Information Technology Governance: Security Self-Assessment Questions

A fillable form is available for download and completion online at https://www.osc.ny.gov/files/local-government/publications/pdf/IT-Governance-Self-Assessment-Form.pdf

Written IT Contingency Plan

Because no computer system can be expected to operate perfectly at all times, unplanned service disruptions are inevitable. A disruptive event could include a power outage, software failure caused by a virus or malicious software, equipment destruction, inadvertent employee action or a natural disaster, such as a flood or fire. The plans, policies, procedures and technical measures that help enable the recovery of operations after an unexpected IT disruption are collectively referred to as IT contingency planning.

Physical security controls restrict physical access to computer resources and protect those resources from intentional or unintentional harm, loss or impairment. Such controls include guards, gates and locks, and also environmental controls such as smoke detectors, fire alarms and extinguishers, protection from water damage and uninterruptible power supplies.

Networks that are connected to the Internet are physically connected to unknown networks and their users all over the world. While such connections are often useful, they also increase the vulnerability of IT systems and electronic data to access and attacks from unauthorized individuals.

Wireless networks are exposed to many of the same types of threats and vulnerabilities as wired networks, including viruses, malware, unauthorized access and data loss. However, they are considered inherently less secure than wired networks because data are transmitted into the air and can potentially be intercepted and misused by individuals with malicious intent. Also, because wireless networks are often used as extensions of wired networks, even minor IT security weaknesses on wireless networks can expose internal network resources to additional threats.