Customer Questionnaire
CloudFortress Customer Onboarding Questionnaire
Follow all steps for complete submission!

Section 1: Users & Endpoints
Total number of: ____
Total number of: ____
Total number of: ____
Operating systems (check all that apply):
  [ ] Windows 7   [ ] Windows 10   [ ] Windows 11   [ ] Windows Server 2019   [ ] Windows Server 2022
  [ ] Linux (Debian)   [ ] Linux (Red Hat)   [ ] Linux (Ubuntu)   [ ] macOS   [ ] Other: ____
Remote workers: Yes / No   If yes, how many? ____
Locally hosted Microsoft Exchange Server: Yes / No   Number of mailboxes: ____
Locally hosted domain controllers: Yes / No   How many? ____   OS version(s): ____
File server / DFS: Yes / No   Storage size: ____
Network switches (brand/model): ____   Quantity: ____
Patch panel: Organized / Needs improvement / Unknown
Firewall present: Yes / No
Wi-Fi access points: Yes / No   Models & quantity: ____
VPN vendor: Cisco / Check Point / Fortinet / Other
Guest Wi-Fi separated from the corporate network: Yes / No
Key applications & software: ____
Productivity suite: Microsoft 365 / Google Workspace / Other   Number of licenses: ____

Section 2: Local IT Support
Local IT support provider: Yes / No   If yes, provide contact information: ____
Cybersecurity insurance: Yes / No   If yes, coverage amount: ____   Annual premium cost: ____
Current cybersecurity & IT practices (check all that apply):
  [ ] Network firewall
  [ ] Endpoint antivirus
  [ ] Endpoint Detection & Response (EDR/XDR)
  [ ] Multi-Factor Authentication (MFA)
  [ ] Email security filtering
  [ ] Web/URL filtering
  [ ] Data backup
  [ ] Offsite/cloud backup
  [ ] Security awareness training
  [ ] Written security policy
  [ ] Regular software/OS patching
  [ ] Remote desktop access controls
  [ ] Mobile device management
  [ ] 24/7 security monitoring
  [ ] Vulnerability scanning
  [ ] Penetration testing
  [ ] Incident response plan
  [ ] None of the above
  [ ] Other: ____
Services & upgrades of interest (check all that apply):
  [ ] Virtual Chief Information Security Officer (vCISO / vCIO)
  [ ] Exchange/email migration
  [ ] Virtualized application hosting
  [ ] Network/cabling cleanup
  [ ] Other: ____
Managed services contract: Yes / No
Estimated existing annual IT spend: ____
Additional notes or requirements: ____

Section 3: Azure Services Essentials
Microsoft Entra ID (Azure AD): Yes / No
Azure Virtual Network (VNet): Yes / No
Azure Backup: Yes / No
Azure Files / Blob Storage: Yes / No
Azure Virtual Desktop: Yes / No
Azure Site Recovery: Yes / No
Microsoft Sentinel (SIEM): Yes / No

Section 3: AWS Services Essentials
EC2 instances: ____
Storage: ____
Databases: ____
Network setup: ____
Additional AWS services: ____
Resource usage and capacity:
  Approximate monthly AWS spend: ____
  Peak vs. average resource utilization: ____
  Data volume: ____

Section 4: Entra and Hybrid Integration
Hybrid join (on-prem AD + Entra ID): Yes / No
Existing on-prem Active Directory: Yes / No   Number of domain controllers: ____
Using Azure AD Connect (Microsoft Entra Connect) for sync: Yes / No
Conditional Access policies implemented: Yes / No
Multi-Factor Authentication (MFA) enabled: Yes / No

Section 5: Network, Connectivity & Infrastructure
Existing fiber connection? ____
ExpressRoute or VPN Gateway in use? Yes / No   Type: Site-to-site / Point-to-site / ExpressRoute
Bandwidth for users (Mbps): ____
Bandwidth for servers (Mbps): ____
Backup solution in place (local/cloud): ____
Redundancy required? Single / Dual uplink / Multi-region

