1. POLICY: Has management provided the necessary leadership and reduced liability by issuing comprehensive information security policies, operating procedures, and associated responsibility statements?
2. EMPLOYEE ACKNOWLEDGEMENT: Are all employees and contractors required to provide written acknowledgement of their understanding and acceptance of the organization's information security policies?
3. CONFIDENTIALITY AGREEMENTS: Has the execution of properly signed confidentiality agreements been verified before proprietary and/or sensitive information is disclosed, in any form, to individuals outside the organization?
4. PHYSICAL SECURITY: Are buildings, paper records, and sensitive IT resources (e.g., computer and network equipment, storage media, wiring closets) within them properly secured from unauthorized access, tampering, damage, and/or theft by an intruder with malicious intent?
5. BUSINESS RESUMPTION PLAN: Does the organization have a documented and frequently tested business resumption plan for critical computer systems and the associated office support infrastructure, one that includes frequent system backups, off-site data backup storage, emergency notification, replacement IT and office resources, alternate facilities, and detailed recovery procedures?
6. ANTI-VIRUS: Are all computer systems protected with up-to-date anti-virus software and other defenses against malicious software attacks?
7. INTERNET SECURITY: Are all dedicated connections to the Internet and other external networks properly documented, authorized, and protected by firewalls, intrusion detection systems, virtual private networks (or other forms of encrypted communication), and an incident response capability?
8. REMOTE ACCESS: Are modem and wireless access point connections known, authorized, and properly secured?
9. PASSWORDS: Have all vendor-supplied default passwords, or similar "published" access codes, for all installed operating systems, database management systems, network devices, application packages, and any other commercially produced IT products been changed or disabled?
10. SOFTWARE PATCHES: Are security-sensitive software patches, including the removal of unnecessary sample application software, promptly applied to systems that are accessible to users outside of the organization?
11. DATA PROTECTION: Is sensitive, valuable information properly protected from unauthorized access, including Windows network file shares and undocumented (desktop) Web and FTP servers?