1/14

Is your management team aware of the need to protect information?

Is there awareness of exposure to risks? Is there awareness that IT security and information security overlap, but are not simply the same thing?

2/14

Do you have a list of all the information you are protecting?

Examples include information stored in cloud services (Office, G-Suite), or inside tools like Salesforce, Pipedrive, Workday, Cognos and Slack. It also includes prototyping tools like Figma and Miro, or any other cloud-based tool or platform that your team uses. It should also include information on servers, information that resides with subcontractors/suppliers, information received from customers, etc.

3/14

For each piece of information you are protecting, do you know where it is stored or located?

4/14

Are you aware of the risks the information is exposed to?

This includes natural/physical risks, technical risks, legal risks, contractual risks, compliance risks, and financial risks.

5/14

Are you aware of the impact that an information incident, breach, or attack might have on your business?

This could be a tangible financial risk. For example, if confidentiality is breached, if information stops being available (server crash, cloud service unavailable), or if information cannot be trusted (somebody might have forged it). In such cases, what’s the potential damage to your business?

6/14

Do you know how to mitigate the risks?

For example, awareness of measures to protect data while they’re in a cloud system? Awareness of insurance possibilities? Awareness of how to continue to run the business if services become unavailable?

7/14

Are you training your team to be aware of the need to protect information?

Can you confidently say that your team members know what to do if information is breached, lost, or stops being available?

8/14

Do you know everyone who is entering and exiting your office or workplace?

Examples: Can anybody walk into the office without being challenged? Is it accepted practice that the smokers among your team leave the door permanently open? For those working from home, is your hardware protected from visitors and children?

9/14

Do you know everyone who has access to the information you are protecting?

Do you manage access to computers, service, and physical facilities? Do you know how suppliers and/or vendors handle your data?

10/14

How sure are you that your partners, vendors and suppliers protect your information adequately?

Have you ever visited a key supplier? Do you have contracts or agreements in place with them?

11/14

Will you recognise an incident, breach, or attack?

When Yahoo! reported its large password breach in September 2016, the actual incident had in fact occurred sometime in late 2014 and affected over 500 million Yahoo! user accounts. Would you be faster?

12/14

Are you using the right preventative measures, tools or platforms to protect your information against incidents, breaches, or attacks?

The basics include firewalls and anti-virus tools. If you run a web platform, have you run a penetration test? Have you done so recently? How do you make your developers aware of security advisories affecting the open-source libraries they use?

13/14

Have you tested your playbook for recovery from an incident, breach, or attack that does happen?

14/14

Do you know which compliance requirements you may need to fulfil?

Data protection laws are a clear example, but you should also consider other applicable laws. For example intellectual property or licenses that you use, security-related laws that apply in one country but are different in another, and many more.