This tool provides questions for audit committees to consider when assessing internal security risks.

Sample questions include: Have the critical programs and data been identified and classified with respect to security requirements? Is there an appropriate security policy? Is there a comprehensive and clear backup policy for data and programs? Are backup copies stored in a secure location? Is the data center efficiently protected against unauthorized access? Is there an access log file? Do security personnel regularly review this file?