General Technology Assessment

1. Do you have robust IT controls and disciplines in your business?

Yes, absolutely. We have made security, and in particular IT security and cyber-crime, a core strategic focus of our business and an integral part of our risk management process.
Yes, we have an IT governance framework with robust IT policies and data controls, a data security manual and comprehensive system protocols in place.
Yes, while we follow tried-and-tested IT best practice policies and procedures, and these are aligned to the overall governance policy of our business, we still seem to be behind the curve.
To a limited extent. While we have some controls (e.g. physical, firewall and password controls) to protect our IT systems, we lack an integrated policy to ensure overall IT security.
No, we have almost no real IT security policy or IT controls/discipline, OR we find that policies (e.g. password changes) are not followed by staff.
No, not at all. We have no documented IT controls in place and rely merely on password protection to control access to our systems and data.

2. Is there a culture that endorses security, password control, data management and cybercrime awareness in your business?

Yes, absolutely. We have been proactive and have put preventative measures in place 24/7 against a variety of potential attacks on our business arriving through multiple channels, not just e-mail, including theft of computers (laptops/tablets/desktops), encryption of sensitive mails/records and cyber fraud, and we have issued best practice guidelines to customers and staff.
Yes, to a large extent. As part of our HR employee induction programme and ongoing staff education and training, a specific focus is placed on security, IT security, IT disciplines, data back-up, password controls, cybercrime awareness, social media and internet usage, and the threat of data theft, hacking, phishing, impersonation, sabotage, ransomware and malware.
Yes, we ensure that the confidentiality of all passwords and password disciplines is tightly maintained, that strong passwords are used and that these are regularly changed by users. We ensure that all departing or suspended employees are immediately removed from access to all systems.
Yes, to a degree. Levels of access to all our vital hardware systems, programs, drives, servers, files and banking systems are controlled by passwords or other similar security measures.
No, not really. Other than the use of basic anti-virus software and firewall controls, we have not taken any specific security measures.
No, not at all. We have no specific focus on IT security in the business, and we face major challenges around password controls, basic system access disciplines and the opening of unsolicited e-mails.

3. Do you have back-up power (UPS) in place to ensure continuity of operations and integrity of data records in the event of power outages or other disruptions?

Yes, absolutely. It is imperative that our business has sufficient back-up power supply from generators, UPS or inverter devices, as our systems need to be available and accessible 24/7 and any outages and down-time would have a material impact on business processes and controls, service levels, enquiries and sales.
Yes, we make use of an outsourced data centre, which has enabled us to mitigate some of the risks of power outages and a lack of system back-up capacity, as well as lowering the risk of loss of data.
Yes, to a degree. We make use of basic UPS back-up power devices to ensure continuity of our business operations and systems availability, but remain vulnerable to extended outages.
No, we have not taken any specific steps around back-up power and rely almost entirely on the efforts and actions of our landlord in this area.
No, not at all. We have no back-up power in place and merely try to keep laptops, tablets and phones fully charged at all times.

4. Do you ensure that you update your virus protection or anti-virus software, mail management and operating software, personal firewall software and other associated security controls on a regular basis?

Yes, absolutely. We ensure that our operating system, anti-virus software, firewall software and other associated security controls are updated on a regular basis and that we are running the latest version/release and updates of the respective software.
Yes, to a large extent. We run security software and receive threat alerts. We try to ensure that we have no weak configurations in place.
Yes, we try to ensure that our operating system and security software are updated on a regular basis and that our licences are current.
Yes, to a degree. We rely almost entirely on updating our anti-virus, anti-malware and firewall protection from free versions available online.
No, not really. We are careful around opening unsolicited mails, but we have outdated anti-virus and anti-malware software loaded and rely purely on the bank's security to protect our online banking.
No, not at all. We get minimal e-mail, run mainly stand-alone off-line applications, use smartphones for much of our communication and have removed the security software from most PCs as it was slowing them down and impacting other programs we run.

