Questions to Ask Yourself BEFORE Security Risk Assessment
Before you hire me as a consultant for a security risk assessment, I advise you to review your business by asking yourself the following questions. Conducting this self-assessment before paying for a security risk assessment will save you money, because the gaps you find and close yourself are gaps you are not paying a consultant to find for you.
- Are physical controls documented?
- Are secure areas controlled?
- Are access controls reviewed and maintained on a regular schedule (for example, when staff join, change roles or leave)?
- Are there non-standard entry points to secure areas?
- Are these non-standard entry points secured and/or monitored?
- Are visitors required to be escorted or supervised while on the premises?
- Are visitors allowed within secure areas?
- If other organizations share access to your facility, are there proper controls to segregate their access from yours?
- Is the sharing of physical access to the institution by other organizations documented?
- Are there contracts or agreements with those organizations governing this physical access?
- Has a physical penetration test been performed?
- Is magnetic media stored in accordance with regulatory requirements and the manufacturers' recommended standards?
- Do guards at entrances and exits randomly check briefcases, boxes or portable PCs to prevent unauthorized items from coming in or leaving?
- Do guards allow visitors to bring laptop computers into the institution without proper signoff or authorization?
- Are fire detectors and an automatic extinguishing system installed on the ceiling, below the raised flooring and above dropped ceilings in computer rooms and tape/disk libraries?
- Are documents containing sensitive information shredded, burned or otherwise destroyed, rather than discarded whole and readable?
- Are DVDs and CDs containing sensitive information shredded or otherwise destroyed so that no restoration is possible, rather than discarded whole and readable? (The same question applies to hard drives and any other data storage technology prior to disposal.)
- Is data center and server room activity monitored and recorded on closed-circuit TV and displayed on a bank of real-time monitors?
- Does access control to a controlled area prevent tailgating, where an unauthorized person follows authorized personnel into the area?