Security Policy Checklist

Today’s heightened awareness of the need to secure IT infrastructures and protect mission-critical data is leading more and more companies to reevaluate their security practices. An IT Security Policy should be in place
to make sure your company has a standardized framework and checklist of your organization’s best security practices.

Here is a basic Security Policy template that an organization should have in place.

  • POLICY:
    Has management provided the necessary leadership and reduced liability by issuing comprehensive information security policies, operating procedures, and associated responsibility statements?
    Do you have a Security Policy in place? Do you have an Acceptable Use Policy (AUP) in place? Do you have a Social Media Policy in place? These are just some of the basics of setting up policies.

  • EMPLOYEE ACKNOWLEDGEMENT:
    Are all employees and contractors required to provide written acknowledgement of their understanding and acceptance of the organization’s information security policies?

  • CONFIDENTIALITY AGREEMENTS:
    Has the execution of properly signed confidentiality agreements been verified before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?

  • PHYSICAL SECURITY:
    Are buildings, paper records, and sensitive IT resources (e.g., computer and network equipment, storage media, and wiring closets) within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent?

  • RESPONSE PLAN:
    Does the organization have a documented and frequently tested business resumption plan for critical computer systems and the associated office support infrastructure that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?

  • DETECTION:
    Are all computer systems protected with up-to-date Intrusion Detection Systems, Alert systems and other defenses against malicious software attacks?

  • TECHNICAL SECURITY:
    Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by anti-virus, firewalls, proxies, IPS, virtual private networks (or other forms of encrypted communication), and an incident response capability?

  • REMOTE ACCESS:
    Are modem and wireless access point connections known, authorized, and properly secured using protocols and services such as PPP, PPPoE, VPN, ICA, VNC, RADIUS, SSH and TACACS?


  • PASSWORDS:
    Have all vendor-supplied, default passwords or similar “published” access codes for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products been changed or disabled?


  • SOFTWARE PATCHES:
    Are security-sensitive software patches, including the removal of unnecessary sample application software, promptly applied to systems that are accessible to users outside of the organization?


  • DATA PROTECTION:
    Is sensitive, valuable information properly protected from unauthorized access, and are data properly encrypted?


  • AUDITS AND VULNERABILITY TESTING:
    Are all computers and network devices (e.g., routers and switches) within your organization regularly tested for exploitable vulnerabilities and for any unauthorized (or illegally copied!) software?


  • BIOMETRICS:
    Fingerprint, Face Recognition etc…


  • MONITORING and PROCEDURAL SECURITY:
    Group and User policies


  • EDUCATION and TRAINING AWARENESS:
    Train Employees in Social Engineering Techniques

A negative or unsure response to one or more of the above questions places an organization in a position of unnecessary risk, not only through a heightened possibility of direct financial loss and/or public embarrassment from a security incident, but also through the loss of confidence and credibility in the organization.
