Audit Checklist of Information Security Program
Cybersoft, Inc. (Cybersoft) monitors, tests and evaluates the efficiency and effectiveness of the key controls, systems and procedures that safeguard Customer Information under its Information Security Program, and adjusts the Program accordingly in light of material changes to Cybersoft’s operations or business arrangements, or any other circumstance that Cybersoft knows, or has reason to know, may have a material impact on its Information Security Program.
Toward this end, Cybersoft has designated a Program Coordinator tasked with monitoring and assessing, on a continuing basis, the efficiency and sufficiency of the key controls, systems and procedures installed to safeguard Customer Information against identifiable and foreseeable risks, and with making appropriate adjustments and adaptations when enhancements to SafeboxIQ, changes to Cybersoft’s operations or business relationships, or technological advancements may have a material impact on Cybersoft’s Information Security Program.
To carry out this task, the Program Coordinator uses the following Audit Checklist.
AUDIT QUESTIONNAIRE | FINDINGS | RECOMMENDATIONS | RISK ASSESSMENT
Employee Management and Training
Are background checks, reference verifications and consumer/criminal report checks conducted on current employees and new hires who have, or will have, access to Customer Information?
Have employees who have access to Customer information signed an agreement to abide by Cybersoft’s Information Security Standards as an essential part of his/her duties and a condition to continued employment?
Is access to Customer Information restricted to designated employees only?
Is access to Customer Information limited solely for purposes of completing an employee’s work assignment and only on a “need to know” basis?
Have employees been taught what to do when Customer Information is requested outside the field of Cybersoft’s ordinary business or beyond the scope of an employee’s authority?
Do employees observe caution in the use of computer passwords?
Do employees know the guidelines regarding proper and improper disclosure of Customer Information?
Have employees been instructed on, and do they apply, the secure use of the Internet, e-mail and the downloading of software, applications and electronic records?
Have employees been educated about spear phishing and phone phishing, and do they act accordingly?
Are employees trained to recognize and handle security threats and vulnerabilities (e.g. a lost or stolen laptop may indicate a possible security breach), and are they prepared to apply, or have they applied, that training?
Do employees know the steps to take when security threats and vulnerabilities are observed, particularly immediately notifying the Program Coordinator, and have they applied or are they prepared to apply those steps?
Are Statements of Information Security Standards posted as reminders to employees?
Has Cybersoft taken measures to foster and encourage security consciousness among its employees?
Are security safeguards practiced when an employee is transferred to another unit within Cybersoft or ceases employment?
Are employees observed to have imbibed the “culture of security” that Cybersoft aspires for the company?
Information Systems
Has a reasonably recent updated inventory of all computers, information, transmission, storage and disposal systems, and other equipment been conducted, particularly in areas where Customer Information is handled?
Have the pathways in the handling of Customer Information, including who sends it to Cybersoft and how; who receives it for Cybersoft and how; and, how it moves through and out of Cybersoft been examined for possible security issues? Have vulnerabilities been exposed and fixed?
Have proper information systems and equipment disposal practices been established and applied?
Detecting Data Breaches
Is the intrusion detection system in use functioning properly and recently updated?
Are central log files of security-related information, used to monitor activity on Cybersoft’s network to spot and respond to attacks, properly and currently maintained?
Is incoming traffic monitored for signs of hacking, including new user activity, multiple log-in attempts and higher-than-average traffic at unusual times of the day?
Is outgoing traffic monitored for signs of a data breach, i.e. transmission of unexpectedly large amounts of information from Cybersoft’s network?
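One way an auditor could spot-check the monitoring this section asks about, as an added example that is not part of Cybersoft’s checklist or program: the script below runs the four signals named here (repeated log-in attempts, new user activity, off-hours activity, unexpectedly large outbound transfers) over constructed sample log lines. The log format, field names and thresholds are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines (not from the page): timestamp, event type, key=value fields.
AUTH_LOG = [
    "2024-03-02T02:11:05 auth result=failed user=jdoe src=203.0.113.7",
    "2024-03-02T02:11:09 auth result=failed user=jdoe src=203.0.113.7",
    "2024-03-02T02:11:14 auth result=failed user=jdoe src=203.0.113.7",
    "2024-03-02T02:12:01 auth result=success user=jdoe src=203.0.113.7",
    "2024-03-02T02:15:00 useradd user=svc_tmp by=jdoe",
    "2024-03-02T09:30:00 auth result=success user=asmith src=10.0.0.15",
]
FLOW_LOG = [
    "2024-03-02T02:20:00 flow dir=out src=10.0.0.15 dst=198.51.100.9 bytes=734003200",
    "2024-03-02T10:00:00 flow dir=out src=10.0.0.15 dst=198.51.100.9 bytes=20480",
]
FIELD = re.compile(r"(\w+)=(\S+)")

def parse(line):
    # Returns (event_type, fields); the hour of day is added for time-of-day checks.
    ts, kind, rest = line.split(" ", 2)
    fields = dict(FIELD.findall(rest))
    fields["hour"] = int(ts[11:13])
    return kind, fields

def failed_login_bursts(lines, threshold=3):
    # (user, src) pairs with at least `threshold` failed logins: repeated log-in attempts.
    hits = Counter()
    for kind, f in map(parse, lines):
        if kind == "auth" and f["result"] == "failed":
            hits[(f["user"], f["src"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

def new_user_events(lines):
    # Account creations, i.e. the "new user activity" the checklist asks about.
    return [(f["user"], f["by"]) for kind, f in map(parse, lines) if kind == "useradd"]

def off_hours_activity(lines, start=8, end=18):
    # Events timestamped outside business hours [start, end); assumed hours.
    return [line for line in lines if not start <= parse(line)[1]["hour"] < end]

def large_outbound(lines, limit_bytes=100 * 1024 * 1024):
    # Outbound flows above limit_bytes: unexpectedly large transfers out of the network.
    flagged = []
    for line in lines:
        kind, f = parse(line)
        if kind == "flow" and f["dir"] == "out" and int(f["bytes"]) > limit_bytes:
            flagged.append((f["src"], f["dst"], int(f["bytes"])))
    return flagged
```

Each function returns the flagged records so the auditor can compare them with what the intrusion detection system and central logs actually reported.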
Data Breach Response Plan
Has a Supervising Officer been designated, and is he or she on call for immediate notification of a data breach?
Has the team of experts to be assembled to conduct a comprehensive breach response been designated, and is it on call for immediate action?
Is the contact information on file for the local police department, the local FBI office or the U.S. Secret Service current?
Are steps to close off existing vulnerabilities or threats to Customer Information in place and ready for execution?
Is Cybersoft’s breach response team ready to mobilize right away to prevent additional data loss?
Are procedures for the investigation of data breach and security incidents set for immediate deployment?
Is the contact information of the independent forensic investigator who will determine the source and scope of a breach current?
Are steps in place to remove improperly posted information from the Web and ready for implementation?
Is Cybersoft’s communication plan to reach all affected audiences ready for immediate execution?
Does Cybersoft’s correspondence (Model Letter) to affected Customers, advising them to obtain a free fraud alert and credit freeze, contain current contact information, and is it ready for prompt mailing?
Is contact information of legal counsel current for consultation on state and federal laws?
Customer Information Safeguards
Physical Safeguards
Has the location of Cybersoft’s physical plant continued to be safe and secure?
Do posted security guards adequately secure the building and Cybersoft’s premises?
Do the CCTV cameras monitor all sensitive areas and properly function?
Are security procedures which involve the screening, sign-in and issuance of ID badges to employees and visitors effective and being efficiently implemented?
Have practices for handling and storing documents and paper files containing Customer Information been established and applied? These cover workplaces and storage under lock and key, as well as restricted areas.
Do storage areas for paper and electronic records remain secure and limited to authorized employees?
Are paper and electronic records securely stowed in durable cabinets with locks and safe fireproof receptacles?
Electronic and System Safeguards
Is current access to electronic Customer Information password controlled?
Are electronic records stored in secure servers located in locked rooms?
Verify that Customer Information is stored on computers without an Internet connection unless such a connection is essential for the performance of the service product.
Is encryption software updated and in use for Customer Information?
Are updated virus protection and anti-malware software in use, and is regular scanning conducted?
Are computers on Cybersoft’s network regularly scanned to locate open network services that may not be needed, and are such services disabled to keep hackers out?
When shipping Customer Information using outside carriers, is the information encrypted, and are overnight shipping couriers that track deliveries used?
Is the backup system functional and religiously in use?
Are firewalls properly configured, are security patches downloaded on a regular basis, and are access controls reviewed periodically?
Is access by wireless devices to Cybersoft’s network limited to a minimum?
Selection and Oversight of Service Providers
Is the service provider willing to comply with Cybersoft’s Information Security Program?
Is the service provider’s data security program compatible with Cybersoft’s Information Security Program?
Will Cybersoft be able to verify records maintained by the service provider regarding the security of Customer Information?
Assess the service provider’s knowledge of, and attitude towards, regulations relevant to the services provided, particularly the Safeguards Rule.
Does the service provider have the experience, financial stability and reputation for data security?
Will Cybersoft have the right to audit the service provider’s records regarding Customer Information and documentation pertaining to the resolution of disclosed deficiencies, and to inspect the service provider’s facilities?
Is the service provider willing to be contractually accountable for securing Customer Information and for corrective measures in the event of a data breach?