Local, browser-based helper
Small businesses (5–50 people)
Inspired by NIST CSF, CIS, PCI DSS

Small Business Security Assessment

Guided self-assessment for small organizations that want to understand their security posture across people, devices, data, vendors, and incident readiness. Answer the questions, calculate scores, and generate a summary you can reuse with insurers, clients, or advisors.

Answer based on how things work today, not how you would like them to work. You can mark a question as not applicable where it genuinely does not fit your environment, for example if you take no card payments at all.
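The scoring and not-applicable handling the introduction describes, as an added example in Python that is not the helper's own code. The point values (yes = 1, partial = 0.5, no = 0), the rule that not-applicable answers drop out of both numerator and denominator, the refusal to score an unfinished assessment, and the sample answers are all assumptions made for this illustration; the question numbers and section titles are taken from the assessment itself.

```python
"""Scoring model for a questionnaire-style security self-assessment.

Added illustration, not the page's own code. The scoring rules are assumptions:
yes = 1 point, partial = 0.5, no = 0, and "not applicable" is left out of both
the numerator and the denominator rather than being counted as a failure.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Points per answer. None marks "not applicable" and is excluded from scoring.
ANSWER_POINTS = {"yes": 1.0, "partial": 0.5, "no": 0.0, "na": None}


@dataclass
class Question:
    ref: str                       # question number as shown on the page, e.g. "3.2"
    text: str
    answer: Optional[str] = None   # a key of ANSWER_POINTS, or None while unanswered


@dataclass
class Section:
    title: str
    questions: List[Question] = field(default_factory=list)


def unanswered(sections: List[Section]) -> List[str]:
    """Refs of questions with no valid answer; non-empty means not ready to score."""
    return [q.ref for s in sections for q in s.questions if q.answer not in ANSWER_POINTS]


def tally(section: Section) -> Tuple[float, int]:
    """Return (points earned, number of applicable questions) for one section."""
    earned, applicable = 0.0, 0
    for q in section.questions:
        if q.answer not in ANSWER_POINTS:
            raise ValueError(f"question {q.ref} has no valid answer: {q.answer!r}")
        points = ANSWER_POINTS[q.answer]
        if points is None:          # not applicable: skip entirely
            continue
        earned += points
        applicable += 1
    return earned, applicable


def section_score(section: Section) -> Optional[float]:
    """Percentage for a section, or None when every question was marked N/A."""
    earned, applicable = tally(section)
    return None if applicable == 0 else round(100.0 * earned / applicable, 1)


def overall_score(sections: List[Section]) -> Optional[float]:
    """Percentage over all applicable questions, so a four-question section
    carries more weight than a two-question one (not a mean of section means)."""
    totals = [tally(s) for s in sections]
    earned = sum(e for e, _ in totals)
    applicable = sum(a for _, a in totals)
    return None if applicable == 0 else round(100.0 * earned / applicable, 1)


def priorities(sections: List[Section]) -> List[str]:
    """Questions answered 'no': the gaps to raise first with an insurer or advisor."""
    return [q.ref for s in sections for q in s.questions if q.answer == "no"]


def summary(sections: List[Section]) -> str:
    """Plain-text summary suitable for reuse outside the tool."""
    missing = unanswered(sections)
    if missing:
        return "Incomplete: answer " + ", ".join(missing) + " before generating a summary."
    lines = []
    for s in sections:
        score = section_score(s)
        lines.append(f"{s.title}: " + ("not applicable" if score is None else f"{score:.0f}%"))
    overall = overall_score(sections)
    lines.append("Overall: " + ("not applicable" if overall is None else f"{overall:.0f}%"))
    gaps = priorities(sections)
    if gaps:
        lines.append("Priorities (answered no): " + ", ".join(gaps))
    return "\n".join(lines)


# Constructed sample answers using three of the assessment's sections.
SAMPLE = [
    Section("3. Identity and access management", [
        Question("3.1", "Unique accounts rather than shared logins", "yes"),
        Question("3.2", "MFA on email, remote access, finance systems", "partial"),
        Question("3.3", "Defined onboarding and offboarding process", "no"),
        Question("3.4", "Extra controls and review for privileged accounts", "yes"),
    ]),
    Section("5. Network and remote access security", [
        Question("5.1", "Explicit firewall rules", "yes"),
        Question("5.2", "Separated guest and staff wireless", "yes"),
        Question("5.3", "Remote access restricted with MFA", "na"),  # no remote access offered
    ]),
    Section("11. PCI DSS and payment handling", [
        Question("11.1", "Applicable SAQ type known", "na"),
        Question("11.2", "Cardholder data not stored locally", "na"),
        Question("11.3", "Annual PCI DSS self-assessment process", "na"),
    ]),
]

if __name__ == "__main__":
    print(summary(SAMPLE))
```

Two design choices worth noting: a section in which every question is not applicable is reported as such rather than as 0% or 100%, so a business that takes no card payments is neither penalised nor credited for section 11, and the overall figure is computed over applicable questions rather than by averaging section percentages, so a single N/A-heavy section cannot swing the result.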

1. Governance and business profile

Scope, accountability, and business context for security and privacy.

1.1 Do you have a written, approved information security policy that is shared with relevant staff?
Includes scope, roles, and responsibility for security and privacy.
1.2 Is there a named person or small team accountable for cybersecurity decisions and risk acceptance?
Could be an owner, director, IT lead, or managed service provider contact.
1.3 Have you identified the most important business services that must stay available or be restored first?
Examples include booking systems, point of sale, finance, email, or patient scheduling.
1.4 Do you maintain a simple, up-to-date register of key regulations, contracts, or insurance obligations that mention security or privacy?
For example cyber insurance terms, data protection laws, or client contracts that reference security controls.

2. Asset inventory and data classification

Knowing what systems and data you have, where they live, and who uses them.

2.1 Do you maintain a list of laptops, desktops, servers, and key mobile devices that access business data?
Inventory should include owner, location, and basic technical details.
2.2 Do you keep a record of the main software and cloud services in use, including who administers each one?
Examples include email platforms, CRM, finance, file storage, and web hosting.
2.3 Have you identified which data sets are sensitive, for example cardholder data, health records, financial details, or confidential client information?
Includes where that data is stored and which systems process it.
2.4 Do you have a simple classification or tagging approach for documents and systems, such as public, internal, and confidential?
Tags can be informal but should drive how data is protected and shared.

3. Identity and access management

Accounts, authentication, and access to systems and data.

3.1 Does each user have their own unique account for business systems rather than sharing logins?
Shared accounts should be rare and tightly controlled if they exist at all.
3.2 Is multi-factor authentication enabled on email, remote access, finance systems, and other critical tools?
For example using an authenticator app, security key, or SMS where no better option exists.
3.3 Do you have a defined onboarding and offboarding process that includes creating, changing, and disabling access promptly?
Includes staff, contractors, and third-party administrators.
3.4 Are privileged accounts, such as administrators, subject to extra controls and regular review?
For example separate admin accounts, stronger authentication, and scheduled access reviews.

4. Endpoint and server protection

Operating system hardening, patching, and malware protection.

4.1 Are all supported operating systems kept up to date with security patches in a timely manner?
Includes laptops, desktops, on-premises servers, and cloud hosted instances.
4.2 Is reputable antivirus or endpoint protection installed and active on all supported endpoints?
Prefer centrally managed tools where possible, and make sure the alerts they raise are actually reviewed.
4.3 Do standard builds or baselines exist for workstations and servers that enforce secure settings?
For example DISA STIG-inspired or CIS Benchmark-aligned baselines.
4.4 Are local administrator rights on endpoints restricted to only those who genuinely need them?
Includes periodic review of who has local admin capabilities.

5. Network and remote access security

Firewalls, wireless networks, and remote connectivity.

5.1 Are network firewalls configured with explicit rules that restrict inbound and outbound traffic?
Includes internet edge devices and cloud security groups.
5.2 Are guest and staff wireless networks separated, with encryption enabled and strong passphrases?
Guest devices should not have direct access to internal business systems.
5.3 Is remote access, for example VPN or remote desktop, restricted and protected with multi-factor authentication?
If no remote access is allowed, you can mark this not applicable.

6. Application, website, and email security

Public-facing services, web applications, and email protections.

6.1 Are your main website and any web applications kept patched and maintained by you or a trusted provider?
Includes content management systems, plugins, and custom code.
6.2 Are basic email protections such as spam filtering and malware scanning in place and monitored?
Could be built into your email platform or managed by a service provider.
6.3 Are stronger security settings available in your email or collaboration platform, such as suspicious login alerts, geo restrictions, or safe link checks, and are they configured?
Settings vary by provider but often include advanced phishing protections.

7. Data protection, encryption, and backups

Protecting confidential data at rest and in transit, plus reliable backups.

7.1 Are full-disk encryption features enabled on laptops and other portable devices that store business data?
For example BitLocker, FileVault, or mobile device encryption.
7.2 Are regular backups taken for critical systems and data, including at least one copy that is offline or logically separated?
Backups should be tested periodically so that restores are known to work.
7.3 Is sensitive data in transit protected with secure protocols such as TLS when transmitted over networks or the internet?
Includes websites, remote access tools, and file transfers.

8. Logging, monitoring, and detection

Capturing and reviewing signals that indicate possible attacks or misuse.

8.1 Are important systems configured to log security-relevant events such as login attempts, admin actions, and configuration changes?
Includes cloud services, servers, endpoints, and network devices where possible.
8.2 Are important alerts, such as suspicious sign-in events or malware detections, reviewed and acted on within a reasonable time?
Could be performed by internal staff or a managed service provider.

9. Incident response and recovery

How you prepare for, respond to, and recover from security incidents.

9.1 Do you have a simple written incident response plan that explains who does what if you suspect an attack or breach?
Includes who to contact, which systems to isolate, and when to involve external help.
9.2 Has the incident response plan been exercised or walked through with key people in the last 12 months?
Even a short tabletop review is valuable for small businesses.
9.3 Do you have recovery time objectives or at least target timeframes for restoring critical systems and data?
Recovery objectives do not need to be complex but should guide decisions.

10. Vendors, cloud, and third-party risk

How you choose, review, and manage partners who handle your data or systems.

10.1 Do contracts or terms with key vendors address security responsibilities, incident notification, and data handling?
Includes cloud providers, IT support companies, and payment processors.
10.2 Do you keep track of which vendors have access to sensitive data or systems and review that list at least annually?
Often called a vendor or third-party inventory.

11. PCI DSS and payment handling

Only answer these if you accept card payments. If not, mark not applicable.

11.1 Do you know which PCI DSS Self-Assessment Questionnaire type applies to your card payment environment?
For example SAQ A for fully hosted e-commerce, SAQ B for imprint machines, and similar types.
11.2 Is cardholder data stored electronically by your business, or is it handled entirely by validated third-party providers?
Storing card data locally increases your responsibilities under PCI DSS.
11.3 Is there a documented process to complete the PCI DSS self-assessment annually if required by your acquirer or payment brand?
Often this is a formal SAQ and attestation of compliance.