1. Were you already aware that your business must comply with specific federal, state and industry laws to protect your customers and employees against identity theft and fraud?
2. If your business accepts credit cards, are you already
Administrative / Physical Safeguards
3. Do you have a formal Information Security Policy for your business? If so, have you done a complete review and update of your policy guidebook in the last 12 months? (Including technical, administrative and physical security policies and guidelines)
4. Do you have a dedicated Information Security Administrator who is trained and responsible for managing your information security policies and procedures?
5. Do you have a "Red Flags" identity theft detection/response program? (Including on-going staff training and reporting procedures)
6. Do you have an employee/staff training program for information privacy and security? (And has everyone in your business completed this training?)
7. Do you have formal employee hiring and firing policies and procedures to safeguard your business against insider security threats?
8. Have all your employees signed an Information Security and Privacy Agreement protecting you from insider theft and abuse?
9. Do you have a detailed security breach response plan? (Including reporting to the proper authorities and required communications to affected customers)
10. Do you securely dispose of customer and employee information? (Including secure computer data disposal, document shredding, etc.)
11. Do you restrict physical and electronic access to customer and employee information? (Including passwords, user authentication, locked filing systems, keyed entry, etc.)
12. Have you installed a hardware firewall to protect your Internet connection, and properly configured it by closing unnecessary and high-risk data ports?
13. If you have a computer network (of any size), do you have security software installed on your server(s)? (And updated daily)
14. Do you have security software installed and updated on every computer that connects to your business or your computer network? (Anti-malware, desktop firewall, etc.)
15. Have you changed the manufacturer's default passwords on all your computers, servers, routers, Wi-Fi connections, etc.?
16. Do you change passwords regularly for all employee and system logins?
17. Do you have a computer security professional perform a manual security checkup on every computer and/or server regularly - at least quarterly or semi-annually? (To ensure there are no hidden viruses, keyloggers, rootkits, etc. that may be stealing information)
18. Do you regularly check for and install all high-priority system patches on each computer and server? (To close security holes found and used by hackers to break in and steal information)
19. Do you encrypt electronic copies of customer and employee information?
20. Do you conduct vulnerability assessments for your business on a quarterly or semi-annual basis? (Including all Internet connections, network penetration testing, website scans, and computer vulnerability testing)