Norfolk State University Socio-Cybersecurity

    Cybersecurity Principles

    http://www.utah.gov/beready/business/documents/BRUCyberSecurityChecklist.pdf

    This is a simple checklist designed to identify and document the existence and status of a recommended basic set of cyber security controls (policies, standards, and procedures) for an organization. Security controls are designed to reduce and/or eliminate the identified threats/vulnerabilities that place an organization at risk.

    PERSONNEL SECURITY  Yes No

    PHYSICAL SECURITY  Yes No

    1. Are visitors escorted into and out of controlled areas?  ○    ○
    2. Are your PCs inaccessible to unauthorized users (e.g. located away from public areas)?
    3. Is your computing area and equipment physically secured?  ○    ○
    4. Are there procedures in place to prevent computers from being left in a logged-on state, however briefly?
    5. Are screens automatically locked after 10 minutes idle?  ○    ○
    6. Are modems set to Auto-Answer OFF (not to accept incoming calls)?  ○    ○
    7. Do you have procedures for protecting data during equipment repairs?  ○    ○
    8. Do you have policies covering laptop security (e.g. cable lock or secure storage)?
    9. Do you have an emergency evacuation plan and is it current?  ○    ○
    10. Does your plan identify areas and facilities that need to be sealed off immediately in case of an emergency?
    11. Are key personnel aware of which areas and facilities need to be sealed off and how?

    ACCOUNT AND PASSWORD MANAGEMENT  Yes No

    CONFIDENTIALITY OF SENSITIVE DATA  Yes No

    1. Are you exercising responsibilities to protect sensitive data under your control?  ○    ○
    2. Is the most valuable or sensitive data encrypted?  ○    ○
    3. Do you have a policy for identifying the retention of information (both hard and soft copies)?
    4. Do you have procedures in place to deal with credit card information?  ○    ○
    5. Do you have procedures covering the management of personal private information?
    6. Is there a process for creating retrievable backup and archival copies of critical information?
    7. Do you have procedures for disposing of waste material?  ○    ○
    8. Is waste paper binned or shredded?  ○    ○
    9. Is your shred bin locked at all times?  ○    ○
    10. Do your policies for disposing of old computer equipment protect against loss of data (e.g. by reading old disks and hard drives)?
    11. Do your disposal procedures identify appropriate technologies and methods for making hardware and electronic media unusable and inaccessible (such as shredding CDs and DVDs, electronically wiping drives, burning tapes, etc.)?

    DISASTER RECOVERY  Yes No

    1. Do you have a current business continuity plan? ○    ○
    1. Is there a process for creating retrievable backup and archival copies of critical information?
    2. Do you have an emergency/incident management communications plan?  ○    ○
    3. Do you have a procedure for notifying authorities in the case of a disaster or security incident?
    4. Does your procedure identify who should be contacted, including contact information?
    5. Is the contact information sorted and identified by incident type?  ○    ○
    6. Does your procedure identify who should make the contacts?  ○    ○

    SECURITY AWARENESS AND EDUCATION  Yes  No

    COMPLIANCE AND AUDIT  Yes  No

    Checklist Response Analysis

    For each question that is marked “No,” carefully review its applicability to your organization. Implementing or improving controls decreases potential exposure to threats/vulnerabilities that may seriously impact the ability to successfully operate.

    Department of Sociology
    Norfolk State University
    700 Park Avenue,
    Norfolk,
    Virginia 23504
    USA
    Tel: 757-823-8436

    This Project is funded by the National Science Foundation

    © 2019. NSU Socio-Cybersecurity Project. All Rights Reserved