Has a risk assessment been conducted within the last 12 months?

Do you perform quarterly vulnerability scanning of your information systems?

Is there a risk assessment program that has been approved by management, communicated to appropriate constituents and an owner to maintain and review the program?