Elements of a Comprehensive Security Checklist

A comprehensive security checklist is the best way to help you feel comfortable that your systems are properly locked down and your policies and procedures are safe from unsavory cyber criminals. It is important to remember, however, that no matter how thorough your checklist is, you need to have a plan for an ongoing review of your policies and procedures to keep pace with advances in technology and the changing regulatory environment.

1. Access Control Policies / Procedures: Access control policies are high-level requirements that specify how access is managed and who may access information under what circumstances.

2. Segregation of Duties Policies / Procedures: The person approving and the person granting access should be two different people. This should be recorded either in a ticketing system or via some other means such as a spreadsheet with a description of what is requested, by whom, when, and who granted the access.
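The segregation-of-duties rule above is easy to state but only useful if someone actually checks the access records against it. The following is an added example, not code from the original page: it audits a constructed access-grant log (modelled on the ticket fields the page lists: description, requester, time, approver, grantor) and flags records where the approver and grantor are the same person, where a required field is missing, or where the grant timestamp precedes the request. The requester-approved-own-request check goes slightly beyond the page's stated rule and is included as an assumption about how such a policy is normally enforced.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List


@dataclass
class AccessGrant:
    """One access-grant record, with the fields the checklist says must be kept."""
    ticket_id: str
    description: str    # what is requested
    requested_by: str   # by whom
    requested_at: str   # when (ISO-8601)
    approved_by: str    # who approved
    granted_by: str     # who granted
    granted_at: str     # when it was granted (ISO-8601)


REQUIRED_FIELDS = (
    "ticket_id", "description", "requested_by", "requested_at",
    "approved_by", "granted_by", "granted_at",
)


def audit_grant(g: AccessGrant) -> List[str]:
    """Return a list of policy findings for one record (empty list == compliant)."""
    findings: List[str] = []

    # 1. Every field the policy requires must be recorded.
    for field in REQUIRED_FIELDS:
        if not getattr(g, field).strip():
            findings.append(f"missing {field}")

    # 2. Core segregation-of-duties rule: approver and grantor must differ.
    if g.approved_by and g.granted_by and g.approved_by.lower() == g.granted_by.lower():
        findings.append("approver and grantor are the same person")

    # 3. Assumed extension of the rule: a requester must not approve their own request.
    if g.requested_by and g.approved_by and g.requested_by.lower() == g.approved_by.lower():
        findings.append("requester approved their own request")

    # 4. Timeline sanity: access cannot be granted before it was requested.
    try:
        if datetime.fromisoformat(g.granted_at) < datetime.fromisoformat(g.requested_at):
            findings.append("granted before it was requested")
    except ValueError:
        findings.append("unparseable timestamp")

    return findings


def audit_log(grants: List[AccessGrant]) -> Dict[str, List[str]]:
    """Map ticket id -> findings, for records that have at least one finding."""
    report: Dict[str, List[str]] = {}
    for g in grants:
        findings = audit_grant(g)
        if findings:
            report[g.ticket_id] = findings
    return report


# Constructed sample log (hypothetical tickets and people, not real data).
SAMPLE_LOG = [
    AccessGrant("TCK-1001", "Read access to finance share", "alice",
                "2024-03-04T09:12:00", "bob", "carol", "2024-03-04T10:05:00"),
    AccessGrant("TCK-1002", "Admin on build server", "dave",
                "2024-03-05T14:20:00", "erin", "erin", "2024-03-05T14:25:00"),
    AccessGrant("TCK-1003", "", "frank",
                "2024-03-06T08:00:00", "grace", "heidi", "2024-03-05T08:00:00"),
]

if __name__ == "__main__":
    for ticket, findings in audit_log(SAMPLE_LOG).items():
        print(ticket, "->", "; ".join(findings))
```

Running the same audit over an export of the real ticketing system (or the spreadsheet the page mentions) turns the policy into a repeatable control rather than a statement of intent; comparing usernames case-insensitively avoids the common miss where "Erin" and "erin" are the same account.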

3. Remote Access Policies / Procedures: A remote access policy is a document which outlines and defines acceptable methods of remotely connecting to the internal network. It is essential in large organization where networks are geographically dispersed and extend into insecure network locations such as public networks or unmanaged home networks.

4. Asset Management Policies / Procedures: Asset management is the process of receiving, tagging, documenting, and eventually disposing of equipment. ... Proper asset management procedures and protocols provide documentation that aid in recovery, replacement, criminal, and insurance activities.

5. Acceptable Use Policy: An Acceptable Use Policy (AUP), also known as an Acceptable Usage Policy or Fair Use Policy, is a set of rules applied by the owner, creator or administrator of a network, website, or service that restricts the ways in which the network, website or system may be used and sets guidelines as to how it should be used.

6. Antivirus / Malware Policies / Procedures: Antivirus software (anti-virus software or AV software), also known as anti-malware, is a computer program used to prevent, detect, and remove malware.

7. Confidentiality Agreements / Non-Disclosure Agreements: A non-disclosure agreement (NDA), also known as a confidentiality agreement (CA), confidential disclosure agreement (CDA), hush agreement, proprietary information agreement (PIA) or secrecy agreement (SA), is a legal contract between at least two parties that outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties. It is a contract through which the parties agree not to disclose information covered by the agreement. An NDA creates a confidential relationship between the parties to protect any type of confidential and proprietary information or trade secrets. As such, an NDA protects non-public business information. Like all contracts, they cannot be enforced if the contracted activities are felonies.

8. Change Management / Change Control Policies / Procedures: Change control within quality management systems (QMS) and information technology (IT) systems is a formal process used to ensure that changes to a product or system are introduced in a controlled and coordinated manner.

9. Audit / Compliance Policies / Procedures: An audit is a systematic and independent examination of books, accounts, statutory records, documents and vouchers of an organization to ascertain how far the financial statements as well as non-financial disclosures present a true and fair view of the concern.

10. Data Backup Policies / Procedures: In information technology, a backup, or the process of backing up, refers to the copying and archiving of computer data so it may be used to restore the original after a data loss event.

11. Data Destruction / Disposal Policies / Procedures: Data destruction renders the storage media unusable for conventional equipment, so that the data it held cannot be recovered.

12. Business Continuity Management / Disaster Recovery Policies / Procedures: Business continuity encompasses planning and preparation to ensure that an organization can continue to operate in case of serious incidents or disasters and is able to recover to an operational state within a reasonably short period. As such, business continuity includes three key elements. Resilience: critical business functions and the supporting infrastructure must be designed in such a way that they are materially unaffected by relevant disruptions, for example through the use of redundancy and spare capacity. Recovery: arrangements have to be made to recover or restore critical and less critical business functions that fail for some reason. Contingency: the organization establishes a generalized capability and readiness to cope effectively with whatever major incidents and disasters occur, including those that were not, and perhaps could not have been, foreseen. Contingency preparations constitute a last-resort response if resilience and recovery arrangements should prove inadequate in practice. Typical disasters that business continuity is meant to account for include natural disasters such as fires and floods, accidents involving key personnel in the business, server crashes or virus infections, insolvency of key suppliers, negative media campaigns and market upheavals such as stock market crashes. Such disasters do not necessarily have to occur at the place of business to have a catastrophic impact, because of the globalized economy.

13. Application Development Policies / Procedures: Software development is the process of conceiving, specifying, designing, programming, documenting, testing, and bug fixing involved in creating and maintaining applications, frameworks, or other software components.

14. Secure Coding Policies / Procedures: Secure coding is the practice of developing computer software in a way that guards against the accidental introduction of security vulnerabilities.

15. Email Use and Security Policies / Procedures: Email security refers to the collective measures used to secure the access and content of an email account or service. It allows an individual or organization to protect the overall access to one or more email addresses/accounts.

16. Encryption Policies / Procedures: In cryptography, encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.

17. Human Resource Screening Policies / Procedures: A screening interview is a type of job interview that is conducted to determine if the applicant has the qualifications needed to do the job for which the company is hiring. A screening interview is typically the first interview in the hiring process.

18. Human Resource Termination Policies / Procedures: Termination is when an employee's job ends. There are two types of job terminations. Termination can be a voluntary termination of employment by the employee. Voluntary termination includes resignation or retirement.

19. Security Awareness Training Policies / Procedures: Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical, and especially informational, assets of that organization.

20. Incident Response Policies / Procedures: An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions. Incident management (IcM) is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future recurrence. These incidents within a structured organization are normally dealt with by either an incident response team (IRT), an incident management team (IMT), or an Incident Command System (ICS). Without effective incident management, an incident can disrupt business operations, information security, IT systems, employees, customers, or other vital business functions.

21. Information Security Policies / Procedures: Information security, sometimes shortened to InfoSec, is the practice of preventing unauthorized access, use, disclosure, disruption, modification, inspection, recording or destruction of information.

22. Mobile Media / Devices Policies / Procedures: A mobile device is a general term for any type of handheld computer. These devices are designed to be extremely portable, and they can often fit in your hand. Some mobile devices—like tablets, e-readers, and smartphones—are powerful enough to do many of the same things you can do with a desktop or laptop computer.

23. Network Security Management Policies / Procedures: Network security consists of the policies and practices adopted to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator.

24. IT Operations Policies / Procedures: Information technology operations, or IT operations, are the set of all processes and services that are both provisioned by an IT staff to their internal or external clients and used by themselves, to run themselves as a business. The term refers to the application of operations management to a business's technology needs.

25. Patch Management Policies / Procedures: A patch is a set of changes to a computer program or its supporting data designed to update, fix, or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually being called bugfixes or bug fixes, and improving the usability or performance.

26. Physical Security Policies / Procedures: Physical security describes security measures that are designed to deny unauthorized access to facilities, equipment and resources and to protect personnel and property from damage or harm (such as espionage, theft, or terrorist attacks). Physical security involves the use of multiple layers of interdependent systems which include CCTV surveillance, security guards, protective barriers, locks, access control protocols, and many other techniques.

27. Risk Management / Risk Assessment Program Policies / Procedures: Risk management is the identification, evaluation, and prioritization of risks (defined in ISO 31000 as the effect of uncertainty on objectives) followed by coordinated and economical application of resources to minimize, monitor, and control the probability or impact of unfortunate events or to maximize the realization of opportunities. Risk management's objective is to ensure that uncertainty does not deflect the endeavor from the business goals.

28. Data Retention Policies / Procedures: The data retention policies within an organization are a set of guidelines that describe which data will be archived, how long it will be kept, what happens to the data at the end of the retention period (archive or destroy) and other factors concerning the retention of the data.
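A retention policy only works when it is applied to an actual inventory on a schedule. As an added example (not code from the original page), the block below encodes the three things the page says a retention policy must state (which data class, how long it is kept, and whether it is archived or destroyed at the end) as a constructed schedule, and then sweeps a constructed data inventory to decide what should happen to each item today. Data classes with no matching rule are routed to "review" rather than silently kept or deleted; the class names and periods are assumptions for illustration.

```python
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed retention schedule (assumed values): data class -> (days kept, end-of-period action).
RETENTION_SCHEDULE: Dict[str, Tuple[int, str]] = {
    "auth_logs": (365, "archive"),
    "hr_records": (7 * 365, "archive"),
    "marketing_leads": (180, "destroy"),
}


def retention_decision(data_class: str, created: date, today: date,
                       schedule: Dict[str, Tuple[int, str]] = RETENTION_SCHEDULE
                       ) -> Tuple[str, Optional[int]]:
    """Decide what to do with one item today.

    Returns (action, days_remaining) where action is one of
    'retain', 'archive', 'destroy' or 'review'. days_remaining is None when
    no rule exists for the data class.
    """
    rule = schedule.get(data_class)
    if rule is None:
        # Unmapped data is a policy gap: flag it instead of guessing.
        return ("review", None)
    period_days, end_action = rule
    expiry = created + timedelta(days=period_days)
    remaining = (expiry - today).days
    if remaining > 0:
        return ("retain", remaining)
    return (end_action, 0)


def sweep_inventory(inventory: List[Tuple[str, str, date]], today: date
                    ) -> Dict[str, List[str]]:
    """Group item ids by the action due today; every action key is always present."""
    report: Dict[str, List[str]] = {"retain": [], "archive": [], "destroy": [], "review": []}
    for item_id, data_class, created in inventory:
        action, _ = retention_decision(data_class, created, today)
        report[action].append(item_id)
    return report


# Constructed inventory: (item id, data class, creation date). Hypothetical, not real data.
SAMPLE_INVENTORY = [
    ("log-2023-01", "auth_logs", date(2023, 1, 15)),        # past 365 days -> archive
    ("emp-0042", "hr_records", date(2020, 9, 1)),           # within 7 years -> retain
    ("lead-7731", "marketing_leads", date(2024, 3, 1)),     # expires 2024-08-28 -> retain
    ("lead-5120", "marketing_leads", date(2023, 10, 1)),    # past 180 days -> destroy
    ("photo-9", "customer_photos", date(2022, 5, 5)),       # no rule -> review
]

if __name__ == "__main__":
    for action, ids in sweep_inventory(SAMPLE_INVENTORY, date(2024, 6, 1)).items():
        print(f"{action:8s} {ids}")
```

The schedule is deliberately separate from the code so that the policy owner can change periods without touching the logic, and the "review" bucket is what surfaces data that the policy never classified, which is usually where the retention risk actually sits.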

29. Third Party Management Policies / Procedures: Third-party management is the process whereby companies monitor and manage interactions with all external parties with which they have a relationship. This may include both contractual and non-contractual parties. Third-party management is conducted primarily for the purpose of assessing the ongoing behavior, performance and risk that each third-party relationship represents to a company.

30. Vulnerability Management Policies / Procedures: Vulnerability management is the "cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities", particularly in software.