15 October 2024
Information security checklist report
Your overall rating was amber.
- 1: Not yet implemented or planned
- 18: Partially implemented or planned
- 3: Successfully implemented
- 0: Not applicable
RED: not implemented or planned
Your business has a process to securely dispose of records and equipment when no longer required.
Suggested actions
You should:
- use locked waste bins for any paper records that contain personal data and require confidential and secure disposal;
- store equipment or hardware that contains personal data in a secure location whilst awaiting destruction/disposal;
- securely dispose of paper records by shredding, ideally using a cross-cut shredder;
- if you use a third party provider to shred paper records, erase data or dispose of/recycle your equipment or hardware, make sure they do it adequately and you have appropriate assurances in place to confirm compliance; and
- keep a log of all equipment and confidential waste that you sent for disposal or destruction and, where possible, retain certificates of destruction.
AMBER: partially implemented or planned
Your business identifies, assesses and manages information security risks.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- consider all processes involved as you collect, store, use, share and dispose of personal data; and
- consider how sensitive or confidential the data is and what damage or distress could be caused to individuals, as well as the reputational damage to your business, if there was a security breach.
With this clearer view of the risks you can then implement the following:
- document your information risk management process in an information risk policy;
- ensure that you create either a stand-alone information risk register or incorporate information risks in a central risk register; and
- regularly assess and update, treat, tolerate, or mitigate risks, as appropriate.
Guidance
- Information risk management regime, in 10 steps to cyber security, National Cyber Security Centre
Your business has an approved and published information security policy which provides direction and support for information security (in accordance with business needs and relevant laws and regulations) and is regularly reviewed.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- implement an information security policy that covers all aspects of information security within your organisation;
- ensure the policy clearly sets out your approach to security together with responsibilities for implementing the policy and monitoring compliance; and
- set review dates and ensure policies and procedures are reviewed and updated in line with agreed timescales or when required.
Guidance
- Documentation, Guide to the UK GDPR
Your business has defined and allocated information security responsibilities and has established a framework to coordinate and review the implementation of information security.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- identify a person or department in your business and assign day-to-day responsibility for information security;
- ensure they have the necessary authority and resources to fulfil this responsibility effectively; and
- for larger organisations, appoint 'owners' with day-to-day responsibility for the security and use of business systems.
Guidance
- The National Cyber Security Centre (NCSC) guidance for small businesses: https://www.ncsc.gov.uk/smallbusiness
Your business has established written agreements with all third party service providers and processors that ensure the personal data that they access and process on your behalf is protected and secure.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- ensure processors treat your information securely: establish written data processing contracts and ensure they contain the compulsory data protection-related clauses;
- establish protocols to allow periodic security reviews of the security arrangements in place to provide assurances of compliance to contract/agreement; and
- if you use a provider to erase data and dispose of or recycle your ICT equipment, make sure they do it adequately. You may be held responsible if personal data collected by you is extracted from your old equipment when it is resold.
Guidance
- Guide to the UK GDPR – Contracts, ICO website
Your business has regular information security awareness training for all staff, including temporary, locum or contracted employees, to ensure they are all aware of and fulfil their responsibilities.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- brief all staff on their security responsibilities, including the appropriate use of business systems and ICT equipment;
- train your staff to recognise common threats such as phishing emails and malware infection, and how to recognise and report personal data breaches;
- ensure staff are trained on or shortly after appointment with updates at regular intervals thereafter or when required; and
- reinforce training using other methods including intranet articles, circulars, team briefings and posters.
Guidance
- User education and awareness, in 10 steps to cyber security, National Cyber Security Centre
Your business has identified, documented and classified its hardware and software assets and assigned ownership of protection responsibilities.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- identify and document all the hardware assets you use within a central hardware inventory or register;
- identify and document all the software assets you use within a central software inventory or register;
- assign ownership and security classifications to all identified hardware and software assets;
- define rules for the acceptable use of your hardware and software by staff and communicate these rules; and
- undertake periodic risk assessments of hardware and software asset inventories / registers and physical checks to ensure the accuracy of the hardware asset inventory.
Your business ensures the security of mobile working and the use of mobile computing devices.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- assess the risks of mobile working (including remote working where mobile devices can connect to the corporate network);
- establish a mobile working policy (based on the outcomes of the risk assessment) to assist in ensuring the security of mobile working and the use of mobile computing devices;
- implement a process that sets out procedures to follow for authorising and managing mobile working; and
- keep a log of all mobile devices used in your business and who they are allocated to.
Guidance
- Home and mobile working, in 10 steps to cyber security, National Cyber Security Centre
- The National Cyber Security Centre (NCSC) guidance for small businesses: https://www.ncsc.gov.uk/smallbusiness
Your business configures new and existing hardware to reduce vulnerabilities and provide only the functionality and services required.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- establish a process to configure new and existing hardware to reduce vulnerabilities and provide only the functionality and services required; and
- maintain an up-to-date inventory of ICT equipment.
Guidance
- Secure configuration, in 10 steps to cyber security, National Cyber Security Centre
- Cyber Essentials
- The National Cyber Security Centre (NCSC) guidance for small businesses: https://www.ncsc.gov.uk/smallbusiness
Your business has established controls to manage the use of removable media in order to prevent unauthorised disclosure, modification, removal or destruction of personal data stored on it.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- minimise and encrypt personal data stored on mobile devices; and
- implement access controls or software solutions on mobile devices, such as PIN-controlled access, data/disc encryption and limited systems access.
