ISMG | Critical Infrastructure Research Survey Question Title * 1. Does your Organization have a documented, agency-wide cybersecurity policy? Yes No Implementation in Progress Planned Question Title * 2. To what extent have you implemented the NIST Cybersecurity Framework (CSF), NIST 800-53, or a similar recognized framework (e.g., CIS Controls)? Fully Implemented Partially Implemented In the planning phase Not Implemented Not Applicable/Don’t know Question Title * 3. Does your organization have a formally documented incident response plan? Yes No Partially Implemented In the planning phase Don’t Know Question Title * 4. How would you rate your organization’s current ability to quickly restore critical services following a cyberattack? Excellent (Minimal downtime, tested procedures) Good (We have a plan, but it not fully untested) Fair (We have some backup systems, but no formal plan) Poor (We are not prepared for a major recovery) Don’t Know Question Title * 5. What are the top cybersecurity threats your organization currently faces? (Select up to 3) Ransomware Phishing/social engineering Malware/viruses Insider threats Supply chain/vendor compromise IoT vulnerabilities AI-powered attacks (e.g. deepfakes, automated phishing) Other (please specify) Question Title * 6. Which types of systems are most vulnerable in your environment? Legacy IT systems OT/SCADA systems Cloud-based applications Mobile devices IoT/smart devices Third-party platforms Question Title * 7. Does your organization regularly conduct automated scanning or penetration testing to identify external vulnerabilities? Yes, Frequently (More than twice a year) Regularly (At least annually) Yes, but only on an ad-hoc basis No Don’t know. Question Title * 8. To what extent does your organization maintain a comprehensive and up-to-date inventory of all public-facing assets (e.g., websites, servers, remote access portals)? Fully comprehensive Partially comprehensive Not comprehensive Poor Question Title * 9. How would you describe your organization’s inventory of OT (e.g., SCADA, PLC) and IoT devices (video cameras, conference room equipment, VOIP phones, etc.)? Comprehensive and up-to-date inventory Partial, with some blind spots Poor Non-existent Question Title * 10. Are OT and IT networks at your agency segmented from one another? Fully segmented Partially segmented Not segmented Don’t know Question Title * 11. How frequently are firmware and software patches applied to your OT and IoT devices? Immediately upon release On a scheduled basis (e.g., quarterly, bi-annually) Only when a major vulnerability is identified Rarely or never Don’t know Question Title * 12. What are your top three biggest challenges in securing your OT and IoT environment? (number as 1 for biggest challenge, 2 for second, 3 for third) Question Title * 13. How is remote access to your organization’s internal networks and applications managed? Through a VPN or other secure gateway Through a Zero Trust Network Access (ZTNA) solution Directly over the internet with username/password authentication Remote access is not permitted Don’t know Question Title * 14. How does your organization manage remote access for third-party vendors or contractors (e.g., equipment manufacturers, maintenance providers)? They use the same remote access method as internal employees. We provide them with dedicated, separate access channels. Their access is managed by the vendor, with minimal oversight from us. Third-party remote access is not permitted. Don’t know Question Title * 15. Do you use a "just-in-time" or "least privilege" approach for remote access, where permissions are granted only when needed and for a limited duration? Yes, this is a core principle of our remote access policy. In some cases, but not universally across all systems. No, users are granted standing access based on their role. Don’t know. Question Title * 16. Which strategies have proven successful in mitigating cybersecurity concerns around critical infrastructure resilience? Tick your top three. Leveraging cloud-based AI solutions Improving in-house expertise (training) to reduce external costs Leveraging Outsourced providers/Vendor partner solutions Implementing Zero Trust Approaches Implementing inventory control Conducing regular compliance audits/Improving governance Regular pentesting/red teaming Automating patch management Question Title * 17. What is the single most important action your organization plans to take in the next 12 months to improve your cybersecurity posture? (Open-ended) Next