This instrument was developed to provide measures of your organization’s cybersecurity risk management processes based on the NIST Cybersecurity Framework’s Functions, Categories and Implementation Tiers. The questions are based on the framework’s 98 subcategories, and the answers are based on its Implementation Tiers. Each answer is assigned a risk factor–the riskier the practice at your organization, the higher the score. Scores are calculated to determine Overall and Function Risk Factors for your organization.
NIST Tier Definitions
Adaptive (Tier 4)
Management is continuously improving by applying lessons learned from personal and 3rd-party experiences. Has made risk management part of corporate culture and actively contributes risk information to larger industry efforts.
Repeatable (Tier 3)
Coherent policies and practices understood and implemented across the organization. Connected to larger industry effort to address risk and benefits from shared info.
Risk Informed (Tier 2)
Management is of high-level concern but still mostly in IT department. Initial policy created and considers role in the larger industry response to risk.
Partial (Tier 1)
Management processes not formalized and ad hoc. Viewed as “something that IT handles“, little to no collaboration on issues with external organizations.
An Important Note About Your Identifying Information
No identifying information will be stored with your survey answers, and it will not be shared with third parties.
The information entered on this page is kept separate from your responses on the NIST Cybersecurity Survey Instrument that follows. Your identifying information is kept only for communication purposes by Wipfli and will be dumped from the database within 6 hours.