22. Is the data being backed up at a frequency appropriate to its sensitivity and importance to the organisation?
23. Does the back-up procedure include checking the data for hostile code such as Trojan horses or viruses?
24. If the information being backed up is proprietary or sensitive, is the information encrypted and stored as such during the back-up process?
25. Are all copies of back-ups protected from loss by fire, theft and accidental damage?
26. When storage media is no longer required, are there secure procedures for destroying or reusing the media?
27. Are there multiple backups so that if one is lost or corrupted, the system could still be restored?
28. Are the backups being retained long enough so that there would still be an uncorrupted copy if the data was gradually being corrupted or the system was shut down as part of a ransom or other malicious attack?
29. Are all relevant logs of activity backed up and securely stored to prevent alteration?
30. Are the configurations of switches and routers backed up on a regular basis?
31. Are the backups regularly stored at a physically remote location?
32. Are the backups regularly tested to ensure they are working as they should?
33. Are there procedures to deal with the loss or theft of unencrypted backup data that is proprietary or of a sensitive nature?
Security of Hardware, Data & Records
34. Is all electronic equipment (hardware and software) listed on an accurate inventory listing and, where appropriate, housed in a secure area?
35. Are there documented, quick and easy procedures for updating the inventory whenever equipment is to be moved or the person allocated to use/protect it changes?
36. Is each piece of equipment labelled with a bar code or other identifier for easy tracking?
37. Is there a procedure for the removal and destruction of hard discs or other media when the equipment reaches the end of its useful life or is otherwise taken out of service permanently?
38. Do you have procedures for disposing of waste material?
39. Where equipment is being reassigned to a different employee, is there a procedure in place to ensure that sensitive information is not left on the machine that would not normally be accessible by the employee entrusted with the equipment moving forward?
40. Are there periodic checks to ensure that the equipment is where it is reported to be?
41. Do you have policies covering laptop security (e.g. cable lock or secure storage)?
42. Are especially important items of electronic equipment housed in a secure datacenter, room or cabinet?
43. Are there physical barriers to access to the equipment commensurate with the value of the equipment and the data contained on it?
44. Do you have a process for effectively cutting off access to facilities and information systems when an employee/contractor terminates employment?
45. Are there clear and rigorously enforced restrictions on who has access to the datacenter, computer room or cabinets?
46. Do your policies and procedures specify the methods used to control physical access to your secure areas, such as door locks, access control systems, security officers, or video monitoring?
47. Are there strict policies outlining the procedures for after-hours access to the datacenter or computer room by personnel such as custodians?