Are You at Risk Survey

Information Technology

1. My organization audits network user accounts for shared, dormant, or expired accounts:

Never

During regular audits

We have procedures in place that disables them

When our alerts automatically identify and notify managers

2. My organization has the following IT Asset Tracking procedures in place:

Nothing

We have an inventory of all hardware and software

“B” and we ensure all employee equipment is returned prior to their last day

“B” & “C” and we conduct inventories/audits of all equipment at least annually

Human Resources

3. My organization conducts background checks on candidates and:

Well, we don’t do backgrounds checks on candidates

We have a policy to keep the information confidential during the hiring process

“B” and we have a standardized process for performing criminal history reviews

“B” & “C” and our staff is fully-trained on how to perform these functions

4. My organization has policy and practices that describe acceptable and unacceptable workplace behaviors, including interpersonal activities:

No, we just expect them to act how normal employees should

We have a policy and communicate it to our employees

“B” and we make the materials easily accessible to employees (Hard/Soft Copy)

“B” & “C” and our employees sign the policy; and leadership updates the policy, as needed

Legal

5. My organization has policy regarding ownership of our intellectual property (IP) to reduce the likelihood of disputes and:

Nope, we trust our employees so there is no need for these policies

All our employees sign relevant NDAs, non-competes, and IP agreements upon hiring

C. “B” and we have a detailed Controlled Info Management (CIM) policy, which IDs proprietary and sensitive information and how it must be handled

“B” & “C” and we verify employee compliance with CIM policies

6. My organization has policy and procedures that allow us to monitor employee actions on our systems and networks:

No, we are not concerned with our employees’ activity on our computers or networks

We have a policy that requires employees to consent to logging, monitoring, and auditing

“B” and the policy indicates that communications will be monitored for content

“B” & “C” and we have a web banner appearing every time an employee logs on to our network, informing them that their activity is being monitored

Physical Security

7. My organization notifies appropriate internal parties of employee terminations or separations and:

No, we primarily let HR handle it, unless something else is needed

We have a policy detailing who must be notified of a termination or separation, which includes: HR, Security, Legal and IT

“B” and we have a detailed process and designated employees who communicate these actions to appropriate internal parties

“B” & “C” and we have a detailed process for notifying our trusted business partners about relevant terminations

8. My organization prevents, detects, and responds to the physical theft of organizational property and:

Not responding and simply “writes it off”

We have an asset inventory system and a process for reporting lost/stolen property

“B” and we have a process for recovering lost/stolen property

“B” & “C” and our employees are trained on appropriate use and ownership of property

Trusted Business Partners

9. My organization ensures that all trusted business partners (TBP) (contractors/cleaning staff/etc.) have successfully completed background screenings before they start work and:

Well, we don’t as we expect them to only send us their best employees

We require their screenings to be commensurate with the ones we do on our employees

“B” and we have a designated employee who makes sure the screenings are being done

“B” & “C” and our legal counsel works to allow us to view completed screenings for employee working for our organization. Also, all violations are addressed.

10. My organization has a policy that defines its ownership rights to intellectual property (IP) created by trusted business partners and:

No, we trust them and if there are any problems, we can work it out

We require TBPs to sign the same NDAs, non-competes, and IP agreements our employees sign

“B” and we ensure TBPs understand and adhere to our Controlled-Information Management (CIM) policy

“B” & “C” and we have an IP dispute resolution process available to our TBPs.

Are You at Risk Survey

Information Technology

Human Resources

Legal

Physical Security

Trusted Business Partners

Recent Posts

Archives

Categories

Meta