Guidance
- Removable media controls, in 10 steps to cyber security, National Cyber Security Centre
- The National Cyber Security Centre (NCSC) guidance for small businesses: https://www.ncsc.gov.uk/smallbusiness
- Cyber Essentials
Your business assigns user accounts to authorised individuals, and manages user accounts effectively to provide the minimum access to information.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- implement a process to ensure that access to systems holding personal data is authorised by management;
- restrict user permissions to the absolute minimum (or 'least privilege');
- assign each user with their own username and password to ensure accountability;
- implement role-based user profiles and access levels to ensure that access to systems is only given to those roles that require it in order to complete their work;
- review all network and application user access lists at least annually; and
- ensure you have robust starter, mover and leaver processes in place to avoid the risk of unauthorised access or the accrual of unnecessary access levels.
Guidance
- User access control, in Cyber essentials, GOV.UK website
- Managing user privileges, in 10 steps to cyber security, National Cyber Security Centre
- Cyber Essentials
Your business has appropriate password security procedures and 'rules' for information systems and has a process in place to detect any unauthorised access or anomalous use.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- limit the number of failed login attempts;
- enable and actively encourage your staff to choose a strong password;
- monitor user activity to detect any anomalous use (see Monitoring);
- reinforce that passwords are not written down or recorded in accessible locations/systems logs; and
- promptly disable passwords when staff change duties or leave the business.
Guidance
- Managing user privileges, in 10 steps to cyber security, National Cyber Security Centre
- The National Cyber Security Centre (NCSC) guidance for small businesses
- Cyber Essentials
- Encryption, in Guide to the UK GDPR, ICO website
- Passwords in online services, in Guide to the UK GDPR, ICO website
Your business routinely backs up electronic information to help restore information in the event of disaster.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- routinely back up electronic information to help restore information in the event of disaster;
- keep back-ups in a secure location away from your business premises; and
- test the restoration of personal data regularly to check its effectiveness.
Guidance
- Backups, Get safe online website
- The National Cyber Security Centre (NCSC) guidance for small businesses
- Cyber Essentials
Your business logs and monitors user and system activity to identify and help prevent data breaches.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- log and monitor user and system activity to identify and help prevent data breaches;
- continuously monitor inbound and outbound network traffic to identify unusual activity or trends that could indicate an attack;
- implement a mechanism to log user access to systems holding personal data in support of an access control policy;
- ensure all monitoring and logging complies with any legal or regulatory constraints; and
- make staff aware of any monitoring you undertake.
Guidance
- Monitoring, 10 steps to cyber security, National Cyber Security Centre
Your business keeps software up-to-date and applies the latest security patches in order to prevent the exploitation of technical vulnerabilities.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- use the latest versions of operating systems, web browsers and applications; and
- update these regularly to help prevent the exploitation of unpatched vulnerabilities.
Guidance
- Patch management, in Cyber security essentials, GOV.UK website
- Cyber Essentials
Your business has boundary firewalls to protect computers from external attack and exploitation and help prevent data breaches.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- install a firewall to monitor and restrict network traffic based on an agreed set of rules; and
- minimise the impact of data breaches by segmenting and limiting access to network components that contain personal data. For example, you should separate your web server from your main file server. If your website is compromised then the attacker will not have direct access to your central data store.
Guidance
- Network security, in 10 steps to cyber security, National Cyber Security Centre
- Cyber Essentials
Your business has effective processes to identify, report, manage and resolve any personal data breaches. You have appropriate training in place to ensure staff know how to recognise and what to do if they detect a personal data breach.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- have a process to enable staff to report breaches to management as soon as they become aware of them, and to investigate and implement recovery plans;
- ensure your data protection and security training includes what constitutes a personal data breach and what to do should one occur; and
- deliver this training to staff on a regular basis and use awareness materials to raise staff awareness, e.g. posters, emails, newsletters, etc.
Guidance
- Guide to the UK GDPR – Personal Data Breaches, ICO website
- Incident management, in 10 steps to cyber security, National Cyber Security Centre
Your business has a procedure in place to report a breach to the ICO and to affected individuals, where necessary.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- put mechanisms in place to assess the likely risk to individuals and then, if necessary, notify the breach to the ICO and inform affected individuals;
- monitor the type, volume and cost of incidents to identify trends and help prevent recurrences; and
- document all breaches, even if you don’t need to report them.
Guidance
- Incident management, in 10 steps to cyber security, National Cyber Security Centre
- Guide to the UK GDPR – Personal Data Breaches, ICO website
Your business has procedures in place to effectively investigate the cause(s) of a breach and implement measures to mitigate future risks.
Where measures have only been partially implemented, please select the appropriate actions from the detail below:
Suggested actions
You should:
- ensure management are made aware of all personal data breaches;
- establish processes to ensure all personal data breaches are fully investigated to determine the root cause and decide on any remedial actions that you may need to take; and
- log, monitor and analyse all incidents to identify trends and help prevent recurrences.
Guidance
- Guide to the UK GDPR – Personal Data Breaches, ICO website
- Incident management, in 10 steps to cyber security, National Cyber Security Centre
GREEN: successfully implemented
Your business has entry controls to restrict access to premises and equipment in order to prevent unauthorised physical access, damage and interference to personal data.
Your business has secure storage arrangements to protect records and equipment in order to prevent loss, damage, theft or compromise of personal data.
Your business has established effective anti-malware defences to protect computers from malware infection.