Initial Security Assessment Checklist

How to Use This Checklist

This checklist covers ten security domains that form the foundation of a sound security posture for small businesses. Work through each domain with your team, marking items as complete, in progress, or not started. The goal is not perfection on day one. It is visibility into where you stand.

Identity and Access Management

• MFA is enforced on all user accounts, including admin and service accounts
• User access reviews are conducted at least quarterly
• Shared accounts have been eliminated or documented with compensating controls
• Offboarding procedures revoke access within 24 hours of separation
• Privileged access is limited to named individuals with business justification

Endpoint Protection

• EDR or next-generation antivirus is deployed on all workstations and servers
• Endpoint agents are centrally managed with alerting on agent health
• Operating systems and applications receive patches within 30 days of release
• Removable media policies are defined and enforced
• Full-disk encryption is enabled on all laptops

Email Security

• SPF, DKIM, and DMARC records are configured and enforced for all domains
• Inbound email filtering blocks known malicious attachments and URLs
• External email banners warn recipients when messages originate outside the organization
• Auto-forwarding rules to external addresses are disabled or monitored
• Quarantine review procedures are documented

Cloud Configuration

• Cloud admin accounts use dedicated credentials with MFA
• Security defaults or conditional access policies are enabled
• Audit logging is active and retained for at least 90 days
• Guest access and external sharing settings are reviewed quarterly
• Cloud storage permissions follow least-privilege principles

Data Protection

• Sensitive data types are identified and classified
• Data retention and disposal schedules are documented
• Encryption in transit (TLS) is enforced for all external communications
• Encryption at rest is enabled for databases and file storage
• Data loss prevention rules are in place for email and cloud storage

Network Security

• Firewall rules are reviewed at least annually
• Default credentials have been changed on all network devices
• Network segmentation separates guest, corporate, and sensitive environments
• Remote access requires VPN or zero-trust network access with MFA
• Wireless networks use WPA3 or WPA2-Enterprise

Incident Readiness

• A written incident response plan exists and has been reviewed in the past 12 months
• Incident roles and escalation contacts are defined
• The plan includes procedures for notifying your cyber insurance carrier
• A tabletop exercise has been conducted within the past year
• Contact information for legal counsel and forensic providers is documented

Vendor Risk Management

• Critical vendors are inventoried with documented points of contact
• Vendor security questionnaires or certifications are collected annually
• Contracts include data protection and breach notification clauses
• Vendor access to your environment is reviewed quarterly
• SaaS application inventory is maintained and reviewed for redundancy

Security Awareness

• All employees complete security awareness training at hire and annually
• Phishing simulations are conducted at least quarterly
• Training completion rates are tracked and reported to leadership
• Role-based training is provided for high-risk roles (finance, HR, IT)
• Employees know how to report suspicious emails or activity

Compliance and Governance

• Applicable regulatory requirements are identified (state privacy laws, industry standards)
• Security policies are reviewed and updated annually
• Risk assessments are conducted at least annually
• Board or leadership receives regular security posture updates
• Cyber insurance coverage is reviewed annually against current risk profile