Cyber Security Checklist
v1.0
Item #   Question   Yes   No

Documented Security Procedures & Accountability

1. Have you created security policies commensurate with the size and culture of your organisation?   ☐ Yes   ☐ No
2. Are security policies documented and kept up to date?   ☐ Yes   ☐ No
3. Is maintaining the security of the organisation made part of each employee's job description?   ☐ Yes   ☐ No
4. Are all employees required to sign confidentiality agreements?   ☐ Yes   ☐ No
5. Are all contractors, facility managers, couriers, maintenance companies and cleaners explicitly informed of the organisation's policies and standards that apply to their activities?   ☐ Yes   ☐ No
6. Are legal notices posted on log-on and authentication screens warning that unauthorised access or use constitutes an illegal intrusion?   ☐ Yes   ☐ No
7. Does the organisation restrict employee access to critical systems and information?   ☐ Yes   ☐ No
8. Do you classify your data, identifying sensitive data versus non-sensitive data?   ☐ Yes   ☐ No
9. Are maintenance and cleaning staff prevented from entering, unsupervised, areas which contain systems and information classified as mildly sensitive or above?   ☐ Yes   ☐ No
10. Are employees prohibited from installing personal or unauthorised software on their organisation-supplied computer, laptop, tablet, smart phone or any other device?   ☐ Yes   ☐ No
11. Are employees required to have a 'strong' password on personal smart phones and other devices on which they have access to company email or other sensitive information?   ☐ Yes   ☐ No
12. Do the organisation's policies define the proper use of email, internet access and instant messaging by employees?   ☐ Yes   ☐ No
13. Are employees prohibited from sharing passwords and from allowing other employees to use their computers and portable devices?   ☐ Yes   ☐ No
14. Are there procedures in place to prevent computers from being left in a logged-on state, however briefly?   ☐ Yes   ☐ No
15. Is the employee who is responsible for a given piece of information equipment required to oversee the security of that equipment?   ☐ Yes   ☐ No
16. Is each piece of equipment tagged with a permanent identifier and/or its serial number recorded, so that it can be determined who is entrusted with that piece of equipment?   ☐ Yes   ☐ No
17. Are there measures to prevent employees from leaving the business premises with sensitive information carried on USB or other media devices?   ☐ Yes   ☐ No
18. Are employees given sufficient incentives to report security breaches and improper security practices, and at the same time protected from retribution or blame for making such a report?   ☐ Yes   ☐ No
19. Is there a procedure in place to immediately revoke all passwords and/or prevent access to company property, data, intellectual property, customer records, restricted physical areas, and to any supplier or customer of the organisation?   ☐ Yes   ☐ No
20. Are employees prohibited from allowing other staff or any other person to use their swipe card, keys, PIN numbers and the like to gain access to information, facilities or systems?   ☐ Yes   ☐ No

Backup Procedures & Security

21. Are the operating systems, programs and operating information backed up as well as the data/records?   ☐ Yes   ☐ No