Do You Have Proper IT Control Documentation?

1. Do you have a report that summarizes IT controls (data security and business continuity planning policies and procedures) — to provide a link between the server room and the board room?
2. Have you documented employee IT policies regarding hiring, performance reviews, and termination — to protect the organization and provide clear communication and feedback?
3. Have you documented and discussed the company's Internet use policy so that employees know what type of activity is not allowed — for example, because it might compromise the company's computer system and data?
4. Have you documented the critical network information stored in your IT professionals' heads — so that you are not vulnerable to loss of key personnel?
5. Do you have a way to monitor daily backups (like a calendar with sign-off) — so you can be sure that backups continue to take place even when an employee is on vacation or sick?
6. Do you test your backup systems and record the results — so that you can prove they work, learn from any problems, and allow proper monitoring by management?
7. Do you have a list of employee phone numbers (and their emergency out-of-area contact information) stored offsite — in case of a major disaster?
8. Have you documented critical customer and vendor contact information and stored it offsite — so that it is accessible after a major disaster?
9. Have you documented and discussed disaster recovery procedures — so that employees know when, where, and what to do after a major disaster?
10. Do you have a published disaster recovery plan with copies stored offsite - to help you recover more quickly after a major disaster?