Information Security Audit

This self-audit is the first step in information security planning. It will help you to identify potential information security risks for your organization. Score 5 points for each “Yes” answer and check the shaded box below to rate your information security program.

Yes No

Employee Requirements

I-9s on file for employees hired after 11/86
All employees have signed a confidentiality agreement
Employment history verification for all employees covering the last seven years
Pre-employment criminal records search for all employees
Pre-employment drug screening tests on file for all employees (if applicable)
Yes No Operational Requirements
Organization has written policies and procedures concerning information security
Organization complies with federal information destruction laws by shredding confidential customer information including any document that contains customer addresses, phone numbers or social security numbers
All employees know which documents to recycle and which documents to shred
Records retention program in place so that no files are kept longer than necessary
Alarm system is in place when the building is unoccupied
Receptionist or a security person at all entrances to admit employees and guests
Guest log system in place to register guest and record the nature of their visit
Guest logs kept for a minimum of 90 days
Guests wear a visitor’s nametag with a corresponding number
Company personnel escorts guests from entrance to the designated meeting area
Yes No Computer Requirements
All computers are password protected
File backup for all critical company information
Firewall and virus protection systems in place for all computers
Intruder detection implemented on all servers and workstations containing data classified as high risk
All connections to the Internet go through a properly secured connection point to ensure the network is protected when the data is classified high risk
Total Points


Points: Excellent Information Security- Just a couple of issues to be corrected
80- 90
Points: Good Information Security- Some issues need to be corrected
70 – 80
Points: Fair Information Security- Many issues need to be corrected
Points: Poor Information Security- Seek professional information security assistance