Security Checklist - Secureframe

The document provides an internal security audit checklist covering general security policies and procedures, incident response planning, penetration testing, intrusion detection, personnel security, risk management, device security, software security, application security, email security, data storage and processing security, physical security, and user management. The checklist includes recommendations for setting up security policies and vulnerability scans, creating an incident response plan, starting a bug bounty program, implementing multi-factor authentication, encrypting devices and data, conducting code reviews and security scans, and restricting physical access.

Uploaded by

Nahom Dejene

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

100 views

Security Checklist - Secureframe

Uploaded by

Nahom Dejene

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 4

Internal Security Audit Checklist

General
Set up security@ email address (forward to developers group)
Perform regular system vulnerability sweeps
Create a set of security policies and document them, holding them in a specific folder,
either digitally or on paper.

Incident Response Plan

Prepare for ransomware attack (establish a response team, emergency contact list,
consider cybersecurity liability insurance, determine the limit you’re willing to pay)
Create an incident response plan that outlines responsibilities and steps for detecting,
reporting, and responding to an incident

Pentesting

Start bug bounty program (e.g., Hacker One, Bugcrowd)

Use a third-party tool (e.g., Cobalt, Securisea)

Intrusion Detection

Monitor dark web for a data breach (e.g., PhishLabs)

Host-based IDS (e.g., OSSEC, Wuzah, Tripwire, rkhunter)
Network-based IDS (e.g., Suricata, Snort, Bro)

Personnel

Onboarding (for employees and contractors):

Complete background checks
Ensure access provisioning has necessary approvals and is tracked
Complete NDAs as necessary

Risk and Vulnerability Management

Comprehensive internal risk assessment and annual review

Regular vulnerability scanning and remediation

Configuring for least functionality

Firewall rules,
Close unnecessary ports and block unnecessary protocols and services
Segment functions such as APIs, admin privileges, etc.
Device security
Encrypt all devices, such as laptops and hard drives (e.g., FileVault on Mac)
Apply device restrictions (stop backups to personal cloud storage, etc.)
Consider providing employees with mobile devices for business purposes with remote wipe
Block potentially dangerous apps and websites
Prevent users from installing software
Turn on endpoint verification

Software security
List current system security software (e.g., firewalls, AV, SIEM tools, etc.)
Consider data loss protection software
Require MFA for all third-party services
Slack
GitHub
Heroku
AWS
Others:
Set up a team password manager (e.g., 1Password)
Check all software and operating systems are fully patched and updated to the latest
versions. Consider an inventory management/patch management tool (e.g., Fleetsmith)
Domain names
Auto-renew on
Buy primary domains for 5-10 years (optional)
Transfer lock enabled (default for most services)

Application Security

Scan website (e.g., Mozilla Observatory)

Everything should pass except Content Security Policy
Code analysis
No credentials in code
Scan dependencies for vulnerabilities (e.g., GitHub, bundle-audit, npm audit, yarn
audit, CodeClimate)
Static code analysis (e.g., Brakeman, CodeClimate, others)
Secure password hashing (e.g., bcrypt, Argon2)
Require MFA for admin accounts (e.g., Google Authenticator)
Add rate-limiting
Notify users of email and password changes (sent to old email)
Record login attempts
Protect against account takeovers
Lock accounts after too many attempts
Lock accounts after successful login from credential stuffing IP
Email Security

Sender Policy Framework (SPF)

Domain Keys Internet Mail (DKIM)
Domain-based message authentication reporting & conformance (DMARC)
For inactive domains, create a null SPF record: “v=spf1 –all”

Data storage & processing security

Create an employee offboarding checklist to disable all accounts (or automate it)
Enforce encryption for all data transmissions

Data Storage

Create a list of personal data, where it’s stored, and sensitivity level
Database fields (and other data stores)
Files
Third-party services
Data at rest
Storage level encryption
Database
Elasticsearch
S3
Application-level encryption
Database fields
File uploads
Use authenticated encryption (e.g., AES-GCM or Libsodium)

Data access & processing

Data in transit
External
HTTPS everywhere (including subdomains)
HSTS header
HSTS preload list (if possible)
Secure ciphers
SSL certificates not expiring soon
Internal
Postgres (sslmode=verify-full)
Elasticsearch (HTTPS)
Redis (SSL)
Database users
Password greater than 32 characters
Use separate roles for migrations, app, and analytics
Business Intelligence tools
Personal data not accessible
Auditing/logging
Check for data leakage
Logs
Error reporting
App instrumentation
Third-party analytics
Cache stores
Email inboxes

End-user security
User Management

Every 3 months (put it on your calendar):

Verify list of admins for all services
Verify list of users for all services
Remove inactive accounts

Internal Threats

User activity logged

SSH/console logins
SSH/console commands
Separate admin privileges among multiple personnel/teams or implement approval gates

Physical & environmental security

Lock server rooms and limit physical access to servers
Establish a logbook or video surveillance to monitor physical access
Document security access levels for personnel and review access periodically
Log employee badges and keys and terminate access for departing employees
Disable means for connecting external drives and devices
Monitor temperature and humidity and set alerting thresholds
Monitor water detection
Have backup power, lighting, and fire suppression systems in place in case of emergencies
Account for natural disasters such as earthquakes and flooding in the building design

