Computer Security Checklist

Do you have specific knowledge that computer security is lacking or inadequate?

How did you receive this information?

 a written report

 a security survey or risk assessment

 security penetration tests

 a threat or warning

 other form of notice (describe:_____)

Are new employees given adequate orientation and training on computer protection and loss prevention matters, including company policies regarding sanctions for violations?

Do you have a specific fire-suppression system for the computer room?

 Is this system tested regularly?

 Is the computer room constructed with fire-retardant walls?

Do you have an uninterruptible power supply and surge protection equipment for your computer?

Do you have in place policies and procedures to secure sensitive information?

Do you have in place policies and procedures to secure vital software and documentation?

Do you retain backup records off site using tapes, CDs, or other media?

 If yes, do you have controls in place to protect those materials?

Have you established restrictions on who has access to specific data?

Are computer users required to log in with a password?

Are they required to change their passwords on a regular schedule?

Are any other measures used to control access (e.g., personal information, biometric data)?

Is access authorization monitored?

Do you allow sharing and disclosure of passwords?

Is each individual access logged?

Does the log record include the date and time of access?

Is access authorization established by levels of authority?

 by levels of security?

Does the log record identify the functions performed?

Does the log record identify the specific computer that is accessed?

Do you maintain a log record of security violations?

Do you have a policy that requires employee passwords and/or access code privileges to be cancelled immediately when their employment is terminated?

Are there specific procedures to ensure that this policy is carried out?

Does your system provide protection for confidential information and other sensitive data from unauthorized access?

Does it provide for protection from unauthorized update?

Do you have in place process and/or operating controls to detect fraudulent data manipulation?

Are firewalls or other similar technologies used to protect your computer network and control access to computer data?

Are you required to transfer data between locations using dial-up telephone lines?

 Do you monitor dial-up lines?

 Do you maintain records of repeated failures of attempts at access?

 Does the system use encryption to protect data being transferred?

Further detailed information on computer security can be found in the IREM publication Spotlight on Security for Real Estate Managers by Lawrence J. Fennelly, CPO®.

Comments

This is a fantastic checklist that I will be sure to apply to all of my developments managed, where we have computer equipment. - Owen Ahearn, CPM

Very good synopsis from the publication Spotlight on Security For Real Estate Managers. The points in the article make a great checklist.