Small Business IT Risk Assessment



Similar documents
Client Security Risk Assessment Questionnaire

Payment Card Industry Self-Assessment Questionnaire

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Question Name C 1.1 Do all users and administrators have a unique ID and password? Yes

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Cyber Self Assessment

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Policies and Procedures

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Supplier Security Assessment Questionnaire

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

System Security Plan University of Texas Health Science Center School of Public Health

HIPAA Privacy and Security Risk Assessment and Action Planning

Georgia Institute of Technology Data Protection Safeguards Version: 2.0

CSU, Chico Credit Card PCI-DSS Risk Assessment

Instructions for Completing the Information Technology Examination Officer s Questionnaire

SECURITY OVERVIEW FOR MY.ENDNOTE.COM. In line with commercial industry standards, Thomson Reuters employs a dedicated security team to protect our

PCI Requirements Coverage Summary Table

HIPAA RISK ASSESSMENT

PCI DSS Requirements - Security Controls and Processes

HIPAA Security Alert

Information Security & Management Systems

Controls for the Credit Card Environment Edit Date: May 17, 2007

PROTECTING YOUR VOICE SYSTEM IN THE CLOUD

UNIFIED MEETING 5 SECURITY WHITEPAPER INFO@INTERCALL.COM INTERCALL.COM

How To Protect Research Data From Being Compromised

Managed Hosting & Datacentre PCI DSS v2.0 Obligations

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Network and Security Controls

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

BMC s Security Strategy for ITSM in the SaaS Environment

IBX Business Network Platform Information Security Controls Document Classification [Public]

Symposium (FBOS) PCI Compliance. Connecting Great Ideas and Great People. Agenda

White Paper: Librestream Security Overview

PII Compliance Guidelines

VRH s Internal Customer Service Policy

Security Threat Risk Assessment: the final key piece of the PIA puzzle

OIT OPERATIONAL PROCEDURE

Best Practices For Department Server and Enterprise System Checklist

SITECATALYST SECURITY

PCI DSS COMPLIANCE DATA

PCI Data Security and Classification Standards Summary

Vendor Risk Assessment Questionnaire

Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s

PCI Data Security Standards

Aug. Sept. Oct. Nov. Dec. Jan. Feb. March April May-Dec.

Data Security in the Insurance Industry: WHAT YOU NEED TO KNOW

Supplier Information Security Addendum for GE Restricted Data

CHIS, Inc. Privacy General Guidelines

OCR LEVEL 3 CAMBRIDGE TECHNICAL

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

FINAL May Guideline on Security Systems for Safeguarding Customer Information

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Intel Enhanced Data Security Assessment Form

PCI Requirements Coverage Summary Table

Birst Security and Reliability

PierianDx - Clinical Genomicist Workstation Software as a Service FAQ s

IT - General Controls Questionnaire

A Practical Approach to Network Vulnerability Assessment AN AUDITOR S PERSPECTIVE BRYAN MILLER, IT DIRECTOR JOHN KEILLOR, CPA, AUDIT PARTNER

Physical Protection Policy Sample (Required Written Policy)

FormFire Application and IT Security. White Paper

Becoming PCI Compliant

H.I.P.A.A. Compliance Made Easy Products and Services

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Information Security Risk Assessment Checklist. A High-Level Tool to Assist USG Institutions with Risk Analysis

Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

IT Security in Higher Education Survey Questionnaire

Introduction to Cyber Security / Information Security

Course: Information Security Management in e-governance. Day 1. Session 5: Securing Data and Operating systems

Security Controls What Works. Southside Virginia Community College: Security Awareness

Payment Card Industry (PCI) Compliance. Management Guidelines

Corporate Account Takeover (CATO) Risk Assessment

Credit Card Acceptance Policy. Vice Chancellor of Business Affairs. History: Effective July 1, 2011 Updated February 2013

County Identity Theft Prevention Program

Retention & Destruction

On-Site Computer Solutions values these technologies as part of an overall security plan:

F G F O A A N N U A L C O N F E R E N C E

worldpay.com Understanding the 12 requirements of PCI DSS SaferPayments Be smart. Be compliant. Be protected.

