Tips to Evaluate Your Firm’s IT and Cybersecurity Management

by Brenda Piazza, Director of Management and IT Security, FS San Diego
Security breaches are increasingly being reported in the news, with these events damaging a company’s reputation, incurring significant costs and creating tremendous potential legal consequences. This leads business owners, executives and key personnel to ask how they should be evaluating their security and cybersecurity management to better protect themselves against those risks.

Two primary considerations are: (1) whether management has defined its IT security requirements through policies, and then communicated those policies to all employees; and (2) whether management regularly monitors and receives IT security reports, or whether management (other than IT) is only made aware of catastrophic failures when they occur.
How Do Your IT Practices Stand Up?

1. Are there written IT policies in place around security, change management, hiring and training? How are those policies communicated to all employees, new hires and contractors? Are there signed acknowledgements of those policies?

2. Is there employee and contractor training on IT security, including their responsibilities for changing passwords, securing laptops while off-site and management’s expectations for securing removable media?

3. Is a formal IT risk assessment performed at least annually to understand where the risks are in IT security?

4. Are there logical access controls for granting, changing and revoking permissions to applications, networks, remote access, wireless access, etc.? Is there an internal/external penetration test performed by a third-party firm to identify possible vulnerabilities in your network and “back doors” in vendor code?

5. Do you know when there is a potential IT security incident or an attempt to breach your firewall? Do you have a written business continuity or disaster recovery plan in place that is tested annually?

6. Do you perform daily backups of production and test data and store the encrypted backups off-site? Do you perform restores of data from backup media to verify that the backups can be recovered?

7. Do you have formal change management procedures in place covering approval, developer assignment, testing of the change in a test environment and movement into production by someone other than the developer?

8. Is there physical security for the building, such as visitor logs, badge access cards and limited access to the server room? Is access restricted at an off-site hosted data center?

9. Have you read your customer contracts and renewals to consider their requirements regarding data classifications, what constitutes a breach and what your contractual obligations are for reporting to them, should a breach occur? Do you know your legal requirements, and the timing of those requirements (by state), should a security breach occur?

Only through monitoring of IT security practices can you truly reduce the likelihood of becoming the next big IT security breach “headline.”
the adv | February 2016
Congratulations to Emily Noll, who has been promoted to CBIZ National Director of Wellness Solutions.

Polly Thomas has been named among the Top 40 under 40 by Business Insurance magazine.

Cindy Mull was named as a finalist for Business Woman of the Year by Tampa Bay Business Journal.

Moira House was named HR Practitioner of the Year by the Memphis Chapter of the Society for Human Resource Management.

The National Academy of Public Accounting Professionals has named Michelle Spriggs a Top 10 Accountant.

Congratulations to Megan Murdock, who was named to the “Top 40 Under 40” list by the Memphis Business Journal.
CWA Snaps