Free Assessment Tool

CBAR Readiness Score

Answer 43 questions based on real CBAR information security requirements. Get your score and gap analysis in 10 minutes — completely free.

43 CBAR requirements | 12 security domains | 10 minutes to complete | Free, always


Information Security Policy (3 questions)
  1. [CRITICAL] Does the bank have an approved Information Security Policy signed by senior management?
  2. [HIGH] Is the IS Policy reviewed and updated at least annually?
  3. [HIGH] Are all employees informed of and trained on the Information Security Policy?

Access Control (5 questions)
  4. [CRITICAL] Does the bank enforce role-based access control (RBAC) for all critical systems?
  5. [CRITICAL] Are privileged (admin) accounts reviewed and recertified at least quarterly?
  6. [CRITICAL] Is multi-factor authentication (MFA) enforced for remote access and privileged accounts?
  7. [HIGH] Are user access rights removed within 24 hours of employee termination?
  8. [HIGH] Does the bank maintain a current inventory of all user accounts and access rights?

Network Security (4 questions)
  9. [CRITICAL] Is the bank network segmented (core banking, internet, staff, guest)?
  10. [CRITICAL] Are firewalls deployed and rules reviewed at least semi-annually?
  11. [HIGH] Is there an Intrusion Detection/Prevention System (IDS/IPS) in place?
  12. [HIGH] Are all external-facing systems scanned for vulnerabilities at least quarterly?

Endpoint & Malware Protection (4 questions)
  13. [CRITICAL] Is endpoint protection (antivirus/EDR) deployed on all workstations and servers?
  14. [CRITICAL] Are security patches applied to all systems within 30 days of release?
  15. [HIGH] Is removable media (USB drives) usage controlled and monitored?
  16. [HIGH] Are all employee workstations encrypted (BitLocker or equivalent)?

Data Protection & Encryption (4 questions)
  17. [CRITICAL] Is all sensitive customer data encrypted at rest and in transit (TLS 1.2+)?
  18. [HIGH] Does the bank have a formal data classification policy?
  19. [HIGH] Is personal data processing documented and compliant with local data protection laws?
  20. [HIGH] Are database access logs maintained and reviewed regularly?

Incident Response (4 questions)
  21. [CRITICAL] Does the bank have a formal Incident Response Plan (IRP)?
  22. [HIGH] Is the IRP tested via tabletop exercises at least annually?
  23. [CRITICAL] Does the bank have a defined process for notifying CBAR of security incidents within required timeframes?
  24. [HIGH] Are security incidents logged, tracked, and reviewed post-incident?

Business Continuity & Backup (4 questions)
  25. [CRITICAL] Does the bank have an approved Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?
  26. [HIGH] Are the BCP and DRP tested at least annually with documented results?
  27. [CRITICAL] Are all critical systems backed up daily and backups stored offsite or in a separate data center?
  28. [HIGH] Are backup restoration procedures tested at least quarterly?

Monitoring & Audit Logging (4 questions)
  29. [HIGH] Is a Security Information and Event Management (SIEM) system deployed?
  30. [HIGH] Are all critical system logs retained for at least 1 year?
  31. [HIGH] Is there 24/7 security monitoring or a SOC arrangement in place?
  32. [HIGH] Are audit logs protected from modification or deletion?

Third-Party & Vendor Risk (3 questions)
  33. [HIGH] Does the bank conduct security assessments of critical IT vendors and outsourcing partners?
  34. [HIGH] Do contracts with IT vendors include information security requirements and audit rights?
  35. [MEDIUM] Is there a process for monitoring vendor security posture on an ongoing basis?

Security Awareness & Training (3 questions)
  36. [HIGH] Do all bank employees receive information security awareness training at least annually?
  37. [MEDIUM] Does the bank conduct phishing simulation exercises to test employee awareness?
  38. [MEDIUM] Is information security training provided to new employees during onboarding?

Penetration Testing & Vulnerability Management (3 questions)
  39. [CRITICAL] Does the bank conduct external penetration testing at least annually by an independent provider?
  40. [HIGH] Are penetration testing findings tracked to remediation with defined deadlines?
  41. [HIGH] Is there a formal vulnerability management process with SLAs for critical patches?

Physical Security (2 questions)
  42. [HIGH] Is access to the data center and server rooms controlled and logged (badge/biometric)?
  43. [HIGH] Are data center environmental controls (UPS, fire suppression, cooling) in place and tested?