A growing number of businesses and Federal agencies, whether under government regulation or simply seeking to follow best practices, are taking positive steps to secure their networks from intruders and to protect their stakeholders' personal information. While some have made great progress, others are falling dangerously behind in their information security (INFOSEC) efforts.

The INFOSEC Services practice recognized that IT administrators needed a simple, plain-language tool to determine not only what their current security stance is, but also what steps to take to identify and address what might be missing.

To fill that void, the INFOSEC Services practice has developed the Security Assessment Tool to help enterprises assess their preparedness and the extent to which their information technology practices may be considered safe and secure.

The Security Assessment Tool is a self-administered assessment of your enterprise information management practices and systems. Working through 10 questions, the Security Assessment Tool will help identify areas that need attention, both to meet regulations and to build a better understanding of how to protect data throughout your organization, whether at rest or in transit. Remember, the results of this tool should be viewed only as an initial indicator of the security readiness of your enterprise.

For a more comprehensive look at the readiness of your information security efforts, INFOSEC Services stands ready to help you assess your IT systems and practices and to assist you in meeting compliance and best-practice requirements. For a confidential review, call 1-800-825-6680 and ask for an INFOSEC analyst.

How were system risks determined in support of the risk analysis process?

What is your timeline for implementing information security projects?

Do you differentiate between the protection of data at rest and data in transit, and is digital authority (who is permitted to do what) protected throughout the system?

If you work for a commercial enterprise, have the existing processes and results of a Security Test and Evaluation (ST&E) been documented and used to allow systems to move into operational status?

If you work for a Federal agency, are there current Authorizations to Operate (ATOs) or Interim ATOs (IATOs) that have been properly prepared and signed off under the CIO's authority to obtain Certification and Accreditation (C&A), and is that information used to authorize systems to operate?

Do you maintain a current view of the network and its parts, so that at any moment the network can be described down to individual nodes, including licensing, configuration, and operational functions?

What planning is in place for incident response and disaster recovery?

What is the current state of documented policies and procedures regarding network security operations (e.g., actions taken by personnel, rules and policies enforced in automated systems, types of data that need additional protection [i.e., sensitive, classified, or proprietary data], and levels of designated authority that can be exercised on the digital system)?

Are your personnel trained to understand the security implications of their administrative functions for the IT hardware and software that fall within their area of responsibility, and how are users trained with regard to Information Security (INFOSEC) in accordance with Federal requirements and mandates?

Are your IT architecture and lifecycle management reviewed for security implications?

(Be sure to answer all the questions.)