
Security Checklist: Easy things companies can do to increase security

February 26, 2022
March 22, 2016

You can break cyber security down into three basic areas: People, Process and Technology. All three are necessary for a properly functioning digital security strategy. Below is a checklist of what companies can do to keep their assets safe.

People

People are the weakest link in the security chain. You can install the best security technology money can buy, but if your people are not trained and do not follow the Standard Operating Procedures (SOPs) you put in place, you will have security incidents. It is therefore necessary to invest properly in educating your employees and to give them the tools they need to keep your digital assets safe. Some of the areas are listed below:

Passwords
  • Rotate passwords every 90 days
  • Require complex and/or long passwords (e.g. diceware passphrases: https://xkcd.com/936/)
  • Use a different password for every login
  • Use a password manager (e.g. 1Password: https://agilebits.com/onepassword)
  • Use different usernames and passwords for privileged access
  • Do not share passwords
Clean Desk/Screen
  • Lock screens after 5 minutes of inactivity automatically and require a password when the screen locks
  • Clear desks and/or whiteboards of sensitive information at the end of the day
Vendor Management
  • Third-party companies are targets too
  • Many of them think they are too small to matter
  • Freelance personnel are a common security hole
  • Ensure you vet your third parties - make them contractually commit to a certain level of information security, especially around sensitive data you may share
Education and Awareness
  • Basic security awareness training should be conducted at least annually
  • Ongoing training should include posters and social engineering tests
  • Developers must learn secure coding and invest in a secure SDLC
  • Make training easily trackable and interactive
Remote Access
  • Ensure employees follow secure practices when connecting remotely
  • Use two-factor authentication
  • Only provide remote access to those who need it and ensure you are reviewing access logs
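
The "review access logs" item above is easiest to act on when the review is automated. The following is an added example (not the article's own code) that reads remote-access log lines and flags successful logins by users who are not on the approved list, logins made without two-factor authentication, and logins outside business hours. The log format, the approved-user list, the business-hours window and the sample lines are all constructed assumptions; adapt the regular expression to whatever your VPN gateway actually logs.

```python
"""Review remote-access (VPN) logs against the checklist's rules.
Added example, not the article's code. Log format, approved users,
business hours and sample lines are constructed assumptions."""
import re
from datetime import datetime

# Constructed sample log in an assumed gateway format.
SAMPLE_LOG = """\
2016-03-21T08:02:11Z vpn-gw1 login user=alice src=203.0.113.10 mfa=yes result=success
2016-03-21T09:15:42Z vpn-gw1 login user=bob src=198.51.100.7 mfa=no result=success
2016-03-21T23:48:03Z vpn-gw1 login user=carol src=203.0.113.77 mfa=yes result=success
2016-03-21T11:05:19Z vpn-gw1 login user=mallory src=192.0.2.9 mfa=yes result=success
2016-03-21T11:06:30Z vpn-gw1 login user=alice src=203.0.113.10 mfa=yes result=failure
"""

# Assumed list of the staff who actually need remote access.
APPROVED_REMOTE_USERS = {"alice", "bob", "carol"}
# Assumed working window, 07:00-19:59 UTC.
BUSINESS_HOURS = range(7, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>success|failure)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def review_access_log(text, approved=APPROVED_REMOTE_USERS, hours=BUSINESS_HOURS):
    """Return (user, reason) findings for successful logins that break a rule.
    Failed logins are skipped here; count them separately if you want to
    watch for password guessing."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "success":
            continue
        if rec["user"] not in approved:
            findings.append((rec["user"], "not approved for remote access"))
        if rec["mfa"] == "no":
            findings.append((rec["user"], "login without two-factor authentication"))
        if rec["ts"].hour not in hours:
            findings.append((rec["user"], "login outside business hours"))
    return findings


if __name__ == "__main__":
    for user, reason in review_access_log(SAMPLE_LOG):
        print(f"{user}: {reason}")
```

Run on the sample it reports bob (no second factor), carol (late-night login) and mallory (not on the approved list); alice's failed attempt is ignored. Feeding the function a day's worth of real gateway logs on a schedule gives you the access review the checklist asks for, with the approved-user set maintained alongside the offboarding process.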

Process

Standard Operating Procedures (SOPs) are necessary controls which ensure secure processes are followed for the protection of data. The most essential processes are explained below:

Asset Management
  • Know your critical assets and information and track them
  • Rank your assets by criticality - the most critical assets should be the most protected
  • Have a process by which you can track new assets and remove decommissioned assets
  • Determine what you consider an “asset”, remember that assets can also be people, roles or processes
Risk Assessment of Vendors
  • Keep a list of vendors, and rank them based on how much sensitive information they have access to
  • Create a questionnaire for each vendor to determine the level of risk
  • Conduct your own risk assessment of the vendors which hold your most sensitive and mission-critical data
  • Be prepared to get audited yourself and have documented proof that you are doing what you say you are doing when it comes to information security
Onboarding/Offboarding checklist
  • Checklist of where to provision accounts when hiring/terminating
  • Should be tailored to each department
  • This should include contractors
  • Department heads should be accountable for the services they supervise. The most logical place for this checklist to live is the ticketing system
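
The offboarding half of the checklist only works if someone periodically checks that it was actually followed. The following is an added example (not the article's own code) that reconciles the accounts each service reports against the HR roster, including contractors with an end date, and lists the accounts that should already have been removed. The roster, the service account exports, the status values and the dates are constructed assumptions.

```python
"""Offboarding reconciliation: compare each service's account list with the
HR roster (employees and contractors) and report accounts that should have
been removed. Added example, not the article's code; roster, services,
status values and dates are constructed."""
from datetime import date

# Assumed 'today' for the reconciliation run.
AS_OF = date(2016, 3, 22)

# Constructed HR roster: login -> (department, status, end date or None).
ROSTER = {
    "alice": ("engineering", "employee", None),
    "bob":   ("finance", "employee", None),
    "carol": ("engineering", "contractor", date(2016, 3, 31)),
    "dave":  ("sales", "contractor", date(2016, 2, 29)),   # contract ended
    "erin":  ("finance", "terminated", date(2016, 3, 1)),
}

# Constructed account export per service (each supervised by a department head).
SERVICE_ACCOUNTS = {
    "vpn":       {"alice", "bob", "carol", "dave"},
    "ticketing": {"alice", "erin", "mallory"},
    "payroll":   {"bob", "erin"},
}


def find_orphaned_accounts(roster=ROSTER, service_accounts=SERVICE_ACCOUNTS, today=AS_OF):
    """Return {service: [(login, reason), ...]} for accounts whose owner is not
    an active employee or contractor as of `today`."""
    findings = {}
    for service, logins in service_accounts.items():
        for login in sorted(logins):
            entry = roster.get(login)
            if entry is None:
                reason = "no matching roster entry"
            else:
                _dept, status, end = entry
                if status == "terminated":
                    reason = "terminated"
                elif end is not None and end < today:
                    reason = f"{status} engagement ended {end.isoformat()}"
                else:
                    continue  # active account, nothing to do
            findings.setdefault(service, []).append((login, reason))
    return findings


def tickets_for(findings):
    """Flatten findings into one (service, login, reason) row per ticket to raise."""
    return [(svc, login, reason)
            for svc, rows in findings.items()
            for login, reason in rows]


if __name__ == "__main__":
    for svc, login, reason in tickets_for(find_orphaned_accounts()):
        print(f"[{svc}] remove {login}: {reason}")
```

On the constructed data it finds dave's VPN account (contract ended), erin's ticketing and payroll accounts (terminated) and a ticketing account, mallory, that no roster entry explains at all. Each row is one ticket for the department head who owns that service, which is why the checklist belongs in the ticketing system.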
Remote Management
  • SysAdmins should be able to push updates to computers (e.g. JAMF on Macs and System Management/Group Policy for Windows)
  • All endpoints should be accessible and have some degree of control
Policies
  • Create a written Acceptable Use Policy. All staff and contractors should have to read and sign the policy before they are allowed on the network
  • An Information Security Policy should define your overall approach to InfoSec
  • Security Standards and SOPs should be created which cover third parties, information security (including deployment and hardening of services by the technical team) and risk management
  • Disaster Recovery is an often overlooked but very necessary procedure to have. This should include contact lists in case of an emergency, a recovery plan for the most critical assets and a schedule for regular tests of the procedure
Vulnerability Management
  • Scan your network's external IP addresses to find security holes you never thought of
  • Track all vulnerabilities and have a documented plan to remediate them, e.g. low and informational risks are accepted, medium depends on the sensitivity of the asset, etc.
  • Conduct ongoing vulnerability assessments and have an outside party conduct penetration tests at least annually (more frequently if your web-facing assets are sensitive)
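
The documented remediation plan above depends on the asset ranking from the Asset Management section: the same medium-severity finding is accepted on a low-value host but remediated on a critical one. The following is an added example (not the article's own code) that applies such a plan to scan output using an asset register, and treats a finding on a host that is not in the register as an asset-management problem in its own right. The asset list, the scan findings, the SLA days and the escalation threshold are constructed assumptions; the rule "medium depends on sensitivity of asset" is the one from the checklist.

```python
"""Vulnerability triage: apply a documented remediation plan to scan findings
using the asset register's criticality ranking. Added example, not the
article's code; assets, findings, SLA days and thresholds are constructed."""
from datetime import date, timedelta

# Assumed date of the scan being triaged.
SCAN_DATE = date(2016, 3, 22)

# Constructed asset register: hostname -> criticality rank (1 = most critical).
ASSETS = {
    "db-prod-1": 1,       # holds customer data
    "web-public-1": 2,    # internet-facing web server
    "wiki-internal": 3,
    "print-server": 4,
}

# Constructed scanner output: (host, finding id, scanner severity).
SCAN_FINDINGS = [
    ("db-prod-1", "FINDING-001", "medium"),
    ("web-public-1", "FINDING-002", "high"),
    ("wiki-internal", "FINDING-003", "medium"),
    ("print-server", "FINDING-004", "low"),
    ("print-server", "FINDING-005", "informational"),
    ("unknown-host", "FINDING-006", "critical"),
]

# Assumed remediation SLA in days per severity; None means the risk is accepted.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": None, "informational": None}
# Assumed rule: medium findings on assets ranked this high or higher are treated as high.
MEDIUM_ESCALATE_RANK = 2
# Assumed time allowed to identify and register an unknown host.
UNKNOWN_HOST_DAYS = 7


def triage(findings=SCAN_FINDINGS, assets=ASSETS, sla=SLA_DAYS, scan_date=SCAN_DATE):
    """Return one ticket dict per finding with the action and due date the plan requires."""
    tickets = []
    for host, fid, severity in findings:
        rank = assets.get(host)
        if rank is None:
            # A host the register does not know about breaks asset management
            # before it breaks vulnerability management: register it first.
            tickets.append({"id": fid, "host": host, "effective_severity": severity,
                            "action": "identify asset",
                            "due": scan_date + timedelta(days=UNKNOWN_HOST_DAYS)})
            continue
        effective = severity
        if severity == "medium" and rank <= MEDIUM_ESCALATE_RANK:
            effective = "high"
        days = sla[effective]
        tickets.append({"id": fid, "host": host, "effective_severity": effective,
                        "action": "accept" if days is None else "remediate",
                        "due": None if days is None else scan_date + timedelta(days=days)})
    return tickets


if __name__ == "__main__":
    for t in triage():
        due = t["due"].isoformat() if t["due"] else "-"
        print(f"{t['id']} {t['host']:14} {t['effective_severity']:13} {t['action']:15} due {due}")
```

The medium finding on db-prod-1 gets the 30-day high-severity deadline because the host is ranked first, while the identical severity on the internal wiki gets 90 days; the low and informational findings on the print server are recorded as accepted rather than silently dropped, which is the "documented proof" an auditor will ask for.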

Technology

Technology is the most obvious aspect of Information Security. This includes hardware and software products which should support the policies and procedures that have been defined for the organization. Note: policies and procedures should be enacted before the technological controls are put in place.

Network Best Practices
  • Segment your networks - ensure essential services are protected in their own zone and that shared, less restricted services (e.g. guest internet access) are separated from them
  • 802.1X should be used for wireless access control
  • The perimeter model is outdated - assume you are already breached and protect the information itself
Next Generation (or Application-aware) Firewall
  • Firewalls are necessary to protect networks, and can handle the network segmentation
  • Can identify evasion/tunnelling protocols and block or alert on them
  • Also called “UTM” or Unified Threat Management, they typically have Intrusion Prevention/Detection (IPS/IDS) and URL filtering built in
Endpoint Protection
  • Malware protection on the endpoint is still necessary
  • Host Intrusion Prevention Systems (HIPS) can be very effective (e.g. for blocking USB devices)
  • Consider whitelisting for the most sensitive hosts
  • Central management is key

Although this list can seem daunting, there’s a good chance that a number of these controls are already in place in your organization; it’s just necessary to formalize and track them. When it comes to cyber security, it’s not a matter of if, but when, so the sooner you get started the more effective your system will be.