Security Audit Checklist Template

Use the Security Audit Checklist Template to review your internal IT security: vulnerabilities, control plans, log monitoring, and process and device security.

General

1. Is a security email address set up and forwarded to the developer group?

2. Are regular system vulnerability sweeps performed?

3. Are security policies created, documented, and held in a specific folder, either digitally or on paper?

Incident Response Plan

1. Is there preparation for a ransomware attack, including establishing a response team, creating an emergency contact list, considering cybersecurity liability insurance, and determining the limit you're willing to pay?

2. Is an incident response plan created that outlines responsibilities and steps for detecting, reporting, and responding to an incident?

Pentesting

1. Has a bug bounty program started (e.g., HackerOne, Bugcrowd)?

2. Is a third-party tool used for pen-testing (e.g., Cobalt, Securisea)?

Intrusion Detection

1. Is the dark web monitored for a data breach (e.g., PhishLabs)?

2. Is a host-based IDS used (e.g., OSSEC, Wazuh, Tripwire, Hunter)?

3. Is a network-based IDS used (e.g., Suricata, Snort, Bro/Zeek)?

Personnel

1. Is onboarding for employees and contractors completed with background checks?

2. Does access provisioning require the necessary approvals and tracking?

3. Are NDAs completed as necessary?

Risk And Vulnerability Management

1. Is a comprehensive internal risk assessment and annual review conducted?

2. Are regular vulnerability scans and remediation performed?

Configuring For Least Functionality

1. Are firewall rules set?

2. Are unnecessary ports closed, and unnecessary protocols and services blocked?

3. Are functions such as APIs and admin privileges segmented?

Device Security

1. Are all devices, such as laptops and hard drives, encrypted (e.g., FileVault on Mac)?

2. Are device restrictions applied to stop backups to personal cloud storage, etc.?

3. Is consideration given to providing employees with mobile devices for business purposes with remote wipe capabilities?

4. Are potentially dangerous apps and websites blocked?

5. Are users prevented from installing software?

6. Is endpoint verification turned on?

Software Security

1. Is there a list of current system security software (e.g., firewalls, AV, SIEM tools, etc.)?

2. Is data loss prevention (DLP) software considered?

3. Is MFA required for all third-party services such as Slack?

4. Is MFA required for all third-party services such as GitHub?

5. Is MFA required for all third-party services such as Heroku?

6. Is MFA required for all other third-party services?

7. Is a team password manager set up?

8. Are all software and operating systems verified to be fully patched and updated to the latest versions?

9. Is an inventory/patch management tool considered (e.g., Fleetsmith)?

10. Is auto-renew on for domain names?

11. Are primary domains bought for 5-10 years (optional)?

Application Security

1. Is the domain transfer lock enabled (the default at most registrars)?

2. Is the website scanned using a tool like Mozilla Observatory?

3. Does everything in the website scan pass, with the Content Security Policy check as the only accepted exception?

4. Is a code analysis conducted?

5. Is the code free of embedded credentials?

6. Are the dependencies scanned for vulnerabilities using tools like GitHub, bundle-audit, npm audit, yarn audit, or CodeClimate?

7. Is a static code analysis performed using tools like Brakeman, CodeClimate, or others?

8. Are secure password hashing methods such as bcrypt or Argon2 used?

9. Is MFA required for admin accounts (e.g., Google Authenticator)?

10. Is rate-limiting added?

11. Are users notified of email and password changes, with notifications sent to the old email address?

12. Are login attempts recorded?

13. Are measures in place to protect against account takeovers?

14. Are accounts locked after too many failed login attempts?

15. Are accounts locked after a successful login from an IP address associated with credential stuffing?

Email Security

1. Is the Sender Policy Framework (SPF) configured?

2. Are DomainKeys Identified Mail (DKIM) settings in place?

3. Is Domain-based Message Authentication, Reporting & Conformance (DMARC) configured?

4. For inactive domains, has a null SPF record been created with "v=spf1 -all"?

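As an added example (not part of the GoAudits template), the following Python audits SPF and DMARC TXT records offline against items 1, 3 and 4 above: it enforces the one-SPF-record rule, checks that an inactive domain publishes exactly the null record v=spf1 -all, flags a permissive terminal all mechanism, and reads the DMARC p= policy. The domain names and records in SAMPLE_TXT are constructed samples standing in for a DNS TXT lookup.

```python
import re

# Constructed sample TXT records, keyed by the name a DNS TXT lookup would use.
# "parked.example" models an inactive domain that should carry only "v=spf1 -all".
SAMPLE_TXT = {
    "example.com": ["v=spf1 include:_spf.google.com ~all"],
    "parked.example": ["v=spf1 -all"],
    "weak.example": ["v=spf1 +all"],
    "_dmarc.example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
}

def parse_spf(txt_records):
    """Return the mechanisms of the domain's single SPF record, or None if it is missing or duplicated (RFC 7208 allows at most one)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None
    return spf[0].split()[1:]

def spf_findings(domain, txt_records, inactive=False):
    """List audit findings for a domain's SPF record (an empty list means pass)."""
    mechs = parse_spf(txt_records)
    findings = []
    if mechs is None:
        return [f"{domain}: missing or duplicate SPF record"]
    # Item 4: an inactive domain should publish the null record and nothing else.
    if inactive and mechs != ["-all"]:
        findings.append(f"{domain}: inactive domain lacks null SPF (v=spf1 -all)")
    # "+all" (or bare "all") authorises every sender and "?all" is neutral; only "-all"/"~all" reject or soft-fail.
    terminal = mechs[-1].lower() if mechs else ""
    if terminal in ("+all", "all", "?all"):
        findings.append(f"{domain}: permissive SPF terminal mechanism {terminal!r}")
    elif terminal not in ("-all", "~all"):
        findings.append(f"{domain}: SPF record has no terminating 'all' mechanism")
    return findings

def dmarc_policy(txt_records):
    """Return the p= policy (none/quarantine/reject) of a DMARC record, or None."""
    for r in txt_records:
        if r.upper().startswith("V=DMARC1"):
            m = re.search(r"(?:^|;)\s*p=(\w+)", r)
            return m.group(1).lower() if m else None
    return None

def dmarc_findings(domain, txt):
    policy = dmarc_policy(txt.get(f"_dmarc.{domain}", []))
    if policy is None:
        return [f"{domain}: no DMARC record"]
    if policy == "none":
        return [f"{domain}: DMARC policy is p=none (monitor only)"]
    return []
```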
Data Storage & Processing Security

1. Is an employee offboarding checklist in place to disable all accounts (or automate the process)?

2. Is encryption enforced for all data transmissions?

Data Storage

1. Is a list of personal data created, detailing where it's stored and its sensitivity level?

2. Are the database fields (and other data stores) containing personal data identified?

3. Are files containing personal data identified and listed?

4. Are third-party services storing personal data identified and documented?

5. Is storage-level encryption enabled for data at rest?

6. Is encryption enabled for the database?

7. Is encryption enabled for Elasticsearch?

8. Is encryption enabled for S3 storage?

9. Is application-level encryption applied to database fields and file uploads?

10. Is authenticated encryption used, such as AES-GCM or libsodium?

Data In Transit - External

1. Is HTTPS enabled everywhere, including subdomains?

2. Is the HSTS header implemented?

3. Is the domain included in the HSTS preload list (if possible)?

4. Are secure cipher suites being used?

5. Are SSL/TLS certificates valid and not expiring soon?

Data In Transit - Internal

1. Is PostgreSQL configured with sslmode=verify-full?

2. Is Elasticsearch configured to use HTTPS?

3. Is Redis configured to use SSL/TLS?

Database Users

1. Are database passwords longer than 32 characters?

2. Are separate roles used for migrations, the app, and analytics?

Business Intelligence Tools

1. Is access to personal data restricted?

2. Are auditing and logging mechanisms implemented to track access and usage of Business Intelligence tools and related data?

Data Leakage Checks

1. Are logs generated and maintained for activities?

2. Is there a system in place for reporting and monitoring errors?

3. Are Business Intelligence tools instrumented to gather performance metrics and usage data?

4. Are third-party analytics tools integrated securely?

5. Are cache stores (if used) secured and monitored to prevent data exposure?

6. Are email inboxes monitored and secured to prevent unauthorized access or data leakage?

User Management

1. Is the list of admins for all services verified every 3 months?

2. Is the list of users for all services verified every 3 months?

3. Are inactive accounts removed every 3 months?

Internal Threats

1. Is user activity logged?

2. Are SSH/console logins logged?

3. Are SSH/console commands logged?

4. Have admin privileges been separated among multiple personnel/teams?

5. Are approval gates implemented for administrative actions?

Physical & Environmental Security

1. Are server rooms locked to limit physical access to servers?

2. Is there a logbook or video surveillance system to monitor physical access to server rooms?

3. Are security access levels documented for personnel, and is access periodically reviewed?

4. Are employee badges and keys logged, and is access terminated promptly for departing employees?

5. Are means for connecting external drives and devices disabled on servers?

6. Are temperature and humidity monitored, with alerting thresholds set?

7. Is there monitoring for water detection in server rooms?

8. Are backup power, lighting, and fire suppression systems in place and tested regularly for emergencies?

9. Has the building design accounted for natural disasters such as earthquakes and flooding?


Checklist by GoAudits.com – Please note that this checklist is intended as an example. We do not guarantee compliance with the laws applicable to your territory or industry. You should seek professional advice to determine how this checklist should be adapted to your workplace or jurisdiction.