5. Is all your data secure and regularly backed up off-site or in the cloud?

Yes, absolutely. As our business has high-value data, we have the required tested redundancies, physical controls of hardware, encryption of information, back-ups and a secondary peripheral computer system in place that takes over if our primary unit or other essential systems fail.
Yes, to a large extent. We have daily automated routines, which are monitored, to ensure that all our data and records are backed up off-site or to cloud storage.
Yes, we require all staff to do daily back-ups to the cloud of their data stored on our server, including data files stored on laptops or tablets.
Yes, to a degree. We currently back up our data on a weekly basis to a removable hard drive, which is then taken to the business owner's home. We have never tested our back-up or attempted a full restore.
No, not really. While we endeavour to do weekly back-ups to an external hard drive, these are not always done, for a variety of reasons. We have never done a restore.
No, not at all. We have no formalised disciplines around back-ups and rely on each staff member to secure their own data and keep hard copies of records and mails.

6. Have you suffered theft of computer equipment, data loss, systems failure or a systems security incident such as hacking, phishing, malware or ransomware?

No, not at all. We have a very secure IT environment and appropriate locks on all our desktops and laptops, and due to our IT and e-mail disciplines and data back-up routines we have not suffered a data loss or security incident.
No, our website and servers are externally hosted by reputable organisations, our internet service provider blocks spam, unsolicited mails and viruses, we have anti-virus software on all machines, we have applied the latest operating system patches and our data is backed up daily off-site.
No, but numerous viruses have been detected by our anti-virus software and blocked by our firewall.
No, not to date, but we have received a number of bogus e-mails, fabricated letterheads and calls from syndicates attempting to get data details changed in order to obtain our banking details and passwords, solicit unauthorised payments or have payments diverted to third-party bank accounts.
Yes, to a limited degree. Despite controls, we have suffered theft of computers and/or a deliberate and malicious disruption of service due to the installation of malware on our server.
Yes, we have suffered multiple thefts of computers/laptops and/or have had our website hacked and rendered unusable.
Yes, definitely. We have had sensitive information go missing on stolen computers, and/or we have lost data as a result of unexpected power failures with no recent back-ups held on more than one occasion, and/or a disgruntled employee has threatened us with the theft of sensitive data/information.

7. Do you have appropriate and suitably qualified IT resources supporting your systems and network, and is your business/organisation vulnerable to IT services provided by a particular individual or outsourced third party?

Yes, absolutely. We have satisfied ourselves that the outsourced IT support service provider we use has ensured continuity of service provision and has robust disciplines around the staff they employ, rigid controls around access to our live data, maintenance of the confidentiality of information, data back-ups, controls around any changes made to our systems or programs, and version control.
Yes, we obtained references from a number of customers before appointing our outsourced IT support service provider and have a comprehensive Service Level Agreement (SLA) in place with them.
Yes, although we are reliant on a single resource for our IT maintenance and support, we have ensured that we have the necessary access to source code and system access details, as well as the necessary alternative back-up and support to ensure continuity in the event of that resource's absence due to illness or other eventuality.
Yes, to a degree. Our IT service provider, with whom we have a formal maintenance/support contract, only makes use of appropriately certified IT resources that are vetted and selected by them.
No, we are not in control of all our IT or data services, are very reliant on a single service provider and don't fully understand the powers and capabilities which the parties carrying out these roles have.
No, not at all. We rely on an in-house person who has this responsibility in addition to other duties. We are aware of their limitations, and any problems are solved by ad-hoc external service providers.

8. Do you have a social media policy, and are you managing bandwidth, data usage costs and internet usage?

Yes, absolutely. We have an effective mail management system, robust internet and e-mail usage policies and site blocking/firewall shaping in place to ensure that security and system integrity are not compromised, that bandwidth availability and productivity are optimised and that potential staff abuse of the internet and social networking sites is managed.
Yes, HR and IT policies around the use of social media are enforced, and abuse of the internet and social networking sites is proactively managed.
Yes, to a degree. We have been forced to restrict internet access to a limited number of people in the business, as it was being abused for personal use and the incidence of viruses escalated to unacceptable levels.
No, we have encouraged all staff to make use of the internet and social media in order to promote our business and to add value to their job role wherever possible.
No, not at all. We do not have a social media policy in place, nor do we proactively manage internet usage; we rely on staff not to use the name of the business in unofficial/private communication, or to abuse/misuse our internet connection and bandwidth.

