have a specialised department/individual who is solely responsible for all of our technology requirements/solutions.
- Yes, to a degree. We have a department/individual who is responsible for a large portion of our technology requirements/solutions.
- Not particularly, no. While we have an individual who is responsible for our technology requirements/solutions, they can be or are aided by a third-party provider.
- No. We outsource all of our needs to reputable third-party providers.

31. Have you taken the steps required to protect client data?
- Yes, absolutely. We have a comprehensive system in which client data is stored and protected. We are confident that there is an extremely slim chance of this system being compromised.
- Yes. We have consulted specialists who have advised us on best practices and we adhere to them. We assume the system is protected as we have implemented the advice given to us in the consultations.
- Yes, to a degree. We stress the importance of client data and our employees are aware of this. While we do not have a formal system, we don't see it as likely that client data will be compromised.
- Not particularly, no. While we are careful not to share client data freely, we have not taken formal steps to protect client data.
- No, not at all. We have not taken any steps towards ensuring client data is protected.

Score

Score 0 to 29: Your score indicates that there is a lack of Advanced Technology controls and/or discipline that exposes your organisation to massive risk. We suggest that you URGENTLY address the issue of risk management generally, and also identify the biggest risks individually and put the necessary policies and programs together without delay to minimise these risks.

Score between 30 and 44: Your score reveals that your Advanced Technology controls and/or discipline are weak and expose your organisation to significant risk. We suggest you address the area of control risk as a priority and look to make improvements in this area as soon as possible.

Score between 45 and 54: Your score suggests that there are significant potential weaknesses in your Advanced Technology controls and that this should receive attention as a matter of priority. While an overall improvement may be required, it is also possible that your vulnerability is limited to one or two areas.

Score between 55 and 64: Your score suggests you could and should improve your Advanced Technology controls, but that this area probably doesn't represent a massive risk (generally). There may however be some vulnerability in a couple of areas that should be addressed in the reasonably near future.

Score between 65 and 79: Your score suggests that you probably have strong Advanced Technology controls and are therefore probably not hugely at risk. We would however recommend that you identify possible areas of weakness and address these in due course.

Score 80 and above: Your score suggests that you have strong Advanced Technology controls and have therefore greatly reduced your risk in this area. We would still advise you however to identify possible areas of weakness and address these in due course.