Annual Risk Assessment Questionnaire
This risk assessment questionnaire will kick-start your process for identifying threats across people, technology, and process. Include these questions, which focus on the Security category of the Trust Services Criteria, in your next internal risk assessment for tracking and mitigation. Each row pairs a risk with the missing or inadequate control that typically allows it to materialize.
People-Related Risks

| Risk | Control gap (missing or inadequate control) |
|---|---|
| Unauthorized access to systems and data by former employees. | Inadequate offboarding process for revoking access. |
| Phishing or social engineering attacks targeting employees. | Lack of mandatory, role-based security awareness training. |
| Inappropriate access to sensitive data due to poor access management. | No formal process for granting or reviewing user access rights. |
| Unauthorized disclosure of confidential information by a malicious insider. | Lack of monitoring for suspicious data exfiltration activity. |
| Use of weak or reused passwords across company systems. | Absence of a policy enforcing MFA on all critical applications. |
| Compromise of personal devices used for business due to a lack of security controls. | No bring-your-own-device (BYOD) policy or endpoint protection on personal devices. |
| Inability to respond to an incident due to lack of a designated incident response team. | No clear assignment of security roles and responsibilities. |
| Unauthorized physical access to remote workspaces or company equipment. | Absence of a physical security policy for home offices. |
| Data compromise due to employees working on unsecured public Wi-Fi networks. | Lack of a policy mandating the use of a Virtual Private Network (VPN) for remote work. |
| Employee theft or loss of company laptops and mobile devices. | No policy for encrypting hard drives on all company-issued devices. |
Technology-Related Risks

| Risk | Control gap (missing or inadequate control) |
|---|---|
| Unauthorized access to customer data due to cloud misconfigurations. | No regular or automated scanning of cloud infrastructure settings. |
| Zero-day or known vulnerabilities in the SaaS application code exploited by attackers. | Lack of a continuous vulnerability scanning program for the application. |
| Loss of data due to a failure in the backup and recovery process. | Untested or incomplete data backup and restoration procedures. |
| SQL injection or cross-site scripting (XSS) attacks on the application. | Lack of a Web Application Firewall (WAF) or security testing in the SDLC. |
| Unauthorized access to production environments via a compromised API key. | No policy for rotating or managing API keys and secrets. |
| Denial of Service (DoS) attack that makes the SaaS platform unavailable. | Insufficient DDoS mitigation services or capacity planning for infrastructure. |
| Unauthorized access to source code repositories. | Lack of access controls or MFA on code repositories such as GitHub or GitLab. |
| Data breaches due to unmanaged third-party libraries in the application. | No software composition analysis (SCA) tool or process to manage third-party code. |
| Compromised data in transit due to lack of encryption. | Absence of an enforcement policy for TLS/SSL on all data transfers. |
| Unauthorized network access to production resources. | Lack of network segmentation or a least-privilege network access model. |
Process-Related Risks

| Risk | Control gap (missing or inadequate control) |
|---|---|
| Unauthorized or untested changes to production environments. | No formal change management process for application or infrastructure updates. |
| Failure to respond to a security incident in a timely and effective manner. | Absence of a documented and tested incident response plan. |
| Sensitive customer data being improperly handled or disclosed by third-party vendors. | Inadequate vendor risk management or due diligence on service providers. |
| Failure to protect confidential information in accordance with customer contracts. | No data classification policy to identify and secure sensitive customer information. |
| Security vulnerabilities due to an informal or nonexistent Software Development Lifecycle (SDLC). | No documented SDLC that includes security activities such as code review and testing. |
| Inconsistent or unmonitored enforcement of security policies across the global team. | Lack of a centralized policy management system or regular audits. |
| Failure to maintain the availability of services due to an unexpected disaster. | No documented disaster recovery (DR) or business continuity (BC) plan. |
| Unauthorized access to system logs or audit trails. | Inadequate access controls and monitoring on log management systems. |
| Violations of regulatory compliance (e.g., GDPR, CCPA) due to a lack of a formal compliance program. | Absence of a dedicated privacy officer or a documented compliance program. |
| Loss of critical knowledge due to key personnel leaving the company. | No formal knowledge transfer or cross-training process for critical roles. |