Information Security Governance Programme Checklist

- There is awareness that a good information security programme takes time to evolve.
- The corporate information security function reports to senior management and is responsible for executing the information security programme.
- Management and staff have a common understanding of information security importance, requirements, vulnerabilities and threats, and understand and accept their own security responsibilities.
- Third-party evaluation of information security policy and architecture is conducted periodically.
- The information security function has the means and ability to administer security: in particular, to detect security incidents, record them, analyse their significance, and report and act on them when they do occur, while minimising the probability of occurrence through intrusion testing and active monitoring.
- Clearly defined roles and responsibilities for risk management ownership and management accountability are in place.
- A policy is established to define risk limits and risk tolerance.
- Responsibilities and procedures for defining, agreeing on and funding risk management improvements exist.
- A reality check of the information security strategy is conducted by a third party to increase objectivity and is repeated at appropriate times.
- Critical infrastructure components are identified and continuously monitored.
- Service level agreements (SLAs) are used to raise awareness of and increase co-operation with suppliers relative to security and continuity needs.
- Policy enforcement is considered and decided on at the time of policy development.
- A confirmation process is in place to measure awareness, understanding and compliance with policies.
- Applications are secured well before they are deployed.
- Information control policies are aligned with the overall strategic plans.
- Management endorses and is committed to the information security and control policies, stressing the need for communication, understanding and compliance.
- There is a consistently applied policy development framework that guides formulation, roll-out, understanding and compliance.
- There is awareness that, although insiders continue to be the primary source of most security risks, attacks by organised crime and other outsiders are increasing.
- Proper attention is paid to data privacy, copyright and other data-related legislation.
- There is senior management support to ensure employees perform their duties in an ethical and secure manner.
- Management is leading by example.