Security audit
All checklist items must be verified by each team member and audited regularly.
Account Management
Do you create a unique user account and username for each individual?
Are all user accounts and their privileges documented and approved by an authorized individual?
Are admin accounts used only for performing admin tasks?
Are user accounts, especially those with admin privileges, removed when no longer required?
Do you use only one approved remote access method?
Do you give remote access only to authorized users?
Do you give unique credentials to each remote user instead of using a common account?
Are administrative privileges restricted to your IT team?
Is system access limited based on roles and needs?
Do you use Identity and Access Management solutions?
IT and Security Policy
Do you have a robust password policy to ensure all users have strong passwords?
Have you implemented 2FA (Two-Factor Authentication)?
Do you require the use of virtual private networks (VPNs) for remote access?
Have you set up a segregated guest WiFi for visitors and employee-owned devices?
Do you regularly educate your employees about cybersecurity risks and vulnerabilities?
Software Security Management
Do you maintain a whitelist of applications that are allowed to be installed on computers and mobile devices?
Do you use an MDM (mobile device management) for securing your mobile devices, operating systems, and applications?
Do you keep auto-update on for your OS, applications, and anti-virus?
Are customization options limited to power users?
Do you install software only from a trusted source?
Do you maintain a list of software installed and the corresponding license?
Do you maintain a list of accounts (usernames and passwords) that use online services?
Do you run scheduled virus scans for all users and systems?
Do you have spam filters in place for all users?
Cloud Security
Do the cloud services you use meet your data storage and privacy compliance requirements?
Do your SLAs have clauses on response times, business continuity, and disaster recovery?
Is access to user data restricted to required users?
Do you have a plan in place in case of loss of access to cloud services?
Do you have policies that deal with data breaches?
Cybersecurity
Do you use a password manager?
Do you use only legitimate software, applications, and browser extensions from trusted sources?
Are devices automatically locked when left unattended?
Is the use of USB drives and external hard drives from unfamiliar sources restricted?
Do you have daily scheduled backups for all critical files and data?
Do you have a disaster recovery and business continuity plan?
Do you have an acceptable use policy covering the use of computers, mobile devices, and other IT resources, as well as social media tools?
Do you regularly review permissions to access shared folders, systems, and applications and remove people who no longer need access?
Do you have a standard procedure for isolating infected machines and for cleaning them?
Do you regularly conduct phishing audits and penetration tests?
Do you maintain an FAQ on company IT and Security policies?
Are you able to remotely wipe mobile devices if lost or stolen?
Software Patch Management
Do you use only licensed and supported software?
Are software updates and security patches installed as soon as they are available?
Is unsupported software removed from devices that are capable of connecting to the internet?
Do you use a patch management solution?
Malware Protection
Is your anti-malware software kept on auto-update?
Is your anti-malware software configured to scan files and web pages automatically and block malicious content?
Is your anti-malware software configured to perform regular scans?