
User Guide

Everything you need to complete the assessment effectively and get the most value from your customized security policies.

What You'll Get

After completing this assessment and purchasing the package ($799), you'll receive:

Your Complete Security Package:

  • Assessment Report - A comprehensive summary of your security posture with scores across all six NIST CSF functions
  • 8 Customized Security Policies - Professional, ready-to-implement policy documents tailored to your organization
  1. Information Security Policy
  2. Acceptable Use Policy
  3. Access Control & Identity Management Policy
  4. Data Classification & Handling Policy
  5. Logging, Monitoring & Alerting Policy
  6. Incident Response Policy
  7. Backup & Recovery Policy
  8. Vendor & Third-Party Risk Management Policy

Before You Begin

Set aside 15-20 minutes to complete the assessment in one session. Your progress is automatically saved in your browser, but the best results come from completing it while the details are fresh in your mind.

Gather this information beforehand:

  • Number of employees, endpoints (laptops/desktops), and servers
  • Your cloud platforms (AWS, Azure, Google Cloud, etc.)
  • Current security tools in use (antivirus, SIEM, backup solutions)
  • Any compliance requirements you're subject to (HIPAA, PCI-DSS, SOC 2, etc.)
  • Names/roles of your security and IT leadership

How the Assessment Works

The assessment has 10 sections covering different aspects of your security program:

  1. Organization Profile - Basic info about your company and data types
  2. Infrastructure & Technology - Your IT environment and platforms
  3. Access & Authentication - How users log in and access systems
  4. Asset Management & Data - How you track and protect assets
  5. Vulnerability & Patch Management - How you find and fix weaknesses
  6. Monitoring & Detection - How you detect threats
  7. Backup & Recovery - How you protect against data loss
  8. Incident Response - How you handle security incidents
  9. Third-Party Risk - How you manage vendor security
  10. Business Continuity & Risk - Your resilience and overall security posture

Tips for Best Results

Answer Based on Current State, Not Goals

The AI generates policies based on where you are today. If you answer based on where you want to be, your policies won't address your actual gaps.

✗ "We have MFA" (when you're planning to implement it next quarter)

✓ "MFA is not in place" or "Limited (1-25%)"

Be Specific in Text Fields

The more detail you provide, the more tailored your policies will be.

Business Overview:

✗ "We're a tech company"

✓ "We're a 15-person SaaS company providing HR software to mid-market companies. We process employee PII including SSNs and handle payroll data for approximately 200 client companies."

Mission-Critical Processes:

✗ "Our software"

✓ "Customer-facing HR portal (must be available 99.9%), nightly payroll processing batch jobs, API integrations with 3 major payroll providers"

Don't Skip Optional Fields

Optional fields provide context that significantly improves policy quality. The expandable sections (marked with ▶) contain valuable questions about:

  • Technical architecture details
  • Risk tolerance and thresholds
  • Data flows and lifecycle
  • Governance structure

Pro tip: Expanding and completing these sections results in more accurate, actionable policies.

Use Realistic Numbers

The AI scales recommendations based on your organization size and resources. Accurate numbers lead to realistic timelines and appropriate controls.

Key numbers to get right:

  • Employee headcount
  • Number of endpoints (laptops, desktops, mobile devices)
  • Number of servers/VMs
  • Number of critical vendors
  • Customer base size

Be Honest About Gaps

This assessment is confidential. Acknowledging gaps doesn't hurt you; it helps generate policies that address your real needs.

It's okay to select:

  • "No formal process"
  • "Never tested"
  • "Not in place"
  • "Ad-hoc"

These honest answers result in policies with clear remediation timelines.

Section-by-Section Guidance

Section 1: Organization Profile

Key fields that impact policy generation:

  • Organization Name - Used throughout all policy documents
  • Industry - Determines relevant compliance references and threat focus
  • Employee Headcount - Scales role assignments and process complexity
  • Data Types Handled - Determines encryption and handling requirements
  • Business Overview - Provides context for all policies; 2-4 detailed sentences recommended

Pro tip: Complete the expandable sub-sections (Business Context, Technical Architecture, Risk Management Framework). These details significantly improve policy quality.

Section 2: Infrastructure & Technology

Key fields:

  • Cloud Platforms - Policies will reference your specific platforms (AWS, Azure, etc.)
  • Number of Endpoints - Used for EDR deployment timelines and monitoring scope
  • Remote Work Model - Determines whether remote work controls are included

If the endpoint count seems high for your headcount, use the context field to explain why (shared devices, contractor laptops, kiosks, etc.).

