I am often approached by owners of small businesses who ask me how can they be assured that they have taken the basic steps to protect their information assets.  These companies often do not have any internal IT or information securty expertise and rely on external vendors or contractors to secure their systems.  What these owners want is a list of questions that they can ask themselves and their IT/Information Security experts to ensure they have taken the appropriate steps.  The following is what I recommend they check on and if they have any incomplete or negative responses then these areas need to be addressed;

People Check Item


Responsibility Does a director, or equivalent, have responsibility for information security?  
Employee Buy-in Have all members of staff given written acknowledgement that they have read, understood and accepted the information security policy?  
Employee awareness Do all users on your computer systems receive regular training on their security responsibilities and how to identify and deal with various security threats?  
Training Do staff members with specific security responsibilities receive proper and regular training to support their role?  
Computer security policy Have you a documented security policy, with associated operating procedures, signed off and fully supported by senior management?  
Non-disclosure agreements Does senior management authorise third party access to confidential and/or commercially sensitive information pending completion of appropriate confidentiality forms?   


Process Check Item Answer
Audits Are critical systems such as firewalls and routers regularly tested for vulnerabilities and are computers checked to ensure no copies of illegal software are present?  
Incident Planning and response Are documented and frequently tested plans in place, with clearly defined roles and responsibilities, to ensure the company can respond to any security breaches such as a virus attack, fraud or natural disasters such as fire?  
Passwords Are all default passwords on all systems reset from the default vendor installed passwords?  Are users forced to use complex and hard to guess passwords?  
Software patches Is there a mechanism to ensure that critical security patches are deployed to systems in a timely and audited fashion?  
Data Protection Are systems and databases that store personal data secured properly to ensure compliance with regulatory and legal requirements such as the Data Protection Act?  


Tech Check Item Answer
External Network Security Are external connections, such as to the Internet, authorised by senior management, properly documented and secured using Firewalls?  
Anti-Virus Are all computer systems protected with the most up to date anti-virus software?  Are users educated on how to identify and deal with suspect files that may contain computer viruses?  
Content Monitoring Do you properly monitor the content of emails and Internet browsing activity to protect your company from computer viruses, SPAM, or litigation due to the nature of the content?  
Monitoring Are the log files of important security devices actively monitored to detect potential security breaches?  
Physical security Are critical IT resources, such as file servers, located in a secured area that is protected from unauthorised access?  

If you have any ideas on how to improve the above list please let me know via the comments.