A CIO’s Simple IT Security Checklist

March 26th, 2019 by Ashlee Colliver

There was a time when those who refused to utilize technology could still thrive in business. That time is certainly over. Small businesses of all shapes and sizes must now embrace technology to maintain operational efficiency and compete in today’s market. But with new technology comes new risk and where there is new technology there must also be the security infrastructure to support and protect it.

As we accelerate headlong into the 2020s, digital security grows ever more ubiquitous, sophisticated, and necessary. With an increased reliance on “The Internet of Things,” a proliferation of hardware and software attacks on businesses, and the ripple effect of GDPR (still a concern for those who do business in or with Europe), we all face a challenging road ahead.

With this in mind, we have compiled a checklist of concerns for the mindful CIO. This list will give you peace of mind in the areas where you are doing well while also helping to expose areas for development.


Effective IT security starts with a top-down audit of your entire IT infrastructure. Take a look at these elements of your infrastructure and ask yourself some searching questions about whether they’re fit to handle the demands of business in 2019.

  1. Virtual and Physical Servers

    • Do you know who has access onsite and remotely to your servers?
    • Are you using the right encryption method?
  2. Firewall

    • Do you have a commercial-grade firewall?
    • Do you have a methodology for blocking malicious websites?
  3. Wireless Network (Internal vs. Guest)

    • Do you know your encryption method for your internal WiFi? Do you allow guests to use your internal WiFi?
    • Do you have a guest network? Do you require a password for guests to get on your guest WiFi?
    • Do you manage your vendors’ connections to your WiFi?
  4. Remote Access (Employee vs. Vendor)

    • Do you offer the right methods for employees to connect to the network remotely?
    • Do you allow vendors or partners to connect remotely, and if so, how do they connect?
  5. Storage (On-site, Off-site, Data Recovery)

    • Do you have offsite backup and storage?


In the mobile age, telecommuting has grown increasingly widespread, and employees are empowered to carry out various duties at home or on the road. But with mobility comes a fresh set of risks. Ask yourself:

  1. Wireless vs. Wired Voice and Data Communications

    • Do you have a company-issued cell phone?
    • For personal cell phones, do you enforce a PIN code to unlock the phone?
    • Do you have an MDM? Can you remote wipe a device?
    • Is your phone system VoIP?
    • Is your VoIP system cloud based?
    • Do you require employees to use a secure messaging solution for work-related items instead of SMS?
  2. Switches/Routing of Voice and Data

    • Is your switching PoE? Is it connected to a firewall?


Your business’ operations are powered by a range of software. Some of it may be generic office software, some of it may be more esoteric, but whatever you use, you need to consider these important questions.

  1. Authentication

    • Do you have a protocol regarding who gets access to what?
  2. Data Recovery, Protection and Security

    • Do you back up your software data?
  3. Data Transmission

    • Do you transmit data to outside vendors and/or partners? How is the transmitted data encrypted?


It’s not enough to have technical security safeguarding your data; you also need strict procedures in place to determine how it is used and accessed. Even the most sophisticated encryption is rendered ineffective without a strong system of governance. Think about:

  1. Corporate Security Plan (User Access Control, Passwords)

    • Do you require users to change passwords, both for software applications and for the network?
  2. Business Continuity Plan

    • Do you have a business continuity and disaster recovery plan? Is it reviewed / updated regularly?
  3. QA/QI and Auditing

    • Are random security audits and stress testing performed?
  4. Technology Steering Committee / PMO

    • Do you have a technology steering committee?
    • Do you have a PMO and an approval process for projects?
  5. Maintenance and Downtime Policies

    • Do you appropriately schedule downtimes for updates and patches?
    • Do you have a process for managing critical security updates?
  6. Security Training

    • Do you require staff to complete the following types of training as part of their onboarding or annual competencies? HIPAA? Cybersecurity?


Even when you have a robust digital security infrastructure, there are still physical considerations for businesses. A CIO worth their salt must consider:

  1. Access Control

    • How do you control physical access to the following areas, and do you log who accesses them? (Server Room, MDF, IDF, etc.)
  2. Physical Device Locations

    Even if you’re completely reliant on the cloud for your IT needs, your security can still be compromised through access to your physical devices. With that in mind, it’s important to consider:

  3. Public vs. Private

    • Do public devices have a logout / timeout period?
    • Do private devices that may be visible to the public have privacy screens on them? Do they auto logout after 5-10 minutes?
    • Do devices in private locations require a login?

So, having considered all the factors that make up your enterprise’s IT security, how confident do you feel? Are you firing on all cylinders? Or is there still room for improvement? A chain is only as strong as its weakest link, which is why even confident CIOs can benefit from completing a Technology Strength Assessment.

This is an extremely useful tool for highlighting weak links in the chain of your business technology security. It can inform your ongoing security strategy and protect your enterprise from malicious digital and physical attacks.