CIS Controls and Sub-Controls Mapping To ISO
No ratings yet
CIS Controls and Sub-Controls Mapping To ISO
47 pages
CIS Controls v7.1 Mapping To ISO 27001 v19.07
100% (1)
CIS Controls v7.1 Mapping To ISO 27001 v19.07
46 pages
Baseband Manually Integration
No ratings yet
Baseband Manually Integration
9 pages
The Ultimate C - C - CPE - 12 - SAP Certified Development Associate - SAP Extension Suite
0% (1)
The Ultimate C - C - CPE - 12 - SAP Certified Development Associate - SAP Extension Suite
2 pages
Checklist For Client
No ratings yet
Checklist For Client
7 pages
EH ASSIGNMENT
No ratings yet
EH ASSIGNMENT
15 pages
Presentation-11
No ratings yet
Presentation-11
16 pages
Update of OWSAP Checklist v1
No ratings yet
Update of OWSAP Checklist v1
35 pages
Lab 6
No ratings yet
Lab 6
5 pages
Cloud Security Checklist
No ratings yet
Cloud Security Checklist
1 page
Practical Security Cheatsheet
No ratings yet
Practical Security Cheatsheet
2 pages
CISO_MindMap_2025
No ratings yet
CISO_MindMap_2025
1 page
Cyber Assets
No ratings yet
Cyber Assets
7 pages
1 Audit
No ratings yet
1 Audit
3 pages
CISO MindMap 2024
No ratings yet
CISO MindMap 2024
1 page
Lab 6
No ratings yet
Lab 6
5 pages
AUD IN CIS ENVIRONMENT (1)
No ratings yet
AUD IN CIS ENVIRONMENT (1)
18 pages
Action Plan For Implementing Cyber Essentials
No ratings yet
Action Plan For Implementing Cyber Essentials
4 pages
Cyber Security - Simple Risk Assessment
No ratings yet
Cyber Security - Simple Risk Assessment
2 pages
Security Operations
No ratings yet
Security Operations
23 pages
Network Security Audit Checklist 1
No ratings yet
Network Security Audit Checklist 1
3 pages
Network Security Audit Sample
0% (1)
Network Security Audit Sample
3 pages
Devops Security Checklist
100% (2)
Devops Security Checklist
14 pages
Breathe-10-Step-Cyber-Security-Checklist
No ratings yet
Breathe-10-Step-Cyber-Security-Checklist
6 pages
Comprehensive Cloud Security Best Practices - The Script
No ratings yet
Comprehensive Cloud Security Best Practices - The Script
5 pages
Cybersecurity Checklist
No ratings yet
Cybersecurity Checklist
11 pages
Secure Code Review Checklist
No ratings yet
Secure Code Review Checklist
3 pages
Check List Cloud
No ratings yet
Check List Cloud
9 pages
ISMS Requirements
100% (1)
ISMS Requirements
6 pages
Cyber Security Framework V1.0
No ratings yet
Cyber Security Framework V1.0
39 pages
Third-Party-Service Provider-Audit
No ratings yet
Third-Party-Service Provider-Audit
41 pages
IT SOP Security Checkpoints
No ratings yet
IT SOP Security Checkpoints
2 pages
63 Web Application Security Checklist For IT Security Auditors and Developers
No ratings yet
63 Web Application Security Checklist For IT Security Auditors and Developers
4 pages
Unit42 Cybersecurity Checklist 57 Tips
No ratings yet
Unit42 Cybersecurity Checklist 57 Tips
6 pages
MITRE-ATTACK-Mitigations-ProperFormat-WorkingCopy - 01-29-2020 v1.1
No ratings yet
MITRE-ATTACK-Mitigations-ProperFormat-WorkingCopy - 01-29-2020 v1.1
1,201 pages
Unit - 1 Introduction
No ratings yet
Unit - 1 Introduction
10 pages
Checklist_and_Guidelines
No ratings yet
Checklist_and_Guidelines
12 pages
CIS Controls Navigator Export 2024-04-08T18!37!02
No ratings yet
CIS Controls Navigator Export 2024-04-08T18!37!02
12 pages
Controls
No ratings yet
Controls
4 pages
Final Recommendation
No ratings yet
Final Recommendation
42 pages
Devops Security Checklist
No ratings yet
Devops Security Checklist
15 pages
Naukri_SharadKumar[17y_0m]
No ratings yet
Naukri_SharadKumar[17y_0m]
8 pages
Information Security and Analysis Labda4: NIST Report For VIT
No ratings yet
Information Security and Analysis Labda4: NIST Report For VIT
11 pages
SCR-List
No ratings yet
SCR-List
3 pages
Unit 2
No ratings yet
Unit 2
17 pages
Cloud Computing Security
No ratings yet
Cloud Computing Security
27 pages
MGT MICROPROJECT 22203C0007
No ratings yet
MGT MICROPROJECT 22203C0007
