1. Information that should be on record for a security survey.
A. Date survey initiated and completed.
B. Name of each facility and/or site.
C. Surveyed company's name.
D. Surveyed company's address.
E. Surveyed company's CEO/Director/Manager.
F. Surveyed company's officers.
G. Facility contacts and their phone numbers.
H. Main facility telephone numbers.
I. Emergency telephone numbers for all facilities.
J. General purpose of each site.
K. Range of hours of use for each site.
L. Facility ownership records.
M. Number of people who have access.
N. Who performs facility maintenance?
O. Maintenance schedule.
P. Estimated dollar value of equipment and property in each department, office, and facility.
Q. Location of areas with highest dollar value.
R. Location of areas containing sensitive material.
S. Historical security problems with the site going back 5 years:
1. Abductions?
2. Alarms?
3. Batteries?
4. Bomb threats?
5. Burglaries?
6. Disorderly situations?
7. Domestic violence involving employees (both on and off company property)?
8. Employee "down" reports?
9. Fights?
10. Fires?
11. Homicides involving employees?
12. Intoxicated employees?
13. Missing or runaway juveniles found on your property?
14. Open doors or windows?
15. Police requesting to execute an arrest warrant on your property?
16. Reports of employee-involved child abuse?
17. Robbery involving employees?
18. Sexual assaults on company property or involving employees off property?
19. Shootings?
20. The death of an employee on company property?
21. Traffic accidents?
22. Vehicle and vessel thefts (both employee- and company-owned vehicles)?
23. Theft (internal and/or external)?
24. Shoplifting?
25. Vandalism?
26. Armed robbery?
27. Checks?
28. Fire safety?
29. Other offenses?
T. Site description.
U. Obvious security problems (if applicable).
V. What are the physical boundaries of the facility grounds? (Include drawing.)
W. Attach the following drawings, sketches, plans, or schematics:
1. Facility perimeter.
2. Topography.
3. Perimeter barriers.
4. Neighboring facilities.
5. Ingress/egress points.
6. Facility and exterior roadways.
7. Facility locations.
8. Storage locations.
9. Locations of doors, windows, and similar openings.
10. Alarm placement and diagrams (schematics).
X. Review all corporate security materials including: (1) chain of command by individual and job description; (2) corporate security plan; (3) security training manuals; etc.
Access Control Systems/Functions
2. Is the facility staffed 24 hours per day?
3. What type of access system provides entrance into the facility?
4. Who is responsible for authorizing facility entry?
5. Are there effective procedures for authorizing facility entry?
6. Does the facility have an enforced limited-access policy?
7. Are there effective procedures for authorizing facility entry in abnormal situations (emergencies, outside of normal hours, etc.)?
8. Is there a physical access control system limiting access to the facility?
9. Are all doors kept closed and locked?
10. Is there an independent verification of a request for facility entry authorization?
11. Is positive identification required for a person to receive facility entry authorization?
12. Are all entrances to the facility, including emergency, equipment, and maintenance portals, controlled?
13. Are there multiple entrances to the facility?
14. How many facility entrances are there?
15. How many facility entrances are available for personnel access:
A. At all times?
B. Only during normal working hours?
C. Only during normal arrival or departure hours?
16. Is facility entry controlled during normal working hours?
17. Is facility entry controlled after normal working hours?
18. Does the company utilize access control procedures to limit access into the facility?
19. What areas are these systems located in?
20. Are card access reading systems utilized?
21. If so, what type of card is issued (such as optical scan, Wiegand, magnetic-stripe, or proximity)?
22. Is the access control card also used as an employee badge?
23. Are biometric technologies used in access control?
24. If so, which one (such as retinal scan, hand geometry, fingerprints, keystroke, signature, or voice)?
25. Is the system controller on an independent PC-based system?
26. Are the access control door locks electric or magnetic strike locks?
27. Is facility entry controlled by a guard(s)?
28. Does the guard permit facility entry by:
A. Visual recognition?
B. Verifying ID from a list?
C. Badge with no photo?
D. Badge with photo?
E. Other (specify)?
29. Are employee identification badges worn in the facility area?
30. Are vendors and visitors required to wear identification badges in the facility area?
31. Are visitors and vendors required to sign in before entering the facility?
32. Is it policy to provide a staff escort for visitors, vendors, and service personnel:
A. In the perimeter zone?
B. In the perimeter zone during normal business hours?
C. In the perimeter zone outside of normal business hours?
D. In the facility housing the computer equipment?
E. In the facility housing the computer equipment during normal business hours?
F. In the facility housing the computer equipment outside of normal business hours?
G. In the facility?
H. In the facility during normal business hours?
I. In the facility outside of normal business hours?
J. In the computer room?
K. In the computer room during normal business hours?
L. In the computer room outside of normal business hours?
33. Are there procedures permitting facility access to emergency personnel in case of fire, major power outage, or other emergency or disaster?
34. Does the area entry/exit record provide notation for time in, time out, identification of entrant, and authorization mechanism?
35. Are there monitors (e.g. CCTV, guards, etc.) and alarms for all facility entrances?
36. Who issues badges (Security or a receptionist)?
37. Are Security personnel notified of employees who are permitted to enter the facility outside of normal working hours?
38. Is facility entry controlled by a key? (Is there a key override for the other perimeter access control systems?)
39. How many persons have keys to the facility?
40. Is it difficult to duplicate facility keys (e.g. do keys have engraved instructions prohibiting their duplication, are they made on special blanks not available to others, etc.)?
41. Is facility entry controlled by a cipher lock(s)?
42. How many persons have the combination to the facility cipher lock(s)?
43. Is the combination to the facility cipher lock(s) changed on a regular basis?
44. Is facility entry controlled by magnetic badge/card/key-card readers?
45. How many persons have magnetic cards, badges, or key cards permitting entry to the facility?
46. Are authorization lists and control mechanisms allowing facility entry updated when a person's entry authority is revoked?
47. When a person is no longer authorized for facility entry, are:
A. Authorization lists updated?
B. Locks/combinations changed?
C. Keys/badges/cards surrendered?
D. Other (specify)?
48. Is access to the facility and to resources denied quickly enough to prevent damage to resources by a person who no longer has authorized access to the facility?
49. Do employees challenge persons in the facility if they are not properly badged?
50. Is there a control on badges, keys, combinations, and/or cards used for facility entry?
51. Are entries to or exits from the facility by employees recorded at any time?
52. How are employee facility entries/exits recorded?
A. Magnetic key card?
B. Sign-in register?
C. Microprocessor?
D. Other (describe)?
53. Are facility entries/exits by employees recorded during:
A. Normal working hours?
B. Outside of normal working hours?
C. Emergency situations?
54. How are non-employee facility entries/exits recorded?
A. Magnetic key card?
B. Sign-in register?
C. Microprocessor?
D. Other (describe)?
55. Are facility entries and exits by non-employees recorded:
A. At any time?
B. During normal working hours?
C. Outside of normal working hours?
D. During emergency situations?
56. Do all regularly-used facility entrances have monitors and/or alarms?
57. Do facility emergency exits and other not-regularly-used operating entrances have monitors and/or alarms?
58. Do facility entrance/exit monitors transmit to a location where timely action will be taken?
59. Do facility entrance/exit monitors and/or alarms transmit to:
A. A main guard station off-site?
B. A guard station in another facility?
C. A guard station in the same facility?
D. Other (specify)?
60. Is a record from the facility entrance/exit monitors and/or alarms kept in some form available for audit?
61. Are there documented guidelines for evaluating appropriate responses to notifications from facility entrance monitors and/or alarms?
62. Are appropriate procedures for responding to a notification from facility monitors and alarms defined and documented?
63. Are personnel trained or drilled in how to respond to facility monitors and alarms?
64. Are the facility's ground-level doors kept locked or guarded at all times?
65. Does the facility have exterior doors anywhere other than at ground level?
66. Are the facility's other-than-ground-level doors kept locked or otherwise controlled at all times?
67. Does the facility have windows?
68. Are the facility's windows kept locked or else barred or screened with a material that would prevent intrusion?
69. Are facility windows made of material that resists breaking and shattering?
70. Has the fire department been alerted that facility windows are made of material that resists breaking or shattering?
71. Are emergency exits from the facility operable only from within?
72. Is there one power source for the control unit, readers, and the locks?
73. Are the systems equipped with battery back-up?
74. Do the access controlled doors employ contacts which indicate whether the door is open or closed?
75. Are these doors equipped with "hold open" alarms?
76. Does each reader have an alarm shunt relay?
77. Does each door have a tamper or forced entry relay?
78. Does each door have an exit button or sensor located on the inside to facilitate egress from the controlled area?
79. Does the system provide an audit trail which records:
A. The user's identification number?
B. The user's access control location?
C. The time and date of the access attempt?
D. Whether access was allowed or denied?
80. Is this information relayed to a logging transaction printer?
81. Is this audit trail transferred to a computer storage and printing system?
82. Is the information concerning user identification kept updated?
83. How often is this done and by whom?
84. Are there special procedures for the immediate removal of a user from this system?
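The audit trail fields asked for in item 79 and the revocation questions in items 46-48 and 84 can be checked against each other. As an added example (not part of this survey), the following Python script reads a constructed audit-trail export in an assumed four-column CSV layout (timestamp, user ID, reader location, ALLOW/DENY) and reports, for each revoked credential, every entry the controller still granted after the revocation and how long the credential stayed usable.

```python
"""Reconcile an access-control audit trail against a revocation register.

Added example, not part of the survey. Assumes a hypothetical CSV export
with the four fields the survey's item 79 asks for: timestamp, user ID,
reader location, and ALLOW/DENY.
"""
from __future__ import annotations

import csv
from dataclasses import dataclass, field
from datetime import datetime
from io import StringIO

# Constructed sample audit trail (not from any real controller).
AUDIT_TRAIL = """\
timestamp,user_id,reader,result
2024-03-04T07:58:10,U1042,LOBBY-MAIN,ALLOW
2024-03-04T08:01:33,U2210,LOBBY-MAIN,ALLOW
2024-03-04T12:14:05,U1042,SERVER-ROOM,ALLOW
2024-03-04T18:22:47,U1042,LOBBY-MAIN,ALLOW
2024-03-05T06:40:12,U1042,LOADING-DOCK,ALLOW
2024-03-05T09:03:50,U1042,LOBBY-MAIN,DENY
2024-03-05T09:10:00,U2210,SERVER-ROOM,DENY
2024-03-06T07:55:21,U3305,LOBBY-MAIN,ALLOW
"""

# Constructed revocation register: when security recorded that the person
# was no longer authorized for facility entry (survey item 47).
REVOCATIONS = {
    "U1042": datetime(2024, 3, 4, 12, 0, 0),  # employee terminated at noon
    "U2210": datetime(2024, 3, 5, 9, 0, 0),   # contractor off-boarded
}


@dataclass(frozen=True)
class Event:
    when: datetime
    user_id: str
    reader: str
    allowed: bool


@dataclass
class Finding:
    user_id: str
    revoked_at: datetime
    allows_after: list[Event] = field(default_factory=list)
    first_deny_at: datetime | None = None

    @property
    def exposure_seconds(self) -> float:
        """Seconds from revocation to the last ALLOW the controller granted."""
        if not self.allows_after:
            return 0.0
        return (self.allows_after[-1].when - self.revoked_at).total_seconds()


def parse_audit_trail(text: str) -> list[Event]:
    """Parse the CSV export into Event records sorted by time."""
    events = []
    for row in csv.DictReader(StringIO(text)):
        events.append(Event(
            when=datetime.fromisoformat(row["timestamp"]),
            user_id=row["user_id"].strip(),
            reader=row["reader"].strip(),
            allowed=row["result"].strip().upper() == "ALLOW",
        ))
    return sorted(events, key=lambda e: e.when)


def reconcile(events: list[Event],
              revocations: dict[str, datetime]) -> dict[str, Finding]:
    """For each revoked user, collect post-revocation ALLOWs and first DENY."""
    findings = {}
    for user_id, revoked_at in revocations.items():
        f = Finding(user_id, revoked_at)
        for e in events:
            if e.user_id != user_id or e.when <= revoked_at:
                continue
            if e.allowed:
                f.allows_after.append(e)
            elif f.first_deny_at is None:
                f.first_deny_at = e.when
        findings[user_id] = f
    return findings


def overdue(findings: dict[str, Finding], max_lag_seconds: float) -> list[str]:
    """User IDs whose credential stayed usable longer than policy allows."""
    return sorted(uid for uid, f in findings.items()
                  if f.exposure_seconds > max_lag_seconds)


if __name__ == "__main__":
    result = reconcile(parse_audit_trail(AUDIT_TRAIL), REVOCATIONS)
    for uid, f in result.items():
        print(f"{uid}: {len(f.allows_after)} ALLOW(s) after revocation, "
              f"exposure {f.exposure_seconds:.0f}s, first DENY {f.first_deny_at}")
    print("overdue (policy: 1 hour):", overdue(result, 3600))
```

In the constructed data the terminated employee's card keeps opening doors, including the server room, for more than 18 hours after the revocation was recorded, which is the gap item 48 asks the surveyor to measure.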
85. Are there operating plans designed for the system during an emergency?
86. Are these systems installed in accordance with fire and facility codes?
87. Does the security level of the system match the security threat of the area where access is being limited?
88. Is the system designed to accommodate the amount and type of user traffic?
89. Is the system designed and located in an area that limits environmental exposure?
90. Is preventive maintenance and cleaning regularly scheduled?
91. What are the optimal intervals for these services?
92. Is this service provided by a vendor or in-house personnel?
93. Is the access control system alarmed to preclude tampering?
94. Who responds to the alarms?
95. What is the required response time to an alarm?
96. Do operations or other employees monitor the activities of emergency personnel when they are servicing the computer rooms, employee areas, facility, or equipment?
97. Do operations or other employees monitor the activities of service personnel (a large part of the "invisible people") when they are servicing the computer rooms, employee areas, facility, or equipment?
98. Do operations or other employees monitor the activities of other "invisible" personnel (e.g. vending machine suppliers, protective force, janitors, health and safety personnel, etc.)?
99. Is the facility alarmed?
100. What type of alarm system is used?
101. Which of the following perimeter alarm sensors are used in your facility (Where are they placed? What are they protecting?)
A. Tape?
B. Mechanical switches (doors, windows)?
C. Break wire (in walls, floors, ceilings)?
D. Magnetic switches - unbalanced?
E. Audio?
F. Vibration?
G. Ultrasonic?
H. Microwave?
I. Passive infrared?
J. Infrared break beams?
K. Capacitance?
L. CCTV?
M. Biometric?
N. Other?
102. Which of the following window alarm sensors are used in your facility (Where are they placed? What are they protecting?)
A. Mechanical?
B. Magnetic?
C. Break wire?
D. Alarm tape?
E. Capacitance?
F. CCTV system?
G. Vibration detectors?
H. Acoustic detectors (microphones)?
I. Infrared/photoelectric break beams?
103. Which of the following interior protection alarm sensors are used in your facility (Where are they placed? What are they protecting?)
A. CCTV system?
B. Volumetric?
C. Infrared/photoelectric break beams?
D. Infrared motion detection system?
E. Ultrasonic motion detection system?
F. Microwave motion detection system?
G. Vibration detectors?
H. Acoustic detectors?
I. Thermal detectors?
J. Other?
104. Which of the following ventilation and duct protection measures are used in your facility (Where are they placed? What are they protecting?)
A. Physical barriers?
B. Acoustic baffles?
C. Break wire?
D. Infrared/photoelectric break beams?
E. Magnetic?
F. CCTV system?
G. Heat detection?
H. Capacitance?
I. Other?
105. Which of the following overhead and false ceiling alarm sensors are used in your facility (Where are they placed? What are they protecting?)
A. Break wire?
B. Vibration detection?
C. Volumetric detection system?
106. Which of the following perimeter fencing alarm sensors are used in your facility (Where are they placed? What are they protecting?)
A. CCTV system?
B. Capacitance?
C. Vibration?
D. Other (specify)?
107. List the following information for all alarm system components:
A. Location (building, area, floor, room...),
B. Number,
C. Type,
D. Manufacturer,
E. Last tested,
F. Test results,
G. Test methods.
108. Is the alarm system locally audible when activated?
109. How old is the alarm system and/or major components of the alarm system?
110. Who manufactured the alarm system and/or major components (if a large integrated system)?
111. Is the alarm system Underwriters Laboratories, Inc. (UL) approved?
112. Is the alarm system's presence intended to be covert or overt to the public?
113. Is the alarm system facility owned?
114. Is the alarm system leased?
115. If leased, who is the leasing company?
116. Is output from the intrusion sensors and/or detection devices transmitted outside the facility?
117. Indicate the location(s) to which the intrusion sensors and/or detection devices transmit output:
A. Main security station (where guards are located)?
B. Security station in the same building?
C. Security station in a different building?
D. Municipal police station?
E. Other?
118. Are records from the facility entrance surveillance monitors, intrusion sensors, and/or alarms kept in some form available for audit?
119. Are procedures for responding to notification from area monitors and alarms defined and documented?
120. Are there documented guidelines for evaluating appropriate responses to notifications from area entrance monitors and/or alarms?
121. Are adequate spare alarm components located at the facility (batteries, sensors, fuses, etc.)?
122. Can the alarm system be deactivated from outside the secured area?
123. Are external alarm system components tamper-proof and/or alarmed?
124. Is there a backup power source for the alarm system?
125. What is the backup power source for the alarm system?
126. Is the entire alarm system frequently tested to ensure reliability?
127. How often is the alarm system tested?
128. Who conducts alarm tests?
129. When was the last test conducted?
130. Who is responsible for conducting maintenance on the alarm system?
131. Have emergency repair provisions been established for the alarm system (e.g. with outside vendors or the manufacturer)?
132. Is a failure and false alarm register maintained?
133. Are alarm system transmission lines supervised?
134. Is all alarm and CCTV wiring enclosed in conduit?
135. Are there surveillance monitors (e.g. CCTV), intrusion sensors, or alarms for the facility entrances?
136. Do surveillance monitors, intrusion sensors, or alarms operate for:
A. Normal operating facility entrances?
B. Emergency exits and emergency situations in the facility?
C. Non-normal facility entrances, such as delivery portals?
Key/Critical Areas
137. Are there critical or restricted areas?
138. How many critical and/or restricted areas are there and where are they located? (Attach drawings or plans.)
139. List all controls, barriers, and restrictions placed on these areas (guards, locks, alarms...).
140. How are these areas identified?
141. How are these areas administratively controlled?
142. List the methods of access for each of these areas (skylights, ventilation shafts, doors, windows...).
143. Do these areas have perimeter fencing? (If so, see PERIMETER FENCING.)
144. Are these areas alarmed? (See ALARMS.)
145. What type of alarm systems or components are used in restricted area controls?
146. Construction of storage areas: list characteristics or special construction attributes pertaining to the following:
A. Walls?
B. Ceilings?
C. Floors?
147. Does lighting properly illuminate all facility roads?
148. Is perimeter illumination adequate for the exterior "clear zone" area (if applicable)?
149. Is perimeter illumination adequate for the interior "clear zone" area?
150. Does the perimeter illumination scheme consist of overlapping cones of light?
151. Does the facility have a separate emergency lighting system that activates when the main lighting fails?
152. Is there adequate exterior and interior lighting to provide a safe and secure environment for facility operations?
153. Are all exits equipped with emergency lights and illuminated exit signs?
154. Who is responsible for maintaining exit and emergency lighting systems?
155. Is protective lighting tested periodically?
156. Who is responsible for this task?
157. Are all switch boxes, photoelectric cells, and/or automatic timers secure (how)?
158. Who is responsible for immediate replacement of burned-out luminaires?
159. Is the current security lighting system cost effective?
160. Is there an emergency back-up power system for the protective lighting system? (How is it initiated?)
161. What is the emergency power back-up system for protective lighting?
162. Is there emergency lighting available for the data center if a power failure should occur?
163. Is the facility's power supply monitored to detect the occurrence of electrical transients?
164. Is there emergency lighting in all facility areas to illuminate fire extinguishers even if there is a power outage?
165. Does this facility have a "clear zone" on the outside of the perimeter fence?
166. Does this facility have a "clear zone" on the inside of the perimeter fence?
167. Is the exterior "clear zone" at least 50 feet wide? (If not, list the distance.)
168. Is the interior "clear zone" at least 20 feet wide? (If not, list the distance.)
169. Is there a clear path for vehicular access around the exterior of the perimeter fence (such as for guard patrols)?
170. Is the "clear zone" kept clear of all visual obstructions, including tall grass?
171. Are "clear zone" areas adequately illuminated?
172. Are there any scaling hazards around the perimeter fence line (construction material, buildings, trees, lattice work...)?
173. Is any part of the fence overgrown with vegetation, obstructing a clear view of the "clear zone"?
174. Have shrubbery near doors, windows, fence lines, gates, and access roads been kept to a minimum?
175. Are all blind alleys located near buildings protected?
176. Are warning signs positioned at intervals of approximately 100 feet?
177. Are warning signs properly displayed and legible from a moderate distance?
178. Is there an executive protection program currently in place?
179. Who is protected under the executive protection program? (List names and positions.)
180. Who performs executive protection functions? (List names and duties.)
181. What is the size of the executive protection staff?
182. What criteria are established for hiring executive protection personnel?
183. Is an extensive background investigation conducted before hiring executive protection personnel?
184. What type of background investigation is conducted and who is responsible for conducting it?
185. What other functions and duties are executive protection personnel responsible for?
186. Who conducted the last vulnerability assessment?
187. Is the executive protection program extended to family members?
188. Is there an established chain of command for emergency situations (e.g., the CEO has been kidnapped)?
189. Are individual profiles compiled on all executive personnel, and are family members included?
190. Is there a special insurance plan covering kidnapping, extortion, and terrorism?
191. Is there a bomb threat policy in place? (What is it?)
192. Will law enforcement be notified if a kidnapping or an extortion situation comes to fruition?
193. How is employee security education and awareness conducted?
194. Are personnel given continuing or periodic refresher education about security practices?
195. Has senior facility management shown an awareness of the special security educational needs of the facility?
196. Is management involved in establishing facility security education training and educational policy?
197. Are both initial and periodic security educational briefings conducted to educate employees in general and employee-specific security responsibilities?
198. Are employees actively involved in developing risk analyses and contingency planning?
199. Are line personnel as well as management educated about security practices and encouraged to be alert at all times?
200. Are the following individuals educated about security practices and encouraged to be alert at all times:
A. Facility staff?
B. Facility users?
C. Custodial personnel?
D. Maintenance personnel?
201. When issuing passwords, combinations, access codes, calling card numbers, and credit card numbers, is there an education program to teach holders the proper use of these items?
202. Does the security education program address individuals posing as company personnel who call "on behalf of a company official" to place long distance calls? (How are these situations handled?)
203. Does the security education program address the need for limiting discussions of sensitive topics in public?
204. Does the security education program ensure users are educated not to use poorly secured methods of accessing their voice mailboxes (speed dialers, auto-dial modem programs...)?
205. Have facility personnel been educated in how the badging systems work so they are able to recognize any irregularities?
206. Are employee education and/or training records maintained? (Do employees have access to these records?)
207. Does the company have an Emergency Preparedness Plan and a Disaster Recovery Plan?
208. Are designated objectives clearly outlined in both the Emergency Preparedness and Disaster Recovery Plans?
209. Are these plans current?
210. Are they both considered adequate?
211. Has a plan been developed addressing each of the company's facilities?
212. Have these plans been reviewed by the Federal Emergency Management Agency (FEMA)?
213. Have these plans been reviewed by the company's insurance carrier?
214. Has the company's legal counsel reviewed both plans?
215. Are there specific plans to cover specific disasters (such as earthquakes, floods, hazardous materials)?
216. Has a "Facility Emergency Response Plan" (FERP) been prepared?
217. Does the FERP include a procedure for reporting incidents and notifying all personnel necessary to deal with an emergency situation?
218. Does the FERP describe emergency and backup voice and data communications requirements?
219. Does the FERP establish a plan for:
A. Facility evacuation?
B. Fire emergencies?
C. Water/flood emergencies?
D. Power failures?
E. Heating, Ventilation and Air Conditioning (HVAC) failures?
220. Does the FERP include a strategy to deal with structural instability or damage, such as that caused by:
A. Earthquakes?
B. Weather or other natural phenomena?
221. Are all emergency response procedures for the facility reviewed at least annually with facility personnel?
222. Are facility personnel periodically drilled on all emergency response procedures?
223. Are drills for bomb threats practiced periodically?
224. Are drills for terrorist attacks practiced periodically?
225. How often is the Disaster Recovery Plan tested?
226. Who is responsible for testing the Disaster Recovery Plan?
227. Where is this information stored (off-site, fire proof area...)?
228. Could this facility withstand a major disaster if one occurred today, and could the overall organization survive?
229. Are smaller emergencies addressed (brown-outs, data erasures, computer viruses...)?
230. Has a Risk Analysis Assessment of the facility been conducted recently?
231. What is the total dollar value of your company assets?
232. Are current programs prioritized as to their importance and impact to this business?
233. What is the maximum downtime your operation could withstand before irreparable damage is incurred?
234. Has a Disaster Recovery Manager (DRM) been designated to coordinate Disaster Recovery Plans?
235. Among the facility's personnel, are there persons with training for providing emergency medical assistance, cardiopulmonary resuscitation (CPR), and/or first aid?
236. Is there always at least one individual per shift who is trained in first aid and/or CPR?
237. Are first-aid supplies located to facilitate quick response in a medical emergency?
238. Is there a generalized, established procedure for coordinating the movement of information and personnel in an emergency situation?
239. Does the plan allow for the orderly transition from normal to emergency operations?
240. Are there partial and full implementation phases in the plan corresponding to different levels of emergencies?
241. Is there an organizational structure specifically designed for operations during disasters?
242. Has a hierarchy of command been established for each designated emergency?
243. List the chain of command in the event that designated individuals are unable to fulfill their responsibilities.
244. Are emergency plans clearly communicated and accessible to each employee?
245. How are employees notified of an emergency situation?
246. Do employees receive continuous and accurate status reports during emergency situations? (How?)
247. Are communications systems and procedures equipped to allow employees to reach families and to handle their relatives' inquiries?
248. Are emergency funds and supplies available to assist employees?
249. Are all personnel files and information protected as critical documents?
250. Are special procedures developed for handicapped employees during an emergency situation?
251. Are all emergency procedures clearly posted in the employees' work areas?
252. If an employees' union is present, have provisions been made to include union officials in the plan?
253. Is there a designated individual, or group, assigned to handle media relations during disaster management?
254. Are there reliable secondary means of communications, such as two-way radios, available to the emergency teams?
255. Is there a policy addressing medical emergencies and how they should be handled disseminated to employees?
256. Is a policy addressing fires and fire protection emergencies and how they should be handled disseminated to employees?
257. Is there an emergency evacuation plan currently in place? (Is it disseminated to employees?)
258. Is a procedure addressing bomb threats disseminated to employees?
259. Is there a policy addressing remedial action for security violations disseminated to employees?
260. Are evacuation plan drawings and procedures posted in accessible areas?
261. Are all on-site personnel acquainted with these procedures?
262. Is there an alternative operational site, or communications center, to coordinate and implement emergency plans and to continue business activities?
263. Is the site selection still valid if the main facility is damaged or destroyed?
264. Does this site provide a secure environment which would require minimal personnel to operate and secure?
265. Has the plan been designed in accordance with the capabilities of local, federal, state, and municipal agencies?
266. Are adjacent businesses' operations, hazards, and contributions to an emergency preparedness plan considered?
267. Have mutual aid agreements been established with these and other local businesses?
268. Does your company have a formal reciprocal agreement with another facility or corporation to aid you in emergency situations?
269. Does this agreement extend to your computing resources? (What is the agreement?)
270. Do you share your computer time with other organizations, under the reciprocal agreement, in emergency situations?
271. Do both computer systems have the capability to process applications at the same time?
272. Has this been tested (when, by whom, what were the results)?
273. Do both facilities have enough storage capacity (tape, disk drives...) to properly fulfill their obligations under the reciprocal agreement?
274. Have you tested your critical functions (management, security...) at the other facility?
275. Is there proper temporary storage of your company's sensitive information at the other facility?
276. Has temporary office space for system support personnel been addressed in the reciprocal agreement?
277. Are all files which are critical to the continued operation of your business retained in either back-up form, hard-copy, or original form, including the following:
A. Accounting Statement and Working Papers?
B. Accounts Payable Records?
C. Accounts Receivable Records?
D. Annual Reports?
E. Audit Information?
F. Balance Sheets?
G. Bills For Materials and Supplies?
H. Bonds?
I. Budgets?
J. Canceled Checks?
K. Cash Books?
L. Cash Slips?
M. Changes In Production Activity?
N. Check Records?
O. Claims?
P. Contingency Plan Information?
Q. Corporate Reports?
R. Cost Summaries?
S. Customer Lists?
T. Dealer Correspondence Records?
U. Debentures?
V. Design Processes?
W. Design Specifications?
X. Disposal Records?
Y. Dividend Formulas and Resolutions?
Z. Dividend Payments Records?
AA. Economic Forecasts?
AB. Electronic Fund Transfer Records?
AC. Employee Accident Reports?
AD. Employee Applications?
AE. Employee Attendance Records?
AF. Employee Benefit Records?
AG. Employee Compensation Records?
AH. Employee Contracts?
AI. Employee Disability Records?
AJ. Employee Education Records?
AK. Employee Garnishment Records?
AL. Employee Health Records?
AM. Employee Income Protection Plan Information?
AN. Employee Injury Claims?
AO. Employee Insurance Records?
AP. Employee Pension Plans?
AQ. Employee Recruiting Records?
AR. Employee Safety Records?
AS. Employee Stock Purchase Program Records?
AT. Employee Training Records?
AU. Engineering Notebooks?
AV. Equipment Operation and Ownership Information?
AW. Expense Ledgers/Reports?
AX. Financial Correspondence?
AY. Financial Statements?
AZ. Fixed Assets?
BA. Formulas?
BB. General Ledgers?
BC. Health Care Records?
BD. Insurance Policies and Schedules?
BE. Inventories?
BF. Invoices?
BG. IRS and Other Compliance Information?
BH. Journal Vouchers?
BI. Labor Agreements?
BJ. Laboratory Documents?
BK. Legal Affidavits?
BL. Legal Correspondence?
BM. Loan and Trust Agreements?
BN. Manufacturing Processes?
BO. Market Research and Analysis?
BP. Master Part Number Inventory Numbers?
BQ. Master Price Books?
BR. Material Management Information?
BS. Media Releases?
BT. Mortgage Information?
BU. Notes On Technical Meetings Attended By
Company Personnel?
BV. Notes Receivable/Payable?
BW. Operation Reports?
BX. Ownership Information?
BY. Patent Documentation?
BZ. Payroll Records?
CA. Petty Cash Records?
CB. Petty Cash Records and Receipts?
CC. Plant and Facility Blueprints?
CD. Plant Engineering Information and Reports?
CE. Policy Directives (rules, regulations...)?
CF. Procedure Manuals?
CG. Product Advertising Information?
CH. Product Liability Claims?
CI. Product Pricing Records?
CJ. Product Release Information?
CK. Product Tracking Records?
CL. Production Drawings and Specifications?
CM. Profit and Loss Statements?
CN. Promissory Notes Receivable?
Property Records?
CO. Purchase Orders/Requisitions?
CP. Public Relation Releases?
CQ. Research and Development Records?
CR. Royalty Ledgers?
CS. Safety Records?
CT. SEC Reports?
CU. Securities?
CV. Settlements?
CW. Standard Operating Procedures?
CX. Stock Books and Certificates?
CY. Stock Purchase Plans?
CZ. Stock Transfers?
DA. Stockholder Information?
DB. Strategic Planning Records?
DC. Subsidiary Ledgers?
DD. Supplier/Vendor Agreements?
DE. Tax Returns?
DF. Technical Drawings?
DG. Technical Releases?
DH. Technical Reports?
DI. Termination Reports?
DJ. Test Procedure Information?
DK. Trademark Registrations and Information?
DL. Transfer Requests?
DM. Unemployment Benefit Plan Information?
DN. Warranty Claims and Records?
DO. Work Orders?
DP. Workman's Compensation Records?
278. Is there a disaster management plan for all of
the data processing and storage systems?
279. Has a copy of the disaster plan been secured
off-site to ensure its preservation?
280. Is a complete set of vendor-recommended spare
parts (to service equipment, alarm systems, access control systems,
computers...) available near enough to the facility to be able to effect
emergency repairs within the time period determined by facility management?
281. Does the plan include provisions for shutting
down equipment and machinery prior to an anticipated disaster? (such as
tropical storms or extreme temperatures)
282. Does the plan include provisions for shutting
down equipment and machinery once unforeseen disasters have occurred? (such as
earthquakes or explosions)
283. Is the availability of public utility
services such as electricity, natural gas, and water included in
the plans?
284. Are the hazards of these services (to
employees and vendors) also considered in the event of a disaster?
285. Are uninterruptible back-up power systems
available at the site of the emergency?
286. Are there additional fire prevention and
fire-fighting procedures designed for each emergency procedure?
287. Are all combustible materials stored in
special areas which provide additional safety for the materials and the
surrounding structures?
288. What is the average response time of local
fire departments after an alarm report?
(Estimate what the response time would be in each of the major emergency
situations)
289. Are the emergency response plans reflective of
these response times?
290. What type of
on-site fire protection is available?
291. Are groups of employees trained in fire
fighting techniques and rescue operations?
292. Are fire drill exercises performed regularly
and updated as needed?
293. Has a fire protection insurance professional
reviewed and approved these procedures?
294. Are special handling procedures for hazardous
materials in the plan?
295. Are there local hazardous materials handling and
clean-up specialists available?
296. Are there evacuation plans and routes to cover
all types of emergencies?
297. Are these evacuation plans posted in
conspicuous areas and given to each employee?
298. Have physical security plans been developed to
ensure property and employee protection during emergency operations?
299. Are resources available to provide additional
perimeter barriers and access control points?
300. What method of identifying and allowing access
to employees will be used during an emergency?
301. Is there a source for additional security
officers during a disaster?
302. Is this source
internal or external?
303. Are emergency supplies, such as food, water,
first aid, and shelter available on-site?
304. Are additional office supplies and equipment
available for emergencies?
305. Are emergency
equipment and repair tools located on-site?
306. Is transportation available to assist
evacuation or employee transportation?
307. Are there procedures to account for all
employees after emergency evacuation has been completed?
308. What are the criteria used to determine
operational levels during an emergency (full, reduced or closed down)?
309. Have all personnel been trained in the correct
procedures to handle the various levels of operations?
310. Has a study been conducted to determine the
probability of an emergency or disaster affecting company operations?
311. Does the facility's geographical area have
known and recurring natural disaster phenomena?
312. What other non-nature related or man-made
emergencies and disasters can occur at your site?
313. Have procedures been developed for employees
who will remain to perform or shut down critical plant operations before they
evacuate?
314. Have teams of employees been developed to
perform rescue and medical duties?
315. Who is the
Emergency Response Team Coordinator (ERTC)?
316. Have physically capable employees been
assigned to an Emergency Response Team (ERT)?
317. Has the ERTC been given the following duties
to ensure a quick and efficient response to an emergency?:
A. Assessment of the situation and
determination of whether an emergency exists which
requires activating emergency procedures?
B. Directing all efforts in the area, including
evacuating personnel and minimizing property loss?
C. Ensuring that outside emergency services,
such as medical aid and fire departments, are called in when necessary?
D. Directing the shut down of plant operations
when necessary?
318. Have all
employees been trained in the following areas:
A. Evacuation plans?
B. Alarm systems?
C. Reporting procedures for personnel?
D. Shutdown procedures?
E. Types of potential emergencies?
319. Is training in
these programs provided:
A. Initially when the plan is developed?
B. For all new employees?
C. When new equipment, materials or processes
are introduced?
D. When procedures have been updated or
revised?
E. When exercises show that employee
performance must be improved?
F. At least annually?
320. Is there adequate personal protection
equipment available to employees for a wide variety of hazardous circumstances
such as the following:
A. Chemical splashes or contact with toxic
materials?
B. Falling objects and flying particles?
C. Unknown atmospheres that may contain
inadequate oxygen to sustain life or toxic gases, vapors or mists?
D. Fires and electrical hazards?
321. As a minimum, is
the following safety equipment available on site:
A. Safety glasses, goggles, or face shields for
eye protection?
B. Hard hats and safety shoes for head and foot
protection?
C. Proper respirators for breathing protection?
D. Whole body coverings, gloves, hoods, and
boots for body protection from chemicals?
E. Body protection for abnormal environmental
conditions such as extreme temperatures?
322. Are location
identifiers and emergency phone numbers posted throughout the facility for
fire, flood, police, on-site security, and medical assistance?
323. Has an earthquake
preparedness plan been developed?
324. Has the business location been surveyed for
possible earthquake hazards?
325. Have these
deficiencies been corrected?
326. When was the last
employee training on earthquake evacuation plan?
327. When was the last
evacuation plan practice drill conducted?
328. Has more than
one evacuation route been integrated into the plan?
329. Does the plan take into consideration
physically challenged individuals?
330. Who have been designated as the primary
coordinators for the plan's implementation?
331. Have these designated individuals received
training in all major areas of the earthquake evacuation plan?
332. Does the company have an adequate supply of
flashlights and battery powered radios for all individuals involved in the
plan?
333. Are there enough first aid supplies available
for a large number of injuries?
334. Have other businesses in the area been
integrated into your company's evacuation plan?
335. Have all earthquake evacuation planners and
coordinators from area businesses shared
information and coordinated resources?
336. Have specialized teams been established for
handling hazardous materials and utilities?
337. Does your
facility have emergency power generators?
338. Who is responsible for regularly maintaining
and testing this equipment?
339. Does the facility have adequate equipment and
trained personnel to handle any potential fires?
340. Has a list of emergency agencies and phone
numbers been established?
341. Does your company have an adequate stock of
the following supplies:
A. Flashlights and portable radios with
batteries stored separately?
B. First aid kits?
C. ABC rated fire extinguishers?
D. Power generators and fire pump with full
fuel tanks?
E. All tools necessary for turning off
utilities?
F. Manual and power tools including cordless
units?
G. Protective clothing?
H. Portable pumps and rubber hose?
I. Rope and cable?
J. Shovels, axes, pry bars, brooms, rakes,
squeegees and mops?
K. Tarps - canvas and plastic?
L. Lumber and nails?
M. 72 hours of non-perishable food and stored
drinking water?
N. Sandbags?
O. Large trash bags?
P. Large plastic trash cans?
Q. Powdered chlorinated lime or other
acceptable disinfectant?
R. Portable toilet?
S. Provisions for emergency lighting?
T. Flashlights, commercial grade or personal
use?
U. Light sticks and candles?
V. Lanterns - butane, propane or kerosene?
342. Has all insulation in buildings and on pipes
been inspected and upgraded to prevent exposure to temperature extremes?
343. Is there a
sufficient supply of heating system fuel?
344. Has additional heating been arranged for areas
normally subject to the outside temperature gradient?
345. Are all heating systems fully functional and
in good operating condition?
346. Have all combustible and flammable materials
been removed from the immediate area of heating systems?
347. Have all exterior building openings been
properly weather-stripped to make them air-tight?
348. Are heating systems capable of maintaining a
minimum of 40°F at all times to prevent various water systems from freezing?
349. Are all
unnecessary wet pipe systems drained, closed and tagged?
350. Who is responsible for the removal of
excessive snow from flat roofs and similar structures?
351. Has a plan been developed for the removal of
excessive snow from entrances, smoke and heat vents, control valves and panels,
hydrants and hose cabinets, and any other necessary equipment used during an
emergency?
352. Have all operations been closed down in a
systematic and safe manner? (What?, When?)
353. Is there a plan to shut off electrical service
to all structures if necessary during the flood?
354. Has all fire protection equipment been checked
over to ensure it is at full operational capacity?
355. Have all critical reports, merchandise or
stock, and equipment been relocated to an area out of the flood zone?
356. Have all tanks and other structures been
anchored down to reduce the possibility of them being swept away by flood
waters?
357. Have all moveable containers of hazardous
materials and liquids been properly secured or removed?
358. Have sandbags been set up to channel water
away from building foundations, windows, and entrances?
359. Have
all distribution lines from hazardous and flammable tanks been properly drained
and closed off to prevent leaks during flooding?
360. Is each entrance
and window properly protected by a flood cover?
361. Have all operations been closed down in a
systematic and safe manner? (What?, When?)
362. Have all flood
procedure plans been examined and implemented?
363. Is there a plan to shut off electrical service
to all structures if necessary during the hurricane?
364. Have all structures and equipment which are
susceptible to high wind damage been properly secured?
365. Have all exposed tanks been filled to capacity
in order to reduce the possibility of wind damage?
366. Have all gate, doorway, and window latching
and locking hardware been inspected and fortified?
367. Have plans been made to cover up all exterior
openings which are susceptible to flying debris and flooding?
368. Are all roof
gutters and other drain systems free of obstructions?
369. Has an inspection been conducted on all
building roofs to secure any loose or weak materials?
370. Have all trees located next to buildings or
structures been properly anchored or removed?
371. Are stack and sign stabilizing reinforcements,
such as anchors and support wires, capable of handling high winds?
372. Are there other occupants or activities in the
building housing the facility that might be a potential
threat or hazard to the facility, its personnel, or the organization's environment?
373. What other occupants or activities in the
building may be a potential hazard:
A. Offices?
B. Laboratory(s)?
C. Machine shops?
D. Warehouses?
E. Chemical storerooms?
F. Other (specify)?
374. Is the facility in a place capable of having
severe weather (For example, has a hurricane, flood, tornado, snowstorm, or
severe cold caused the facility to be inoperative for a total of ANY 5 or more
days in the past 3 years)?
375. Is the facility located within 50 miles of an
active earthquake fault, an active volcano, or a high erosion area?
376. Is the facility located within 1000 feet of
and below the level of a lake, river, dam, or ocean?
377. Do volatile chemicals, liquefied natural gas,
or explosives pass within 2000 feet of the facility by sea, rail, or overland
transport?
378. Is the facility on a landing or take-off path
or otherwise situated within one mile of a major international, commercial, or
military airfield?
379. Is the facility located within five miles of a
defense installation, major defense contractor, government laboratory, nuclear
processing plant, or nuclear power plant?
380. Is the facility
located below a nearby dam?
381. Is the facility located in or near a forest,
in heavy brush, or in a grassland area?
382. Is the facility
located in a landslide or mudslide area?
383. Is the facility near a place where hazardous
processes or materials are in use (such as a chemical plant, refinery, etc.)?
384. Is the facility located along a
route used for transporting hazardous or explosive materials?
385. Do aircraft
regularly fly over the facility?
386. Is the facility
near any other potential source of hazard?
387. Specify other potential sources of hazard near
the facility.
388. Does this
facility have tours or visitors from the general public?
389. Is the facility
in a low-crime-rate area?
390. Is the facility a potential target because of
its mission or the nature of the work done there?
391. Could a disruption in facility services result
in an adverse change in trade or defense relations with another nation?
392. Have terrorist acts, civil disturbance, and
labor unrest contingency plans been included in the emergency plan profile?
393. Indicate how
frequently the facility is cleaned:
A. Daily?
B. Weekly?
C. Monthly?
D. Quarterly?
E. Yearly?
F. Other (specify)?
394. Who is
responsible for cleaning the facility:
A. Employees?
B. Proprietary cleaning staff?
C. Vendor cleaning staff?
395. Are beverages or
food permitted in the facility?
396. Are potted plants or vases of fresh flowers
permitted in the facility?
397. Is the facility
inspected regularly for neatness and cleanliness?
398. Is the facility
kept free of dust and clutter?
399. Are equipment
covers and work surfaces cleaned frequently?
400. Is facility
equipment kept free of dust and dirt inside and out?
401. Are facility floors cleaned regularly with a
non-residual cleaning agent?
402. Is an industrial wet/dry vacuum cleaner
available for use in the building?
403. Are loose rugs
and mats kept free of dirt and dust?
404. Does the facility have either installed
carpeting (as opposed to loose rugs) or carpeted floor tiles?
405. Is the carpeting made of anti-static material
or treated regularly to prevent damage to equipment from static discharge?
406. Is the carpeting:
A. Cleaned on a regular basis?
B. Vacuumed frequently?
C. Shampooed at least yearly?
407. When was the last
insurance policy review?
408. Who conducted the
review?
409. Do these policy reviews accurately reflect any
changes in the company's operating conditions?
410. Does your company require commercial insurance
(Is it otherwise unable financially to survive catastrophic damage to property,
equipment, information, or personnel)?
411. Are all buildings
and all related equipment insured?
412. Have all equipment and buildings been insured
at their replacement value if they are critical to business operations?
413. What losses,
disasters, and hazards are covered?
414. Is all computer hardware, storage media,
storage devices, and other peripheral and support equipment, insured?
415. Are all operations manuals, applications
programs manuals and listings, data and output copy, reports, memos, and
letters, insured?
416. Is there
liability insurance for personal injury?
417. Do policies cover employees and non-employees
while on company property?
418. What limitations
and exclusionary clauses exist in each policy?
419. What has the company done to ensure that these
clauses are not violated?
420. Is the level of Comprehensive General
Liability (CGL) insurance policy coverage commensurate with the potential
damages which could be brought against the company?
421. Are the proper endorsements included in the
CGL policy to cover special or unique operations?
422. Are corporate
officers and managers covered under the CGL policy?
423. Are product liability and personal injury
endorsements provisions contained in the CGL?
424. What situations,
or "perils", are covered?
425. Are "proactive" security measures
taken into account when insurance premiums are determined?
426. Does the system
process any information that is classified:
A. "TOP SECRET"?
B. "SECRET"?
C. "CONFIDENTIAL"?
427. Could unauthorized use of the data or
programs, or destruction of this facility, have an adverse effect on national
security?
428. Does the facility maintain compartmented or
special company sensitive information?
(If so, list restrictions on the use of this information.)
429. How and where is sensitive information stored?
(Indicate on facility map.)
430. Is there an accountability system established
for proprietary or competitive sensitive information?
431. Are employees briefed on proprietary or
competitor sensitive information safeguarding protocols?
432. Are all secured,
restricted, closed, and limited access areas properly marked?
433. Can access to trade secrets or highly
sensitive private-sector corporate information be gained by using the
facility's computing resources?
434. What are the visitor admission and
registration procedures for these areas?
435. Are entrance
rosters and logs maintained?
436. What type of
alarm systems are used in these areas? (see ALARMS)
437. Are any unusual security vulnerabilities
evident with regard to company sensitive information?
438. Are all personnel required to sign a statement
of understanding of their information security responsibilities before access
to sensitive information is granted?
439. Is there a two-person requirement when company
sensitive or key financial material is being processed?
440. Is there an inspection system to check
briefcases, lunch pails, and other containers leaving key sensitive material
areas?
441. Is there a written "pass" procedure
implemented identifying proper removal of material or equipment from such
areas?
442. Who conducts repair, cleaning and maintenance
of the computer system components or equipment in sensitive material areas?
443. Are there
enforced procedures for controlling:
A. Equipment removal from sensitive material
areas?
B. Storage-media and storage-device removal
from sensitive material areas?
C. Equipment parts removal from sensitive
material areas?
D. Document removal from sensitive material
areas?
444. How is proprietary or competitive sensitive
information moved outside the facility?
445. Is there a
courier system established for information transmittal?
446. Describe the courier systems used for
compartmented or special company sensitive information.
447. Are caveats utilized in marking company
sensitive information? (proprietary, limited, company sensitive, secret ...)
448. List the caveats
used to indicate sensitive material.
449. Are the proper caveats automatically affixed
(or printed) on the top and bottom of each page?
450. Is all company sensitive material access
limited to a "need to know" basis?
451. Do the name and address of the facility
responsible for sensitive material preparation and the date of generation
appear on a cover sheet?
452. How is unattended, automatically generated
sensitive material protected from compromise? (Such as faxes, off-hour
generated reports...)
453. Are there controls for distributing reports
and output containing sensitive, proprietary, or classified information?
454. Where is
sensitive information waste stored (trash)?
455. Is there a documented standard operating
procedure (SOP) for the physical destruction of sensitive and/or classified
waste?
456. Are waste magnetic media that contain
sensitive or classified information disposed of as sensitive waste in a manner
commensurate with their sensitivity?
457. Are all forms of sensitive or classified waste
protected at a level commensurate with their sensitivity until they can be
destroyed?
458. Are sensitive or classified waste printouts
and forms shredded, burned, or otherwise destroyed?
459. Are printer ribbons used for sensitive or
classified output destroyed?
460. Are the carbons used to print multiple forms
for sensitive or classified applications destroyed?
461. Are all disks with company sensitive
information disposed of by either degaussing, shredding, or by properly
following company security procedures?
462. Are output devices, monitors, and displays
positioned to prevent unauthorized personnel from seeing or otherwise acquiring
the information from computer output?
463. How is sensitive information waste stored to
preclude unauthorized access?
464. How often is
sensitive information waste collected?
465. Who is
responsible for sensitive information waste destruction?
466. How is sensitive
information waste destroyed?
467. Is sensitive
information waste shredded?
468. Is a log maintained to record sensitive
information waste destruction?
469. Are procedures in place to destroy sensitive
information waste in emergency situations?
470. Where are
emergency destruction sites located within the facility?
471. Is there a formal system for securely
disseminating sensitive information?
472. What is the written policy limiting media
releases of company sensitive information?
473. Is there a written policy addressing the
release of company sensitive information to outside sources other than the
media? (What is it?)
474. Is there a policy addressing releases of
drawings or other technical company sensitive information at outside meetings
or trade conferences? (What is it?)
475. Is there a policy and procedure for the
disposal of sensitive information?
476. Who is responsible for collecting, reviewing,
and disposing of sensitive waste?
477. Are photographic negatives, slides,
photographs, and other company sensitive material properly marked (top/bottom
caveats) and secured at all times?
478. Is there a formal system to log and disseminate
small, easily lost sensitive information items?
479. How is the loss, compromise, or disclosure of
company sensitive information handled?
480. Could potentially embarrassing or legally
damaging information be mishandled if the computer center were out of service
or if data were lost?
481. Have successful or partially successful
attempts to damage, penetrate or destroy the data center, sensitive material
areas, or the facility been carried out within the past two
years?
482. Can access to sensitive information result in
competitive advantage to other companies?
483. What would a
company be willing to pay or do for this information?
484. Have persons in the area (community, county,
state) been questioned within the past two years by law-enforcement agencies
about, or arrested on suspicion of, charges related
to data fraud, security violations, or
other "white-collar" crime?
485. Are activities or products generated by your
company perceived by the public as dealing unfavorably with volatile civil
issues (e.g. nuclear waste, nuclear power, chemicals, defense or military
weapons procurement or development)?
486. Is the facility located in an area where
political activism is high or hostile foreign nationals are common?
487. Does the facility frequently have tours or
visitors from the general public?
488. Are all visiting personnel (vendors,
consultants, contractors, service personnel, visitors, etc.)
identified by some visible means such
as a badge when visiting the facility (especially near sensitive material
areas)?
489. Is photographic identification (such as a
driver's license) and prior management approval required from non-employees for
entry into sensitive material areas?
490. Is photographic identification and prior
management approval required from:
A. Vendors for entry to the sensitive material
areas?
B. Service personnel for entry to the sensitive
material areas?
C. Contractors for entry to the sensitive
material areas?
491. Is it likely that unauthorized access to or
unavailability of sensitive information could result in legal action by groups,
individuals, or governments?
492. Is it likely that unauthorized access (or
modification) to the sensitive information would result in:
A. Perceived or actual benefit in terms of
employment or promotion?
B. Loss of management control within the
organization?
C. Key individuals not being able to perform
their duties, thus preventing the site's mission from being accomplished?
D. Other financial gains (perceived or actual)
convertible to financial advantage?
493. Is the company involved with other
organizations in "friendly" competition over projects, personnel, or
recognition?
494. Could
unauthorized use or misuse of sensitive information result in a negative
organizational image that is neither justified nor deserved?
495. Is it likely that successful access to the
facility's computers by an unauthorized person would be perceived as an
intellectual accomplishment by that individual's peer group or
the public in general?
496. Are the facility
areas located in or near a college community?
497. If the sensitive material were successfully
accessed by unauthorized persons and knowledge of the access were made public,
would the organization be publicly embarrassed in a damaging way?
498. If a breach of security occurred, do employees
know where trained assistance is available?
499. Are personnel instructed about how to deal
with a penetration in progress?
500. Is there a policy governing how personnel
should interact with outside organizations and outside personnel with respect
to security breaches and other emergencies?
501. Is there a policy governing how personnel
should interact with representatives of the news media with respect to security
breaches and other emergencies?
502. Is there a policy governing how personnel
should interact with other outside organizations with respect to security
breaches and other emergencies?
503. Is there a policy governing how personnel
should interact with outside personnel (such as the public) with respect to
security breaches and other emergencies?
504. Is the staff instructed to protect prioritized
hardware, software, and documents from damage and/or disclosure if a disaster,
major emergency, or an attack upon the facility occurs?
505. During facility maintenance or area cleaning,
is sensitive data protected (how)?
506. Is a commercially encrypted facsimile unit
used when sensitive material is faxed out of the facility?
507. Is senior management aware of the costs (both
tangible and intangible) associated with lost or compromised information?
508. Does a lobby directory, site map, facility
description, or other publicly-available or posted document clearly pinpoint
the location of the sensitive material areas?
509. Is there documentation pinpointing the
location of these areas that has widespread public dissemination (e.g. company phone books, maps...)?
510. Is there documentation clearly pinpointing the
location of these areas that is well-known and distributed widely throughout
the facility?
Building Exteriors
511. Is the building
constructed on a solid foundation?
512. Is the principal material of the exterior walls of the building one of the
following materials:
A. Reinforced concrete?
B. Concrete block?
C. Brick?
D. Stone?
513. What is the construction
of the exterior building doors:
A. Solid wood?
B. Hollow-core wood?
C. Glass?
D. Other material?
514. The facility's walls and penetrations have a
fire rating of at least how many hours?
515. What is the fire
rating of the facility's walls and penetrations?
516. Does the building housing the facility have more than one story?
517. How many floors
of the building are above grade?
518. How many floors
of the building are below grade?
519. Does grading around the exterior of the building, storm drains, or both
remove water accumulation during sudden or seasonal heavy rainfall?
520. Have roof, upper floor, and foundation
drainage devices been installed for the facility?
521. Is the facility
roof watertight?
522. Is the building roof constructed to prevent
opening (and subsequent water leakage caused by high winds)?
523. Is there protection against accumulated
air-conditioning water, leaks in rooftop cooling towers, or other water
sources?
524. Are all roof penetrations (such as those for pipes,
vents, antennae, etc.) sealed to prevent water leakage?
525. Is critical equipment located so that it
will not be damaged by any water leakage from the roof?
526. Does the facility
have exterior windows?
527. Do exterior facility windows provide a view of
operations from outside the building?
528. Are exterior facility windows barred or
screened with heavy metal mesh?
529. Are exterior
facility windows large plate-glass windows?
530. Do exterior facility windows contain embedded
wire support to mitigate shattering?
531. Is the principal material of the doors and/or
gates entering into the building either metal or metal clad?
532. Do facility doors
or gates fit flush into the framework?
533. Do facility doors or gates have a large open
space above them, as in a "Dutch" door?
534. Are facility
doors and gates kept locked or otherwise controlled:
A. At all times?
B. During normal working hours?
C. Outside of normal working hours?
D. During emergency situations?
535. Are facility
doors and gates checked periodically to see that they are locked?
536. How often is it
verified that facility doors or gates are locked?
537. Is someone responsible for verifying that
facility doors or gates are locked?
538. Who is
responsible for verifying locked facility doors?
A. Computer operations?
B. Building security?
C. Site security?
D. Municipal police?
E. Hired off-site security?
F. Other?
539. Is corrective action taken if a facility door
or gate is found unsecured?
540. What happens if a
facility door or gate is found unlocked?
A. Security notified?
B. Police notified?
C. Building security notified?
D. Locked by finder?
E. Documented in written report?
F. Other?
541. Does the facility have doors/portals designated solely for emergency use (e.g. emergency exits)?
542. Is external hardware removed from perimeter
doors (where practical)?
543. If hinge pins are external to the facility,
are they welded in place or pinned to prohibit removal?
544. Can facility emergency exits be operated from
outside the facility?
545. Is the status of ALL emergency exits from the facility monitored (e.g. by CCTV, guards, operations staff)?
546. Do security personnel control all perimeter
openings to the facility?
547. Is there a designated individual responsible
for authorizing building entry?
548. Would access to the facility still be
controlled in case of fire or other emergency or disaster?
549. Are custodial personnel permitted entry to the
facility when it is unattended?
550. Are physical-security personnel permitted
entry to the facility when it is unattended?
551. Is there a procedure to control badges, keys,
combinations, and/or cards used for entry to the facility?
552. What is the procedure for controlling badges,
keys, combinations, and/or cards used for entry to the facility?
553. Are authorization lists and control mechanisms
allowing entry into the facility updated when a person's authorization for
entry has been revoked?
554. When an
individual's facility entry authority is revoked, are:
A. Authorization lists revised?
B. Locks/combinations changed?
C. Badges, keys, cards surrendered?
D. Other?
555. Is access to facility resources denied quickly
enough to prevent damage to the resources by a person whose facility entry
authorization has been revoked?
556. Is there a record of entries to and exits from
the facility by employees (excluding the assigned operations staff during
normal working hours)?
557. The means used to record employee entries to
and exits from the facility are:
A. Magnetic key card?
B. Sign-in register?
C. Other?
558. Is ingress and
egress by non-employees to the facility:
A. Recorded?
B. Recorded during normal working hours?
C. Recorded during emergencies and non-normal
working hours?
559. The means used to record non-employee
entries/exits to the facility are:
A. Magnetic key card?
B. Sign-in register?
C. Other (specify)?
560. Does the area's non-employee entry/exit record provide notation for time in, time out, identification of entrant, and authorization mechanism?
561. Is the principal material of the exterior
walls of the building one of the following materials:
A. Reinforced concrete?
B. Concrete block?
C. Brick?
D. Metal?
E. Other (specify)?
562. What material is the interior side of the exterior facility walls constructed of:
A. Sheetrock?
B. Plaster?
C. Veneer on plywood?
D. Ceramic tile?
E. Other material?
563. Is the principal material of the building's
ceilings/floors reinforced concrete or metal?
564. What best describes the building's interior
surface ceiling material:
A. Gypsum?
B. Wood?
C. Wallboard?
D. Acoustical tile?
E. Exposed structure?
F. Other material?
565. Does the facility
have a suspended ceiling?
566. Is there a space large enough to hold a person
between the suspended ceiling and the structural ceiling of the facility?
567. Is entry to the space between the suspended
ceiling and the structural ceiling in the facility obvious to the casual
observer?
568. Is entry to the space between the suspended
ceiling and the structural ceiling in the facility controlled in some way?
569. How is entry to the space between the
suspended ceiling and the structural ceiling in the facility controlled?
570. Are the facility walls extended above the
suspended ceiling either to the structural ceiling or to the roof?
571. Have overhead steam or water pipes (except
sprinklers) been eliminated from facility critical areas (where practical)?
572. Are pipe and wire
penetrations into the facility water-tight?
573. Are all facility electrical cables and wiring
located away from normal traffic paths or protected from being disturbed by
traffic?
574. Are all cables entering and exiting the
facility clearly marked and uniquely identified?
575. Is the ducting large enough and sturdy enough
to permit the passage of a person?
576. Are openings to all ducting blocked securely
to restrict entry to the facility by means of the ducting?
577. Does the facility
have areas which contain raised flooring?
578. Has the raised flooring adequate strength to
support both the total and the local loads that will be imposed by the various
items of equipment?
579. Is there space
for a person to crawl under the raised flooring?
580. Is the area under this flooring blocked to
restrict entry from outside the facility?
581. Are raised floor tile removers available and
within easy access of employees?
582. Are the locations of floor tile removers
clearly marked and visible above equipment?
583. Are hardware protective and security features (e.g. locks, surge protectors, port protection devices, etc.) checked regularly to see that they are functioning as intended?
584. Is the integrity of the hardware protective
features tested at a frequency determined by facility management?
585. Does the facility's physical environment
include a perimeter zone of grounds and/or property surrounding the facility?
586. Does the perimeter zone surrounding the
facility's property have a fence or other barrier restricting entry?
587. Is the perimeter barrier either a reinforced
concrete wall or a chain-link fence?
588. How many
entrances to the perimeter zone are there?
589. Are there redundant barriers (e.g. double fences) or additional deterrents (e.g. barbed wire, electrified wire, sensors) attached to the perimeter barrier?
590. What is the
additional perimeter barrier or deterrent?
A. Barbed wire above?
B. Barbed wire and razor ribbon?
C. Broken glass atop masonry?
D. Electrified wire?
E. Double fence?
F. Other?
591. Is the minimum
height of the perimeter barrier at least 7 feet?
592. Is someone responsible for periodically
verifying the structural integrity of the perimeter barrier (who, when)?
593. Does the entire perimeter zone have functioning alarms or monitors (e.g. CCTV, guards, etc.) at all times?
594. Are there alarms, stationed guards or CCTV
monitors for all perimeter zone entrances?
595. Are there alarms, roving guards, or CCTV
monitors for the perimeter zone in general?
596. Do perimeter zone and perimeter entrance
monitors and/or alarms transmit to a location where timely appropriate action
will be taken?
597. Do perimeter zone and perimeter entrance
monitors and/or alarms transmit to:
A. A main guard station off-site?
B. A local guard station on-site?
C. Other?
598. Are there documented guidelines for evaluating
appropriate responses to notifications from perimeter zone entrance monitors
and/or alarms?
599. Are appropriate procedures for responding to a
notification from perimeter zone monitors and alarms defined and documented?
600. Are personnel trained or drilled in how to
respond to perimeter-zone monitors and alarms?
601. Is a record from the perimeter zone and
perimeter entrance monitors and alarms kept in some form available for audit?
602. Do employees challenge persons within the
perimeter zone if they are not properly identifiable?
603. Is there a control on mechanisms (e.g. badges, keys, combinations, and/or cards) used for entry to the perimeter zone?
604. Is the control on the mechanisms used for
entry to the perimeter zone commensurate with the sensitivity of the assets
being protected?
605. Is the perimeter zone kept free of trash,
discards, and any material that has the potential to be a
weapon or a projectile?
606. Does the perimeter fencing have ingress/egress
waist-high turnstiles? (List number and
location on the facility drawing)
607. Are facility
gates kept to a minimum?
608. Have all
unnecessary gates been eliminated?
609. Are all gates
kept locked when not in use?
610. Are all gate
areas illuminated?
611. Are gates equal
in height to surrounding fencing?
612. Is fabric used
for gates the same type used for the fencing?
613. Is the gate fabric attached in a similar
fashion to perimeter fencing?
614. Is the space
under each gate less than two inches?
615. Are gates trussed
to limit sagging?
616. What type of locking hardware is present on gates?
617. Are locks attached to the interior of the gate?
618. On double gates,
is there a lock securing the bar stop?
619. Are exact lengths of chain used in securing
gates to prohibit excessive travel?
620. Do all gates have
top guards? (see FENCING)
621. Do top guards for gates meet same criteria as
perimeter fence top guards?
622. Are gate bolts
and nuts spot welded for security?
623. Are vehicles
permitted within the perimeter zone?
624. Are vehicles
permitted to park within the perimeter zone?
625. Are employees and contractors permitted to park their personal vehicles within the perimeter zone?
626. Are service
personnel permitted to park within the perimeter zone?
627. Are visitors who are not service personnel
permitted to park within the perimeter zone?
628. Are there procedures for inspecting all
vehicles permitted within the perimeter zone?
629. Are vehicles
searched when entering the perimeter zone?
630. Are vehicles
searched when leaving the perimeter zone?
631. Are all individual members of a group entering
or leaving the perimeter zone in the same vehicle checked for authorization and
identification?
632. State who is
responsible for authorizing perimeter zone entry.
633. Are there effective procedures in place for
authorizing perimeter zone entry?
634. Is there an independent verification of the requests
for perimeter entry authorization?
635. Is positive identification required for a
person to receive authorization for perimeter entry?
636. Are entrances or
gates to the perimeter zone controlled?
637. Are all entrances to the perimeter zone controlled
during normal working hours?
638. Are all entrances to the perimeter zone
controlled after normal working hours?
639. Are all entrances to the perimeter zone
controlled during emergencies?
640. Is entry to the
perimeter zone controlled by a guard(s)?
641. How does the
guard permit entry to the perimeter zone:
A. By verifying ID from a list?
B. By visual recognition?
C. Check badge with no photo?
D. Check badge with photo?
E. Other?
642. Is entry to the perimeter zone controlled by keyed locks?
643. How many persons
have keys to perimeter zone locks?
644. Is it difficult to duplicate keys to perimeter zone locks (e.g. do keys carry engraved instructions prohibiting their duplication, are they made from non-standard blanks, etc.)?
645. Is entry to the
perimeter zone controlled by cipher locks?
646. How many persons have the combination to
cipher locks controlling entry to the perimeter zone?
647. Is the combination to the perimeter zone's
cipher lock changed periodically?
648. Is entry to the perimeter zone controlled by
magnetic card/badge readers?
649. Are authorization lists and control mechanisms
permitting entry to the perimeter zone updated when a person is no longer
authorized for perimeter-zone entry?
650. Does security require all personnel, regardless
of their status, to sign in or be properly identifiable to enter the facility's
property or perimeter zone?
651. Are perimeter zone entries or exits by
non-employees recorded at all times?
652. Does the
perimeter zone entry/exit record include notation for:
A. Time in?
B. Time out?
C. Identification of person entering/leaving?
D. Notation of authorization mechanism?
653. When are perimeter entrances available for
general use (Exclude special-purpose entrances or those requiring special authority
or having special controls)?
654. Do employees challenge persons in the facility
if these persons are not properly identifiable?
655. Is there a safety
program implemented in your company?
656. Who is ultimately
responsible for the safety program?
657. Are area safety monitors/coordinators
established to: maintain safety material/documentation, conduct inspections,
and act as area focal points?
658. Are areas requiring individuals to wear safety
equipment properly marked (safety glasses, ear plugs, gloves...)?
659. How is the
wearing of safety equipment enforced?
660. How is this
equipment distributed?
661. Is there a Safety
Training Program?
662. Does the Safety Training Program address
accident prevention and new employee orientation with the appropriate reference
documentation?
663. Are job related
accidents tracked to calculate trends?
664. Are these accident trends reported to
employees (especially reoccurring accidents)?
665. Are safety
bulletin boards located within work areas?
666. Do safety
bulletin boards contain:
A. First aid supplies?
B. Phone numbers (and proper notification
procedures)?
C. A listing of first aid and CPR trained
employees?
D. The location of the nearest fire
extinguisher?
667. Has your company implemented the Hazard
Communication Program (Normally, this is state law)?
668. Under the Hazard Communication Program, are
explicit instructions for promptly and properly reporting industrial injuries
and occupational illness clearly written and disseminated to all employees?
669. Is there a clearly written company smoking
policy laying out where and when smoking may take place on company property?
670. Is there a policy dictating disciplinary
action for violating a safety or hazard related procedure?
671. Is there an
accident prevention plan within your company?
672. Is a safety/accident prevention orientation
program describing applicable policies and procedures given to new employees?
673. Does this
orientation process address (in writing):
A. Reporting unsafe conditions and practices?
B. Reporting injuries?
C. The proper actions in emergency situations?
D. Emergency ingress/egress procedures?
E. The proper operation and wearing of
protective equipment?
F. Identification of hazardous materials?
674. Does the safety/accident prevention program
receive management support at all levels?
675. Is supervision held accountable for proper
management of safety complaints/issues?
676. Overall, does the safety/accident prevention
program properly document, track and resolve safety issues?
677. Is there an effective process for auditing the
safety/accident prevention program?
678. Is the
safety/accident prevention program well received by the employees?
679. Does the safety/accident prevention program
motivate employees to "get involved" (stressed through positive
reinforcement, education, and training)?
680. Are there methods to monitor employee
participation in the safety/accident prevention program?
681. Does the safety/accident prevention program
have clearly defined written goals and objectives?
682. Does the safety/accident prevention program
comply with OSHA and state health regulations?
683. Is there a safety/accident prevention suggestion system within your company?
684. Are employees warned
against:
A. Opening more than one file cabinet drawer at
a time?
B. Leaving electrical and telephone cords lying
on the floor in an unsafe manner?
C. Leaving coffee pots and fans on during
off-hours...?
685. Is there an active program educating employees
of the proper manner in which to lift heavy objects (Since this is one of the
most frequent causes of industrial injury)?
686. Are periodic
Safety Monitor/Coordinator meetings held?
687. Who approves and institutes policies and
procedures for the safety/accident prevention program?
(Do these same people monitor safety
performance)?
688. Is there a safety/accident prevention program recognition system for those individuals who positively support the program?
689. Who serves as a coordinator between government
regulatory agents and your company?
690. Who reviews, revises and develops the
safety/accident prevention program documentation disseminated to employees?
691. Who is responsible for investigating major
safety/accident prevention program accidents?
692. Who trains management in safety/accident
prevention program issues?
693. Who monitors safety reports, identifies trends
and implements corrective methods?
694. Are employees properly instructed in the
performance of their jobs and how it relates to the safety/accident prevention
program?
695. Are employees educated in good housekeeping
techniques (clean desks/work areas, chemical hygiene...)?
696. Does the company participate in training CPR
and First Aid to the employees/management?
697. Who is
responsible for stocking first aid kits?
698. Are all first aid
kits currently stocked?
699. Who provides emergency services in the event
an employee is injured (local ambulance, on-site doctor...)?
700. What is their
response time?
701. Does each work area have a safety/accident
prevention program checklist to aid in identifying potentially dangerous
situations?
702. Do you have a
Communicable Disease and Infection Control Policy?
703. Who is in charge of documenting the
Communicable Disease and Infection Control Policy?
704. Are there clearly written procedures for
employees who are exposed to communicable diseases in the work place?
705. How do they
document this exposure?
706. Will your company pay for immunization shots
for employees that are in high risk jobs for exposure to communicable diseases?
707. Are employees required to complete either an
annual or biannual physical checkup?
708. Are high risk employees issued proper barrier
protection equipment and apparel (including: gloves, protective eye wear or
face shields, disposable masks...)?
709. Do all employees wash hands with a
disinfectant soap and running water before handling food?
710. Are employees operating hazardous equipment
properly trained and is this training documented before they actually operate
the equipment?
711. Who conducts the training and where are the
training records stored?
712. Who investigates
accidents for your company?
713. Who is responsible for safely maintaining
processing and manufacturing equipment located in your company?
714. Is flammable and
combustible material properly handled and stored?
715. Who is
responsible for this function?
716. Who is responsible for industrial fire risk
management compliance oversight?
717. Is this same department or individual responsible
for hazard analysis/risk assessment functions?
718. Are fire fighting personnel resident on your facility (If not, what is their response time)?
719. Who are your risk insurers (Is there a way to
reduce the amount or deductible for this insurance)?
720. What type of fire protection equipment do you have access to (If it is not resident on your facility, do you inspect outside fire department equipment to ensure they have proper responding provisions - e.g. HazMat, pump/ladder...)?
721. Who conducts industrial fire hazard
analysis/risk assessment surveys?
722. Do you have a fire safety program? (If so, does it cover: fundamentals and chemistry of combustion, fundamental ignition sources, including: arcs, sparks, lightning, static, hot surface, frictional, hot gas and other flame propagation processes)?
723. Are machinists and other applicable employees
educated in combustion characteristics of: fuels, hydraulic fluids and oils,
and solid materials?
724. Was your facility built with fire safety
design in mind? (proper fire detection equipment and extinguishing systems in
place...)
725. Are those individuals involved in high accident and fire risk operations (welding, cutting, dipping, coating, heat exchange, oil quenching, salt baths, filling of aerosol products, spray finishing, powder coating, chemicals, solvent extraction, grinding and milling) adequately trained in accident/fire reduction techniques?
726. Is special attention to fire system hazards
and operations focused on the following high risk areas:
A. Computer centers?
B. Laboratories?
C. Fluid power systems?
D. Refrigeration and electrical equipment?
E. Flammable material handling/storage?
F. Liquefied petroleum gases?
G. Boiler/furnaces?
H. Material handling and storage areas?
I. Waste control?
J. Record storage and housekeeping areas?
727. Do you have an Injury and Safety Program established, implemented and maintained at your facility?
728. Does it meet
state codes and federal guidelines?
729. Is the Injury and Safety Program in writing and
posted at conspicuous locations at each job site or office?
730. Is it provided to each supervisory employee
(who has it readily available upon request by other employees)?
731. Are periodic meetings of supervisory employees
held under the direction of management for the discussion of safety problems
and accidents that have occurred?
732. Do supervisory employees conduct
"toolbox" or "tailgate" safety meetings, or equivalent,
with their crews at least every 10 working days to emphasize safety (or as often
as state code defines)?
733. Does your safety program clearly identify the
person or persons with authority and responsibility
for implementing the program?
734. Does it include a system for ensuring that
employees comply with safe and healthy work
practices? (How, who identifies
compliance)?
735. Do you recognize employees who follow safe and
healthful work practices?
736. What disciplinary actions are available for
individuals who do not comply with the Safety
Program? (Are these clearly communicated
with the employees on date of hire)?
737. Are occupational safety and health issues
communicated with employees in a form readily
understandable by all affected? (How? -
This may include meetings, training programs, posting written communications, a
system of anonymous notification by employees about hazards, labor/management
safety and health committees, or any other means that ensures communication
with employees).
738. How do employees suggest changes or identify
and evaluate work place hazards (suggestion system, written safety forms...)?
739. How are new substances, processes, procedures,
or equipment introduced to the work place representing a new occupational
safety and health hazard communicated to employees?
740. When you are made aware of a new or previously unrecognized hazard, how is it communicated to employees/repaired?
741. How are occupational injuries or occupational
illness investigated (By whom?, How are the results cataloged and who are they
reported to)?
742. Once imminent hazards which cannot be immediately abated without endangering employee(s) and/or property are identified, does your safety program adequately outline evacuation procedures?
743. Are all safety suggestions given prompt
consideration by the employer?
744. How does your facility act upon, record and
secure against the following common crimes:
A. Abductions?
B. Alarms?
C. Batteries?
D. Bomb threats?
E. Burglaries?
F. Disorderly situations?
G. Domestic violence involving employees?
H. Employee "down" reports?
I. Fights?
J. Fires?
K. Homicides involving employees?
L. Intoxicated employees?
M. Missing or runaway juveniles found on your
property?
N. Open doors or windows?
O. Police requesting to execute an arrest
warrant on your property?
P. Reports of employee involved child abuse?
Q. Robbery involving employees?
R. Sexual assaults on company property or
involving employees off property?
S. Shootings?
T. The death of an employee on company
property?
U. Traffic accidents?
V. Vehicle and vessel thefts (both employee and
company owned vehicles)?
745. Do supervisory employees conduct on-hours
safety meetings, or equivalent, with their crews at least every 30 working days
to emphasize safety (or as often as state code defines)?
746. Do you currently
have a hazardous materials program implemented?
747. Are employees instructed (as per law) on how
to file complaints with the Occupational Safety and Health Administration
(OSHA)?
748. Are employees instructed (as per law) that
they are responsible to cooperate fully with OSHA or the local State Department
of Health officials during inspections or investigations?
749. Is it clearly communicated that it is illegal
for any employer to discriminate or retaliate against an employee for raising
health and safety issues?
750. Review the Hazardous Materials Listing in Appendix 1. Indicate which chemicals/materials are stored, used or transported at your facility. For each listed material, your hazardous materials program should address the following:
A. Handling procedures,
B. Storing procedures,
C. Labeling procedures,
D. Ensuring employees have access to the MSDS (Material Safety Data Sheet) listing for each material,
E. Deactivants, absorbents, neutralizers,
F. Storage and usage locations,
G. Spill and evacuation procedures.
Fire Prevention and Storage of Flammable and Combustible Liquids
751. Are fuels such as solvents, acetone, alcohols and toluene, gasses (like acetylene and propane), and solids (such as wood, paper and ordinary trash) stored properly (How)?
752. Are common oxidizers including acids,
especially nitric and perchloric acids; chlorine dioxide; and other agents such
as potassium permanganate and potassium chlorate stored away from all flammable
materials?
753. Are possible
sources of ignition segregated from these materials?
754. Are flammable gases, solids or solvents stored
in well ventilated areas?
755. Is smoking
prohibited in and around all storage areas?
756. In laboratory or manufacturing areas, is all
electrical equipment in ventilated hoods and spray booths explosion-proof?
757. Is this equipment
well maintained?
758. Are intense sources of light, such as
projectors and lasers, kept away from flammable materials?
759. Does your Hazardous Material program account
for selecting the least hazardous/flammable material possible?
760. Are storage areas inventoried to reduce the
amounts of hazardous/flammable material to an acceptable minimum?
761. Are all storage areas designed to use safe
storage procedures and containers to hold hazardous/flammable materials?
Labeling of Hazardous and Flammable Materials
762. Are all hazardous/flammable materials adequately labeled as to their contents, fire hazards, and safe handling procedures?
763. Do all flammable liquids carry at least one of
the following labels (DANGER - FLAMMABLE - Keep Away From Heat, Sparks and Open
Flames, Keep Closed When Not In Use...)?
764. Are Material Safety Data Sheets (MSDS) maintained for all hazardous/flammable materials?
765. Are all materials transported with the
"NFPA diamond" symbolizing their degree of hazard for health hazards,
flammability, and reactivity?
Industrial Accident Prevention/Safety
766. Do all stairways
have railing?
767. Are stairways too
steep?
768. Are stairs
covered with slip-resistant material?
769. Are all perimeter
ladderways locked when not in use?
770. Are floors,
walls, and stairs free of projections and debris?
771. Are work areas
maintained in a clean, orderly fashion?
772. Do aisleways have adequate clearance for intended purposes? (vehicle travel, warehouse, pedestrian...)
773. Are permanent
aisles and passageways clearly marked?
774. Are blind corners
clearly marked?
775. Are floor openings, trapdoors, open pits, and
platforms protected by guard rails or covers?
776. Are the following parts properly guarded? (if located within 7 feet of the ground)
A. Couplings?
B. Fly wheels?
C. Sprockets?
D. Gears?
E. Chains?
F. Spinning blades?
G. Drive belts?
777. Are all spinning
parts guarded?
778. Has all machinery that is "hard
wired" been checked for possible safety and fire hazards?
779. Are portable hand
tools double insulated and properly grounded?
780. Have heavy duty machinery and extension cords
been checked to assure the ground prong is intact?
781. Are there any exposed electrical wires posing
an electrical hazard visible in the facility?
782. Are all outlets, cables, temporary wiring,
breakers, and switches in proper working order?
783. Are waterproof
extension cords used in wet work areas?
784. Have hearing and eye protection, hard hats,
safety shoes, gloves, and clothing been issued and properly maintained?
785. Are warning and signaling devices used to
indicate hazardous areas? (Crossing lights, warning signs, gas/vapor detectors,
sirens, bells ...)
786. Are all such
devices maintained in proper working order?
787. Are flammable
chemicals stored properly?
788. Is eye-protective
gear worn when necessary?
789. Are eye wash and
chemical rinse showers strategically located?
790. How is the
facility cooled/heated?
791. Is there a redundant cooling system in place (should the primary system fail)?
792. Are there effective and properly placed
monitoring devices that generate a recorded history of temperature and humidity
trends within the facility?
793. Is there an
air-conditioning system in use for the facility?
794. Is the cooling capacity of the
air-conditioning equipment sufficient for the requirements of the facility?
795. Is the
air-conditioning system used exclusively for the facility?
796. Is
there an independent backup for the facility air-conditioning system?
797. Are
air-conditioning filters fire resistant?
798. Is the air-conditioning equipment covered by a
preventive maintenance program?
799. Are the compressor and related air-conditioning equipment serviced on a regular schedule?
800. Does the
air-conditioning system include humidity control?
801. Is external air-conditioning equipment (e.g. cooling towers, chillers, compressors) appropriately protected from both natural and human threats?
802. Can the facility air-conditioning system be
shut off manually from within the facility?
803. Is there an automatic monitoring system (with alarms) for the heating/ventilating/air-conditioning (HVAC) system used for the facility?
804. Is airflow
restriction or failure monitored with an alarm?
805. Are
temperature-rise limits/rate monitored with an alarm?
806. Is humidity
monitored with an alarm?
807. Do alarms from the automatic monitoring system
for the heating/ventilating/air-conditioning (HVAC) system used for the
facility transmit to locations outside the facility?
808. Does an alarm for air-conditioning failure or
shutdown transmit to a location outside the facility?
809. Is immediate action taken by appropriate
personnel when the automatic HVAC monitoring system alarm transmission is received?
810. Is there an automatic HVAC monitoring system
with a computer-shutdown capability for the
facility?
811. Will exceeding temperature-rise limits and/or
rate automatically trigger a computer shutdown?
812. Will a computer shutdown result from exceeding
humidity range limits?
Human Resources/Pre-employment Screening
813. Does the company have established pre-employment screening policies and procedures?
814. Are background verifications done internally or externally?
815. Are background checks made on all new employees working in the facility?
816. Are periodic follow-up background checks made on employees after employment?
817. Are background checks required for:
A. Vendors (including vending machine attendants) who visit the facility?
B. Non-employee service personnel?
C. Contractors?
D. Long-term visitors to the facility?
818. Are periodic follow-up background checks made on non-employees after a period of time determined by site management?
819. Are all employees given regular performance appraisals and the opportunity to discuss with management their thoughts about their jobs, their co-workers and their supervisors?
820. Is it policy to train managers and supervisors to recognize and report changes in personal behavior and habits to senior management or a facility department/group delegated to deal with such problems?
821. Are managers and supervisors trained to recognize signs of job performance being affected by drug or alcohol abuse?
822. Are supervisors trained/instructed to bring to management's attention personnel exhibiting signs of poor job performance attributable to suspected drug or alcohol abuse?
823. Are managers aware that sudden or unusually large accumulations of vacation and/or sick leave are potential indicators of privilege abuse?
824. Are supervisors trained/instructed to bring to management's attention personnel who have accumulated unusually large amounts of leave?
825. Are supervisors and management close enough to personnel to detect changes in working, living, and personal habits?
826. Is line management aware of the potential effect of low morale or disgruntled employees?
827. Has management established a policy for personal conduct of employees?
828. Does management keep personnel informed about rules of personal conduct?
829. Does policy permit the immediate removal or relocation for cause of an employee from areas in which the employee may potentially do harm?
830. When an employee terminates employment, is there a written list of items to be returned (badges, keys, access cards...) and accounts to be deleted (computer accounts, change of combinations...) to be completed by a manager?
831. Where is personal information about employees maintained (physical location, computer facility, specific computer...)?
832. Are there control mechanisms restricting access to personal information about employees, either stored in and processed by the computer system or existing in documentation form?
833. Are there control mechanisms restricting modification of personal information about employees, either stored in and processed by the computer or existing in documentation form?
834. Is the amount of personal information collected, stored and processed by the company kept to the minimum necessary for the achievement of a specific purpose?
835. Is there provision for separating identities from personal data used for statistical purposes?
836. Can employees see and challenge any personal information of which they are the subject?
837. Is an audit trail available for all forms of personal information?
838. Is there a time limit beyond which personal information is not retained as an active file in any form?
839. Are there mechanisms for updating and correcting inaccuracies in personal information?
840. Is it standard practice to encode value judgments (such as performance appraisals) made about personal information?
841. Have hiring and termination policies and procedures been evaluated by legal counsel to ensure compliance with fair labor and equal employment opportunity regulations?
842. Are all employment references verified as to the actual employment dates, position and duties, and the listed supervisor/manager and company name before a candidate is hired?
843. Is there a check of the state's corporate and assumed name records for a candidate's self-owned businesses?
844. Are these businesses checked with the Better Business Bureau?
845. Is the candidate's credit history run through a state licensed credit reporting agency?
846. Is there a check for civil litigation records?
847. Is there a check for criminal convictions?
848. Are worker's compensation claims records checked?
849. Are Department of Motor Vehicles (DMV) driving records checked?
850. Are all records and information obtained legally, and can they be verified?
851. Does the company's employment application authorize the verification of references and credentials?
852. Does the company's employment application notify the candidate that falsification of any information on the application or resume will result in termination?
853. Are reliable pre-employment screening drug tests used?
854. Are all applicants informed of the company's policies and procedures concerning pre-employment screening and actual employment?
855. Are the following intrusions or thefts reported to security:
A. Unauthorized use of company facilities?
B. Unauthorized use or attempts to access sensitive information?
C. Misappropriation of company funds?
D. Misappropriation of computer resources?
E. Misappropriation of company resources?
F. Misuse of company time?
G. Destruction of information or company property?
H. Entering the facility without authorization?
856. Are these areas addressed in the Employee Security Briefing, so that they are easily recognizable by employees?
857. Are the building's transformers, motor generators, breaker panels, cooling towers, etc., protected from unauthorized access?
858. Does the facility have an isolated and regulated power service (Should it have one)?
859. Does the kind of work done at the facility require an uninterruptible power supply?
860. Does the facility have an uninterruptible power supply?
861. Does the facility have any protection against power abnormalities (e.g., line filters, either isolation or constant-voltage transformers, motor generators)?
862. Does the facility have power-line filters?
863. Does the facility have isolation transformers?
864. Does the facility have constant-voltage transformers?
865. Does the facility have motor-driven generators?
866. Are emergency power-offs at the facility protected from accidental activation?
867. Has the local power supply been determined to be adequate, consistent, and reliable?
868. Does the facility have standby power for electrically-controlled doors in case of power outages?
869. Does the facility have standby power for electrically-controlled security systems in case of power outages?
870. Does the facility have standby power for electrically-controlled alarms in case of power outages?
871. Is the standby power for electrically-controlled doors, security systems, and alarms tested at regular intervals determined by site management?
872. Is manual intervention required to restore power to the facility following a power interruption?
873. Is there emergency lighting available for the facility if a power failure should occur?
874. Does the facility have a separate emergency lighting system that activates when the main lighting fails?
875. Is the facility's emergency lighting system tested on a regularly-scheduled basis?
876. Is the facility's power supply monitored to detect the occurrence of electrical transients?
877. Is there an immediate or automatic response when electrical abnormalities are detected by the facility's power-supply monitor?
878. Are building transformers, motor generators, breaker panels, cipher-lock door overrides, etc., protected from unauthorized access?
879. Is facility entry controlled by cipher lock(s)?
880. How many persons know the combination to the facility cipher locks?
881. Are combinations for the facility cipher locks changed on a regular basis?
882. Is facility entry controlled by magnetic badge/card/key-card readers?
883. How many persons have magnetic cards, badges, or key cards permitting entry to the facility?
884. Is there a procedure to control badges, keys, combinations, and/or cards used for entry to the facility?
885. Are anchor pads and locking devices used on personal computers?
886. Who has the keys to these devices?
887. Is there a procedure to control badges, keys, combinations, and/or cards used for entry to the facility?
888. What is the procedure for controlling badges, keys, combinations, and/or cards used for entry to the facility?
889. Who has access and disseminates these access devices (Who replaces them when they are lost)?
890. When an individual's facility entry authority is revoked, are:
A. Authorization lists revised?
B. Locks/combinations changed?
C. Badges, keys, cards surrendered?
D. Other?
891. Is access to facility resources denied quickly enough to prevent damage to resources by a person whose facility entry authorization has been revoked?
892. Are offices, desk drawers and file cabinets locked when not in use (Who has the master keys for these locks)?
893. Are dumpsters holding printout and phone related "trash" locked to prohibit unauthorized entry?
894. Are all manhole covers leading to telephone and computer cabling locked?
895. Are employees assigned individual "lockable" lockers (Who has master keys to these lockers)?
896. Have procedures been developed for lock and key control?
897. Who is responsible for lock and key control oversight?
898. Total number of keys issued?
899. Total number of master keys issued?
900. Total number of grand master keys issued? (To whom?)
901. Criteria of key issuance?
902. How often are key inventories conducted? (By whom?)
903. Are key holders allowed to duplicate keys?
904. Where are keys duplicated?
905. Are all keys marked "Do not Duplicate"?
906. Are key blanks and keys not in use stored in a lockable, fire-proof, key security control box? (If not, where are they secured?)
907. Are all keys to the key security control box accounted for?
908. Who has possession of key security control box keys?
909. Is there a facility key access/issuance log?
910. Is the key access/issuance log located in a secured area?
911. Who reviews key access/issuance logs?
912. Are keys left unattended at any time?
913. Is a key return system established for terminated, suspended, or resigning employees?
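Questions 890, 891 and 913 are the kind of reconciliation a surveyor can do from three records: the HR termination list, the badge/key issuance log and the door authorization lists. The following is an added example (not part of the survey) that runs that reconciliation over constructed data; employee ids, item names and dates are all made up.

```python
"""Added example, not part of the survey: reconcile a terminated-employee
list against badge/key issuance records and door authorization lists,
the checks behind questions 890, 891 and 913. All data is constructed."""
from datetime import date

# Constructed HR feed: employee id -> termination date (None means active).
TERMINATIONS = {"E100": date(2024, 2, 29), "E101": None, "E102": date(2024, 3, 1)}
# Constructed survey date used to measure how long revocation has been open.
SURVEY_DATE = date(2024, 3, 11)

# Constructed issuance log: (employee id, item, issued on, returned on or None).
ISSUANCE_LOG = [
    ("E100", "badge 4471", date(2023, 1, 9), date(2024, 2, 29)),
    ("E100", "key GM-02", date(2023, 1, 9), None),
    ("E101", "badge 4482", date(2023, 5, 2), None),
    ("E102", "badge 4490", date(2023, 8, 14), None),
    ("E102", "key M-07", date(2023, 8, 14), date(2024, 3, 4)),
]

# Constructed door authorization lists and the locks each key opens.
AUTH_LIST = {"server room": {"E100", "E101"}, "dock": {"E101", "E102"}}
KEY_LOCKS = {"key GM-02": {"server room", "dock"}, "key M-07": {"dock"}}


def outstanding_items(log, terminations):
    """Badges and keys a terminated employee has not surrendered (890C, 913)."""
    return [(emp, item) for emp, item, _, returned in log
            if terminations.get(emp) and returned is None]


def stale_authorizations(auth_list, terminations):
    """Doors whose authorization list still names a terminated employee (890A)."""
    return {door: sorted(e for e in ids if terminations.get(e))
            for door, ids in auth_list.items()
            if any(terminations.get(e) for e in ids)}


def revocation_lag_days(log, terminations, as_of):
    """Days from termination to return of each item; unreturned items
    are counted up to the survey date (891)."""
    lag = {}
    for emp, item, _, returned in log:
        term = terminations.get(emp)
        if term:
            lag[item] = ((returned or as_of) - term).days
    return lag


def locks_to_rekey(outstanding, key_locks):
    """Locks opened by an unreturned key and therefore due for a change (890B)."""
    doors = set()
    for _, item in outstanding:
        doors |= key_locks.get(item, set())
    return sorted(doors)


if __name__ == "__main__":
    held = outstanding_items(ISSUANCE_LOG, TERMINATIONS)
    print("outstanding:", held)
    print("stale authorizations:", stale_authorizations(AUTH_LIST, TERMINATIONS))
    print("lag (days):", revocation_lag_days(ISSUANCE_LOG, TERMINATIONS, SURVEY_DATE))
    print("rekey:", locks_to_rekey(held, KEY_LOCKS))
```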
914. Who is responsible for locksmith duties?
915. Does the facility have a locksmith on duty? (On the facility payroll?)
916. If not, does the facility have an agreement with a locksmith service to provide services on a contingency basis?
917. Who inspects facility locks for functionality?
918. Were all locks found to be operating correctly at the time of survey?
919. Are combinations or keys accessible only to those individuals whose duties require access to them?
920. What procedures determine if an individual currently requires access to combinations or keys?
921. What procedures ensure combination integrity?
922. Are locks changed once a year regardless of transfers or known violations of security?
923. If combination compromise is suspected, is the combination changed immediately?
924. Are cipher lock viewing-shields used to deny unauthorized observation of combinations?
925. Are doors locked when not in active use?
926. Are employees discouraged from holding secured doors open for others or allowing follow-ins?
927. Are padlocks locked to hasp when not in use?
928. Are all bolts protected or constructed so that they cannot be cut?
929. Are locks and frames designed to prohibit the forced spreading of door frames? (e.g., metal jimmy guards)
930. Do employees have direct view of entrances, stairs, and elevators?
931. Are all doors secured when employees are working after hours?
932. Is the facility checked by the last person who leaves to ensure no unauthorized personnel remain behind?
933. Is there someone responsible for "double checking" doors and windows to make sure they are properly locked at the end of daily business?
934. Are file cabinets, desks, and other securable containers locked when the office is unattended?
935. Is it standard procedure to place valuable information inadvertently left on desks into fire-proof locked cabinets or safes?
936. Are daily deposits made to prevent large amounts of cash and checks from being left at the facility overnight?
937. When filing cabinets are opened for daily business, are the keys returned to secure storage?
938. In addition to the cabinet lock itself, is there a locking bar (located on the cabinet exterior) to provide the necessary security for business or trade secrets?
939. Are heavy-duty locks used to secure office machines? (Calculators, photocopiers, typewriters, computers, etc.)
940. Can personal items be secured in a lockable drawer in each individual's desk?
941. If not, is a secure area maintained for storage of these items?
942. Does the telephone system lock, either manually or electronically, to secure against unauthorized calls?
Private Branch Exchange (PBX) and Telephone Security
943. Does your facility operate or lease a PBX system?
944. Has the remote access function to the PBX system been enabled or deactivated? (Most fraudulent activity is accomplished through the Direct Inward System Access ("DISA") feature.)
945. Are hard to "anticipate or guess" Authorization Codes selected? (not social security numbers, employee identification numbers, phone extensions...)
946. Does the PBX system deny access when three unsuccessful log-on attempts on the same account are encountered?
947. When performing maintenance on the PBX system, is vendor access limited to only authorized maintenance requests?
948. Were all initial test and maintenance passwords deleted?
949. Is there a list of all individuals with authorized access to the PBX?
950. Are all company phone records reviewed for unauthorized long-distance calls?
951. How are company issued calling cards distributed (Who authorizes their distribution, is there more than one signature required)?
952. What procedures are in place to deal with lost or stolen long distance calling cards?
953. Who pays and correlates telephone bills?
954. Does the security education program address obscene, crank and wrong-number calls, identifying that these may be attempts by "hackers" to enter your system?
955. Is the entire PBX system periodically tested as to functionality and security integrity?
956. Are all security deficiencies identified, assessed and recorded?
957. Does your company have a voice mail system?
958. Is there a verbal warning on the voice mail system warning that illegal activity will be prosecuted?
959. Is the outcalling function disabled on your voice mail system? (Can callers transfer to an outside line from inside the voice mail system?)
960. Is the system manager (or system operator, SysOp) password changed every 90 days or when a SysOp terminates employment?
961. Is the system manager's password comprised of at least 14-15 digits?
962. How do you ensure voice mail users change their passwords at least every six months?
963. Is there an "inactive mailbox" report generated periodically?
964. Who reviews and acts on this report?
965. Who investigates repeated unsuccessful log-on attempts?
966. When the system was installed, were all uninitialized mailboxes deleted?
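Questions 946, 950 and 965 amount to two checks a surveyor can run over the PBX call-detail and DISA log-on records: whether any account reached three failed log-on attempts and was still let in afterwards, and which long-distance calls were placed outside business hours. The following is an added example (not part of the survey) that does both over a constructed log; the record layout, the dialling-plan rule for what counts as long distance, and the 07:00-19:00 business window are all assumptions.

```python
"""Added example, not part of the survey: review constructed PBX records
for the conditions behind questions 946, 950 and 965. All formats and
values are made up for illustration."""
from collections import Counter
from datetime import datetime

# Constructed log: timestamp, record kind (AUTH or CALL), account/extension,
# dialled number (empty for AUTH), then duration in seconds or auth result.
PBX_SAMPLE = """\
2024-03-04T09:12:00,CALL,2107,2125550142,240
2024-03-04T23:41:00,CALL,2107,01144207123456,1800
2024-03-05T02:03:00,AUTH,3390,,FAIL
2024-03-05T02:04:00,AUTH,3390,,FAIL
2024-03-05T02:05:00,AUTH,3390,,FAIL
2024-03-05T02:06:00,AUTH,3390,,OK
2024-03-05T02:07:00,CALL,3390,15551234567,2400
2024-03-05T10:30:00,AUTH,2108,,FAIL
2024-03-05T10:31:00,AUTH,2108,,OK
2024-03-09T14:00:00,CALL,2108,12125550177,300
"""


def parse_records(text):
    """Turn the CSV-style log into dicts with a parsed timestamp."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account, number, detail = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                        "account": account, "number": number, "detail": detail})
    return records


def is_long_distance(number):
    """Assumed dialling plan: '011' prefix is international, '1' plus ten
    digits is domestic long distance, anything else is treated as local."""
    return number.startswith("011") or (len(number) == 11 and number[0] == "1")


def is_after_hours(ts, start_hour=7, end_hour=19):
    """Weekend, or outside the assumed 07:00-19:00 business window."""
    return ts.weekday() >= 5 or not (start_hour <= ts.hour < end_hour)


def after_hours_long_distance(records):
    """Calls a reviewer of the phone records (question 950) should explain."""
    return [(r["account"], r["ts"].isoformat(), r["number"])
            for r in records
            if r["kind"] == "CALL" and is_long_distance(r["number"])
            and is_after_hours(r["ts"])]


def lockout_check(records, threshold=3):
    """Accounts whose consecutive DISA failures reached the threshold, and
    those that still logged on afterwards, meaning the PBX did not deny
    access as question 946 expects."""
    streak, reached, not_enforced = Counter(), set(), set()
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["kind"] != "AUTH":
            continue
        acct = r["account"]
        if r["detail"] == "FAIL":
            streak[acct] += 1
            if streak[acct] >= threshold:
                reached.add(acct)
        else:
            if acct in reached:
                not_enforced.add(acct)
            streak[acct] = 0
    return reached, not_enforced
```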
967. Before merchandise is shipped, is a copy of the sales order required to be attached before it leaves the warehouse?
968. Is there a two-person, double-checking system to ensure the accuracy of merchandise being shipped and where it is being sent?
969. Who is responsible for preparing sales orders?
970. When reviewing the "Bills of Lading" file, are all records retained for at least two months?
971. Are bills of lading complete?
972. When reviewing the UPS (shipping) log, are there unusual entries?
973. Are there any shipments addressed to an employee or an individual (Is this normal for your business)?
974. Are the following files maintained in the shipping area:
A. Outside vendor orders?
B. Special orders and rain checks?
C. Defective merchandise pending authorization?
D. Defective merchandise claims forms?
E. Freight claims - pending inspection?
F. Freight claims - copies?
G. Bills of lading?
975. Are freight shortage forms filled out completely?
976. Is freight damaged merchandise reported properly (What is the reporting procedure, to whom is it reported)?
977. Is a partial freight log entry made immediately when receiving merchandise?
978. Are all freight bills or delivery receipts signed and dated?
979. Have all open freight log entries been accounted for?
980. Are all pedestrian and roll-up doors secured when a shipment is not being unloaded?
981. Are all freight containers and vehicles locked when not in use?
982. Are there any objects obstructing fire exits and lanes?
983. Is there any unusual, hidden, or loose stock in the receiving area?
984. Are recycle and garbage bins regularly checked by management for hidden merchandise?
985. Is there evidence of tampering with trash receptacles?
986. Are all external garbage receptacles locked when not in use?
987. Have unauthorized individuals been using the store's garbage dumpsters or recycling bins?
988. Is currency storage kept to a minimum amount (change fund) by a responsible individual?
989. Is the shipping/receiving area or building surrounded by a fence with a controlled access gate?
990. Is access to all loading and unloading areas and platforms strictly controlled?
991. Are these areas designed so vehicle operators do not have direct access to merchandise storage areas without passing through a monitored area such as a shipping or receiving processing office?
992. Are all freight doors secured when not in immediate use?
993. Are high value items stored in a special area with additional physical security considerations?
994. Do security officers regularly patrol the shipping/receiving areas?
995. Does the security department randomly audit shipping and receiving procedures to determine accuracy?
996. Are the receiving and shipping areas physically separated?
997. Are there separate areas for employee and visitor parking?
998. Are all of these parking and building areas well lit?
999. Are all areas covered by CCTV?
1000. Are there surveillance cameras located in the inventory area?
1001. Are all areas covered by a monitored intrusion alarm?
1002. Are employee entrances monitored by electronic access control keypads which record all employee pass code transactions?
1003. Are these records regularly reviewed by security for irregularities?
1004. Are company vehicles kept in a fenced area and locked when not in use?
1005. Are delivery, pick-up, and vendor personnel prevented from having unsupervised access to merchandise areas?
1006. Does your store keep multiple copies of the Bank Identification Number (BIN) directory to help verify legitimately issued bank credit cards?
1007. Are badges issued to these individuals?
1008. Do all employees display photo-ID badges while in the Shipping/Receiving areas?
1009. Are permanent records maintained for all issued and lost badges?
1010. Are all personnel working in the Shipping/Receiving areas photographed, thumbprinted and processed through a complete background check (which should include job and personal reference checks, criminal records and credit history)?
1011. Are all shipments loaded and unloaded only by company personnel?
1012. Are all shipments checked against the corresponding manifests to ensure that all merchandise items listed are physically accounted for?
1013. Who is responsible for loading the trucks?
1014. Are delivery drivers allowed access to the warehouse areas?
1015. Are there certain points which drivers are not allowed past?
1016. Is the loading dock monitored by surveillance cameras?
1017. Is there a delivery schedule available?
1018. Is there an established procedure for inspecting merchandise at the beginning and end of a trip or route?
1019. Does this inspection procedure have its own documentation?
1020. How often is this inspection system tested for accuracy?
1021. Are seals used on the trucks?
1022. Who is responsible for issuing these seals?
1023. Are the seals recorded and tracked by serial numbers?
1024. Do the drivers collect any payments while on trips or routes?
1025. Are procedures designed so that no one other than the loading or unloading personnel needs access to their respective areas?
1026. Who is responsible for receiving materials?
1027. Does this person also prepare the documentation for receiving?
1028. Is this person separate from the purchasing department?
1029. Are all incoming shipments required to be documented immediately?
1030. Are all incoming shipments thoroughly inspected to ensure the quantity shipped matches the quantity received?
1031. What are the procedures for reporting and handling discrepancies?
1032. Are incoming materials inspected for damage?
1033. What are the procedures for reporting and returning damaged materials?
1034. Who is responsible for these return authorizations?
1035. Are purchase orders matched with the corresponding receiving documents?
1036. Are all adjustments made in purchase orders relayed to the receiving department so arriving shipments will have an accurate count?
1037. Are there only certain hours when shipments can be received?
1038. Are different times set up for receiving and shipping functions if the same area has to be used?
1039. Is there a clear and distinct document audit trail for each phase of shipping and receiving both inside of and outside the facility?
1040. Are company administrative personnel and vendors fully aware of the correct procedures followed and documents needed to process incoming and outgoing shipments?
1041. When receiving merchandise, is the vehicle exterior inspected by entry point personnel and any problems noted such as broken seal, no lock on trailer, etc.?
1042. When the shipment arrives at the receiving dock, does that area's personnel inspect the condition and the quantity of all the merchandise?
1043. Once this inspection is complete, are the findings compared to the company's purchase orders and the shipping invoices?
1044. Are any discrepancies noted and identified before any receiving documentation is signed?
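Questions 1041 to 1044 describe one procedure: note exterior problems at the entry point, count and inspect at the dock, compare against the purchase order and shipping invoice, and record every discrepancy before anything is signed. The following is an added example (not part of the survey) that carries that procedure through as a three-way match over constructed records; the PO number, item numbers and quantities are made up.

```python
"""Added example, not part of the survey: the receiving-dock checks of
questions 1041 to 1044 as a three-way match of purchase order, shipping
invoice and physical count. All records are constructed."""

# Constructed documents: purchase order number -> {item number: quantity}.
PURCHASE_ORDERS = {"PO-7781": {"SKU-100": 40, "SKU-205": 12, "SKU-310": 5}}
SHIPPING_INVOICES = {"PO-7781": {"SKU-100": 40, "SKU-205": 12,
                                 "SKU-310": 5, "SKU-999": 2}}
# Constructed dock inspection: vehicle exterior findings and counted goods.
DOCK_INSPECTION = {
    "po": "PO-7781",
    "seal_intact": True,
    "trailer_locked": False,
    "counted": {"SKU-100": 40, "SKU-205": 10, "SKU-310": 5, "SKU-999": 2},
    "damaged": {"SKU-310": 1},
}


def exterior_findings(inspection):
    """Problems noted by entry point personnel (question 1041)."""
    findings = []
    if not inspection["seal_intact"]:
        findings.append("broken seal")
    if not inspection["trailer_locked"]:
        findings.append("no lock on trailer")
    return findings


def three_way_match(po_lines, invoice_lines, counted):
    """Compare ordered, invoiced and received quantities per item (1043).
    Items on any one document but missing from another count as zero, so
    an invoiced item that was never ordered shows up as a discrepancy."""
    discrepancies = {}
    for sku in sorted(set(po_lines) | set(invoice_lines) | set(counted)):
        ordered = po_lines.get(sku, 0)
        invoiced = invoice_lines.get(sku, 0)
        received = counted.get(sku, 0)
        if not ordered == invoiced == received:
            discrepancies[sku] = {"ordered": ordered, "invoiced": invoiced,
                                  "received": received}
    return discrepancies


def receiving_report(inspection, purchase_orders, invoices):
    """Collect every finding that must be recorded before sign-off (1044);
    'clean' is True only when there is nothing to note."""
    po = inspection["po"]
    report = {
        "exterior": exterior_findings(inspection),
        "quantities": three_way_match(purchase_orders[po], invoices[po],
                                      inspection["counted"]),
        "damaged": dict(inspection["damaged"]),
    }
    report["clean"] = not (report["exterior"] or report["quantities"]
                           or report["damaged"])
    return report


if __name__ == "__main__":
    for key, value in receiving_report(DOCK_INSPECTION, PURCHASE_ORDERS,
                                       SHIPPING_INVOICES).items():
        print(f"{key}: {value}")
```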