Risk Assessment Questions

What questions are included in the annual risk assessment in Drata?

Written by Ashley Hyman
Updated over a week ago

The following questions make up the 6 surveys you will complete within Drata for your annual risk assessment. Click here to learn more about how risk assessment works in Drata.

Depending on your response to the questions below, you may be queried for additional details:

If answered “No” to a question (Risk is now identified):

[*Risk*] Describe a problem that this could potentially cause.

How likely is this to occur?

How severe would the impact of this be?

*Remediation Tasks*: What could you do to make this less likely to occur or reduce the impact?

If answered “Yes” to a question:

If applicable, where and/or how do you track this or maintain evidence for it?

If answered “Not Applicable” to a question:

Why do you consider this to be Not Applicable to you?

Risk Assessment Questions:

ENGINEERING/TECH:

Do you use industry standards (e.g., OWASP Software Assurance Maturity Model, ISO 27034, BSIMM) to build security into your Systems/Software Development Lifecycle (SDLC)? *

Are file integrity (host) and network intrusion detection (IDS) tools implemented to help facilitate timely detection, investigation by root cause analysis, and response to incidents? *

Do you use a synchronized time-service protocol (e.g., NTP) to ensure all systems have a common time reference? *

Do you segregate production and non-production environments? *

Are system and network environments protected by a firewall or virtual firewall to ensure business and customer security requirements? *

Do you use manual and/or automated source-code analysis to detect security defects in code prior to production? *

Do you review your applications for security vulnerabilities and address any issues prior to deployment to production? *

Do you conduct application penetration tests of your cloud infrastructure regularly as prescribed by industry best practices and guidance? *

Does your organization have a plan or framework for business continuity management or disaster recovery management? *

Are there policies and procedures in place to triage and remedy reported bugs and security vulnerabilities for product and service offerings? *

Do you have controls in place to restrict and monitor the installation of unauthorized software onto your systems?

Do you have policies/procedures in place to ensure production data shall not be replicated or used in non-production environments? *

Do you have key management policies binding keys to identifiable owners? *

Do you encrypt tenant data at rest (on disk/storage) within your environment as well as data in transit? *

Do you restrict, log, and monitor access to your information security management systems (e.g., hypervisors, firewalls, vulnerability scanners, network sniffers, APIs, etc.)? *

Are infrastructure audit logs centrally stored, retained, and reviewed on a regular basis for security events (e.g., with automated tools)? *

Do your system's capacity requirements take into account current, projected, and anticipated capacity needs for all systems used to provide services to the tenants? *

Do you regularly update network architecture diagrams that include data flows between security domains/zones?

Do you collect capacity and use data for all relevant components of your cloud service offering? *

Do your engineers review code changes for injection flaws, such as SQL injections and OS command injection? *

Do you deliver SDLC and/or OWASP Top 10 training to full time and contractor developers who develop or maintain code and infrastructure that can affect the security of the system? *

Do you consistently identify systems that contain user data as containing user data in an inventory list of digital assets? *

Do you configure networks to restrict inbound and outbound traffic to only that which is absolutely necessary, especially for sensitive assets, such as databases and storage points that contain sensitive user data? *

Do you conduct functionality testing on new code changes to ensure changes do not adversely affect the availability or security of the system? *

Do you enforce a QA stage within your development practices that includes testing functionality on a staging server before code is pushed to production? *

Regarding security headers, do your web endpoints meet an 'A' grade according to securityheaders.io? (note: this could be scripted if a list of URLs is provided) *
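The "this could be scripted" note above is the kind of check an engineering team can keep as evidence for this question. What follows is an added example, not Drata's code and not securityheaders.io's grading algorithm: the list of headers checked, the values treated as acceptable, and the "leaky" header list are this example's own assumptions, and the two sample header sets are constructed. The optional live fetcher is only for endpoints you operate.

```python
"""Check a set of HTTP response headers for the common security headers.

Added example: not Drata's code and not a reproduction of securityheaders.io
grading. The header list, expected values and leaky-header list below are
this example's own assumptions; tune them to your policy.
"""
from __future__ import annotations

import urllib.request

# Headers this example requires, each with a predicate for an acceptable value.
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
    "permissions-policy": lambda v: bool(v.strip()),
}

# Headers that disclose implementation details and are usually better removed.
LEAKY_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def check_security_headers(headers: dict[str, str]) -> dict:
    """Report required headers that are missing or weakly set, and disclosure
    headers that are present. Header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [h for h in REQUIRED_HEADERS if h not in lower]
    weak = [h for h, ok in REQUIRED_HEADERS.items()
            if h in lower and not ok(lower[h])]
    leaky = [h for h in LEAKY_HEADERS if h in lower]
    return {
        "missing": missing,
        "weak": weak,
        "leaky": leaky,
        "passes": not missing and not weak,
    }


def fetch_headers(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Fetch response headers for a URL you operate (live check; the offline
    samples below do not use it)."""
    req = urllib.request.Request(url, method="HEAD",
                                 headers={"User-Agent": "header-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def check_urls(urls: list[str], fetcher=fetch_headers) -> dict[str, dict]:
    """Run the check over a list of URLs; `fetcher` is injectable for tests."""
    return {u: check_security_headers(fetcher(u)) for u in urls}


# Constructed sample responses (not captured from any real site).
SAMPLE_GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=()",
}
SAMPLE_WEAK = {
    "Strict-Transport-Security": "includeSubDomains",  # no max-age directive
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "ALLOWALL",                    # not a valid restriction
    "Server": "nginx/1.18.0",                         # version disclosure
}

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("weak", SAMPLE_WEAK)):
        print(name, check_security_headers(sample))
```

Keeping the report keyed by URL, as `check_urls` does, gives a dated artifact that can be attached as evidence when answering "Yes" to this question; the thresholds should track whatever grading service the organization has actually committed to.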

Does your web framework encode all rendered output, e.g., React JSX? *

Do you enforce application password requirements? *

Do you monitor for and apply security patches for vulnerabilities in third party libraries and their dependencies? Do you use a software composition analysis tool? *

INFORMATION SECURITY:

Are your information security policies and procedures made available to all impacted personnel and business partners, authorized by accountable business role/function and supported by the information security management program as per industry best practices (e.g. ISO 27001, SOC 2)?

Do you disclose which controls, standards, certifications, and/or regulations you comply with?

Are your technical, business, and executive managers responsible for maintaining awareness of and compliance with security policies, procedures, and standards for both themselves and their employees as they pertain to the manager and employees' area of responsibility?

Do you have the capability to continuously monitor and report the compliance of your infrastructure against your information security baselines?

Do you conduct risk assessments associated with data governance requirements at least once a year?

Is a formal disciplinary or sanction policy established for employees who have violated security policies and procedures?

Are employees made aware of what actions could be taken in the event of a violation via their policies and procedures?

Do you perform, at minimum, annual reviews to your privacy and security policies?

Is the likelihood and impact associated with inherent and residual risk determined independently, considering all risk categories?

Do you have a documented security incident response plan?

Have you tested your security incident response plans in the last year?

Do you conduct application-layer and network-layer vulnerability scans regularly as prescribed by industry best practices?

HUMAN RESOURCES (HR):

Does your company require employment agreements to be signed by newly hired or onboarded workforce personnel prior to granting access to corporate facilities, resources, and assets? *

Does your company conduct background verification screening for all employees and contractors?

Do your employment offers include non-disclosure or confidentiality agreements reflecting the organization's needs for the protection of data and operational details? *

Do you define allowances and conditions for BYOD devices and their applications to access corporate resources? *

Do you provide a formal security awareness training program for all applicable personnel at least once per year? *

Do you document employee acknowledgment of training they have completed? *

Do you specifically train your employees regarding their specific role and the information security controls they must fulfill? *

Is successful completion of the security awareness training considered a prerequisite for acquiring and maintaining access to sensitive systems?

Are personnel informed of their responsibilities for maintaining awareness and compliance with published security policies, procedures, standards, and applicable regulatory requirements? *

Are personnel informed of their responsibilities for maintaining a safe and secure working environment?

Are personnel informed of their responsibilities for ensuring that equipment is secured and not left unattended?

Do you have asset return procedures for terminated employees outlining how company assets should be returned within an established period?

FINANCE:

Does your company restrict and/or control access to your accounting software and digital records?

Does your company compare two independent sets of records for one set of transactions? (ex: matching delivery receipts to vendor payments, matching bank statements to the general ledger)

Does your company continuously monitor its financial performance? (ex: comparing budgeted to actual cash flow)

Does your company segregate various financial responsibilities? (ex: requiring two people to make purchases: one signs checks, one authorizes the purchase)

Are new Finance employees trained on your financial reporting control requirements?

Are new bank accounts or credit cards only opened through the direction and approval of the Board of Directors?

Are all manually generated checks reviewed and approved by a Finance Manager?

Do Finance personnel prepare amortization schedules for all recorded prepaid expenses, to then be reviewed and approved by management?

Does management periodically review a fixed assets register to verify the existence and right to the assets, and document and report on the findings?

Are employee benefit obligation adjustments regularly compared to budget and are significant variances investigated and reported on?

Does management conduct monthly financial statement reviews to compare to budget, and investigate significant variances?

Are invoices authorized and accompanied by appropriate supporting documentation, and only after confirming the customer exists in a master customer file?

LEGAL:

Do you have predefined communication channels for workforce personnel and external business partners to report incidents in a timely manner adhering to applicable legal, statutory, or regulatory compliance obligations?

Does legal counsel review all third-party agreements?

Do third-party agreements include provision for the security and protection of information and assets?

Do you have the capability to recover data for a specific customer in the case of a failure or data loss?

Do you have the capability to restrict the storage of customer data to specific countries or geographic locations?

Can you provide the physical location/geography of storage of a tenant’s data upon request?

Do you provide the client with a list and copies of all subprocessing agreements and keep this updated?

Do you mandate annual information security reviews and audits of your third party providers to ensure that all agreed upon security requirements are met?

Do you have external third party services conduct vulnerability scans and periodic penetration tests on your applications and networks?

SALES:

Are sales transactions, volumes, and values reviewed monthly and compared to budget, and are explanations documented for any significant variances or differences?

Are sales agreements reviewed by personnel with requisite experience to determine if the revenue recognition criteria are met?

Are sales transactions that trigger promotional allowances or discounts reviewed and approved by management prior to executing an agreement?

Are total promotional discounts reviewed monthly and compared to budget for significant variance?

Are the methods by which promotional discounts are calculated and granted reviewed monthly by management and documented?
