Insuring E-Business

E-Risk Security Protection

8040 W. Hwy. 50 - Salida, Colorado, 81201

(719)539-0144 - (800)571-2026 - Fax (719)539-4696

Please Feel Free to Contact Us, Should You Have Any Questions.

E-Risk Security Questionnaire
It is recommended that this questionnaire be completed by your head of Information Systems/Technology (IT). All negative answers must be explained. They indicate areas which should be carefully examined for possible correctives.

Name of Institution

Security Policy
Is there a current, documented corporate security policy? (N/A / Yes / No; if No, list details)
Does the policy explicitly define "acceptable use" of all company resources? (N/A / Yes / No; if No, list details)
Does the security policy specify the security responsibilities of managers? (N/A / Yes / No; if No, list details)
Does the security policy specify the security responsibilities of employees? (N/A / Yes / No; if No, list details)
Is there a specific policy defining "acceptable use" of the Internet? (N/A / Yes / No; if No, list details)

Security Organization
Is there a position or organization responsible for overseeing the company's overall security program? (N/A / Yes / No; if No, list details)
Is there a position or organization responsible for overseeing the company's security with respect to its external electronic business activities? (N/A / Yes / No; if No, list details)
Is there a position or organization responsible for overseeing the company's security with respect to its third-party relationships? (N/A / Yes / No; if No, list details)

Asset Classification and Control
Is there an inventory of all business-critical information and IT assets? (N/A / Yes / No; if No, list details)
Is there an information classification program that specifies the different levels of security required for each classification? (N/A / Yes / No; if No, list details)
Has your company published a formal privacy policy to all employees? (N/A / Yes / No; if No, list details)
Has your company's formal privacy policy been approved by legal counsel? (N/A / Yes / No; if No, list details)
Has your company made its formal privacy policy available to the public? (N/A / Yes / No; if No, list details)

Personnel Security
Are employees, consultants, and contract personnel educated about their IT security responsibilities when hired? (N/A / Yes / No; if No, list details)
Are employees, consultants, and contract personnel reminded of their IT security responsibilities at least annually? (N/A / Yes / No; if No, list details)
Are employees, consultants, and contract personnel informed of the proper process for reporting suspected security incidents? (N/A / Yes / No; if No, list details)
As part of the hiring/contracting process, are applicants for system administration, security administration, sensitive programming, and other positions requiring high-level access to mission-critical systems subject to background checks with law enforcement authorities (and government agencies if warranted)? (N/A / Yes / No; if No, list details)
Are there specific processes to control the physical, logical on-site, and remote access of all third-party contractors? (N/A / Yes / No; if No, list details)

Physical and Environmental Security
Are all IT equipment and terminals located in areas protected from unauthorized access? (N/A / Yes / No; if No, list details)
Are mission-critical IT components protected from unauthorized access? (N/A / Yes / No; if No, list details)
Are the components that control access to the company's trusted systems to and from all external networks (e.g. firewalls, routers, web servers, application servers, etc.) physically isolated from other IT components? (N/A / Yes / No; if No, list details)

Computer and Network Management
Are firewalls used to prevent unauthorized access on all connections between internal networks and systems and external networks? (N/A / Yes / No; if No, list details)
If you have an externally accessible web server, does the web server run in non-privileged mode? (N/A / Yes / No; if No, list details)
Are remote users authenticated before being allowed to connect to internal networks and systems? (N/A / Yes / No; if No, list details)
Are there documented operating procedures for the security requirements of internal networks? (N/A / Yes / No; if No, list details)
Are there documented operating procedures for the security requirements of all mission-critical systems? (N/A / Yes / No; if No, list details)
Are there documented operating procedures for the security requirements of the components that control access to the company's trusted systems to and from all external networks (e.g. firewalls, routers, web servers, application servers, etc.)? (N/A / Yes / No; if No, list details)
Is there enforced separation of duties in all critical process steps for all sensitive operations? (N/A / Yes / No; if No, list details)
Is all sensitive information encrypted when it is transmitted over any external network? (N/A / Yes / No; if No, list details)
Are digital signatures required for non-repudiation of three-party electronic commerce transactions? (N/A / Yes / No; if No, list details)
Are security requirements specified in change management procedures? (N/A / Yes / No; if No, list details)
Are security requirements specified in problem management procedures? (N/A / Yes / No; if No, list details)
Are anti-virus procedures used on desktops and mission-critical servers? (N/A / Yes / No; if No, list details)
Are backup and recovery procedures documented for all mission-critical systems? (N/A / Yes / No; if No, list details)
Are backups taken at least once per week? (N/A / Yes / No; if No, list details)
Are backups kept for at least two weeks? (N/A / Yes / No; if No, list details)
Are backups stored off-site in a secure location? (N/A / Yes / No; if No, list details)
Are recovery procedures tested at least quarterly? (N/A / Yes / No; if No, list details)
Is removable media containing sensitive information properly labeled and protected against unauthorized access at all times? (N/A / Yes / No; if No, list details)
Are computer emergency response team and vendor advisories related to security problems monitored, and are the fixes applied as soon as possible to all affected systems? (N/A / Yes / No; if No, list details)

