
Security is not only about technology, but also about human resources. There is no point in having a great security policy in place if people ignore it.
So-called "information security" will not be taken seriously if an important server and the data it contains
are kept in an unsecured, unmonitored room.
Does your organization perform background investigations on prospective
employees or contractors? Are visitors monitored to ensure they do not access
certain areas of the facility without an appropriate escort?
Unless you are comfortable with people wandering in and out of your offices as
they please, your company needs to formalize procedures for escorting visitors
through your premises. This is especially critical if visitors will be near
desktop computers that could be used to access electronic data.