NIST Security Assessment Form

Section A – Organization Profile

Please provide basic information about your organization. This helps us size risk and tailor recommendations.

Organization Name

Legal or primary operating name of your organization.

Industry / Primary Business

Select the best fit for your organization.

Approximate Annual Revenue (optional)

This helps us size organizational risk and scale.

Number of Employees

Approximate number of full-time and part-time employees.

Work Model

Fully On-site
Fully Remote
Hybrid
Distributed workforce across multiple states/countries

Check all that apply.

Number of Office / Physical Locations

Approximate number of physical offices or operational sites.

How is your IT currently managed?

Internal, outsourced, or hybrid.

Section B – Technology Environment

These questions help us understand your core platforms, systems, and data footprint.

Identity & Access Provider(s)

Select all identity providers that you use.

Critical Business Systems & Applications

Check all systems that are critical to day-to-day operations.

Section C – Business Risks and Context

Help us understand your top cybersecurity concerns and any past incidents.

What are your biggest security concerns right now?

Describe your top cybersecurity concerns (e.g., ransomware, phishing, vendor risk, compliance, remote work).

Any cybersecurity incidents or close calls in the past 12–18 months?

Describe what happened, approximate dates, impact, and how it was resolved (if known).

Section D – NIST: Govern (GV)

Questions about cybersecurity governance, policies, leadership, and accountability.

Do you have documented security policies?

Indicate whether your security policies are formally written and approved.

When were your security policies last updated?

Helps determine the currency and maturity of your policies.

Do you have someone formally responsible for cybersecurity?

Identifies who owns cybersecurity responsibilities.

Are cybersecurity roles and responsibilities clearly defined?

Measures how clearly cybersecurity responsibilities are defined across the organization.

Do you conduct regular security awareness training for employees?

Helps assess security culture and human risk management.

Do you have a cybersecurity budget?

Indicates how cybersecurity investments are planned and funded.

Governance notes or additional context

Use this space to provide any additional details about your cybersecurity governance structure, policy challenges, leadership involvement, or decision-making processes. Examples: outdated policies, unclear ownership, lack of executive support, competing priorities, or any governance constraints.

Section E – NIST: Identify (ID)

Identify focuses on understanding assets, data, systems, and risk across the organization.

Do you maintain an inventory of your IT assets (devices, servers, applications)?

Determines whether the organization tracks hardware and software assets.

Do formal vendors

If yes or partially, what tools or methods do you use for asset inventory?

Examples: Intune, Jamf, RMM, CMDB, spreadsheets, manual processes.

Do you classify data based on sensitivity (e.g., public, internal, confidential)?

Indicates maturity of data handling and protection practices.

Have you conducted a formal cybersecurity risk assessment in the last 12 months?

Helps determine organizational risk assessment maturity.

Do you maintain a list of vendors and third parties with access to your systems or data?

Assesses awareness and management of third-party and supply-chain risks.

Do you document your mission, critical functions, and key business dependencies?

Indicates how well your business environment and dependencies are understood.

Identify function notes or additional context

Add any relevant details about your assets, data, business functions, or risk identification processes. Examples: gaps in asset tracking, undocumented systems, data flow concerns, reliance on specific vendors, or unique business operations that impact risk.

Section F – NIST: Protect (PR)

Protect focuses on safeguarding systems and data through security controls and practices.

Do you enforce multi-factor authentication (MFA) for users?

Indicate whether MFA is enforced across your organization. MFA greatly reduces the risk of unauthorized access.

Do you use endpoint protection or EDR on company devices?

Endpoint protection tools such as antivirus or EDR help prevent and detect threats on workstations and servers.

Do you centrally manage devices (Intune, MDM, RMM)?

Device management tools enforce security settings and help track devices.

Do you implement least-privilege access (users only have the access they need)?

Addresses access control and privilege management for users and administrators.

Do you have a regular process for patching operating systems and applications?

Measures how consistently systems are updated to fix known vulnerabilities.

Are backups performed regularly for critical systems and data?

Indicate whether critical systems and data are backed up on a consistent schedule.

Is your network segmented (e.g., separating servers, workstations, guest Wi-Fi)?

