Basic Security Policy Checklist

By Jo Blitz Escotal

Today’s heightened awareness and the need to secure IT infrastructures and protect mission-critical data are leading more and more companies to reevaluate their security practices. An IT Security Policy should be in place to make sure your company has a standardized framework and checklist defining your organization’s best security practices.

Here is a Basic Security Policy Template that any Organization should have in place.

1. POLICY: Has management provided the necessary leadership and reduced liability by issuing comprehensive information security policies, operating procedures, and associated responsibility statements?
Do you have a Security Policy in place? Do you have an Acceptable Use Policy (AUP) in place? Do you have a Social Media Policy in place? These are just some of the basics of setting up policies.

2. EMPLOYEE ACKNOWLEDGEMENT: Are all employees and contractors required to provide written acknowledgement of their understanding and acceptance of the organization’s information security policies?

3. CONFIDENTIALITY AGREEMENTS: Has the execution of properly signed confidentiality agreements been verified before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?

4. PHYSICAL SECURITY: Are buildings, paper records, and sensitive IT resources (e.g., computer and network equipment, storage media, and wiring closets) within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent? Are there comprehensive business security systems in place to deter any and all criminal activity as well as keep all company resources secure?

5. RESPONSE PLAN: Does the organization have a documented and frequently tested business resumption plan for critical computer systems and the associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?

6. DETECTION: Are all computer systems protected with up-to-date Intrusion Detection Systems, Alert systems and other defenses against malicious software attacks?

7. TECHNICAL SECURITY: Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by anti-virus, firewalls, proxies, IPS, virtual private networks (or other forms of encrypted communication), and an incident response capability?

8. REMOTE ACCESS: Are modem and wireless access point connections known, authorized, and properly secured, using connection types such as PPP, PPPoE, VPN, ICA, VNC, RADIUS, SSH and TACACS?

9. PASSWORDS: Have all vendor-supplied, default passwords or similar “published” access codes for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products been changed or disabled?

10. SOFTWARE PATCHES: Are security-sensitive software patches, including the removal of unnecessary sample application software, promptly applied to systems that are accessible to users outside of the organization?

11. DATA PROTECTION: Is sensitive, valuable information properly protected from unauthorized access, and are data properly encrypted?

12. AUDITS AND VULNERABILITY TESTING: Are all computers and network devices (e.g., routers and switches) within your organization regularly tested for exploitable vulnerabilities and for any unauthorized (or illegally copied!) software?

13. BIOMETRICS: Fingerprint, face recognition, etc.

14. MONITORING and PROCEDURAL SECURITY: Group and User policies

15. EDUCATION and TRAINING AWARENESS: Train employees to recognize social engineering techniques.

A negative or unsure response to one or more of the above questions places an organization in a position of unnecessary risk, not only of a heightened possibility of direct financial loss and/or public embarrassment from a security incident, but also of a loss of confidence and credibility in the organization.