Okta Compliance & Regulation Risk Assessment

Eight simple questions to test where your organisation currently stands

As cybersecurity and IT landscapes continue to expand, keeping up with increasingly stringent data privacy and compliance regulations can be a major challenge. To help determine where your organisation currently stands and how you match up against your peers, please answer the following six questions.

Take the assessment

1

Regulations for modern workplaces

All relevant security requirements for modern workplaces should be documented in a mandatory security guideline for all workers and work-places. It should also be coordinated with the existing business owners of the institution and with all relevant departments, and shall be clarified under which conditions employees with mobile IT systems are allowed to access internal information of their institution.

Close
Has the organisation appropriate policies and procedures documented to define a guideline for modern workplaces for the organisation?
No policy
Informal policy
Partial written policy
Written policy
Monitored policy

A: No policy

0 %

YOU

B: Informal policy

0 %

YOU

C: Partial written policy

0 %

YOU

D: Written policy

0 %

YOU

E: Monitored policy

0 %

YOU

2

Strategy and security policy for cloud use

The legal and organisational framework conditions as well as the technical requirements resulting from the use of cloud services must be examined. It must be determined which services in which delivery model are to be obtained from a cloud service provider in the future. This should document security requirements for the cloud service provider as well as the defined level of protection for cloud services in terms of confidentiality, integrity and availability.

Close
Has a security policy for use been established based on the cloud usage strategy?
No policy
Informal policy
Partial written policy
Written policy
YOU

{{={p} Q2A / Q2Total}}

A: No policy

YOU

{{={p} Q2B / Q2Total}}

B: Informal policy

YOU

{{={p} Q2C / Q2Total}}

C: Partial written policy

YOU

{{={p} Q2D / Q2Total}}

D: Written policy

3

Workplace everywhere

The framework conditions of labour law and occupational health and safety law should also be observed and regulated for mobile working. All relevant points should be regulated either by company agreements or by individual agreements between the mobile employee and the employer in addition to the employment contract.

Close
Has a company agreement for modern workplaces been established for your employees in the company, which reflects the legal frameworks of the employees in the respective regions?
Not created
Created for some employees and regions
Created for most employees and regions
Created for all employees and regions
YOU

{{={p} Q3A / Q3Total}}

A: Not created

YOU

{{={p} Q3B / Q3Total}}

B: Created for some employees and regions

YOU

{{={p} Q3C / Q3Total}}

C: Created for most employees and regions

YOU

{{={p} Q3D / Q3Total}}

D: Created for all employees and regions

4

Digital Identity Management

Digital Identities are the new perimeter of organisational architectures. When using an identity and access management system, it should be appropriate for the institution and its respective business processes, organisational structures and workflows as well as its protection requirements. Permissions may only be assigned on the basis of actual need and necessity for the fulfilment of tasks (principle of least privileges and need-to-know).

Close
Has the organisation implemented a centralised authentication service that supports all resources used by the organisation?
Not Implemented
Implemented on some systems
Implemented on most systems
Implemented on all systems

A: Not Implemented

B: Implemented on some systems

C: Implemented on most systems

D: Implemented on all systems

5

Workplace everywhere

The framework conditions of labour law and occupational health and safety law should also be observed and regulated for modern working. All relevant points should be regulated either by company agreements or by individual agreements between the mobile employee and the employer in addition to the employment contract.

Close
Has your organisation settled on a company agreement about rights and duties on how to use modern workplaces and infrastructures?
Not automated
Parts of policy automated
Automated on some systems
Automated on most systems
Automated on all systems

A: Not automated

{{={p} Q5A / Q5Total}}

YOU

B: Parts of policy automated

{{={p} Q5B / Q5Total}}

YOU

C: Automated on some systems

{{={p} Q5C / Q5Total}}

YOU

D: Automated on most systems

{{={p} Q5D / Q5Total}}

YOU

E: Automated on all systems

{{={p} Q5E / Q5Total}}

YOU

6

Loss of confidentiality of sensitive information

Users of modern workplaces must be made particularly aware of the value of mobile IT systems and the value of the information stored on them. They must be educated about the specific threats and measures of the IT systems they use. They must also be informed about what kind of information it is allowed to process on which IT systems. All users must be made aware of the applicable regulations.

Close

Has the organisation’s employees been properly trained in the organisation’s standards for confidentiality of sensitive information?

Not trained
Trained for some employees
Trained for most employees
Trained for all employees
YOU

{{={p} Q6A / Q6Total}}

A: Not trained

YOU

{{={p} Q6B / Q6Total}}

B: Trained for some employees

YOU

{{={p} Q6C / Q6Total}}

C: Trained for most employees

YOU

{{={p} Q6D / Q6Total}}

D: Trained for all employees

7

Timely detection of security events

A proven and systematic approach is needed to centralise log monitoring and observe unwanted behaviours and events across your organisation. Aggregated data from multiple systems must be analysed to catch abnormal behaviour or potential cyberattacks. All digital identities, services and devices should report into a centralised alerting system.

Close

Has the organisation deployed central components to detect, process and evaluate security-relevant events?

Not implemented
Parts of companies assets are implemented
Implemented  on some systems, services and identities
Implemented on most systems, services and identities
Implemented on all systems, services and identities
YOU

{{={p} Q7A / Q7Total}}

A: Not implemented

YOU

{{={p} Q7B / Q7Total}}

B: Parts of companies assets are implemented

YOU

{{={p} Q7C / Q7Total}}

C: Implemented  on some systems, services and identities

YOU

{{={p} Q7D / Q7Total}}

D: Implemented on most systems, services and identities

YOU

{{={p} Q7E / Q7Total}}

E: Implemented on all systems, services and identities

8

Establish a policy for handling security incidents

A security incident handling policy shall be established. It must define the purpose and objective of the policy and regulate all aspects of security incident handling. It shall describe the rules of conduct for the different types of security incidents. All employees shall be aware of the policy. All affected internal and external departments must be informed of a security incident in a timely manner.

Close

Has the organisation implemented incident playbooks to describe security-relevant events and written reporting routes for each of these events?

Not implemented
Parts of companies assets are implemented
Implemented  on some systems, services and identities
Implemented on most systems, services and identities
Implemented on all systems, services and identities

A: Not implemented

{{={p} Q8A / Q8Total}}

YOU

B: Parts of companies assets are implemented

{{={p} Q8B / Q8Total}}

YOU

C: Implemented  on some systems, services and identities

{{={p} Q8C / Q8Total}}

YOU

D: Implemented on most systems, services and identities

{{={p} Q8D / Q8Total}}

YOU

E: Implemented on all systems, services and identities

{{={p} Q8E / Q8Total}}

YOU