E-Risk Management Assessment

Security Policy
1. Is there a current, documented corporate IT security policy, including all systems, internal, external, web sites, PBX, etc.?

2. Does the policy explicitly define "acceptable use" of all company resources and of the internet and are employees and contractors required to sign acknowledgements of the policy?

3. Does the security policy specify the security responsibilities of managers and employees?

Asset Classification and Control
4. Is there an inventory of all business critical information and IT assets?

5. Does your company have a formal privacy policy that has been approved by legal counsel?

6. Does your IT infrastructure support proper compliance of your privacy policy?

7. Has the privacy policy been made available to all employees and to the general public?

Personnel Security
8. Are employees, consultants and contract personnel informed about the proper process for reporting suspected security incidents?

9. As part of the hiring/contracting process, are applicants for system administration, security administration, sensitive programming, and other positions requiring high level access to mission critical systems subject to background checks with law enforcement authorities (and government agencies if warranted)?

10. Are contractors with access to production systems required to be bonded and insured?

11. Are there specific processes to control physical, logical on-site, and remote access by all third party contractors?

Computer and Network Management
12. Are firewalls used to prevent unauthorized access on all connections from internal networks and systems to external networks, such as vendor’s systems or the internet?

13. Are the firewalls configured to explicitly allow authorized traffic and deny all other traffic in both directions by default?

14. Are remote users authenticated before being allowed to connect to internal networks and systems?

15. Are there documented operating procedures for security requirements and access control of all networks, mission critical systems and their components that control access (e.g. firewalls, routers, web servers, application servers, etc.)?

16. Is there enforced separation of duties in all critical process steps for all sensitive operations?

17. Is all sensitive information encrypted when it is transmitted over all external networks?

18. Are anti-virus procedures used on desktops and mission critical servers?

19. Are backup and recovery procedures documented for all mission critical systems?

20. Are backups taken at least once per week and secured off site?

21. Are recovery procedures tested at least quarterly?

22. Is removable media containing sensitive information properly labeled and protected against unauthorized access at all times?

23. Are Computer Emergency Response Team (C.E.R.T.) and vendor advisories related to security problems monitored and applied as soon as possible to all affected systems? (i.e. software vulnerability patches, antivirus updates, etc.)

24. Is there a system management program in place that monitors networks for intrusions and other irregularities that immediately notifies management (via pager, etc.)?

System Access Controls
25. Are customers and other external users authenticated through the use of PINS, passwords or digital certificates?

26. If you have an externally accessible Web Server, are access controls implemented for the files and directories that are stored on the Web server?

27. Are all access controls monitored for compliance?

28. Are passwords required to be changed at least every 2 months?

29. Are special privileges restricted to primary and backup systems administration personnel and individuals with approved need to have these privileges?

30. Do authorized individuals use their privileged accounts only for the tasks for which they are needed and use their unprivileged accounts for all other normal business activities?

31. Are procedures in place to ensure that the passwords and privileges of terminated employees and contractors are immediately revoked?

32. Are all IT equipment and terminals in areas protected from unauthorized access?

System Development and Maintenance
33. Are there security controls in development, test and service processes?

Business Continuity Planning
34. Are continuity plans in place for all mission critical business processes including those provided by third parties?

35. Are business continuity plans tested at least annually?

36. Are there fault tolerant or redundant components that control access to the company's trusted systems to and from all external networks (e.g. firewalls, routers, web servers, application servers, etc.)?

37. Are software audit tools in place to detect unauthorized access and unauthorized changes to or removal of data, which will assist in post mortem analysis and system corrections?

Security Compliance
38. Are all security relevant actions on all systems logged?

39. Are security logs reviewed at least daily for suspicious activities?

40. Are the employees designated to respond to suspected intrusions trained in the handling of forensic evidence, law enforcement involvement and press relations?

41. Are there regular security reviews of IT systems by internal audit personnel or a trusted third party?

42. Are there documented incident management processes to respond to suspected intrusions detected on any components that control access to the company's trusted systems to and from all external networks (e.g. firewalls, routers, web servers, application servers, etc.)?

43. Are there comprehensive penetration tests conducted at least once a month to verify the security of the company's perimeter network controls (e.g. firewalls, external routers, remote access servers, etc.)?

Wireless Applications
44. Does your organization follow IEEE Standards 802 for your wireless networks?

45. Does your organization use only IP Security VPNs (Virtual Private Networks)?

46. Are wireless transmissions encrypted with at least 128 bit WEP?

47. Are your WLANs (wireless LANs) installed outside the firewall?

48. Have the default security features of the products that are used to facilitate your wireless network been activated?

49. Have you changed the default key on your WLANs?

50. Do you restrict the knowledge of the new key to an "absolute need to know" basis?

51. Are keys changed immediately upon the knowledge of a lost or stolen laptop?

52. Are there regular WLAN audits to detect rogue WLAN connections?

53. Do you define and distribute security policies on WLAN and educate your employees on the risks associated with wireless networking?

Intellectual Property/Content Injury Exposures
54. Has legal counsel checked that your domain name does not infringe upon another’s trademark?

55. Is material of others (i.e. content, videos, graphics, music, metatags, etc.) used in the web site? If “yes,” has the applicant obtained the written right to use this material in each case?

56. Is there a review process in place to screen content of the web site?

57. Does the web site review process include review by a qualified attorney for possible libel, slander, trademark infringement, invasion of privacy, copyright infringement, inaccurate information or trade secrets?

58. Do new engineering, research or development employees and “work-for-hire” contractors sign a statement to the effect that they will not distribute or use previous employers’ or clients' trade secrets?

59. Do agreements with outside consultants providing content or material for your web site include a provision regarding the use of your intellectual property?

60. Does the applicant offer a bulletin board or chatroom at its web site? If yes, please answer the following questions:
a) Who manages the bulletin board/chatroom?
b) If a subcontractor, are “hold harmless” agreements for liabilities arising out of its use required?
c) Can the applicant remove any posting at its sole discretion and does the ISP agreement allow the applicant to do so?

61. If the applicant’s web sites contain links to the web sites of others, is written permission obtained from the owners of those web sites?

62. Does the applicant have written policies and procedures addressing actions to be taken in the event of an extortion demand? If no, please provide a proposed implementation date of such policies and procedures.

Copyright 2002-2021 by Zurich Services Corporation. All rights reserved.