Basic Security Policy Checklist

By Jo Blitz Escotal

Today’s heightened awareness and the need to secure IT infrastructures and protect mission critical data is leading more and more companies to reevaluate their security practices. An IT Security Policy should be in place to make sure your company has a standardize framework and checklist on what is your organizations best security practice.

Here is a Basic Security Policy Template that any Organization should have in place.

1. POLICY: Has management provided the necessary leadership and reduced liability by issuing comprehensive information security policies, operating procedures, and associated responsibility statements?
Do you a Security Policy in place. Do you an AUP Acceptable User Policy in place. Do you have a Social Media Policy in place these are just of the basics of setting up policies.

2. EMPLOYEE ACKNOWLEDGEMENT: Are all employees and contractors required to provide written acknowledgement of their understanding and acceptance of the organization’s information security policies?

3. CONFIDENTIALITY AGREEMENTS: Has the execution of properly signed confidentiality agreements been verified before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?

4. PHYSICAL SECURITY: Are there comprehensive business security systems in place to deter any and all criminal activity as well as keep all company resources secure? Are buildings, paper records, and sensitive IT resources (e.g., computer and network equipment, storage media, and wiring closets) properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent? Do you have on-site guards who can respond quickly if the security alarm goes off or intrusion takes place? You can also provide wireless communication devices to guards to contact each other if any issue arises in office premises during non-operational hours (click here to know more).

5. RESPONSE PLAN: Does the organization have a documented and frequently tested business resumption plan for critical computer system and associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?

6. DETECTION: Are all computer systems protected with up-to-date Intrusion Detection Systems, Alert systems and other defenses against malicious software attacks?

7. TECHNICAL SECURITY: Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by Anti-virus, Firewalls, Proxies, IPS, Virtual private networks (or other forms of encrypted communication,) and incident response capability?

8. REMOTE ACCESS: Are modem and wireless access point connections known, authorized, and properly secured connections such as PPP, PPPoE, VPN, ICA, VNC, RADIUS, SSH and TACACS?

9. PASSWORDS: Have all vendor-supplied, default passwords or similar “published” access codes for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products been changed or disabled? For existing access systems, has MFA (multi-factor authentication) been enabled?

10. SOFTWARE PATCHES: Are security-sensitive software patches, including the removal of unnecessary sample application software, promptly applied to systems that are accessible to users outside of the organization?

11. DATA PROTECTION: Is sensitive, valuable information properly protected from unauthorized access, and are data properly encrypted? If not, you might need the help of a data security team (look at IT Management services ne if interested) that can protect your business from potential cyber-attacks that can corrupt and steal your sensitive data. IT teams tend to be ready all the time and they can react quickly and resist future incidents.

12. AUDITS AND VULNERABILITY TESTING: Are all computers and network devices (e.g., routers, and switches) within your organization regularly tested for exploitable vulnerabilities and any unauthorized (or illegally copied!) software?

13. BIOMETRICS: Fingerprint, Face Recognition etc…

14. MONITORING and PROCEDURAL SECURITY: Group and User policies

15. EDUCATION and TRANING AWARENESS: Train Employees in Social Engineering Techniques

A negative or unsure response to one or more of the above questions places an organization in a position of unnecessary risk, not only to heightened possibility of direct financial loss and/or public embarrassment by a security incident, but also the loss of confidence and creditability in the organization.