Risk Analysis Form

NIST Cybersecurity Self-Assessment

Please answer all 16 questions to calculate your risk score

This self‑assessment is intended for a preliminary overview. The information provided is for informational purposes. Results are preliminary and based solely on the data you submit. They may not represent full compliance with NY DFS (23 NYCRR 500), NIST, CIS, or other applicable standards, and do not constitute legal, regulatory, accounting, or cybersecurity advice.

For a detailed cybersecurity assessment, NIST gap analysis, and a prioritized remediation plan, contact our team.

By proceeding with this self-assessment, you acknowledge and agree to the above terms.

How to answer:

Yes = in place and working

Partial = underway or inconsistent

No = not in place

Unsure = don't know

Your Information

Please provide your contact details to receive your assessment results.

Full Name *

Email Address *

Phone Number

Organization

Ar you DFS?

Q1: Do we keep an up-to-date list of all devices that can connect to our network?

Q2: Do we keep an up-to-date list of all software/apps in use (including cloud/SaaS)?

Q3: Is sensitive data (e.g., student/consumer/health/financial) identified and labeled?

Q4: Is sensitive data protected (encryption in transit/at rest; access on least-privilege)?

Q5: Do we have defined retention rules and secure disposal for data we no longer need?

Q6: Are systems configured to a secure baseline and kept patched (OS & apps)?

Q7: Do all admins use separate admin accounts, and is MFA required for admin/remote/cloud access?

Q8: Are dormant/unused accounts found and disabled promptly?

Q9: Do we centrally collect and review security logs, with enough storage retained?

Q10: Are anti-malware/EDR tools deployed and auto-updated on endpoints/servers?

Q11: Do we filter risky web/DNS traffic and restrict to supported browsers/email clients?

Q12: Are backups automated, tested, and include an offline/isolated copy?

Q13: Do we maintain an inventory of critical vendors and assess their cyber risk?

Q14: Do staff receive regular security awareness training and phishing simulations?

Q15: Do we have named incident handlers, current contact lists, and a simple reporting process?

Q16: Do we run an external penetration test at least annually?

Calculating your risk assessment...