|Procedures Certification Standards|
Information and Physical Security
a. Is there a contractor accreditation process?
b. Is there a security access process?
c. How often is your information security plan reviewed?
d. How often is your information security plan distributed and reiterated to employees?
e. What are the elements of your information security plan?
f. What methods are used to ensure the physical security of the facility?
g. Does your company conduct background checks prior to employment?
h. How often are the backgrounds of current employees re-checked?
i. What type of user credentials are required to gain access to secure information?
j. Are computers and servers that contain confidential and sensitive information physically isolated and secure?
k. What type of security levels, groups, and access are set up to limit viewing and changing confidential and sensitive data?
l. What type of security are personal computing items (laptops, smart phones, tablet, etc.) required to have?
m. How far back do user access logs go?
n. How often are cryptography methods updated, patches installed (if available)?
o. How often are security-related operating system patches installed?
p. How often are systems audited for user-related activities?
q. How often is compliance with security policies audited?
r. Are data files encrypted internally?
s. Are data files and other communications encrypted when transmitted off premises?
t. How often are critical data backed-up?
u. What type of anti-virus and anti-malware tactics are employed?
v. Are there multiple physical or virtual networks for administrative, corporate, and operational staff and equipment?
w. Are firewalls employed on all external network connections?
x. At what point is security considered when designing new services?
y. Are there controls in place to limit remote access from vendors and suppliers?
z. Do security breaches and vulnerabilities follow the same procedures as service events or incidents?
We invite you to submit your comments by email to Executive Director Robert Bell.