Section 6: Data Encryption Requirements
Number of office/branch locations: ____
Remote access method: VPN / RDP / Azure Bastion / Other
Encryption at rest? Yes / No
Encryption in transit? Yes / No
Encryption in use (confidential computing)? Yes / No

Section 7: Select Applicable Regulatory Compliance (check all that apply)

Banking & Financial Services
  [ ] GLBA (Safeguards Rule) – Secure customer data via administrative, technical, and physical safeguards
  [ ] FFIEC CAT – Cybersecurity Assessment Tool for financial institutions
  [ ] OCC Guidance – Cyber risk management and third-party oversight
  [ ] FINRA – Cybersecurity protocols for broker-dealers and trading platforms
  [ ] FinCEN – AML, data retention, and Suspicious Activity Reporting (SAR)
  [ ] SOX – IT controls over financial reporting and data integrity
  [ ] NY DFS 23 NYCRR 500 – Cybersecurity requirements for financial institutions in New York

Healthcare & Life Sciences
  [ ] HIPAA Security Rule – Safeguards for electronic Protected Health Information (ePHI)
  [ ] HITECH Act – Health IT provisions and breach notification mandates
  [ ] NIST SP 800-66 – Implementing the HIPAA Security Rule using NIST controls
  [ ] HITRUST CSF – Unified framework based on HIPAA, NIST, ISO, and PCI standards
  [ ] Stark Law – Health data relevance in self-referral relationships
  [ ] Anti-Kickback Statute – Risk of improper data-sharing incentives
  [ ] FDA 21 CFR Part 11 – Electronic records and electronic signatures compliance
  [ ] GxP / EU Annex 11 – Computerised systems in pharma/lab processes

Cross-Industry & General Cybersecurity Standards
  [ ] NIST Cybersecurity Framework (CSF) – Identify, Protect, Detect, Respond, Recover
  [ ] NIST SP 800-53 Rev. 5 – Comprehensive catalog of security and privacy controls
  [ ] NIST SP 800-171 – Protecting Controlled Unclassified Information (CUI) in non-federal systems
  [ ] ISO/IEC 27001 – Information Security Management System (ISMS)
  [ ] ISO/IEC 27701 – Privacy Information Management System (PIMS)
  [ ] ISO 9001 – Quality Management System (QMS)
  [ ] SOC 2 Type I/II – Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy)
  [ ] PCI DSS – Payment card industry data protection
  [ ] CIS Critical Security Controls – 18 prioritized control areas for cyber defense
  [ ] COBIT 2019 – IT governance and risk management

Data Privacy & International Laws
  [ ] GDPR – Data protection for EU residents; lawful processing, DPIAs, DPOs
  [ ] CCPA / CPRA – Consumer privacy rights and data-handling obligations in California
  [ ] NY SHIELD Act – Data security mandates for companies holding New York residents' data
  [ ] PIPEDA (Canada) – Fair data practices for personal information
  [ ] LGPD (Brazil) – Consent-based data processing and privacy protection
  [ ] PDPA (Singapore, Thailand, etc.) – Regional privacy and security compliance laws

Energy & Utilities
  [ ] NERC CIP – Critical Infrastructure Protection standards for BES cyber systems
  [ ] FERC Reliability Standards – Cybersecurity and risk oversight for regulated entities
  [ ] NRC 10 CFR 73.54 – Cybersecurity for nuclear facility digital systems
  [ ] DOE C2M2 – Cybersecurity Capability Maturity Model
  [ ] EPA Cybersecurity for Water Systems – Security best practices for public utilities
  [ ] ISA/IEC 62443 – Industrial Automation and Control Systems (IACS) security

Defense, Aerospace & Export-Controlled Sectors
  [ ] ITAR – Controls on export/release of defense-related technical data
  [ ] EAR – Export restrictions for dual-use items and technology
  [ ] DDTC – Directorate of Defense Trade Controls compliance (registration, licensing, recordkeeping)
  [ ] CMMC 2.0 – Cybersecurity Maturity Model Certification (DoD supply chain)
  [ ] DFARS 252.204-7012 – Safeguarding Covered Defense Information (CDI)
  [ ] NIST SP 800-171 – Protecting Controlled Unclassified Information (CUI) in non-federal systems