Section 3: Access & Authentication

Key fields:

  • MFA Adoption Rate - Be accurate; if only your administrators have MFA, that is typically "Limited (1-25%)", not full adoption
  • PAM (Privileged Access Management) - "Not in place" is common for smaller organizations
  • Access Reviews - How often you verify who has access to what

The Identity Lifecycle expandable section covers JML (Joiner/Mover/Leaver) processes, service accounts, and password policies. Complete this for detailed access control policies.

Section 4: Asset Management & Data

Key fields:

  • Asset Inventory - Do you know what devices and systems you have?
  • Data Classification - Do you categorize data by sensitivity?
  • Encryption - Is data encrypted at rest and in transit?

Honest answers here generate policies with appropriate remediation timelines for establishing these foundational controls.

Section 5: Vulnerability & Patch Management

Key fields:

  • Vulnerability Scanning - How often you scan for vulnerabilities
  • Patch Management - How quickly you apply security updates
  • Penetration Testing - External security testing frequency

"Never" and "Ad-hoc" are valid answers. The resulting policies will include timelines to establish these practices.

Section 6: Monitoring & Detection

Key fields:

  • Logging & Monitoring - Select all that apply (SIEM, SOC, MDR)
  • EDR (Endpoint Detection & Response) - Critical for detecting threats on endpoints
  • Alert Response Time - How quickly you respond to security alerts

The Security Operations expandable section helps capture MTTD/MTTR metrics and alert triage processes if you have them.

Section 7: Backup & Recovery

Key fields:

  • Backup Solution - Whether backups exist and are tested
  • RTO/RPO - Recovery time and data loss tolerances (auto-filled from Section 1)
  • Ransomware Prevention - Controls specifically for ransomware resilience

If you select "No backups", the policy will include urgent remediation timelines.

Section 8: Incident Response

Key fields:

  • IR Plan Status - Draft/Informal is better than nothing
  • IR Testing - Tabletop exercises and simulations
  • Prior Incidents - Helps calibrate recommendations

The expandable sections cover forensics capabilities, communication chains, and notification requirements, all of which are important for a comprehensive IR policy.

Section 9: Third-Party Risk

Key fields:

  • Number of Critical Vendors - Vendors with access to sensitive data
  • Vendor Assessment Process - How you evaluate vendor security
  • Security Requirements - What you require from vendors (SOC 2, NDAs, etc.)

Use the Critical Vendor Details section to document specific vendors. This creates vendor-specific requirements in your policy.

Section 10: Business Continuity & Risk

Key fields:

  • BCP/DRP Status - Business Continuity and Disaster Recovery plans
  • Security Budget - Helps scale recommendations to your resources
  • Team Maturity - "No dedicated team" is common; policies will account for this
  • Top Risks - Your biggest security concerns in your own words

Understanding Your Results

After completing all sections, you'll see:

NIST CSF Function Scores

Six scores (0-100%) across:

  • Govern - Security governance and policy
  • Identify - Asset and risk awareness
  • Protect - Safeguards and access controls
  • Detect - Monitoring and detection capabilities
  • Respond - Incident response readiness
  • Recover - Recovery and continuity capabilities

AI-Assisted Tier Analysis

Your overall Implementation Tier (1-4):

  • Tier 1 (Partial) - Ad-hoc, reactive security
  • Tier 2 (Risk-Informed) - Some processes, not organization-wide
  • Tier 3 (Repeatable) - Formal, consistent processes
  • Tier 4 (Adaptive) - Continuous improvement, proactive

Key Recommendations

Prioritized actions based on your specific gaps.

Data Quality Notes

Flags any inconsistencies in your answers that you may want to review.

Frequently Asked Questions

Can I save and return later?

Yes, your progress saves automatically in your browser. Just return to the same browser on the same device. You may also save your progress manually by clicking the save button. Because progress is stored in the browser, clearing site data or working in a private/incognito window will discard it.

What if I made a mistake in my answers?

Use the section tracker at the top to navigate back to any section and update your answers before generating policies.

How long does policy generation take?

Typically 30-60 seconds for all 8 policies.

Can I regenerate policies if I don't like them?

Each payment includes one package generation. If you experience technical issues, contact info@strategydms.com.

Are my answers stored?

Assessment data is retained for 30 days for support purposes, then automatically deleted. Data is encrypted and never used for AI training. See our Terms of Use for full details.

What if a policy doesn't fit my organization?

All policies are starting points. You should review and customize them for your specific context, legal requirements, and operational realities.

Need Help?

  • Technical issues: info@strategydms.com
  • Questions about results: info@strategydms.com
  • Policy implementation guidance: Consider scheduling a consultation at strategydms.com/contact-us