Security tool

Security Posture Quiz

Gauge your overall security maturity in a few quick questions.

0 of 10 answered100 points possible

How is multi-factor authentication deployed across your organization?(15 pts)

Not deployed — passwords onlyMFA on email only; other systems are password-onlyMFA on most cloud apps; some exceptionsMFA enforced on all corporate apps via SSO/IdP with phishing-resistant methods (FIDO2/passkeys)

How do you manage software patching across endpoints?(12 pts)

Manual/ad-hoc — whenever individual users or IT gets around to itAutomated OS patches; applications are manualManaged patching for OS + major apps via MDM or RMMAutomated patching for OS, apps, and firmware; SLA tracked; exceptions approved

What endpoint protection is deployed on your fleet?(12 pts)

Built-in OS AV only (Windows Defender without Defender for Endpoint)Third-party AV with signature-based detectionEDR solution deployed but not centrally monitoredEDR centrally managed; alerts reviewed or SOC-monitored

Describe your backup and recovery posture.(10 pts)

No formal backup programBackups exist but untested; single destinationRegular backups with offsite/cloud copy; occasional test restoresAutomated daily backups; immutable/versioned storage; tested restores quarterly; documented RTO/RPO

How is privileged access managed?(10 pts)

Most or all users have local admin rightsIT has shared admin accounts; standard users limitedIndividual admin accounts; standard users for daily workJIT/PAM; individual named admin accounts with MFA; regular access reviews

Do you have a documented incident response plan?(10 pts)

No plan — we would figure it out when it happensSome informal runbooks; no tested planDocumented IRP; assigned roles; not recently testedDocumented IRP; tested at least annually; retainer with IR firm or MSSP

How do you handle security awareness training?(8 pts)

No formal trainingAnnual onboarding training onlyAnnual training + occasional phishing simulationsQuarterly training + monthly simulations; role-based curriculum for high-risk roles

How are third-party vendor/supplier risks managed?(8 pts)

No formal vendor security review processSecurity reviewed for critical vendors onlySecurity questionnaires for all new vendors; annual reviews for criticalFormal vendor risk program with tiered assessments, contractual requirements, and ongoing monitoring

How is network security managed?(8 pts)

Flat network; no segmentationBasic firewall; some network separationSegmented network; managed firewall; VPN for remoteZero-trust architecture or SASE; VLAN segmentation; DNS filtering; DLP

What visibility do you have into security events?(7 pts)

No centralized logging; relying on individual system logsCloud provider logs (M365/Azure/AWS) available but not actively reviewedSIEM or log aggregation; alerts configured; reviewed periodicallySIEM with real-time alerting; 24/7 SOC or managed detection and response (MDR)

Frequently asked questions

What security maturity level should a regulated mid-market firm target?

Firms under HIPAA, PCI DSS, or state privacy laws should be operating at a minimum at Level 3 (Defined) — documented policies, consistent controls, and evidence-based auditing. Level 4 (Managed) is the realistic target: quantitative metrics and incident response rehearsals.

How is this quiz different from a full security risk assessment?

This quiz gives you a directional maturity indicator in under three minutes. A full risk assessment (see our Security Risk Assessment tool) maps controls to specific frameworks, scores gaps quantitatively, and produces a remediation roadmap. Both are useful at different stages.

Want this handled for you?

Elevate manages IT & security for regulated Los Angeles firms.

Book a strategy call

Security Posture Quiz

Frequently asked questions

What security maturity level should a regulated mid-market firm target?

How is this quiz different from a full security risk assessment?

Want this handled for you?

Related security tools

Security Risk Assessment

Ransomware Cost Calculator

Password Strength Checker

SSL & Domain Health Checker