SAMPLE AUTO-FILLED APPLICATION
14-employee Auto industry · Prosper, Texas · 6 endpoints
This is what your application looks like after you click Auto-fill. Every answered field carries a citation back to the assessment control or signup data it was drawn from. 3 of the 47 fields are flagged for your input: the things only you can know.
Who can sign in to your systems, and how.
Do you require multi-factor authentication for all administrative accounts?
PR.AC-01 (Multi-factor authentication), implemented 12 April 2026
Do you require multi-factor authentication for all employee accounts?
PR.AC-01 (Multi-factor authentication), implemented 12 April 2026
Do you enforce strong password policies (minimum 12 characters, complexity requirements)?
PR.AC-01 password policy, enforced via M365 baseline
Do you maintain a list of authorized personnel with access to sensitive data?
ID.AM-06 (Asset inventory), score 2.9 of 3.0, reviewed quarterly
Are former employee accounts disabled within 24 hours of departure?
PR.AC-04 (Access management), same-day revocation policy
Do you use single sign-on (SSO) for company applications?
M365 SSO covers email and core productivity. Third-party apps not yet consolidated.
Do you conduct quarterly access reviews?
ID.AM-06, most recent review April 2026
How many privileged or administrative accounts exist in your environment?
Owner plus two designated administrators per asset inventory
Do you maintain a centralized identity directory (e.g., Microsoft 365, Okta)?
Microsoft 365, primary identity provider
Are passwords stored in a managed password vault?
1Password Business, included with managed-services package
The laptops, desktops, and devices your team uses.
How many endpoint devices (laptops, desktops, mobile) are in your environment?
Syxsense device snapshot, 04 May 2026, 6 endpoints
Do you have endpoint detection and response (EDR) software installed on all endpoints?
DE.CM-04 (Endpoint detection), score 1.6 of 3.0, Cylance install scheduled June 2026
Are all endpoints managed by a mobile device management (MDM) tool?
Syxsense Cloud Management Suite, 6 of 6 endpoints enrolled
Are critical security patches applied within 30 days of release?
Syxsense patch compliance, 6 of 6 endpoints current as of 04 May 2026
Is encryption enforced on all endpoint hard drives?
PR.DS-01 (Data at rest), score 0.8 of 3.0, FileVault on for 2 of 3 Macs, BitLocker rollout in progress
How many of your endpoints run Windows?
Syxsense fleet inventory, 3 Windows 11 Pro endpoints
How many of your endpoints run macOS?
Syxsense fleet inventory, 3 macOS 14.5 endpoints
Do you use a secure web gateway or DNS filtering?
Email Security Basic package, DNS filtering included
Is anti-malware software installed on all endpoints?
Syxsense AV inventory, Microsoft Defender on all 6 endpoints
Do you have a documented endpoint hardening standard?
Not documented in current assessment. Hardening baseline planned for Q3 2026.
How your customer data is handled, encrypted, and backed up.
Do you classify customer data (e.g., PII, financial, health)?
Information Security Policy §05, three categories defined: customer-PII, vehicle-records, payment-references
Is customer data encrypted at rest?
PR.DS-01 (Data at rest), in progress, expected complete end of June 2026
Is customer data encrypted in transit (TLS)?
PR.DS-02, TLS 1.2+ enforced on all customer-facing endpoints
Do you store payment card data?
Information Security Policy §05, only last-four digits and authorization codes are retained for reconciliation
Do you have a documented data retention policy?
Information Security Policy §08, annual review and material-change cadence
Approximately how many customer records do you store?
Estimated from 14-employee Auto industry profile and 4-year operating history
Do you back up customer data regularly?
PR.IP-04 (Backups), daily incremental, weekly full
Are backups stored offsite or in cloud?
Microsoft 365 cloud backup, geographically redundant
Are backups tested for successful restoration at least quarterly?
PR.IP-04 (Backup verification), score 0.4 of 3.0, last successful test recorded 90+ days ago
What you do when something goes wrong.
Do you have a written incident response plan?
Information Security Policy §07, Incident Response Plan referenced; standalone IRP doc in progress
Have you conducted an incident response tabletop exercise in the past 12 months?
RS.IM-01, no tabletop exercise recorded in audit history. Scheduled for Q3 2026.
Do you currently have a cyber insurance policy in force?
Customer signup did not record an existing cyber insurance policy
Have you experienced a cyber incident, breach, or data loss event in the past 24 months?
Prior-incident disclosure must come from the owner directly. The platform does not infer claims history.
Do you have a designated incident response team or external retainer?
H2Cyber retainer, Paul Horn, Practitioner, 30 years
What is your committed time-to-detect for security incidents (in hours)?
DE.AE-02, 4-hour detection commitment per Information Security Policy
What is your committed time-to-notify customers and regulators after a confirmed breach (in hours)?
Texas Business and Commerce Code §521.053, 24-hour notification requirement
Do you maintain logs of system access for at least 90 days?
PR.PT-01, Microsoft 365 audit logs retained 180 days
Have you ever paid a ransomware demand?
No ransomware payment recorded in customer history
Your company profile and regulatory posture.
What is your industry sector?
Customer signup data, industry: Auto
How many employees do you have?
Customer signup data, 14 employees
What is your approximate annual revenue?
Revenue is not in the assessment scope. The owner enters this directly.
Are you registered with the SEC?
Regulatory profile, state-AG only
Are you registered with FINRA?
Regulatory profile, state-AG only
Are you registered with NYDFS?
Regulatory profile, state-AG only
Do you operate in states with active cyber notification or data-protection requirements?
State of Texas, Texas Business and Commerce Code §521.053
How many third-party vendors have access to customer data?
Vendor inventory, Microsoft (M365) and Syxsense, both with active DPAs
What policy limit are you requesting on this application?
Coverage limit is the owner's decision. The platform does not recommend a number.
Get yours
Take the 11-question free assessment. The platform answers every question on every form your insurer or your customer sends, with citations your underwriter can verify.