6 pages
Application Security Checklist
No ratings yet
Application Security Checklist
7 pages
GROUP8 TerminalAssesment
No ratings yet
GROUP8 TerminalAssesment
19 pages
Cyber Security Framework V1.01
100% (1)
Cyber Security Framework V1.01
42 pages
Cybersecurity Checklist PDF
No ratings yet
Cybersecurity Checklist PDF
11 pages
Is Operations - 4
No ratings yet
Is Operations - 4
5 pages
Security Controls Checklist BeyondTrust
No ratings yet
Security Controls Checklist BeyondTrust
10 pages
CISSP OVER ALL DOMAINS CONCEPT
No ratings yet
CISSP OVER ALL DOMAINS CONCEPT
4 pages
Cqure Academy Checklist
No ratings yet
Cqure Academy Checklist
4 pages
7. Host security for servers
No ratings yet
7. Host security for servers
2 pages
Cyber Security Road Map White Pages
No ratings yet
Cyber Security Road Map White Pages
11 pages
Least Privilege: Do Not Expose Unnecessary Services
No ratings yet
Least Privilege: Do Not Expose Unnecessary Services
7 pages
The Data Security Checklist For Business 1701221498
No ratings yet
The Data Security Checklist For Business 1701221498
12 pages
Security+ Boot Camp Study Guide
From Everand
Security+ Boot Camp Study Guide
Chad Russell
5/5 (1)
WordPress 3 Ultimate Security
From Everand
WordPress 3 Ultimate Security
Olly Connelly
4.5/5 (1)
“Information Systems Unraveled: Exploring the Core Concepts”: GoodMan, #1
From Everand
“Information Systems Unraveled: Exploring the Core Concepts”: GoodMan, #1
Patrick Mukosha
No ratings yet
Phase 2 Software
No ratings yet
Phase 2 Software
6 pages
Esquema Eletrico-Main Board
No ratings yet
Esquema Eletrico-Main Board
15 pages
FortiGate FortiWiFi 50E Series
No ratings yet
FortiGate FortiWiFi 50E Series
6 pages
ATEL DW516 Atel User Manual
No ratings yet
ATEL DW516 Atel User Manual
37 pages
Isilon - ESRS Cluster
No ratings yet
Isilon - ESRS Cluster
12 pages
VPN Clients Quick Guide: Iportalmais June 27, 2012
No ratings yet
VPN Clients Quick Guide: Iportalmais June 27, 2012
24 pages
Myra Jara JingTutorial
No ratings yet
Myra Jara JingTutorial
90 pages
Fix Your Computer Is Low On Memory Warning
No ratings yet
Fix Your Computer Is Low On Memory Warning
11 pages
Raster Animation
No ratings yet
Raster Animation
3 pages
Q bank
No ratings yet
Q bank
4 pages
Curtain-U Rail-User Manual
No ratings yet
Curtain-U Rail-User Manual
18 pages
Grade 11 With Info Sy. 2021 2022
No ratings yet
Grade 11 With Info Sy. 2021 2022
51 pages
Entry Level Interview Questions and Answers 1286
No ratings yet
Entry Level Interview Questions and Answers 1286
8 pages
ReleaseNotes 4.07.13.2243
No ratings yet
ReleaseNotes 4.07.13.2243
5 pages
Cisco Catalyst 1000 Datasheet
No ratings yet
Cisco Catalyst 1000 Datasheet
23 pages
Iso 5127 2017 en PDF
No ratings yet
Iso 5127 2017 en PDF
19 pages
Planner of B.SC .ITVI 2022-Nov
No ratings yet
Planner of B.SC .ITVI 2022-Nov
1 page
A Comprehensive and Systematic Look Up Into Deep Learning Based Object Detection Techniques - A Review
No ratings yet
A Comprehensive and Systematic Look Up Into Deep Learning Based Object Detection Techniques - A Review
29 pages
Module_14_TransportLayer
No ratings yet
Module_14_TransportLayer
44 pages
GA-B85M-D2V SI_R30
No ratings yet
GA-B85M-D2V SI_R30
33 pages
CV KaziNoshin
No ratings yet
CV KaziNoshin
2 pages
10 HHW Compiled 24-25-1
No ratings yet
10 HHW Compiled 24-25-1
2 pages
ICT121 - JULY - 2017 - Exam Paper
No ratings yet
ICT121 - JULY - 2017 - Exam Paper
8 pages
Raw Waveform Processing - BayesMap Solutions, LLC
No ratings yet
Raw Waveform Processing - BayesMap Solutions, LLC
3 pages
Mod #02 Moomoo - Io
No ratings yet
Mod #02 Moomoo - Io
287 pages
Python Notes
No ratings yet
Python Notes
9 pages
B. Ing
No ratings yet
B. Ing
10 pages
0.1) Draft How To Reformat A Computer Using Windows 7 ICT Lesson Plan Grade 9
No ratings yet
0.1) Draft How To Reformat A Computer Using Windows 7 ICT Lesson Plan Grade 9
13 pages