09 Dec Secure Enough? A Security Audit Checklist for Your Business
Your Security Audit Checklist: The Big Picture
With intrusions, theft, and cybercrime in the news, you’re likely wondering how to keep your business safe. Even if you have decent security policies in place, there are always weaknesses to address. With this in mind, we’ve created a list of questions to guide your business security audit. Our list covers the physical, personnel, network, and data layers of your business, along with their access points, to help ensure proper protection from bad actors, system failures, and disastrous events.
If you’re concerned about the state of your business security, now may be a good time to conduct a security audit of your location, personnel, and computer systems. Below is a security audit checklist for your business, to help ensure you’ve covered all the bases.
Protecting Your Business Location
Here are some of the basic questions to consider when auditing your location security:
- Entry Points. Are your windows and doors properly locked and secured? Do you have good locks, whether manual or electronic, in place to protect your premises?
- Alarm and Fire Detection Systems. Do you have alarms for intrusion and fire? Does your alarm system include 24-hour monitoring, motion detection, and remote management?
- Access Control System. Do you have a system to control who gets access to your location, and to log when employees arrive and depart? Many companies implement card-access or biometric scanning systems. Have you considered the advantages of such a system?
- Keyholders. Do you have accurate documentation of all keyholders to your property? Do you have a process for tracking and updating this information?
- Emergency Plans. Do you have a plan in place in the case of a fire, security breach or power failure? A good emergency plan should include how to safely exit the building and secure the location if necessary. A proper disaster recovery plan (see below) should also be established.
- Employee IDs. Do employees wear badges with picture ID for easy identification?
- Guest Policy. Are guests escorted to and from their meetings? Do you provide them with access to a guest-designated WiFi connection?
- Vendor Policy. Are janitorial and maintenance staff properly screened before hiring, and have you trained them in your key/card access policies?
- Video Surveillance. Are you conducting video surveillance, and are the cameras in your video camera system up-to-date and properly installed?
- Video Camera Types. What kind of cameras do you have in place? If you haven’t considered it, now may be a good time to upgrade from a CCTV system to a modern IP camera system, which can allow you to monitor your premises from your smartphone or personal computer.
- Video Camera Placement. Have you considered the placement of your video cameras? Entrances and exits are obvious locations, but so are the sites of valuable equipment. Also consider: staff often report feeling safer when video cameras are in place to monitor public areas such as lobbies and parking lots.
- Surveillance Footage. Is your surveillance camera footage properly managed and stored? Is it easily accessible if there’s an incident on your premises?
Employee Protocols and Access Management
- Employee Background Checks. Do you conduct background and reference checks during the hiring process?
- Access Privileges. Do you have a clear process in place for assigning or removing access privileges during the onboarding or offboarding process? Are user accounts controlled and managed by an authorized IT staff member?
- Laptop and Device Management and Retrieval. Do you have a process for retrieving company laptops and devices? Do you have a process in place for wiping or formatting smartphones and ensuring all information, including passwords, is removed? Do you allow employees to bring their own laptops or devices to work, and do you have a way to ensure those devices are not introducing security vulnerabilities?
- Remote Access Management. Do you have clear rules and expectations about employee use of company laptops when away from the office? Do they use a virtual private network (VPN) for remote access to your business systems? Are there strict password protocols in place, and does your staff use a business password manager? If you work with an IT vendor using remote access management software, are you aware of their policies and security protocols?
- File Sharing and Collaboration. If your employees collaborate or share files on the cloud, are you able to track where and when your employees access and share files?
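The access-privilege and device-retrieval questions above come down to one recurring check: does every enabled account still belong to a current employee, with only the privileges that employee's role allows? The script below is an added example, not code from the original post or from 24Online. It reconciles a constructed HR roster against a constructed list of system accounts and reports orphaned accounts (no matching employee, or a terminated one), privilege drift (a privileged group the role is not entitled to), and dormant accounts. The input records, the role-to-group mapping and the 90-day idle threshold are assumptions for the example; a real run would export these from your HR system and directory.

```python
"""
Access reconciliation check for offboarding audits.
Added example (not from the original post); all data below is constructed.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    username: str
    status: str                 # "active" or "terminated"
    role: str
    end_date: Optional[date]    # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    groups: frozenset[str]
    last_login: Optional[date]  # None if the account has never logged in


# Which roles may hold each privileged group (assumption for this example).
PRIVILEGED_GROUPS = {
    "domain-admins": {"it-admin"},
    "finance-approvers": {"finance", "cfo"},
}

# Constructed HR export: who is currently employed and in what role.
ROSTER = [
    Employee("alice", "active", "it-admin", None),
    Employee("bob", "terminated", "finance", date(2023, 11, 15)),
    Employee("carol", "active", "sales", None),
    Employee("dave", "active", "finance", None),
]

# Constructed directory export: accounts, group membership, last login.
ACCOUNTS = [
    Account("alice", True, frozenset({"domain-admins", "staff"}), date(2023, 12, 8)),
    Account("bob", True, frozenset({"finance-approvers", "staff"}), date(2023, 11, 14)),
    Account("carol", True, frozenset({"domain-admins", "staff"}), date(2023, 12, 1)),
    Account("dave", True, frozenset({"staff"}), date(2023, 8, 1)),
    Account("svc-backup", True, frozenset({"staff"}), date(2023, 12, 9)),
    Account("erin", False, frozenset({"staff"}), None),  # already disabled
]


def find_orphaned_accounts(accounts, roster):
    """Enabled accounts with no active employee behind them."""
    by_user = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are the desired end state
        emp = by_user.get(acct.username)
        if emp is None:
            findings.append((acct.username, "no matching HR record"))
        elif emp.status != "active":
            findings.append((acct.username, f"employee terminated on {emp.end_date}"))
    return findings


def find_privilege_drift(accounts, roster):
    """Privileged group memberships the employee's role does not permit."""
    by_user = {e.username: e for e in roster}
    findings = []
    for acct in accounts:
        emp = by_user.get(acct.username)
        if emp is None:
            continue  # reported by find_orphaned_accounts instead
        for group in sorted(acct.groups):
            allowed = PRIVILEGED_GROUPS.get(group)
            if allowed is not None and emp.role not in allowed:
                findings.append((acct.username, group, emp.role))
    return findings


def find_dormant_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts unused for longer than max_idle_days (or never used)."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_login is None:
            findings.append((acct.username, None))
            continue
        idle = (today - acct.last_login).days
        if idle > max_idle_days:
            findings.append((acct.username, idle))
    return findings


if __name__ == "__main__":
    print("Orphaned:", find_orphaned_accounts(ACCOUNTS, ROSTER))
    print("Privilege drift:", find_privilege_drift(ACCOUNTS, ROSTER))
    print("Dormant:", find_dormant_accounts(ACCOUNTS, date(2023, 12, 9)))
```

Each finding is a question for the audit rather than an automatic action: an account with no HR record may be a legitimate service account that simply needs an owner recorded, while a terminated employee's still-enabled account is exactly the offboarding gap the checklist item asks about.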
Email is one of the primary ways that intruders gain access to computer networks. Phishing and ransomware are two common tactics. If you haven’t already done so, you should implement clear and robust protocols for your employees around the creation of passwords and avoidance of suspicious emails and attachments. If possible, your email communications should be encrypted.
Computer Network Security
- Network Security. How secure are your networks? Do you have a firewall, intrusion detection, and updated antivirus software in place?
- Software Policy. Is all of your software properly licensed and regularly updated? Is there a policy in place regarding the download and installation of new software?
- Hardware Maintenance. Are you conducting regular maintenance of all computer hardware and systems? Remember that data can be lost through hardware failure as well as through hacking and theft, and your maintenance plan should protect against both.
- Data Backups. Is your data being backed up on a regular schedule? Have you considered backing up your data to the cloud, as well as local servers? Good data backup practices are one of the most important ways you can protect your business from ransomware attacks.
- Disaster Recovery. Do you have a good disaster recovery plan in place? Have you anticipated the various possible threats to your business, including flood, fire, earthquake, war, cyberattack, and more? When an emergency occurs, will you be able to recover your data and get back to business?
- Working With an IT Vendor. If you’re working with a third-party IT vendor, have you checked their references and confirmed they have good security practices? Do they conduct background checks on their employees, or do they have specific measures in place to confirm their employees are ethical and trustworthy? Do you require vendors to sign confidentiality or nondisclosure agreements?
- WiFi Passwords and Policies. Do you have good password protection for your WiFi connections? Do you have a separate WiFi account for company guests?
- Penetration Testing. Have you considered conducting cybersecurity penetration testing to protect your business from hackers by identifying any vulnerabilities in your computer networks?
Protecting Client Information
- Client Information Storage. Do you have a clear policy in place for the long-term storage of client information? Are you encrypting any financial, legal, or medical information, as is often required by law?
- Document Security. Are filing cabinets properly locked and secured? Are there cable locks on your business computers?
Your Website as an Asset
- Web Hosting. Many business owners fail to consider the fact that their website is a major business asset. Making sure your website is secure, updated, and supported by a quality web hosting provider is an important part of protecting the integrity of your business. If you run an e-commerce business, it’s your responsibility to ensure the proper protection of your customers’ credit card or payment details.
Regular Security Audits and Training
Finally, and perhaps most importantly, do you conduct regular security audits and employee trainings to ensure the safety of your business assets? Your employees can often be the weakest link in your security strategy, especially newly hired staff members, who may not have been present for prior company-wide trainings. Be sure that your hiring process includes proper security training for all personnel. If you’d like to schedule a security training, please let us know, and we can create a customized session for your team.
Don’t Wait for a Crisis
Don’t wait for a crisis or intrusion to take place before you address the state of your business security. Conduct thorough, regular audits to pre-empt problems before they occur. Even an informal audit will help you determine your points of weakness, as well as the kinds of questions you’ll want to ask prospective security vendors.
We hope this security audit checklist has been useful. If you’d like assistance conducting an audit of your business security, including IT systems and protocols, fill out the following form and a staff member from 24Online will get back to you promptly.
24Online provides IT outsourcing services and cloud-based solutions for high-growth companies from our headquarters in Amman, Jordan. We provide technical support to companies throughout Amman, and IT consulting services and remote support plans for companies across the greater Middle East region and beyond.