Vendor Questionnaire

Through the Security Looking Glass. Presented by Steve Meek, CISSP

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Estate Agents Authority

Security Controls for the Autodesk 360 Managed Services

Print4 Solutions fully comply with all HIPAA regulations

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

Agenda. Cyber Security: Potential Threats Impacting Organizations 1/6/2015. January 10, 2015 Scott Petree

SMS. Cloud Computing. Systems Management Specialists. Grupo SMS option 3 for sales

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

PROPOSED PROCEDURES FOR AN IDENTITY THEFT PROTECTION PROGRAM Setoff Debt Collection and GEAR Collection Programs

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Lauren Hamill, Information Governance Officer. Version Release Author/Reviewer Date Changes (Please identify page no.) 1.0 L.

Payment Card Industry Compliance

Rajan R. Pant Controller Office of Controller of Certification Ministry of Science & Technology rajan@cca.gov.np

The Practice of Internal Controls. Cornell Municipal Clerks School July 16, 2014

Transcription:

Small Business IT Risk Assessment Company name: Completed by: Date: Where Do I Begin? A risk assessment is an important step in protecting your customers, employees, and your business, and well as complying with the law. This Information Technology Risk Assessment survey helps identity all of the information assets you handle, the controls in place, and areas of high risk or threats. Steps for completing this risk assessment: Step 1: Step 2: Step 3: Step 4: Step 5: Complete the questionnaire below. Use additional paper as needed to add notes or new survey questions. Based on your responses apply a risk rating for each of the applicable categories. Rate your risk on a scale of 1-5, with 1 being the least secure, and 5 the most secure. List specific areas of high risk or threats, along with any new control that may be needed Present your findings to management and the board, and implement new controls as needed. Update your risk assessment at least once a year, comparing your results to previous versions I. Company Information Business primary address: Phone: Date company was formed: Number of employees (FTE): Type of business (check one): Corporation Partnership Individual Other Nature of business: Website url(s): Do you conduct business outside the US? Yes No If yes, identify countries: II. Management Supervision Management and board supervision are essential for an effective information security program, and often mandated by state and federal regulations. Do you have a written information security plan? Are you aware of, and in compliance with, any laws mandating information security? Are adequate data protection procedures in place and monitored by management? Do you use third party vendors for managing your network? Do third party vendor contracts provide adequate controls? Are third party contracts monitored at least annually? Are sufficient procedures in place for incident reporting? Do you have a business continuity plan and/or disaster recovery plan? Do you deliver up-to-date security training to management and staff? Is the Board actively involved with your information security plans and procedures? Page 1

Rate your Management Supervision risk on a scale of 1-5, with 1 being the least secure, and 5 the most secure: Least Secure 1 2 3 4 5 Most Secure Reason for the rating: List areas of high risk (threats): List new controls needed: III. Personnel Security Pre-employment screening, such as background checks, should be conducted for individuals that will handle sensitive information. Do you perform background checks on all employees with access to sensitive information? Do background checks include criminal history? Are photo IDs required for employment? Are photo IDs or visitor badges worn in the workplace? Do you delete security access immediately upon employee termination? Rate your Personnel Security risk on a scale of 1-5, with 1 being the least secure, and 5 the most secure: Least Secure 1 2 3 4 5 Most Secure Reason for the rating: List areas of high risk (threats): List new controls needed: Page 2

IV. Physical Security This section helps identity the physical security controls in place, and determine if any physical weaknesses exist for protecting sensitive information Is access to the building(s) securely maintained during business hours and after hours? Are sufficient locks maintained on all doors, windows, and entrances? Do you have a security alarm system? Do you have security cameras on premise? Are employees and/or visitors required to wear badges? Is the building(s) adequately protected against fire? Does the building(s) have a fire alarm system? Is the building(s) protected with sprinklers? Are sensitive files and documents stored in fireproof files or vaults? Is the building(s) adequately protected against water damage? Is access to network equipment such as servers and storage media containing sensitive data physically protected? (Check all that apply) Areas are restricted to authorized employees only List other physical security issues for your business: Software permission controls Rate your Physical Security risk on a scale of 1-5, with 1 being the least secure, and 5 the most secure: Least Secure 1 2 3 4 5 Most Secure Reason for the rating: List areas of high risk (threats): List new controls needed: Page 3