Segmentation separates systems to limit the spread and impact of threats.

Which email security controls do you use? (if known)

Select any controls that help protect users from phishing, malware, and email-based threats.

Protect function notes or additional context

Use this area to describe any additional details about your security controls, exceptions, or unique circumstances. Examples: systems excluded from MFA, devices not under management, legacy apps that can’t be patched, backup challenges, or compensating controls used to mitigate risks.

Section G – NIST: Detect (DE)

Detect focuses on monitoring, logging, and identifying potential cybersecurity events quickly.

Are security logs being collected from key systems (servers, firewalls, endpoints)?

Indicate whether important systems generate and store logs that can be used to detect threats.

Do you have security monitoring in place (SIEM, MDR, SOC)?

Monitoring tools and services detect suspicious activity and alert you to potential incidents.

Do you receive alerts for suspicious activity on systems and accounts?

Indicate whether you receive alerts when unusual or risky activity occurs.

Do you review access logs on a regular basis?

Regular access log reviews help identify unauthorized activity or misuse.

Detect function notes or additional context

Provide details about your monitoring, logging, and alerting processes that weren’t covered above. Examples: log sources missing coverage, alert fatigue, manual log review challenges, gaps in SIEM/MDR visibility, or issues with correlation, tuning, or false positives.

Section H – NIST: Respond (RS)

Respond focuses on how your organization prepares for, manages, and communicates during cybersecurity incidents.

Do you have a documented Incident Response Plan (IRP)?

Determines whether a formal process exists for handling cyber incidents.

Has your Incident Response Plan been updated within the last 12 months?

Helps determine if the plan is current and actionable.

Who leads incident response if a major cybersecurity incident occurs?

Identifies who coordinates and leads response activities.

Have you conducted incident response tabletop exercises?

Tabletop exercises help validate readiness and uncover weaknesses in response plans.

Do you have a communications plan for cybersecurity incidents (internal and external)?

A communications plan ensures appropriate messaging to employees, clients, regulators, and other stakeholders during incidents.

Respond function notes or additional context

Add any additional context about your incident response readiness. Examples: escalation challenges, unclear roles, gaps discovered during incidents, communications issues, outdated runbooks, or concerns around coordination between internal teams and external partners.

Section I – NIST: Recover (RC)

Recover focuses on restoring operations and continuity after cybersecurity incidents or outages.

Do you have a documented Disaster Recovery Plan (DRP)?

A documented Disaster Recovery Plan outlines how your organization restores systems and operations after an outage or incident.

Have you tested your disaster recovery or backup restore process?

Testing validates whether backups and recovery processes work as expected and how long restoration takes.

How confident are you in your ability to restore critical systems quickly?

Indicate your confidence level in restoring critical systems following a major incident.

Do you currently have cyber insurance coverage?

Cyber insurance may help cover incident response, forensics, recovery costs, and legal liabilities.

Have you defined RTO/RPO (Recovery Time Objective / Recovery Point Objective) for critical systems?

RTO/RPO are key metrics that define how quickly systems must be restored and how much data loss is acceptable.

Recover function notes or additional context

Use this space to share any additional information about your disaster recovery or business continuity efforts. Examples: long restore times, difficulty validating backups, dependency issues, DR documentation gaps, untested recovery procedures, or concerns about restoring legacy systems.

Section J – Business Impact and Next Steps

These final questions help us understand operational impact, upcoming changes, and areas where you are most interested in strengthening your security posture.

What would be the impact if your business could not operate for 24–48 hours?

Describe the operational, financial, and customer impact of downtime (e.g., revenue loss, halted production, compliance issues).

Are there any significant technology or business changes planned in the next 12 months?

Examples: cloud migrations, new applications, office moves, mergers/acquisitions, major hiring, or process changes.

What types of security improvements or services are you most interested in exploring?

Examples: vulnerability assessments, SOC/MDR, cloud security, policy development, backup modernization, or security awareness training.

Additional Comments

Use this space to provide any context, concerns, or details that were not captured in the previous sections. This may include upcoming business initiatives, known security challenges, vendor changes, organizational shifts, unresolved issues, or anything else you believe is important for Ntreks to consider in your cybersecurity assessment.