| Field | Response |
| --- | --- |
| Company Completing the Form | |
| Name of Person Completing the Form | |
| Title of Person Completing the Form | |
| No. of employees | |
| Please identify any agency management programs you use and for what purposes. | |

| Question | Response | Notes |
| --- | --- | --- |
| Does your organization/agency qualify for limited exemption under the NY DFS Cybersecurity Regulation (23 NYCRR 500.19)? | | |
| Do you have a Chief Information Security Officer or another named individual who is responsible for regularly reviewing / updating policies and communicating to appropriate constituents about cybersecurity? | | |
| Do you have a formally documented Security Incident Response plan? | | |
| Is access restricted based on the principle of least privilege ("need to know")? | | |
| If you answered "Yes" above, is the principle of least privilege reviewed at least annually to ensure it remains appropriate over time? | | |
| Do you have a data retention and disposal policy? | | |
| Do you monitor activity of authorized users to detect unusual downloading, copying, or altering of NPI? | | |
| Will 3rd parties access Kingstone Insurance Nonpublic Information? | | |
| Does your company have a formal 3rd party service provider management policy? | | |
| Do you risk assess your 3rd parties as part of that policy? | | |
| Do you store data in the cloud? If so, in the "Notes" field please identify all cloud providers that you use. | | |
| If you answered "Yes" above and you responded that you have a 3rd party service provider management policy, are your cloud providers included in that policy? | | |
| Is entry to all buildings housing Nonpublic Information (including offices and data centers) protected by appropriate physical and environmental controls? | | |
| Is physical access to areas where Nonpublic Information is stored restricted to those who need access to the data? | | |
| Are all visitors required to sign in, wear a visitor's badge and be escorted during their visits? | | |
| Is access to building entrances and sensitive areas monitored, and are exceptions and alerts followed up in a timely manner? | | |
| Are users required to secure their workstation session (e.g. locking screens) before leaving their area unattended? | | |
| Has your company experienced any security breaches in the last 5 years? If so, please describe in the "Notes" field. | | |

| Question | Response | Notes |
| --- | --- | --- |
| Have you conducted a risk and vulnerability assessment to help identify, assess and manage your own cyber risks? | | |
| How often is risk assessment performed? | | |
| Please detail the frequency of risk assessment. | | |
| When was your last cybersecurity risk assessment? | | |
| Was your assessment conducted in-house or by a 3rd party? | | |
| Please identify the 3rd party by name. | | |
| Do you have a disaster recovery and business continuity plan that addresses information security events? | | |
| Is there insurance coverage for Cyber Liability (Network Security and Data Privacy Liability)? | | |

| Question | Response | Notes |
| --- | --- | --- |
| Do you have a security and privacy awareness program in place that identifies best practices and corporate policy measures? | | |
| Do you conduct training on an ongoing basis? | | |

Check all of the following security practices you utilize and, where applicable, identify any 3rd party vendor/software application you utilize for each control.

| Security practice | In use | 3rd party vendor/software application |
| --- | --- | --- |
| Firewalls at the network perimeter | | |
| Firewalls in front of sensitive resources inside the network | | |
| Anti-malware/Anti-virus software | | |
| Multi-factor authentication for internal network access to Nonpublic Information from an external network (if you use an alternative control, please identify it in the "Notes" field) | | |
| Spam filters | | |
| Encryption of Nonpublic Information at rest | | |
| Encryption of Nonpublic Information in transit | | |
| Encryption for data back-ups to removable media (e.g. tapes, thumb drives, etc.) | | |
| Proactive vulnerability scanning/penetration testing | | |
| How frequently is vulnerability scanning performed? | | |
| What timeframe is remediation for high and critical vulnerabilities required to be completed in? | | |
| Intrusion detection/prevention systems | | |
| Automatic software update policy (if your process is not automatic, please identify how often you check for updates in the "Notes" field) | | |
| Restrict the use of unsupported software within your environment | | |
| Security logging capabilities | | |
| A person dedicated to reviewing logs and alerts | | |
| Please explain who reviews logs and alerts | | |
| Filter employee web access to protect from malicious sites | | |
| Dedicated wireless network connections for guest and employee personally owned device access that are separate and distinct from the networks where your internal desktops, laptops and/or product servers connect | | |
| A Virtual Private Network (VPN) used for remote access to a corporate network | | |
| A teleworking policy that covers securing equipment and protecting data, or teleworking requirements included in the appropriate information security policies | | |
| Remote access controls for employees who access their email or company systems via personal computers | | |