Information Security Assessment Checklist: A Benchmarking Tool for Managers

Questions for this quiz were compiled from CSI's Computer Security Compliance Test, a comprehensive assessment document containing 120 questions from eight basic information security categories. The complete test contains instructions for weighting and scoring each question for percentage of compliance, providing a useful measurement of your security posture vs. where you want to be. The Computer Security Compliance Test may be self-administered each year to provide a quantifiable indicator of your program's progress. The complete test is priced at $97 per copy. Inquiries may be directed to CSI at 415-905-2626.

Check all that apply:

Computer security is identified as a separate and distinct budget item.
Definite steps have been taken to create and maintain security awareness for data processing employees and users of systems and networks (such as awards for suggesting good security ideas).
A serious formal risk analysis has been made to identify threats, quantify and rank potential loss exposures.
There is a detailed, current contingency plan covering emergency and disaster procedures, with well-defined tasks that make specific assignments of responsibilities.
There is a formal written procedure for reporting security breaches or suspicious incidents and for checking follow-up actions.
Your internal audit function is well-versed in computer controls and security and works closely with computer security personnel to improve the overall program.
"Adherence to security policies and procedures" is a measured line item on individual personnel reviews.
All newly hired network and systems users are given an initial security briefing, followed by periodic refreshers.
Liaison between personnel and security administration groups ensures prompt removal of obsolete users' IDs.
The organization would seek to prosecute employees or outsiders found guilty of a serious premeditated criminal act against the organization.
Employees must take vacations that provide at least one week without any network or system interaction, thus giving an opportunity to expose unauthorized practices.
LAN servers are kept in protected areas, not generally accessible.
Audit and/or security conduct random, after-hours inspections of work areas and report findings to management.
Documents containing sensitive information are not discarded in whole, readable form; they are shredded, burned or otherwise mutilated.
Telephone bills are checked each month by responsible managers to discover potential toll fraud, prevent unnecessary loss and prepare for prosecution.
Special procedures and audited IDs have been set up for application and network troubleshooting activity.
A formal change control procedure, including security testing, is used to manage all normal modifications to any software running as production on any platform.
When repeated attempts to use invalid passwords or illegal procedures cause an ID to get suspended, security contacts both the owner of that ID and the owner's manager.
Risk analysis has identified individual programmers, network analysts or other personnel upon whom the organization is excessively dependent or who are in a position to inflict significant harm.
If the computer installation was entirely destroyed, critical operations on backup equipment could be reinitiated and a return to normal operations could be accomplished within timeframes designated in the disaster recovery plan.
Criticality of applications is reviewed and updated regularly in light of new technology, business changes and migration of applications to LANs and other downsized platforms.
Each individual wishing to access the network must supply a valid, current user ID and password before being granted access.
In addition to ID/password, an extra level of control will be implemented on dial-up access to the network.
Transmission of sensitive information between security domains in the network or outside the organization's network will be encrypted.
Electronic mail security features have been turned on and are being used; users know their messages are subject to monitoring.
LAN operating systems' security controls are fully implemented and used.
A policy forbidding software piracy has been published and disseminated to organizational PC users.
The organization provides all PC users with regularly updated software to prevent, detect and recover from attacks by computer viruses or malicious code.
The organization has chartered an emergency response team to help users quickly and effectively recover from virus incidents.