Security Foundation Assessment

Use the Security Foundation Assessment to start conversations about cyber security, see where clients might be vulnerable and recommend solutions to improve their security posture. Once you complete the assessment, you'll be invited to participate in a consultative session to discuss the results of your report as well as next steps for building out your value-added security offer.


What our assessment does

The Security Foundation Assessment is available for Sherweb partners to use free of charge. While similar tools are either too shallow for actionable advice or too expensive for the average managed service provider (MSP) to obtain, our assessment has the level of detail required to make worthwhile security recommendations for clients, affirm your value and create opportunities to grow your business. The assessment was designed in accordance with the National Institute of Standards and Technology (NIST) Cyber Security Framework as well as guidelines supported by the Center for Internet Security (CIS) to ensure the validity and credibility of its recommendations.

Assess clients’ security posture

Get a bird’s-eye view of clients’ current approach to cyber security

Justify security measures

Includes rationales for each point of inquiry

Provide product recommendations

Receive concrete examples of relevant solutions to suit clients’ needs

Suggest next steps

Proposals for how to implement recommendations for clients

Security Foundation Program

The Security Foundation Program includes three main steps for strengthening your managed security offer:

Step 1


Identify gaps in clients' security posture and get solution recommendations to address them

Step 2


Review results of your assessment with a Sherweb expert and draft a plan for pitching solutions to clients

Step 3


Present recommendations to clients, equipped with dedicated Security Foundation Program marketing materials

Question 1 - Identify

Do you have a way to determine how many electronic devices and cloud services are in your environment?

Why we ask

Unaccounted-for systems are a key vector for attackers. In 2017, manufacturing companies were hit hard by the WannaCry ransomware attack because many of them used unsupported legacy systems.

Question 2 - Identify

Do you have the tools to ensure an inventory of sensitive data?

Why we ask

Sensitive data is often stored in places no one intended, causing it to be forgotten and potentially made accessible to users without proper permissions.

Question 3 - Identify

Do you know who actually has accounts in your environment?

Why we ask

An often-overlooked aspect of security is that end-users may have too many account privileges, or may not be authorized to have accounts in the first place.

Question 4 - Protect

Do you automatically and regularly patch your systems?

Why we ask

60% of companies that have experienced security breaches say the breach could have occurred because a patch was not applied (Ponemon, 2019). Regular patching is necessary.

Question 5 - Protect

Do you block unnecessary or harmful files from reaching you via email?

Why we ask

Email is the biggest vector for attacks. Despite the transition to fileless attacks and phishing, attachments remain a common way to be breached.

Question 6 - Protect

Do you scan removable media or block auto-running of content in your environment?

Why we ask

In 2016, University of Illinois researchers left 300 unmarked USB flash drives around the campus, and nearly half of them were plugged into a computer within six minutes.

Question 7 - Detect

Do you keep track of how admin privileges are assigned among end-users?

Why we ask

The admin role has powerful permissions but its assignment is often unchecked, making it far too easy to miss hackers with illegitimate high-level access.

Question 8 - Detect

Do you look for patterns of malware events in your environment?

Why we ask

Malware events can occur as singular incidents, but hackers often launch large coordinated attacks with a barrage of malware.

Question 9 - Detect

Do you monitor login behaviors in your environment?

Why we ask

A popular way for hackers to breach systems is to try logging directly into a targeted environment.

Question 10 - Detect

Do you regularly and automatically disable inactive accounts?

Why we ask

Half of all user accounts are dormant, and dormant accounts are favored targets for cyber criminals.

Question 11 - Respond

Do you regularly compare consecutive vulnerability scans?

Why we ask

Studying snapshots of vulnerabilities is a good short-term practice, but is insufficient long term.

Question 12 - Respond

Do you enforce policies for removing unauthorized hardware and software?

Why we ask

Unauthorized devices and software are easy paths for malware and other threats to enter your environment.

Question 13 - Recover

Do you automatically and regularly back up your most important systems and data?

Why we ask

Hard drives can fail, risking data breaches or permanent loss of critical information.

Question 14 - Recover

Do you have three copies of your data: two stored on different media, and at least one stored off-premises?

Why we ask

Backups kept in the same place as your original data are as at-risk as what you're trying to protect.

Question 15 - Identify

Are you able to restore critical systems after a breach or disaster within 90 minutes?

Why we ask

Restoring your data as quickly as possible can be the difference between your business closing its doors or keeping them open. The average cost of a data breach is $3.92 million (Ponemon, 2019).

Use the Security Foundation Assessment

Register below to get started with the Security Foundation Assessment. Don’t worry about finishing it in one sitting—we’ll send you a reminder email if you leave any questions incomplete!
