Information Security Checklists
The security checklists (also referred to as security checklists or security control lists) on this site are based on the best practices advocated by international standards organisations and on what we have found useful while carrying out system and process reviews.
The scope of our checklists is based on the control areas listed below.
- Policy Control - this is essentially a set of controls that ensures policies are in place so that all parties understand an organisation's security requirements, and that they are subject to the governance and penalties outlined in those policies.
- Security Organisation - these controls make sure that there is actually someone, or some function, within an organisation responsible for ensuring that a set of security practices is in place, and that those practices are effective and fit for purpose.
- Asset Management - this is a set of controls to make sure that assets such as information, software and hardware are catalogued and that the effect of their compromise is understood.
- Staff Security - the main focus here is the set of policies and procedures that are given to staff as part of recruitment and induction, carried over to their daily responsibilities and reiterated on departure from a company or organisation.
- Physical Security - relevant controls here are related to the physical aspects of security that should be applied to provide different depths of security to physically protect assets of different value.
- Operational Security - the controls to be considered here cover a variety of technical and non-technical areas exposed to staff and suppliers who have an operational need to handle company assets of differing security value.
- Access Control - this covers physical access control and logical access control offered by technical processes such as system login IDs, network barriers such as firewalls, and more obvious controls offered by things such as locks and doors.
- Systems Acquisition and Deployment - controls governing how systems are purchased from reliable sources, licensed correctly and change-controlled to prevent security breaches.
- Incident Management - the controls here focus on all parties understanding whether an incident has occurred, how to calculate its severity, and how to put the correct processes in place to recover from incidents such as hacking, data leaks and virus outbreaks.
- Business Continuity Management - checks are carried out to make sure that the security of systems is not compromised in the event of business continuity being invoked, and that sensible and effective plans are put in place to make sure that scenarios are tested on a regular basis.
- Legal Compliance - legislation such as the Data Protection Act is covered by these checks, as are the audit processes that enable security controls to be measured to determine their effectiveness.
After reviewing the controls you may come to the conclusion that most are based on a degree of common sense; it's a plain fact that good IT and security practices are based on an 80:20 rule.
Work to 80 percent and you won't go far wrong. If you have a system or service that needs 100 percent compliance, then maybe you shouldn't be holding the data unless you are either a government organisation or a national infrastructure or service provider for things like water and power.
It is also a fact that this set of controls will grow / shrink / change over time. Security evolves with the world we live in. This list may seem overkill in some areas and sparse in others. If you have a need for bespoke advice, then contact us and ask about consultancy or a pointer to other information resources on the matter.
Feel free to make comments (or requests for other checklists to be included) on our checklists via the Contact Form on this website.