“Stop the Stupid….” Was a mantra that one security vendor used (internally) to describe the purpose of their solutions. They felt that if they could stop the inherently unsafe activities of their customers, the world of IT would be more secure. So, I have compiled a list of questions & checkpoints that I think every organisation should be asking of themselves……and to plagiarise Pareto, this would be my 80/20…. or should that be 79/21?
After 20 years in data security, I think it is fair to say that people are the most likely cause of a security breach or data loss, and in most cases, your staff. The likelihood is that this will be inadvertent, so a continual drip feed of training is required to develop a culture of security. This should be sponsored from the top down, so as to ensure it is taken seriously. Once trained, accountability and openness are to be encouraged. For that reason, I’ll start by focussing on people, before looking at the processes and IT systems in use.
Questions (in no particular order):
- Who is responsible for data security / privacy?
- When was the last time that training was provided to staff on security best practice on:-
- Password policy (the easiest way into your IT)
- Email security (do staff know how to look out for fake emails?)
- Social media policy (you can be liable for employee comments on LinkedIn)
- Is the current approach to BYOD based on an agreed assessment of risk?
- Do your staff know the regulatory compliance requirements (GDPR/PECR/PCI), and therefore their obligations?
- Who has administration access to what?
- Have IT adopted a principle of least privilege?
- What is the process for staff leavers, and is it adhered to?
- Where exactly is sensitive data stored? (servers, DC’s, Cloud applications, laptops, USB drives etc)
- What % of servers, pc’s & laptops are fully up to date with OS & application patches?
- What % of servers & pc’s are fully up to date with a quality AV solution, do we have a network firewall in place, and is it configured for security?
- Have all of our software & hardware default passwords been changed?
- When was the last test recovery of data and systems from backup? (Gartner Best Practice)
- How secure is the Wifi – is secure separate guest access configured?
- Are cctv, video & audio files protected in the same way as other sensitive data?
- Are all laptops encrypted?
- Do staff install their own software on corporate devices? (Phones/Laptops etc)
- Does BYOD mean that company & personal data is stored on staff devices?
- How secure is our website? (esp if taking payments)
- How do we ensure cloud services are secure?
- Are there policies & processes to capture and communicate best practice of the above requirements? (Privacy, Leavers, Backup, DR, Social Media, Breach notification etc)
- Who is our Security partner and advisor? Do you trust them?
Security best practice is not binary, often subjective and complex. For that reason, this list is best used to instigate discussion, gain input from the stakeholders and achieve a greater understanding from management.
For additional information, the NIST publication “Generally Accepted Principles and Practiced for Securing Information Technology Systems” is a good place to start.
If you would like to know more about us, take a look at our website, or to talk about how we could help with any of the questions above, or your IT in general, please get in touch using firstname.lastname@example.org