Macro Policies
What are your internal policies pertaining to fleet data management and security? Is anyone exempt from these policies? If so, who and why?
Do you conduct background checks as part of your hiring process? If yes, are there any exceptions to this policy?
What security measures are in place regarding those who may visit your offices?
Employee and IT Team Training
What are your data-relevant policies that employees are briefed on and required to comply with (e.g., non-disclosure agreement; acceptable uses of laptops, smartphones, and other mobile devices; etc.)?
What data management and security training do you provide to your general staff?
What sort of training do you provide or make available to your IT staff?
Partner and Vendor Agreements
Do you have agreements and contracts with third-party partners and vendors who may have access to your data? Describe the security measures in place for such relationships.
Will your data and services be outsourced to another country? If so, which one(s)? What policies and procedures are in place to protect your data?
General Safety and Protection
What are your password policies? How frequently are they changed?
Can employees use their own devices to connect with your systems?
What procedures are in place to monitor and respond to advisories from CISA, NSA, and other similar sources?
How frequently do you backup your data? How long do you maintain backup data before it’s permanently deleted?
What measures are in place to ensure that only those who need access to certain pieces of data see only those pieces?
What type of encryption do you use?
Do you utilize multi-factor authentication (MFA)? Under what scenarios is MFA not required?
What information do you keep in the cloud? Who is your public cloud provider?
How frequently—and quickly—are patches and updates made throughout your system?
How do you monitor traffic on your system?
What firewalls do you have in place?
What is the process for adding new software to your system?
What protections are in place to guard against viruses and malware? Can individual users disable these protections?
What precautions are taken to ensure unapproved devices cannot access your local area network or your Wi-Fi?
Physical Infrastructure
Is your critical IT infrastructure in temperature-controlled rooms with appropriate fire suppression systems?
Are your servers behind locked doors? What sort of entry system do you use? How do you determine who is granted access?
Disaster Mitigation
Do you have a disaster-response plan to protect your fleet tracking and fleet reporting data?
Do you have an insurance policy in place for security breaches? If so, who is the provider?
How often do you stress test your systems, and how do you go about doing so?
Does an outside firm regularly evaluate your data management systems and policies? If so, what firm provides those services to you? Can you share the findings of your most recent report?
Where are your backup data centers located?
