May. 27, 2008 - Information Security Quiz for Non-Techies
I received yet another call from a company that had suffered an information security breach and now needs help to assess and address issues. I hate when companies wait until this point to start dealing with security. Everyone is stressed out and demoralized. Worst of all, in this case right after the breach they immediately fired the CTO - the person I would normally be working cooperatively with and providing a hands-on education on information security practices. IMHO, since the executive didn't have a comprehensive information security policy lifecycle in place to address the type of issue that caused the breach, he should have been fired himself, as he was to blame!
This is a quick five-question quiz for brokers and executives (not for techies) that can be used to gauge whether your business is taking key steps to protect itself from information security breaches.
- Does your business perform initial background checks on staff?
[ ] Yes [ ] No
Without employee screening – initially and ongoing – you could be putting private consumer information at risk and exposing your company to privacy liability issues resulting from identity theft or other misuse of your client’s private information.
- Are office visitors ever left unattended in employee areas where computers are left logged in or sensitive information is on desktops or in unlocked filing cabinets?
[ ] Yes [ ] No
Physical security is often a far bigger risk for information security than computer settings. Whether it’s a backup tape, a piece of paper from the listing or closing process that has sensitive consumer information on it, or information on an employee, physical security is your first line of defense in information security.
- Do you have security policies covering everything from how to handle sensitive information to how to securely install and configure computers? Are new employees trained on these policies initially and are veteran employees “refreshed” at least annually?
[ ] Yes [ ] No
Policies and procedures are the bedrock of an information security program. Without a thorough set of policies educating employees on how to help your business stay secure, and without ongoing education, monitoring and enforcement of policies, it’s likely that best practices in information security are not practiced in your business.
- Does your IT person run a number of security tools on your web applications, network and all of your servers, workstations and laptops at least once per quarter (ideally each month) and give you an executive-level status update on the security of your applications, network and computers?
[ ] Yes [ ] No
Your IT person should have some formal education in information security, have a complete security tool-set, use it regularly, and keep the broker/owner/CEO apprised of risks, so that you can take management responsibility for information security and allocate resources to address emerging risks.
- Have you had a security assessment performed by an independent third party in the past two years, reviewed the results with them, and understood your risks and created a project plan to address those risks?
[ ] Yes [ ] No
Information security is a specialized field – it takes an outside, independent expert to reliably assess the risk so that you can take steps to improve your business’s security practices.
If you answered any of these questions with a ‘No’, then you may want to think about taking a more active role in managing your company’s information security exposure. A security breach can cost six or seven figures to recover from and can also cause significant damage to your organization's brand and reputation.