The Ultimate Network Security Checklist: 20 Questions to Help You Evaluate your IT Security
Having strong IT security is an absolute necessity in today’s hyper-technological, threat-laden world, and it will remain a top priority for organizations of all sizes and industries. While there’s no way to ensure that your organization is 100% protected against cybersecurity threats, you can significantly reduce your risk of becoming a victim. We’ve put together this checklist of security best practices to help guide you in evaluating your IT security and avoiding security breaches.
> Human Resources Policies:
☐ Does your organization have clear security and privacy policies that are known to all employees? These would include things like using appropriate controls to ensure that information is kept secure, complying with applicable laws and regulations, nondisclosure policies and restricting access to sensitive information to the people who need it, to name a few. Your employees should also have a copy of your security and privacy policies as part of their employee handbook and acknowledge that they have read and understood them.
☐ Does your organization have confidentiality agreements for contractors and vendors? Just like your employees, your contractors, suppliers, trading partners and vendors should also be aware of your security and privacy policies and be required to sign confidentiality agreements if they have any access to protected information.
☐ Do you educate employees on security best practices? Security education is extremely important and should be required annually at the very least. Employees should be educated on current cyber security attack methods such as phishing and threats including ransomware and social engineering.
> Data Backup & Recovery:
☐ Do you have a backup and disaster recovery plan and is it updated frequently? If a breach were to occur, you should have the backup and recovery capabilities to restore information quickly if necessary. A good backup and disaster recovery plan will help you minimize costly downtime.
☐ Do you have multiple or hybrid backups in place, and are they tested regularly? Critical data (anything needed in day-to-day operations, including customer information) should be backed up nightly to two locations for redundancy: typically one local backup and another to a remote location or to the cloud. Important data (anything important to the business that doesn’t get updated frequently) should be backed up at least semi-regularly off-site or to the cloud.
> Desktop & Device Security:
☐ Are all computers and devices updated with the latest system updates and security patches? It’s critical that your software is maintained to keep it running smoothly and to fix any security vulnerabilities. Keep your software up to date by checking regularly for updates and applying them. Most software can also be set to update automatically.
☐ Do all of your computers and devices have working anti-virus software? These days you absolutely need to have advanced anti-virus or anti-malware products regularly scanning your computers and devices to prevent or detect threats before they can infect your network. The advanced anti-virus should also provide host-based IDS/IPS and a firewall for that device.
☐ Do you protect mobile technology? While laptops have often been cited as the top mobile theft risk, mandatory passwords and encryption should also be extended to smartphones and tablets. Organizations should have a process to notify IT personnel if a device is misplaced or stolen and a tested process to erase the mobile device of all data remotely.
☐ Do you have a strong password policy? IT policies should mandate complex passwords, meaning at least eight characters with a combination of upper and lower case letters, numbers and special characters. Network settings should require personnel to change their passwords every 90 days, and personnel should not be able to reuse any of their previous ten passwords.
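As an added example, not from the page or Visual Edge IT, here is a small Python policy checker implementing exactly the parameters this item states (eight-character minimum with all four character classes, 90-day maximum age, no reuse of the last ten); storing the password history as salted PBKDF2 digests is an assumption of the example.

```python
"""Added example (not the page's own tooling): checks a candidate password
against the policy the checklist states: at least 8 characters mixing upper,
lower, digits and specials; rotation every 90 days; no reuse of the last ten.
Storing history as salted PBKDF2 digests is an assumption of this example."""
import hashlib
import os
import string
from datetime import date, timedelta

MIN_LENGTH, MAX_AGE_DAYS, HISTORY_DEPTH = 8, 90, 10
SPECIAL = set(string.punctuation)

def hash_password(password, salt=b""):
    """Return (salt, digest); the history keeps only these, never plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def complexity_violations(password):
    """Every complexity rule the candidate fails; an empty list means compliant."""
    checks = [
        (len(password) >= MIN_LENGTH, f"shorter than {MIN_LENGTH} characters"),
        (any(c.isupper() for c in password), "no upper-case letter"),
        (any(c.islower() for c in password), "no lower-case letter"),
        (any(c.isdigit() for c in password), "no digit"),
        (any(c in SPECIAL for c in password), "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

def reused_recently(password, history):
    """True if the candidate equals any of the last HISTORY_DEPTH stored digests."""
    return any(hash_password(password, salt)[1] == digest
               for salt, digest in history[-HISTORY_DEPTH:])

def rotation_overdue(last_changed, today):
    """True once the current password is older than MAX_AGE_DAYS."""
    return today - last_changed > timedelta(days=MAX_AGE_DAYS)

def evaluate_change(candidate, history):
    """Policy verdict for a proposed change: list of failures, empty if accepted."""
    failures = complexity_violations(candidate)
    if reused_recently(candidate, history):
        failures.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return failures
```

Feed `evaluate_change` the user's stored history at change time and run `rotation_overdue` against each account's last-change date on a schedule to flag the 90-day expiries.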
> Internet & Network Security:
☐ Do you have a next-generation firewall that includes an Intrusion Detection System (IDS) and Intrusion Prevention System (IPS)? These are very important and your first line of defense against would-be hackers. They’ll also alert you if anything looks fishy, before any of your systems begin to fail. Other things to consider: geolocation filtering, application-level filtering, sandboxing, and advanced threat detection.
☐ Do you use a virtual private network for remote access? If you have employees working away from the office, protect your travelling users who may be on insecure wireless networks by tunneling all their traffic through the VPN.
☐ Are all modem and wireless access connections known and secured? Establish a guest network for visiting customers and vendors, etc., but do not permit connectivity from the guest network to the internal network.
☐ Do you deploy advanced network security systems and processes to further protect your network? Data packet analysis, Security Information & Event Management (SIEM), DNS intercept, public IP scanning, abnormal network behavior analysis and employee tracking & monitoring are just some of the additional systems that you can implement to lessen the risk of a network breach.
> Privacy & Sensitive Information:
☐ Is customer financial (or patient health) information encrypted and only accessible to those who actually need it? Whether it’s PCI or HIPAA compliance, with many regulations now carrying penalties for data breaches, it’s more important than ever that your organization protect this sensitive information.
☐ Are paper files kept in locked filing cabinets with controlled access? Use appropriate controls to ensure that any paper files with confidential or sensitive information are kept secure and only viewed or used by the proper personnel.
☐ Are files and emails being sent securely? You should standardize tools that allow for the secure sending and receiving of files. All personnel should be educated on using the organization’s portal or encrypted email solution for any file containing confidential data.
☐ Do you have a breach response plan? Every organization should have a security incident response plan in place; you’ll need it the moment there is concern that data has been compromised or a breach has occurred. This plan would include educating personnel on how to document the events leading up to the breach discovery, notifying appropriate personnel of the breach so they can take the necessary steps to stop it, and developing an internal and external communications plan.
☐ Do you have cybersecurity insurance? Unfortunately, organizations can do all the right things in regards to information security and still fall victim to an attack. To protect against that possibility, cybersecurity insurance should be considered.
☐ Do you outsource your security to IT security experts? Hire security experts when implementing firewalls and security-related features such as remote access and wireless routers so that they are properly configured the first time. Chances are your internal IT people have not had optimal security training or experience setting up a new device. External resources can also be called upon to do penetration testing to identify and lock down any system vulnerabilities.
☐ Do you perform a periodic audit or assessment (every six months at least) of your network and IT security? Network and security assessments should be done regularly to ensure the health and security of your network. Assessments can identify network issues and security vulnerabilities that once addressed will increase your network performance and security posture.
Visual Edge IT Technology Solutions, along with our sister company ThreatSHIELD Security, provides a unique set of managed services to assist customers with their IT needs and/or their Security needs. Along with our skilled IT professionals and CISSP security experts, we have developed a unique 12 Layers of Security approach to maximize the protection of your network and data. Whether you’re interested in our customized Managed Security Services or just need help with your Backup & Disaster Recovery plans, we’d be happy to answer any questions you may have.
Not sure where to start? Your organization could probably benefit from one of our Comprehensive Network and Security Assessments. Contact us today to learn more!