Does a corporate policy define acceptable employee use of computing assets?
Is the requirement for periodic compliance assessments clearly defined in the Information Security policy?
Are all users trained to comply with specific policies, practices, and procedures for detecting, reporting, investigating, and responding to information security incidents?
Are the Information Security policies issued and controlled from a central corporate source working in conjunction with the business units?
Does a corporate anti-virus policy exist, with associated procedures for signature updates, virus incident handling and reporting?
Does a corporate policy for sensitive information handling exist, with guidelines on the protection of client data?
Are there clearly defined rules and standards about prohibited activities?
Has Human Resources identified proper and proportional consequences for security policy violations?
Are the penalties for violating security policies and procedures clearly specified and enforced?
Are there procedures to produce, coordinate, and regularly review and update all security documents?