Please answer YES or NO to each of the following questions:

1. Do you have a documented policy for information retention, including responsibilities and scheduling?

2. Do you know the impact of downtime of every software application and system?

3. Do you have a classification structure for defining information sensitivity?

4. Is MAC address filtering enabled for access to your wireless network?

5. Does your business continuity plan include staged recovery in accordance with your business priorities?

6. Are all IT investments supported by a solid business case?

7. Is there an audit trail of access to secure areas, such as computer rooms or secure office areas?

8. Do your incident response procedures classify problems and help determine root causes for problems?

9. Does a record exist of who has access to applications and systems containing sensitive information?

10. Do you regularly test your backup & recovery procedures?

11. When working with 3rd parties, do you document information security matters, such as intellectual property and privacy?