System Access Controls
Is there a documented access control policy for all mission-critical systems? (N/A / Yes / No; if No, list details)
If you have an externally accessible web server, are access controls implemented for the files and directories stored on the web server? (N/A / Yes / No; if No, list details)
Are all access controls monitored for compliance? (N/A / Yes / No; if No, list details)
Are documented procedures in place for user and password management? (N/A / Yes / No; if No, list details)
Are general user passwords required to be changed at least every six months? (N/A / Yes / No; if No, list details)
Are privileged user passwords required to be changed at least every six months? (N/A / Yes / No; if No, list details)
Are all passwords required to be non-trivial and at least six characters long? (N/A / Yes / No; if No, list details)
Are password rules monitored for compliance? (N/A / Yes / No; if No, list details)
Are special privileges restricted to primary and backup systems administration personnel and to individuals with an approved need for these privileges? (N/A / Yes / No; if No, list details)
Do authorized individuals use their privileged accounts only for the tasks that require them, and their unprivileged accounts for all other normal business activities? (N/A / Yes / No; if No, list details)
Are special privileges limited to the scope required by an individual's roles and responsibilities? (N/A / Yes / No; if No, list details)

System Development and Maintenance
Are there security requirements for systems, applications, and files? (N/A / Yes / No; if No, list details)
Are there security controls in development, test, and service procedures? (N/A / Yes / No; if No, list details)

Business Continuity Planning
Are continuity plans in place for all mission-critical business processes? (N/A / Yes / No; if No, list details)
Do continuity plans include provisions for return to normal operations? (N/A / Yes / No; if No, list details)
Are business continuity plans tested at least annually? (N/A / Yes / No; if No, list details)
Are there fault-tolerant or redundant components controlling access to the company's trusted systems to and from all external networks (e.g. firewalls, routers, web servers, application servers, etc.)? (N/A / Yes / No; if No, list details)
Are there fault-tolerant or redundant network connections to your critical business partners? (N/A / Yes / No; if No, list details)
Are there fault-tolerant or redundant connections to your critical network service providers? (N/A / Yes / No; if No, list details)

Security Compliance
Are all security-relevant actions on all systems logged? (N/A / Yes / No; if No, list details)
Are security logs reviewed at least daily for suspicious activity? (N/A / Yes / No; if No, list details)
Are security logs kept off-site in a secure location for at least a year? (N/A / Yes / No; if No, list details)
Are official company records safeguarded and controlled? (N/A / Yes / No; if No, list details)
Are there regular security reviews of IT systems by internal audit personnel or a trusted third party? (N/A / Yes / No; if No, list details)
Are there documented incident management processes for responding to suspected intrusions detected on any of the components that control access to the company's trusted systems to and from all external networks (e.g. firewalls, routers, web servers, application servers, etc.)? (N/A / Yes / No; if No, list details)
Are comprehensive penetration tests conducted at least once a month to verify the security of the company's perimeter network controls (e.g. firewalls, routers, web servers, application servers, etc.)? (N/A / Yes / No; if No, list details)
Are there specific processes that protect audit tools and other sensitive programs? (N/A / Yes / No; if No, list details)
Are all accesses to sensitive programs reviewed regularly for potential abuses and abnormalities? (N/A / Yes / No; if No, list details)

Completed by
Title
Date