V. Identify Your Information Assets Using the list of common types of information assets below, identify all types of consumer, employee and business information that your company handles. Mark the level of risk (Low, Medium, or High) for each item, or N/A if it is not applicable to your business. Use the following risk level descriptions as a guideline: Level 1: Low Risk Level 2: Medium Risk Level 3: High Risk Customer and Employee Information Information you handle for customers, personnel, and your business that is publicly available. This level of information generally includes information that is not Personally Identifiable Information (PII), or information that would not harm your customers, employees, or your business such as, phone numbers, office policies, vendor information, etc. Highly sensitive information your business handles or has access to such as customer records, personnel files, credit/debit card numbers or other payment information, financial reports, passwords, PIN, social security numbers, etc. Note: If this type of information is used by your company and is present on websites, computer systems, mobile devices or emails, it must be rated as Level 3: High Risk. Level of Risk Individual addresses/phone numbers 1-Low 2-Medium 3-High N/A Email addresses 1-Low 2-Medium 3-High N/A Date of birth 1-Low 2-Medium 3-High N/A SSN 1-Low 2-Medium 3-High N/A Password/PIN 1-Low 2-Medium 3-High N/A Photos/signatures 1-Low 2-Medium 3-High N/A Account information 1-Low 2-Medium 3-High N/A Purchase/transaction history 1-Low 2-Medium 3-High N/A Criminal history 1-Low 2-Medium 3-High N/A Employee records 1-Low 2-Medium 3-High N/A Medical records 1-Low 2-Medium 3-High N/A Financial/banking 1-Low 2-Medium 3-High N/A Legal documents 1-Low 2-Medium 3-High N/A Credit/debit card information 1-Low 2-Medium 3-High N/A ACH/electronic payments 1-Low 2-Medium 3-High N/A Paper checks 1-Low 2-Medium 3-High N/A List other highly sensitive customer/employee information: Business Information Level of Risk Public information/brochures 1-Low 2-Medium 3-High N/A Press releases 1-Low 2-Medium 3-High N/A Social media postings 1-Low 2-Medium 3-High N/A Office policies 1-Low 2-Medium 3-High N/A Vendor information 1-Low 2-Medium 3-High N/A Page 4

Management/board member credentials 1-Low 2-Medium 3-High N/A Management/board reports 1-Low 2-Medium 3-High N/A Email correspondence 1-Low 2-Medium 3-High N/A Purchase orders 1-Low 2-Medium 3-High N/A Accounting/financial 1-Low 2-Medium 3-High N/A Marketing/sales 1-Low 2-Medium 3-High N/A Legal/contracts 1-Low 2-Medium 3-High N/A Medical/insurance records 1-Low 2-Medium 3-High N/A Trade secrets/patents 1-Low 2-Medium 3-High N/A List other highly confidential information that is the lifeblood of a company: Public-Facing Website Level of Risk Identify and rate all information you collect and/or share with customers via a Website? Personal information (names, address, phone, etc.) 1-Low 2-Medium 3-High N/A Account information 1-Low 2-Medium 3-High N/A Purchase/transaction history 1-Low 2-Medium 3-High N/A Accept online credit/debit card payments 1-Low 2-Medium 3-High N/A Online enrollment or application forms 1-Low 2-Medium 3-High N/A Financial information 1-Low 2-Medium 3-High N/A Medical records 1-Low 2-Medium 3-High N/A Legal documents 1-Low 2-Medium 3-High N/A List other sensitive information located on customer-facing Website(s) VI. Network Security All of the sensitive information assets listed in the previous section must be protected. This section will help to define your company s network security strengths and vulnerabilities, and assign a risk rating for the level of security provided. If you use a third-party to manage networks, you may need to verify controls with them. Basic Network Controls Do you use firewalls, routers and other devises to protect your network? Are firewalls, routers, and other devices securely configured to control access? Have the following configuration steps been completed? Changed the default admin passwords Removed unneeded services Do you use updated anti-virus and anti-spyware software: Page 5