9. Do you use only licensed software?

Yes, absolutely. We ensure that the business only makes use of the latest versions of reputable, widely used, secure, tried-and-tested, easy-to-use, compatible and licensed software that enjoys widespread back-up, continuity and support.
Yes, we have ensured that we only make use of licensed software, have cancelled the licences of software no longer being used and have destroyed any unlicensed copies of software.
Yes, to a degree. We rely on our IT support services to update our software and to attend to any licensing requirements of software being used in our business.
No, we have not complied with the requirements of a number of our software licences and are using outdated versions as well.
No, not at all. We have a number of unlicensed and pirated software applications running in our business.

10. Is your website effective and secure?

Yes, absolutely. Our website is an integral part of our business, as online business forms a large and key portion of our turnover. While our site is externally hosted by a leading global player, we continually check the ongoing effectiveness of the site from a content, security and functionality perspective. We make use of displays, flash features and mobile displays, and we optimise for search engines by using keywords and ad words.
Yes, the growth in our online business has forced us to focus on the functionality and security of our website and to employ professional service providers and experts in this area.
Yes, to a degree. We have been forced by our competition and by new competitors entering our market to improve the effectiveness, online capability and capacity of our website.
No, we are struggling to keep up with the latest technology and the costs of maintaining our website at the cutting edge from a content, functionality and security perspective.
No, not at all. Our website is locally hosted, very static and outdated, not interactive, and is used merely to give out the address and contact numbers of our business and a very basic overview of what we do and/or the products and services we offer.

Score

Score 0 to 29
Your score indicates that your IT controls and IT disciplines are totally inadequate, and that this exposes your business/organisation to massive risk. While the full extent of your vulnerability will depend on the relative importance of technology to your business (e.g. how important eCommerce is to you), we urge you to address this as a matter of great urgency (a top priority), as the digital revolution will make this even more critical in the future. We suggest that you start with a well-crafted IT risk policy (see Resources for a sample).

Score between 30 and 44
Your score indicates that technology (specifically your lack of IT controls and discipline) represents a very significant risk to your business/organisation. While the relative importance of this risk depends greatly on the extent to which you rely on technology (e.g. eCommerce for sales), we urge you to treat this as a matter of urgency and to start by adopting an IT risk policy and identifying (and managing) your specific technology risks. This is especially important as technology is sure to become an even bigger driver/risk in the future.

Score between 45 and 54
Your score indicates that technology (specifically your lack of IT controls and discipline) represents a fairly significant risk to your business/organisation. While the relative importance of this risk depends greatly on the extent to which you rely on technology (e.g. eCommerce for sales), we urge you to give this area attention in the near future. This should be treated with a greater sense of urgency if your business is highly dependent on technology (e.g. if a failure in technology could significantly impact your ability to deliver products and services). We recommend that you start by adopting a solid technology risk policy, identifying (and managing) your specific technology risks, and assessing vulnerabilities with the technology checklist; both are available under Member Resources. This is especially important as technology is sure to become an even bigger driver/risk in the future.

Score between 55 and 64
Your score suggests that you could and should improve your IT controls, but that this area probably does not represent a massive risk (generally). There may, however, be some vulnerability in a couple of areas that should be addressed in the reasonably near future.

Score between 65 and 79
Your score suggests that you probably have strong IT controls and are therefore probably not hugely at risk. We would, however, recommend that you identify possible areas of weakness and address these in due course.

Score 80 and above
Your score suggests that you have strong IT controls and discipline and have therefore greatly reduced your risk in this area. We would, however, still advise you to identify possible areas of weakness and address these in due course.

Resources

We strongly suggest that you download our Establishing an IT Policy document under Member Downloads/Other Downloads. We also suggest you download our Technology Risks and Checklists document under Member Downloads/Checklists.