Title Page
-
Site conducted
-
Conducted on
-
Prepared by
-
Location
Staff
-
Do your staff wear ID badges?
-
Is a current picture part of the ID badge?
-
Are authorized access levels and type (employee, contractor, visitor) identified on the badge?
-
Do you check the credentials of external contractors?
-
Do you have policies addressing background checks for employees and contractors?
-
Do you have a process for promptly and completely revoking access to facilities and information systems when an employee or contractor leaves?
Physical Security
-
Do you have policies and procedures that address allowing authorized and limiting unauthorized physical access to electronic information systems and the facilities in which they are housed?
-
Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers or CCTV monitoring?
-
Is the access to your computing area controlled (single point, reception or security desk, sign-in/sign-out log, temporary/visitor badges)?
-
Are visitors escorted into and out of controlled areas?
-
Are your PCs inaccessible to unauthorized users (e.g. located away from public areas)?
-
Is your computing area equipment physically secured?
-
Are procedures in place to prevent computers from being left in a logged-on state, however briefly?
-
Are screens automatically locked after 10 minutes idle?
-
Are modems set to AUTO-ANSWER OFF (so that they do not accept incoming calls)?
-
Do you have procedures for protecting data during equipment repairs?
-
Do you have policies covering laptop security (e.g. cable lock or secure storage)?
-
Do you have separate Wi-Fi access for visitors, isolated from the internal network?
-
Do you have policies in place for BYOD (Bring Your Own Device) in the workplace?
-
Do you have an emergency evacuation plan and is it current?
-
Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?
-
Are key personnel aware of which areas and facilities need to be sealed off and how?
Accounts and Password Management
-
Do you have policies and standards covering electronic authentication, authorization and access control of personnel and resources to your information systems, applications and data?
-
Do you ensure that only authorized personnel have access to your computers?
-
Do you require and enforce appropriate passwords?
-
Are your passwords secure (not easy to guess, no temporary or default passwords left in place, changed promptly when compromise is suspected)? Note that current guidance (NIST SP 800-63B) no longer recommends forced periodic rotation on its own; minimum length, screening against breached-password lists and MFA matter more.
-
Are your computers set up so that others cannot see staff entering their passwords?
-
Do you have a policy for forgotten passwords (e.g. resets are performed only by system administrators, after the requester's identity has been verified)?
-
Do you have MFA (Multi-Factor Authentication) in place?
Confidentiality of Sensitive Data
-
Do you classify your data, identifying sensitive data versus non-sensitive data?
-
Are you exercising your responsibilities to protect sensitive data under your control?
-
Is the most valuable or sensitive data encrypted?
-
Do you have policies defining retention periods for information (both hard and soft copies)?
-
Do you have procedures in place to deal with credit card information?
-
Do you have procedures covering the management of personal private information?
-
Is there a process for creating retrievable back up and archival copies of critical information?
-
Do you have procedures for disposing of waste material?
-
Is the waste paper binned or shredded?
-
Is your shred bin locked at all times?
-
Do your policies for disposing of old computer equipment protect against loss of data (e.g. someone recovering data from old disks and hard drives)?
-
Do your disposal procedures identify appropriate technologies and methods for making hardware and electronic media unusable and inaccessible (such as shredding CDs and DVDs, securely wiping disk drives, burning tapes, etc.)?
Disaster Recovery
-
Do you have a current business continuity plan?
-
Is there a process for creating retrievable back up and archival copies of critical information?
-
Do you have an emergency/incident management communications plan?
-
Do you have a procedure for notifying authorities in the case of a disaster or security incident?
-
Does your procedure identify who should be contacted, including any contact information?
-
Is the contact information sorted and identified by incident type?
-
Does your procedure identify who should make the contacts?
-
Have you identified who would speak to the press/public in the case of an emergency or an incident?
-
Does your communications plan cover internal communications with your employees and their families?
-
Can emergency procedures be implemented appropriately, as needed, by those responsible?
Security Awareness
-
Are you providing information about computer security to your staff?
-
Do you provide training on a regular basis?
-
Are employees taught to be alert to possible security breaches?
-
Are your employees taught about keeping their passwords secure?
-
Are your employees able to identify and protect classified data, including paper documents, removable media and electronic documents?
-
Are your employees aware of the risk of using removable drives that do not belong to them (for example, a USB drive found outside the building may contain malware if it is plugged into a company computer)?
-
Are your employees aware of phishing attacks (do not open suspicious links or URLs sent via email)?
-
Are your employees aware of social engineering techniques that are used by attackers to gain information?
Compliance
-
Do you review and revise your security documents, such as: policies, standards, procedures and guidelines on a regular basis?
-
Do you audit your processes and procedures for compliance with established policies and standards?
-
Do you test your disaster plans on a regular basis?
-
Does management regularly review lists of individuals with physical access to sensitive facilities or electronic access to information systems?
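The two items about revoking access when someone leaves (under Staff) and about management reviewing access lists (above) are both answered by the same evidence: a reconciliation of the HR roster against the accounts that actually exist in the identity system. The script below is an added illustration, not part of the original checklist or of any product; the roster, the account export, the review date and the 90-day inactivity threshold are constructed sample data, and the column names are assumptions about what such exports contain. It flags three classes of finding a reviewer would want to see: accounts that are still enabled for people HR lists as terminated (including any login after the leaving date), accounts with no HR record at all (orphans, once known service accounts are excluded), and enabled accounts that have not been used within the threshold.

```python
"""Reconcile an HR roster against an identity-system account export.

Added example for the access-revocation and access-review checklist items.
All data below is constructed; column names are assumptions.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed HR roster (hypothetical people). status is "active" or
# "terminated"; end_date is filled in when the person has left.
HR_ROSTER_CSV = """\
user_id,name,status,end_date,type
alice,Alice Example,active,,employee
bob,Bob Example,terminated,2024-05-31,contractor
carol,Carol Example,active,,employee
"""

# Constructed export from the identity system (directory or IdP).
ACCOUNTS_CSV = """\
user_id,enabled,last_login
alice,true,2024-06-20
bob,true,2024-06-02
carol,true,2024-01-15
dave,true,2024-06-21
svc-backup,true,2024-06-21
"""

REVIEW_DATE = date(2024, 6, 30)          # constructed date of this review
STALE_AFTER = timedelta(days=90)         # hypothetical inactivity threshold
KNOWN_SERVICE_ACCOUNTS = frozenset({"svc-backup"})  # documented exceptions


@dataclass
class Findings:
    leavers_still_enabled: list[str] = field(default_factory=list)
    logins_after_leaving: list[str] = field(default_factory=list)
    orphan_accounts: list[str] = field(default_factory=list)
    stale_accounts: list[str] = field(default_factory=list)


def parse_csv(text: str) -> list[dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(value: str) -> date | None:
    value = value.strip()
    return date.fromisoformat(value) if value else None


def reconcile(roster_csv: str, accounts_csv: str, review_date: date,
              stale_after: timedelta,
              service_accounts: frozenset[str] = frozenset()) -> Findings:
    """Compare every account against the roster and classify exceptions."""
    roster = {row["user_id"]: row for row in parse_csv(roster_csv)}
    findings = Findings()
    for acct in parse_csv(accounts_csv):
        uid = acct["user_id"]
        enabled = acct["enabled"].strip().lower() in {"true", "1", "yes"}
        last_login = parse_date(acct["last_login"])
        person = roster.get(uid)

        if person is None:
            # No HR record: either a documented service account or an orphan.
            if uid not in service_accounts:
                findings.orphan_accounts.append(uid)
            continue

        if person["status"].strip().lower() == "terminated":
            end_date = parse_date(person["end_date"])
            if enabled:
                findings.leavers_still_enabled.append(uid)
            if last_login and end_date and last_login > end_date:
                findings.logins_after_leaving.append(uid)
            continue

        # Active person: an enabled account nobody uses is still exposure.
        if enabled and (last_login is None or review_date - last_login > stale_after):
            findings.stale_accounts.append(uid)
    return findings


def run_review() -> Findings:
    return reconcile(HR_ROSTER_CSV, ACCOUNTS_CSV, REVIEW_DATE,
                     STALE_AFTER, KNOWN_SERVICE_ACCOUNTS)


def report(findings: Findings) -> str:
    lines = [f"Access review as of {REVIEW_DATE.isoformat()}"]
    for label, items in (
        ("Leavers still enabled", findings.leavers_still_enabled),
        ("Logins after leaving date", findings.logins_after_leaving),
        ("Accounts with no HR record", findings.orphan_accounts),
        (f"Unused for more than {STALE_AFTER.days} days", findings.stale_accounts),
    ):
        lines.append(f"{label}: {', '.join(items) if items else 'none'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(run_review()))
```

On the constructed data the review reports bob as a leaver whose account is still enabled and who logged in after the leaving date, dave as an account with no HR record, and carol as an active user whose account has sat unused for more than 90 days. Running the same reconciliation on a schedule, and keeping the output, is the evidence that both checklist items ask for.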
Audit Complete
-
Completion
Overall Recommendations
-
IT Personnel Name and Signature
-