Title Page
- Audit Title
- Client/Company Name
- Location
- Conducted on
- Conducted by

Security Audit
Progress through the following sections, answering each question. When an item is non-compliant or marked as a fail, be sure to add notes and/or media as evidence.

Access Controls
- Are user accounts created with strong passwords?
- Is multi-factor authentication (MFA) implemented for privileged accounts?
- Are access rights regularly reviewed and revoked for terminated employees?
- Does the facility use an automated access control system?
- Are card readers utilized at all access points?
- Are card readers securely fastened and in good working order?

Network Security
- Is a firewall in place to control incoming and outgoing network traffic?
- Are intrusion detection and prevention systems (IDPS) deployed?
- Are network devices regularly patched and updated?

Data Protection
- Is sensitive data encrypted both at rest and in transit?
- Are regular data backups performed and tested for recoverability?
- Are data access and usage monitored and logged?

Physical Security
- Are all doors and windows secure and able to be locked?
- Are physical access controls implemented, such as access badges or biometric systems?
- Are server rooms and data centers secured with appropriate physical safeguards?
- Is there a visitor log and escort policy for visitors entering restricted areas?
- Are perimeter doors alarmed?
- Are perimeter doors covered by cameras?
- Are computers marked with serial numbers or company information?
- Is an intrusion alarm system used in the facility?
- Are fire prevention and suppression systems in place?
- Are power backups available?

Incident Response
- Is an incident response plan in place and regularly tested?
- Are security incidents and breaches promptly reported and investigated?
- Is there a process for notifying affected parties in the event of a data breach?

Employee Awareness and Training
- Are employees provided with security awareness training?
- Do employees understand the importance of vigilance and of challenging suspicious activity?
- Do employees sign an acceptable use policy regarding information security?
- Are employees regularly reminded of security best practices and policies?
- Are employees aware of, and do they follow, the procedure for reporting suspicious activities or incidents?

Compliance
- Is the organization compliant with relevant security regulations and standards?
- Are security audits conducted periodically by third-party assessors?
- Is there a process for addressing security audit findings and implementing corrective actions?
- Are all security policies and procedures documented?
- Are vendor and third-party risk management plans in place?

Information Security
- Is there an effective information security strategy?
- Is there an effective IT strategy?

General Facility Impressions and Security Posture
- What is the estimated volume of daily visitors?
- Have there been security problems in the past? Describe in detail.
- What are the biggest threats to security?
- What assets at the facility need to be protected?

Completion
- Summary of Findings
- Remediation and Action Plans
- Date of Next Audit
- Auditor's Name and Signature