Information Security Checklist
We have prepared a short and, we hope, helpful checklist which you can use to identify any areas of practice or policy where you may be at risk within your organisation. The list is not exhaustive, but highlights some of the key areas you might want to consider in the context of information security and data protection.
Insurance and denial of cover
One of the reasons you may want to use this short list is to ensure that your insurance cover (which may currently protect you against loss of data, consequential losses, or the cost of recovering from an insider attack or external hacking event, depending on your policy) is not denied. In the US, studies have put the cost of losses following a theft or loss of data at about $75 per record lost. So if you lost 20,000 customer records, that is a lot of money to take off the bottom line. If your internal practices are not sound, then insurers could deny cover.
Is your data secure?
1 Do you take steps to ensure your staff and suppliers understand and comply with regulations on information security?
2 Would these steps be sufficient in the event of disciplinary or legal action?
3 Are you confident that your staff understand and comply with relevant data protection legislation?
4 Do staff have personal targets for compliance with security and data protection policies?
5 Can you provide up-to-date evidence that your staff understand their responsibilities towards security and operate within the guidelines of your security policies?
6 Are the results of data security training programmes aligned with staff development reviews?
7 Does your organisation issue a computer users’ Code of Practice?
8 Does the code extend to staff working from home, consultants and suppliers?
9 Do you take steps to ensure understanding and compliance with the Code of Practice?
10 Would you be able to present an up-to-date set of training records that an auditor could examine in the event of a security breach?
11 If you outsource your IT or other functional activities to an external agency, do you make provisions to ensure your data is secure?
12 Are those steps included in a contract? Are third-party electronic connections to your systems controlled and reflected in the contract?
13 Are you aware of the significant reductions that can be made to your insurance premiums when your staff are fully trained in information security?
14 Are you clear on the importance of your information, and is your protection of its confidentiality / integrity / availability proportionate to its importance?
15 If you hold information belonging to other companies or individuals, are your staff clear on the protection they must provide, and is that level of protection included in relevant contracts?
16 Are you confident that your colleagues respect the reputation of your organisation in the transmission of e-mails and Internet comments, especially in social networking sites such as Facebook and MySpace?
17 Can you produce evidence to demonstrate compliance with copyright and licence agreements with others?
18 Do you use intrusion detection systems that identify malicious activity, such as worms, viruses and hacking?
19 Can you provide up-to-date training records that would satisfy an auditor that you understand the basic principles of data encryption?
20 Do you have a business continuity plan?
21 If so, when was it last tested?
22 Are you concerned that you are unable to answer ‘yes’ to each of the above questions?
23 Would you like the reassurance of being able to access training from some of the UK’s top security experts quickly and cost-effectively?
If the answers to any of the above are ‘Yes’, then we suggest you view our training and reference materials.
This guide is not intended as, nor to replace, legal advice, and no liability will be accepted for any loss, cost, expense or damage suffered or incurred by the user due to any reliance placed upon it.
© E-Security Exchange 2009