It Security Assessment Checklist

IT Security Assessment List DATE
CUSTOMER NAME
AUDIT BY
N OF ENDPOINTS
ASSETS
Hardware (in-house)
Condition Problem Result
Hardware (remote)
Software (in-house)
Software (external applications)

Web applications
INTERNET ACCESS SECURITY

Malware detection system
Condition Possible threat Mitigation
Inbound/outbound filter lists

Bandwidth restrictions
VULNERABILITIES / THREATS
RMM
Servers
Internet connection
Firewalls
Content filters
Remote desktops
Billing system
Credentials
Third-parties applications
Network infrastructure
Security configuration
SECURITY 1/2
Default passwords have been disabled
Password strength
Number of failed login attempts is limited/disabled

Antivirus
Content filter
Remote desktops
Phishing email filters

Patching
Remote authorization control

Encryption
Automatic lock of desktops

SECURITY 2/2
Anti-malware software
Verified software
Security updates are installed

Administrator account's password is rotated regularly

No remote access to admin account

Temporary files are removed

SUGGESTIONS
Policies amendments
Users' authorization corrections

Changes in procedures/operations
Replacement of outdated technology

Incidence response plan

DATE
CUSTOMER NAME
IT Security Assessment List AUDIT BY
NETWORK
Wireless access point
Firewall
Switches
IP addresses management
Network configuration
Up-to-date VPN software

RMM
SNMP
WORKSPACE AND EQUIPMENT
Up-to-date workstations
Remote endpoints
Disk space
Patching
Printers/scanners
Total workstations
Total workstations
NOTES
USER ACCOUNTS
Authentication is mandatory for all users
Unique accounts for users

Shared accounts
MFA
Least priviledge policy

Disabled stale accounts

Total workstations
Set password rotation

Total workstations
No shared credentials between environments (if multiple)

Total workstations
All default accounts are deleted

Total workstations
NOTES
DOCUMENTATION
Regulatory compliance (e.g. HIPAA)
Privacy policy
Password policy
BYOD policy
Remote access policy

Warranties
Remote access policy

Licensing
Disaster recovery plan

Business continuity plan

Business continuity plan

Document maintenance
SERVERS AND EQUIPMENT
Modern servers
Power supply
Storage capacity
Server racks/cabinets
NTP servers
Patch management
DHCP
Separate server room(-s)

Wire management
Physical security
Temperature control
Proper labelling
Workstations equipped
EOL dates
TOTAL SERVERS
Total servers
NOTES
DATA MAINTENANCE
Software used
RTO/RPO
Frequency of backups
Destination for critical data

Backups destination
Encryption
Secure offsite storage

№ of data copies
Retention time
NOTES
QUESTIONS TO ASK
1 Do you have security plan? How many Comments
times/year it is reviewed? Who has access?
2 Do you track the accesses given to the Comments

employees? (least priviledge policy)
3 How do you control credentials? MFA/2FA? Comments
4 Do you have any of the security products? Comments

Which ones?
5 How do you control remote employees? Do Comments

they have autolock/physical security/shared
accounts/access to the critical data?
6 How often do you monitor and review Comments

logbooks? How do you track vulnerable data?
How do you detect suspicious activity?
7 Do you encrypt data? If yes, how? Comments
8 How do you perform backups? Do you use 3-2- Comments

1 policy? What kind of data is backed up? What
kind of storages you use?
9 Who has access to the servers where backed Comments

data is stored?
10 Do you run tests? (Data recovery, penetration Comments

tests, etc.) How often? All data or only certain
types?
11 Do you have security awareness trainings for Comments

employees? If yes, how often? What kind of
trainings?
Title:

It Security Assessment Checklist

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

It Security Assessment Checklist

Uploaded by

Copyright:

Available Formats

IT Security Assessment List DATE

Software (external applications)

INTERNET ACCESS SECURITY

Inbound/outbound filter lists

Number of failed login attempts is limited/disabled

Phishing email filters

Remote authorization control

Automatic lock of desktops

Security updates are installed

Administrator account's password is rotated regularly

No remote access to admin account

Temporary files are removed

Users' authorization corrections

Replacement of outdated technology

Incidence response plan

Up-to-date VPN software

Unique accounts for users

Least priviledge policy

Disabled stale accounts

Set password rotation

No shared credentials between environments (if multiple)

All default accounts are deleted

Remote access policy

Remote access policy

Disaster recovery plan

Business continuity plan

Business continuity plan

Separate server room(-s)

Destination for critical data

Secure offsite storage

2 Do you track the accesses given to the Comments

3 How do you control credentials? MFA/2FA? Comments

4 Do you have any of the security products? Comments

5 How do you control remote employees? Do Comments

6 How often do you monitor and review Comments

7 Do you encrypt data? If yes, how? Comments

8 How do you perform backups? Do you use 3-2- Comments

9 Who has access to the servers where backed Comments

10 Do you run tests? (Data recovery, penetration Comments

11 Do you have security awareness trainings for Comments

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

Condition Problem Result

You might also like