Risk Level

Based on your responses, the calculated risk level for your business is:

Low risk (Green): Your business demonstrates strong adherence to the Safeguards Rule and has implemented comprehensive safeguards to protect customer information.

Medium risk (Yellow): Your business has some measures in place but may need to improve certain aspects of the information security program to ensure better protection of customer information.

High risk (Red): Your business has significant gaps in complying with the Safeguards Rule and needs to take immediate action to enhance its information security program and safeguard customer information.

To build a risk level formula from the survey questions, we can assign a weight to each question and calculate a total score. Here is a sample formula:

Risk Level Formula:

Score = (Q6 * W6) + (Q7 * W7) + (Q8 * W8) + (Q9 * W9) + (Q10 * W10) + (Q11 * W11) + (Q12 * W12) + (Q13 * W13) + (Q14 * W14) + (Q15 * W15) + (Q16 * W16) + (Q17 * W17) + (Q18 * W18)

where:

  • Q6 to Q18 represent the responses to each respective question (0 or 1).
  • W6 to W18 represent the weights assigned to each question based on their importance in determining the risk level.

Risk Level Categories:

  • Low Risk: Score ≤ Threshold1
  • Medium Risk: Threshold1 < Score ≤ Threshold2
  • High Risk: Score > Threshold2

Please note that you would need to determine the appropriate weights and threshold values based on the specific requirements and priorities of your business. Adjusting these values will allow you to customize the formula according to your needs.

Additionally, the formula assumes a binary response (0 or 1) for each question, where 0 represents a negative response (e.g., “No”) and 1 represents a positive response (e.g., “Yes”). If your survey includes additional response options, you may need to adjust the scoring mechanism accordingly.
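The scoring above, carried through as a worked example (added here, not part of the original page). The weights W6 to W18 and the two thresholds are constructed placeholders, since the page leaves them to the business. One caveat the formula as written hides: with 1 meaning "Yes" (a safeguard is present), the raw score rises with protection, so the Low/Medium/High bands are applied here to the gap score, the weight of the safeguards answered "No", so that a higher value means more risk; the binary-answer assumption is enforced by rejecting anything other than 0 or 1.

```python
"""Weighted yes/no risk score for the Safeguards Rule survey (Q6..Q18)."""
from typing import Dict, Tuple

QUESTION_IDS = [f"Q{i}" for i in range(6, 19)]  # Q6 .. Q18 (13 questions)

# W6..W18: constructed sample weights; a higher weight marks a safeguard
# that matters more when deciding the risk level.
WEIGHTS: Dict[str, int] = dict(
    zip(QUESTION_IDS, [3, 3, 2, 2, 3, 2, 1, 2, 2, 1, 3, 2, 2])
)

# Constructed thresholds, applied to the gap score (missing safeguards).
THRESHOLD1 = 6   # Low  : gap <= 6
THRESHOLD2 = 14  # Medium: 6 < gap <= 14, High: gap > 14


def weighted_score(responses: Dict[str, int], weights: Dict[str, int] = WEIGHTS) -> int:
    """Score = sum(Qn * Wn) as stated on the page; 1 = 'Yes', safeguard present."""
    total = 0
    for q in QUESTION_IDS:
        if q not in responses:
            raise ValueError(f"missing answer for {q}")
        answer = responses[q]
        if answer not in (0, 1):  # the formula assumes binary answers only
            raise ValueError(f"{q} must be 0 or 1, got {answer!r}")
        total += answer * weights[q]
    return total


def gap_score(responses: Dict[str, int], weights: Dict[str, int] = WEIGHTS) -> int:
    """Weight of the safeguards answered 'No': sum((1 - Qn) * Wn).

    A high raw score means many safeguards are in place, so the risk bands
    are applied to this complement, which grows as protection shrinks.
    """
    return sum(weights[q] for q in QUESTION_IDS) - weighted_score(responses, weights)


def classify(gap: int, t1: int = THRESHOLD1, t2: int = THRESHOLD2) -> str:
    """Map a gap score onto the page's three risk categories."""
    if gap <= t1:
        return "Low"
    if gap <= t2:
        return "Medium"
    return "High"


def assess(responses: Dict[str, int]) -> Tuple[int, int, str]:
    """Return (raw score, gap score, risk level) for one completed survey."""
    gap = gap_score(responses)
    return weighted_score(responses), gap, classify(gap)
```

With these placeholder weights the maximum raw score is 28, so a business answering "No" to Q6, Q7 and Q8 lands at a gap of 8 and is reported as Medium risk.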

Here is an example of how the report could be generated for each of the three risk levels:

Low Risk Report: Based on your responses, we have assessed your business as having a low risk level in terms of compliance with the Safeguards Rule. Your information security program demonstrates strong adherence to the required administrative, technical, and physical safeguards. You have implemented comprehensive measures to protect customer information, including access controls, encryption, regular monitoring, and staff training.

However, we recommend continuing to monitor and update your information security program to stay vigilant against emerging threats and ensure ongoing compliance. Regular risk assessments, testing of safeguards, and maintaining a written incident response plan are essential components of maintaining a low-risk status.

Medium Risk Report: Based on your responses, we have assessed your business as having a medium risk level in terms of compliance with the Safeguards Rule. While your information security program has implemented some safeguards, there are areas that require further improvement to ensure the protection of customer information.

We recommend conducting a comprehensive risk assessment to identify potential risks and threats, and implementing additional safeguards based on the results. It is crucial to address any gaps in access controls, encryption measures, monitoring and testing of safeguards, and staff training. Regular updates and revisions to your information security program are necessary to mitigate risks and maintain compliance.

High Risk Report: Based on your responses, we have assessed your business as having a high risk level in terms of compliance with the Safeguards Rule. Significant gaps have been identified in your information security program, which may put customer information at risk.

Urgent action is required to improve your information security program. We recommend conducting a thorough risk assessment to identify vulnerabilities and implementing robust safeguards to protect customer information. It is crucial to address access controls, encryption measures, monitoring and testing of safeguards, staff training, incident response planning, and regular program updates. By taking immediate steps to enhance your information security program, you can mitigate risks and ensure compliance with the Safeguards Rule.

Sales packages (the prices below are examples and have not been determined yet):

Good Package – Essentials:

Information Security Program Template: A comprehensive template to help you develop your information security program.

Risk Assessment Toolkit: Tools and resources to conduct a risk assessment for identifying potential risks and threats.

Security Awareness Training Materials: Training materials to educate your staff on information security best practices.

Incident Response Plan Template: A template to create a written incident response plan.

Onboarding Fee (Average): $500 – $1,000

Price Range (Per Package): $1,000 – $2,000

Better Package:

All items from the Good Package, plus:

Information Security Program Consultation: Expert consultation to tailor the information security program to your specific business needs.

Vulnerability Assessment Tools: Tools to perform vulnerability assessments and system-wide scans to test for security vulnerabilities.

Annual Penetration Testing: Penetration testing services to evaluate the effectiveness of your safeguards against actual and attempted attacks.

Enhanced Security Awareness Training: Interactive training modules and ongoing refreshers to ensure staff awareness of emerging threats.

Onboarding Fee (Average): $1,000 – $2,000

Price Range (Per Package): $3,000 – $6,000

Best Package – Advanced Protection:

All items from the Better Package, plus:

Encryption and Data Protection Software: Robust encryption software and data protection tools to secure customer information.

Continuous Monitoring and Security Analytics: Real-time monitoring of your systems, detection of unauthorized access, and proactive threat intelligence.

Service Provider Evaluation Toolkit: Tools and guidelines for evaluating and monitoring service providers’ security practices.

Compliance Audit Assistance: Support and guidance for preparing and undergoing compliance audits.

Onboarding Fee (Average): $2,000 – $3,000

Price Range (Per Package): $7,000 – $12,000

Title: Cybersecurity and Compliance Survey

Introduction:

Thank you for taking the time to complete this survey. Your responses will help us assess your organization’s cybersecurity and compliance needs and provide you with a tailored quote for our vCISO services. Please answer the following questions to the best of your knowledge.

Section 1: Organizational Information

Company Name:
Industry:
Number of Employees:
Annual Revenue:

Do you have an existing cybersecurity team? (Yes/No)

If yes, how many members are on your cybersecurity team?

If no, please proceed to the next section.

Benefits of a vCISO:

A vCISO can provide your organization with numerous benefits, such as:

Cost-effectiveness: Access experienced security professionals without the overhead costs of a full-time employee.

Expertise: Benefit from the knowledge and skills of a vCISO who stays up-to-date with the latest threats and trends.

Flexibility: Engage a vCISO on a part-time or full-time basis, depending on your needs.

Comprehensive Approach: Develop and implement robust security policies, assess your security posture, and remediate vulnerabilities with the guidance of a vCISO.

Section 2: Cybersecurity Assessment

Have you experienced any cybersecurity incidents in the past year? (Yes/No)

If yes, please provide a brief description of the incidents.

Are you currently compliant with relevant industry regulations and standards? (Yes/No)

If yes, please specify the regulations and standards.

If no, please proceed to the next question.

Which compliance frameworks are you required to follow? (Select all that apply)

GDPR (General Data Protection Regulation)
HIPAA (Health Insurance Portability and Accountability Act)
PCI DSS (Payment Card Industry Data Security Standard)
ISO 27001 (International Organization for Standardization)
NIST (National Institute of Standards and Technology)
Other (Please specify)

Do you have a documented incident response plan? (Yes/No)

If yes, how frequently is it tested and updated?

Section 3: Security Policies and Procedures

Do you have clearly defined security policies and procedures in place? (Yes/No)

If yes, are they regularly reviewed and updated?

If no, please proceed to the next question.

Are employees trained on cybersecurity best practices? (Yes/No)

If yes, how often is cybersecurity training conducted?

If no, please proceed to the next section.

Section 4: Risk Assessment and Vulnerability Management

Have you conducted a recent risk assessment? (Yes/No)

If yes, how frequently are risk assessments conducted?

If no, please proceed to the next question.

How do you currently manage vulnerabilities within your organization?

Regular vulnerability scans
Patch management system
External penetration testing
Internal vulnerability assessments
Other (Please specify)

Section 5: Additional Information

What are your top cybersecurity concerns or challenges?

What are your primary goals for improving your organization’s cybersecurity posture?

Are there any specific compliance or regulatory requirements that are critical for your organization?

Do you have a dedicated budget for cybersecurity initiatives?

Is there any other information you would like to share or any specific questions you have regarding our vCISO services?

Conclusion:

Thank you for completing the survey. Your responses will assist us in understanding your cybersecurity and compliance needs better. Our team will review your information and provide you with a customized quote for our vCISO services. If you have any further questions, please feel free to reach out to us.

Using the information above, formulate reports and best practices.
