Information security involves protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction, and it is concerned with maintaining the confidentiality, integrity and availability of data regardless of the form the data may take: electronic, print, or other forms. Our information security consultants will work with you to secure your information and information systems and to develop dynamic, proactive, cost-effective information security policies and practices. Below you will find a very basic information security checklist that will give you an idea of the bare minimum that one should implement in order to provide a reasonable measure of information security. If your organization does not have these measures in place then feel free to contact us for no-obligations advice about getting started with information security.
A Basic Information Security Checklist:
- Policy - does the organization have comprehensive information security policies, guidelines, operating procedures, and have these been formally issued by executive management?
- Employee Acknowledgement - are staff and contractors required to sign an acknowledgement of their understanding and acceptance of the organization's information security policies?
- Confidentiality Agreements - are binding confidentiality agreements in place before proprietary information is disclosed to individuals inside and outside the organization?
- Physical Security - are buildings, documents, information systems and storage media secured against unauthorized access, tampering, damage or theft?
- Business Continuity Plan - does the organization have a formal, tested business continuity plan for critical information systems and infrastructure that includes regular (preferably off-site) data backups, detailed emergency notification, response and recovery procedures, and either replacement information systems or alternate facilities in the event of a catastrophic event?
- Anti-Malware - are all computer systems protected with up-to-date anti-virus software and other defenses against malicious software and cyber attack?
- Internet Security - are all dedicated Internet and external network connections documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks (or other forms of encrypted communication) and incident response capability?
- Remote Access - are modems, routers and wireless access points known, authorized, and properly secured, and are remote connections properly authenticated?
- Passwords - is there a password policy in place, backed by controls that, among other things, force users to select secure passwords, require passwords to be changed periodically, and ensure that all default passwords (for operating systems, applications and devices) are changed?
- Software Patches - are operating systems and software applications regularly updated, and are security patches immediately applied?
- Data Protection - is confidential information properly protected from unauthorized access, discovery or manipulation; have all web and file server permissions been examined, and have web-accessible systems been probed for possible back doors and publicly accessible directories?
- Audits and Vulnerability Testing - are all computers and network devices within the organization regularly tested for exploitable vulnerabilities and any unauthorized software?