On all desktop computers with automatic update On all computers and servers with automatic update To Scan all incoming email Do you regularly update software and security patches: On all desktop computers with automatic update, where available On all computers and servers with automatic update, where available Secure Access to Information: Network Servers How do you limit access to your network? (Check all that apply) No controls, or use shared log on Unique user ID and password Unique user ID, password, plus additional authentication is required Do you use employee permission controls to restrict access to authorized users? Is employee access to the network monitored? Are unsuccessful log on attempts monitored? Is email used to send or receive sensitive information? If so, is the email encrypted? Secure Access to Information: Wireless and Remote Access Do you allow remote access to your network? If Yes, how do your secure your remote access? (Check all that apply) Unique user ID and password VPN or similar VPN with additional authentication required Do you require minimum security standards (anti-virus, firewall, etc) for computers with remote access? Do you have a wireless network? If Yes, is the wireless network secured? (Note, WEP is not a secure encryption protocol for wireless networks.) Is the wireless network for guest access and is it on a separate subnet from the rest of the network? Secure Access to Information: Public-Facing Website Do you have sensitive customer information on your Website? (If no, skip this section) Is your public-facing Website hosted by a third party vendor? If yes, are third party vendor contracts up-to-date and cover all expectations for security? How is your public-facing Website(s) secured? (Check all that apply) Unique user ID and password Additional authentication is required Firewall Encrypted with Secure Socket Layer (SSL) Other Page 6

Secure Access to Information: Payment Card Handling Do you accept credit cards and other payments from your Website? (If no, skip this section) If yes, Is the payment process PCI certified? Do you use a third party vendor(s) to process credit cards and other payments from customers? If yes, are third party vendor contracts up-to-date and cover all of expectations for security? If yes, does your business follow PCI, SSAE 16, SAS70, HIPAA or other guidelines for controlling employee access to this information? Storage of sensitive information Do you store sensitive information on any of the following media? If Yes, is it encrypted? Sensitive Data Encrypted Network files/database Yes No Yes No Desktop computers Yes No Yes No Laptops/tablets Yes No Yes No Mobile phones/devices Yes No Yes No Flash drives, CD, DVD, or other portable storage Yes No Yes No Backup tapes and other media Yes No Yes No Cloud data storage Yes No Yes No Other: Yes No Yes No Disposal of Information Do you remove unnecessary files or data at least annually, especially sensitive information? How is sensitive information permanently destroyed? (Check all that apply) Electronic files and data are securely removed Paper checks and records with sensitive data is cross-shredded Third party vendor is used to shred documents or remove data Data is permanently removed before equipment is sold or discarded Are there regular audit reviews of the company s disposal policies? Data Breach Loss/Back up/disaster Recovery Do you have alternative (redundant) hosting facilities in the event of failure? Do you have an acceptable procedure for back up of your data? Where is your back up data stored? (Check all that apply) On a redundant storage device on site Backup media is moved to a secure off-site storage location Online backup provider Is the backup information encrypted? (Check all that apply) The backup media is encrypted (tapes, hard drives, etc.) Online backups use a secure connection (e.g. SSL) Backups are encrypted at rest (e.g. redundant storage device or online backups are encrypted on the server) Page 7

Intrusion Systems Is there an intrusion detection or prevention system used in the company s network? Is a vulnerability scan or penetration test performed on all Internet-facing systems? List other network security issues for your business: Rate your Network Security risk on a scale of 1-5, with 1 being the least secure, and 5 the most secure: Least Secure 1 2 3 4 5 Most Secure Reason for the rating: List areas of high risk (threats): List new controls needed: Page 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information