Cybersecurity Readiness Assessment
How well does your organization meet a 7-day patching standard for security updates?
No Patch Management: Patches are rarely or never applied, and no defined process exists.
Reactive / Inconsistent Patching: Patches are applied occasionally or only after issues occur; timelines vary widely.
Defined but Not Enforced: A patching policy exists, but patches are not consistently applied within 7 days.
Consistently Applied Within 7 Days: Most systems are patched within 7 days, with limited exceptions tracked.
Fully Managed & Verified Within 7 Days: All systems are patched within 7 days, with monitoring, reporting, and verification in place.
Select the option that most closely reflects how your organization applies security patches.
To what extent is multi-factor authentication (MFA) enforced across all systems, including email?
Not Implemented: MFA is not in use for most systems, including email.
Limited Implementation: MFA is enabled for a small number of systems or select users only.
Partial Enforcement: MFA is enforced for some critical systems, but not consistently across all platforms or users.
Broad Enforcement: MFA is enforced for most systems, including email, with limited exceptions.
Fully Enforced: MFA is enforced across all systems and users, including email, with ongoing monitoring and policy enforcement.
Select the option that most closely reflects how your organization enforces multi-factor authentication (MFA) across systems, including email.
How well does your organization track and maintain an inventory of all IT assets (PCs, servers, printers, and other devices)?
Not Tracked: Assets are not formally tracked or inventoried.
Informal / Manual Tracking: Some assets are tracked manually or inconsistently, with no centralized inventory.
Partially Tracked: Most assets are tracked, but the inventory is incomplete or not regularly updated.
Consistently Tracked: All major assets are tracked in a centralized system and updated periodically.
Fully Tracked & Managed: All assets are fully inventoried, regularly updated, and actively managed throughout their lifecycle.
Select the option that most closely reflects how your organization tracks and manages IT assets.
How consistently does your organization perform data wipes and obtain certificates of destruction for all decommissioned devices?
Not Performed: Devices are decommissioned without formal data wiping or certificates of destruction.
Inconsistent: Data wipes or certificates are completed for some devices, but not consistently.
Partially Implemented: Data wiping is standard practice, but certificates of destruction are not always obtained or documented.
Consistently Performed: All decommissioned devices are securely wiped and certificates of destruction are obtained, with limited exceptions.
Fully Enforced & Documented: Secure data wiping and certificates of destruction are required for all devices, fully documented, and regularly audited.
Select the option that most closely reflects how your organization handles data wiping and destruction documentation for decommissioned devices.
How regularly does your organization conduct phishing simulation testing?
Not Conducted: Phishing simulations are not performed.
Ad Hoc / Infrequent: Simulations are conducted occasionally, but not on a regular schedule.
Periodic but Not Monthly: Simulations are conducted on a scheduled basis, but less frequently than monthly.
Monthly Simulations Conducted: Phishing simulations are conducted monthly for most users, with limited exceptions.
Monthly & Program-Driven: Monthly phishing simulations are conducted for all users, with reporting, follow-up training, and trend tracking.
Select the option that most closely reflects how your organization conducts phishing simulation testing.
How does your organization provide ongoing cybersecurity awareness and training for all employees?
Not Provided: No formal cybersecurity training is provided to employees.
One-Time or New-Hire Only: Training is limited to onboarding or a one-time session, with no ongoing program.
Occasional Training: Training is provided periodically, but not on a regular or recurring schedule.
Ongoing Training Program: Cybersecurity training is provided regularly to all employees.
Continuous & Reinforced Program: Ongoing training is provided to all employees, reinforced with testing, updates, and measurable outcomes.
Select the option that most closely reflects how your organization provides ongoing cybersecurity awareness training.
To what extent does your organization’s email security include data loss prevention (DLP), SPF, DKIM, and impersonation protection?
Not Implemented: Email filtering and advanced protections are not in place.
Basic Filtering Only: Basic spam filtering is used, but DLP, SPF, DKIM, or impersonation protection are missing or misconfigured.
Partially Implemented: Some protections (such as SPF or DKIM) are in place, but not all features are fully implemented or enforced.
Mostly Implemented: DLP, SPF, DKIM, and impersonation protection are implemented for most users, with limited gaps.
Fully Implemented & Managed: All email security controls—including DLP, SPF, DKIM, and impersonation protection—are fully implemented, monitored, and maintained.
Select the option that most closely reflects the email security controls in place within your organization.
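The SPF and DKIM records behind this question are public DNS data, so the state of the "Partially Implemented" options above can be checked directly. The Python below is an added example, not code from this page or from its author, and it goes slightly beyond the page's list by also checking DMARC, since DMARC is the record that turns SPF and DKIM results into an enforceable anti-impersonation policy for the domain. DNS lookups are replaced by a constructed dictionary of TXT answers so it runs offline; the domain names, selector and key material are made up, and the DLP and impersonation-protection settings that live inside the mail gateway are out of its reach.

```python
"""Offline sanity check of SPF / DKIM / DMARC records (added example)."""
import re

# Constructed sample TXT answers standing in for DNS; none of these are real records.
DNS_TXT = {
    "good.example": ["v=spf1 include:_spf.example.net -all"],
    "sel1._domainkey.good.example": ["v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC0"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 ip4:203.0.113.0/24 +all"],
    "sel1._domainkey.weak.example": ["v=DKIM1; p="],
    "_dmarc.weak.example": ["v=DMARC1; p=none; pct=50"],
}


def lookup_txt(name, resolver):
    """Return the TXT strings for a name; swap in a real resolver for production use."""
    return resolver.get(name.lower(), [])


# SPF terms that cost a DNS query (RFC 7208 section 4.6.4 caps these at 10).
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a$|a[:/]|mx$|mx[:/]|ptr|exists:|redirect=)", re.I)


def check_spf(domain, resolver=DNS_TXT):
    """Findings for the domain's SPF record; an empty list means nothing was flagged."""
    spf = [r for r in lookup_txt(domain, resolver) if r.lower().startswith("v=spf1")]
    if not spf:
        return ["SPF: no v=spf1 record published"]
    findings = []
    if len(spf) > 1:
        findings.append("SPF: more than one v=spf1 record (receivers treat this as permerror)")
    terms = spf[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    q = all_term.lower() if all_term else None
    if q is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders get a neutral result")
    elif q in ("all", "+all"):
        findings.append("SPF: '+all' authorises every host on the internet")
    elif q == "?all":
        findings.append("SPF: '?all' is neutral and provides no protection")
    elif q == "~all":
        findings.append("SPF: '~all' softfail; acceptable only with an enforcing DMARC policy")
    # Only top-level terms are counted here; included records are not followed offline.
    if sum(1 for t in terms if SPF_LOOKUP_TERM.match(t)) > 10:
        findings.append("SPF: more than 10 DNS-querying terms (permerror)")
    return findings


def parse_tags(record):
    """Parse the 'k=v; k=v' tag list format shared by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def check_dkim(domain, selector, resolver=DNS_TXT):
    """Confirm a DKIM public key is published for the selector and not revoked."""
    recs = lookup_txt(f"{selector}._domainkey.{domain}", resolver)
    if not recs:
        return [f"DKIM: no key published for selector '{selector}'"]
    tags = parse_tags(recs[0])
    findings = []
    if tags.get("v", "DKIM1").upper() != "DKIM1":
        findings.append("DKIM: unexpected version tag")
    if not tags.get("p"):  # an empty p= tag means the key has been revoked
        findings.append("DKIM: empty p= tag, key is revoked")
    return findings


def check_dmarc(domain, resolver=DNS_TXT):
    """Flag a missing or monitor-only DMARC policy and partial enforcement."""
    recs = [r for r in lookup_txt(f"_dmarc.{domain}", resolver) if r.upper().startswith("V=DMARC1")]
    if not recs:
        return ["DMARC: no record; SPF/DKIM results are not enforced against spoofed mail"]
    tags = parse_tags(recs[0])
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so no aggregate reports are received")
    return findings


def assess_domain(domain, dkim_selector, resolver=DNS_TXT):
    """Run all three checks and return the findings per control."""
    return {
        "spf": check_spf(domain, resolver),
        "dkim": check_dkim(domain, dkim_selector, resolver),
        "dmarc": check_dmarc(domain, resolver),
    }


if __name__ == "__main__":
    for d in ("good.example", "weak.example"):
        print(d, assess_domain(d, "sel1"))
```

Against real domains, replace `lookup_txt` with a resolver call and run the check for every selector your mail platforms sign with; a domain whose SPF ends in `+all` or whose DMARC policy is `p=none` belongs in the "Basic Filtering Only" or "Partially Implemented" tier regardless of what the gateway vendor reports.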
To what extent does your organization’s endpoint protection include EDR/XDR capabilities?
Not Implemented: Endpoint protection does not include EDR or XDR capabilities.
Basic Antivirus Only: Traditional antivirus is in place, but no EDR/XDR functionality exists.
Partially Implemented: EDR or XDR is deployed on some endpoints, but not consistently across the environment.
Broadly Implemented: EDR/XDR is deployed on most endpoints and actively used for detection and response.
Fully Implemented & Managed: EDR/XDR is deployed on all endpoints, with active monitoring, response procedures, and regular review.
Select the option that most closely reflects the level of endpoint protection in place within your organization.
How consistently does your organization review and update IT policies (such as Acceptable Use, Access Control, Password, and MFA policies)?
Not Reviewed: IT policies are not formally reviewed or updated.
Infrequently Reviewed: Policies are reviewed occasionally, but not on a defined annual schedule.
Defined but Inconsistent: An annual review process exists, but policies are not consistently updated or documented.
Reviewed Annually: IT policies are reviewed and updated annually, with minor exceptions.
Reviewed, Approved & Documented Annually: Policies are reviewed, updated, formally approved, and documented annually, with version control and audit evidence.
Select the option that most closely reflects how your organization reviews and maintains IT policies.
How are user accounts offboarded upon an employee’s exit?
Not Performed: User accounts are not consistently disabled or removed after employee exits.
Ad Hoc / Delayed: Offboarding occurs inconsistently and often takes longer than 24 hours.
Partially Timely: Most users are offboarded, but not within 24 hours.
Consistently Within 24 Hours: User accounts are offboarded within 24 hours in most cases, with limited exceptions.
Fully Enforced & Verified Within 24 Hours: All user accounts are offboarded within 24 hours, with documented procedures and verification.
Select the option that most closely reflects how your organization handles user offboarding after employee exits.
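The top tier of both the 7-day patching question and the 24-hour offboarding question requires verification, which in practice means measuring each event against its deadline rather than trusting that the process ran. The Python below is an added example, not code from this page or from its author; it applies one deadline check to two constructed data sets (hosts awaiting a patch, and leavers awaiting account disablement). The host names, account names, patch identifier and timestamps are all made up, and a real run would pull the same tuples from the patch management console and the HR or identity system.

```python
"""Measure time-bound controls against their deadline (added example)."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
# Constructed "current time" so the example is deterministic.
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=UTC)

# Constructed patch records: (subject, patch release time, install time or None if still missing).
PATCHES = [
    ("srv-01 KB-1", datetime(2024, 6, 1, tzinfo=UTC), datetime(2024, 6, 4, tzinfo=UTC)),
    ("srv-02 KB-1", datetime(2024, 6, 1, tzinfo=UTC), datetime(2024, 6, 9, tzinfo=UTC)),
    ("pc-07 KB-1", datetime(2024, 6, 1, tzinfo=UTC), None),
    ("pc-08 KB-1", datetime(2024, 6, 8, tzinfo=UTC), None),
]

# Constructed leaver records: (account, termination time, time the account was disabled or None).
LEAVERS = [
    ("jdoe", datetime(2024, 6, 7, 17, 0, tzinfo=UTC), datetime(2024, 6, 7, 17, 30, tzinfo=UTC)),
    ("asmith", datetime(2024, 6, 5, 17, 0, tzinfo=UTC), datetime(2024, 6, 8, 9, 0, tzinfo=UTC)),
    ("bwong", datetime(2024, 6, 8, 17, 0, tzinfo=UTC), None),
]


def sla_breaches(records, deadline, now=NOW):
    """Return (breaches, compliance_ratio) for records of (subject, trigger, completion or None).

    A record breaches when completion happened after trigger + deadline ("late"), or
    has not happened and the deadline has already passed ("open"). Records that are
    still inside their window are neither compliant nor breached and are left out of
    the ratio, so a freshly released patch does not inflate or deflate the number.
    """
    breaches, compliant, decided = [], 0, 0
    for subject, trigger, done in records:
        due = trigger + deadline
        if done is not None:
            decided += 1
            if done <= due:
                compliant += 1
            else:
                breaches.append((subject, "late", done - due))
        elif now > due:
            decided += 1
            breaches.append((subject, "open", now - due))
    ratio = compliant / decided if decided else 1.0
    return breaches, ratio


def report(label, records, deadline, now=NOW):
    """Human-readable summary of one control; returns the breach list for reuse."""
    breaches, ratio = sla_breaches(records, deadline, now)
    print(f"{label}: {ratio:.0%} within {deadline}")
    for subject, kind, overdue in breaches:
        print(f"  {subject}: {kind}, over by {overdue}")
    return breaches


if __name__ == "__main__":
    report("Security patches", PATCHES, timedelta(days=7))
    report("Account offboarding", LEAVERS, timedelta(hours=24))
```

The "open" breaches are the ones that matter most for the assessment: a leaver whose account is still enabled past the 24-hour mark is an active access-control gap, not a reporting statistic, and the same function run daily is what the "monitoring, reporting, and verification" wording in the patching question refers to.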
How consistently does your organization test its disaster recovery (DR) plan?
Not Tested: Disaster recovery testing is not performed.
Infrequently Tested: DR testing occurs occasionally, but not on a regular or annual schedule.
Defined but Inconsistent: Annual DR testing is planned, but tests are not consistently completed or documented.
Tested Annually: Disaster recovery testing is conducted annually, with minor gaps or limited scope.
Tested, Documented & Improved Annually: DR testing is conducted annually, fully documented, and used to improve recovery procedures.
Select the option that most closely reflects how your organization tests and maintains its disaster recovery capabilities.
How consistently does your organization replace devices according to a defined lifecycle policy?
No Defined Lifecycle: Devices are replaced only after failure, with no formal lifecycle policy.
Informal Lifecycle: General replacement expectations exist, but they are not documented or consistently followed.
Defined but Inconsistently Applied: A lifecycle policy exists, but devices are not always replaced within the defined timeframe.
Consistently Replaced per Policy: Devices are replaced according to the defined lifecycle policy, with limited exceptions.
Fully Enforced & Tracked Lifecycle: Devices are replaced according to policy, tracked throughout their lifecycle, and reviewed regularly.
Select the option that most closely reflects how your organization manages device replacement and lifecycle policies.