Do you track employee devices and ensure their return upon employee termination?
Are hardware, software, application, or operating system configurations documented?
Has an asset inventory system been implemented that includes asset criticality and/or classification ratings?
Has the flow of data into and out of various systems been mapped and is there a policy that governs the flow of data?
Please upload a copy of these data mappings so I can take a look at them.
Is there a policy that governs the flow of data into and out of business partner and vendors systems?
Has a data and/or asset classification scheme been developed and implemented and does it map handling requirements to the classification levels?