Title Page
- Audit Title
- Client/Company Name
- Location
- Conducted on
- Conducted by
Security Audit
- Progress through the following sections, answering each question. When an item is non-compliant or marked as fail, be sure to add notes and/or media as evidence.
Access Controls
- Are user accounts created with strong passwords?
- Is multi-factor authentication (MFA) implemented for privileged accounts?
- Are access rights regularly reviewed and revoked for terminated employees?
- Does the facility use an automated access control system?
- Are card readers utilized at all access points?
- Are card readers securely fastened and in good working order?
Network Security
- Is a firewall in place to control incoming and outgoing network traffic?
- Are intrusion detection and prevention systems (IDPS) deployed?
- Are network devices regularly patched and updated?
Data Protection
- Is sensitive data encrypted both at rest and in transit?
- Are regular data backups performed and tested for recoverability?
- Are data access and usage monitored and logged?
Physical Security
- Are all the doors and windows secure and able to be locked?
- Are physical access controls implemented, such as access badges or biometric systems?
- Are server rooms and data centers secured with appropriate physical safeguards?
- Is after-hours access to server rooms monitored/controlled?
- Are the external walls fit for purpose and are they secure?
- Is there a visitor log and escort policy for visitors entering restricted areas?
- Are perimeter doors alarmed?
- Are alarms active during the day, or are areas shut off?
- Is there a regular lock-up routine?
- Are perimeter doors supported by cameras?
- Are computers marked with serial numbers or company information?
- Is an intrusion alarm system used in the facility?
- Is the intrusion alarm system in good working order?
- Does the alarm system have a power backup?
- Are fire prevention and suppression systems in place?
- Are power backups available?
- Is environmental monitoring implemented?
Incident Response
- Is an incident response plan in place and regularly tested?
- Are security incidents and breaches promptly reported and investigated?
- Is there a process for notifying affected parties in the event of a data breach?
Employee Awareness and Training
- Are employees provided with security awareness training?
- Do they understand the importance of vigilance and of challenging suspicious activity?
- Do employees sign an acceptable use policy regarding information security?
- Are employees regularly reminded of security best practices and policies?
- Are employees aware of, and compliant with, the procedure for reporting suspicious activities or incidents?
Compliance
- Is the organization compliant with relevant security regulations and standards?
- Are security audits conducted by third-party assessors periodically?
- Is there a process for addressing security audit findings and implementing corrective actions?
- Are all security policies and procedures documented?
- Are vendor and third-party risk management plans in place?
Electronic Security
- Is there ample, well-maintained lighting?
- Are cameras installed?
- How many cameras are functional?
- How many cameras are inoperable?
- Are cameras managed by security, IT, facilities, or others?
- Are monitors clear?
- Have cameras/CCTV installed for maximum security coverage. Assign this as an action if needed.
- Attach photos and other relevant files as evidence.
Information Security
- Is there an effective information security strategy?
- Is there an effective IT strategy?
Visitor Vehicle Access
- Is there an access control system in place for visitor vehicles?
- Do visitors have to show ID?
- Are visitors announced?
- Are visitors required to park in certain areas?
- Are passes issued? If yes, describe the types of passes issued.
General Facility Impressions and Security Posture
- What is the estimated volume of daily visitors?
- Have there been security problems in the past? Describe in detail.
- What are the biggest threats to security?
- What assets at the facility need to be protected?
Completion
- Summary of Findings
- Remediation and Action Plans
- Date of Next Audit
- Auditor's Name and Signature