IT Audit Please enable JavaScript in your browser to complete this form.LayoutCompany Name *Date of Audit *Contact Email *Contact Phone *Website / URLAddress *Address Line 1Address Line 2CityAlabamaAlaskaArizonaArkansasCaliforniaColoradoConnecticutDelawareDistrict of ColumbiaFloridaGeorgiaHawaiiIdahoIllinoisIndianaIowaKansasKentuckyLouisianaMaineMarylandMassachusettsMichiganMinnesotaMississippiMissouriMontanaNebraskaNevadaNew HampshireNew JerseyNew MexicoNew YorkNorth CarolinaNorth DakotaOhioOklahomaOregonPennsylvaniaRhode IslandSouth CarolinaSouth DakotaTennesseeTexasUtahVermontVirginiaWashingtonWest VirginiaWisconsinWyomingStateZip CodePhysical Security Controlled access to sensitive locations and hardware LayoutDoes the client have secure area for servers and networking equipment? YesNoHow is physical access to the secure location managed? Traditional locks+keys held by management/ITElectronic locks managed by IT and connected to Identity ManagementUnknown/client does not have secure location for servers and networking equipmentDoes the facility have controlled access? Yes, with Active Directory or other badge accessYes, with managers holding keysUnknown/client does not have controlled facility accessAre employees required to wear ID badges to identify who they are? Yes, with permissions attached to badge for facility accessYes, but badges are not used for accessing facilityNoAre background checks required for employees and contractors? Yes, employees and contractors Yes, employees onlyNoIf background checks are completed for employees, are these done on an ongoing basis or only at the time of hire? Ongoing for both employees and contractorsOngoing, but for employees only. Contractors at time of hireOngoing, but for contractors only. Employees only at time of hire.Background checks are only run only at time of hireAccount ManagementLayoutDo you create unique user accounts for each individual? YesNoDoes the organization avoid allowing individuals to user Service Accounts used by multiple people?Are all accounts and privileges documented and approved by a specific individual? YesNoDoes the organization have general rules such as "User X is a member of Group Y, therefore they get inherited privileges with their Group membership"Are administrator accounts used ONLY for completing administrative tasks? YesNoDo the organization administrators have separate Admin and User accounts?Are user accounts removed promptly when no longer required? YesNoDo you use only one approved Remote Access method? YesNoIs remote access granted only to those users that need it to complete the functions of their job? YesNoAre users required to use unique credentials for remote access and not a generic Administrator or Service Account? YesNoAre Administrator privileges restricted to the IT department? YesNoIs system access in general limited on an as-needed basis? YesNoAn example of this would be a manager needs to temporarily be granted additional privileges to complete a task, are those privileges then promptly revoked once that task is complete?Do you use an Identity Management solution? Active DirectoryOktaAuth0VmwarePingSecureAuthOtherNoneDo you have a password policy? Check the boxes that apply:AgeLengthUppercase charactersLowercase charactersSpecial CharactersDo you require multi-factor authentication? Check the boxes that correspond to the methods allowed:SMS/Phone call Mobile appHardware tokenDo you require a VPN? Yes, for all corporate resourcesYes, but only for select corporate resourcesNoDo you have fully segregated Wi-Fi networks for visitors/personal devices? YesNoDoes your organization use certificate-based user authentication? YesNoRADIUS, LDAP, Kerberos, otherDo you have standard procedures on reporting cybersecurity incidents? YesNoDo you hold regular training for employees on cybersecurity risks and vulnerabilities? YesNoInfrastructureLayoutDo you purchase equipment only from OEMs or Authorized Resellers? Yes, OEMs onlyYes, Authorized Resellers onlyYes, both OEMs and Authorized ResellersNoDo you download firmware, updates, patches, and upgrades only from validated sources? YesNoDo all purchased devices have IT approved and standardized OSes? YesNoAre antivirus and malware protection installed and required on all devices? YesNoDo you use standard configurations for each type of device? YesNoDo you have the latest drivers and patches installed on all devices? YesNoDo you maintain an up-to-date list of all hardware; name, type, location, serial number, service tag, User in current possession, etc? YesNoDo you have an endpoint management solution? System Center, SolarWinds, Symantec, ConnectWise, etc System CenterSolarWindsSymantecConnectWiseWe do not have endpoint managementDo you allow BYOD? Yes, with MDM enrollmentYes, without MDM enrollmentWe do not allow BYODIf you allow BYOD, is your MDM solution integrated with your EMM solution? YesNoWe do not allow BYODServersLayoutDo you have restricted access to servers, both physical and remote? Physical and remotePhysical onlyRemote onlyWe do not have restricted access to serversDo you have up-to-date antivirus and malware definitions on all servers? YesNoUnknownDo you have intrusion detection and prevention in place for servers? YesNoUnknownDo your servers have full disk encryption configured? YesNoUnknownDo you perform regular backups of servers? Yes, local onlyYes, cloud onlyYes, local and cloudNo Do you maintain off-site backups? Yes, in the cloudYes, offlineYes, both in the cloud and offlineWe do not maintain off-site backupsDo you use a server health monitoring solution? YesNoDo you have logging enabled and regularly analyzed for anomalies? Yes, logs are enabled and regularly reviewedYes, logs are enabled, but we do not regularly review themLogs are not enabledDo you complete regular audits of your corporate network? Yes, for both devices and trafficYes, but only for devicesYes, but only for trafficNoDo you utilize containerization/virtualization to isolate different services? YesNoWorkstations and Software LayoutDo you maintain whitelists for applications and websites? YesNoAre customization options/Local Administrator privileges restricted to approved Power Users? YesNoIs Trusted Source Installation required? YesNoDo you maintain a list of software installed and the license assignments? YesNoDo you maintain a list of users and accounts that use online services? YesNoDo you run scheduled virus scans for all users and systems? YesNoDo you have spam and phishing filters in place for all users? YesNoCloudLayoutDo the cloud services you use meet your data storage and privacy compliance requirements? YesNoDo you SLAs have clauses on response times, business continuity, and disaster recovery? YesNoIs access to user data restricted to only authorized users and only for as long as they need to complete their task? YesNoDo you have a plan in place of loss of access to cloud services? YesNoDo you have policies that deal with data breaches? YesNoCybersecurityLayoutDo you require the use of a password management solution? YesNoDo you allow only trusted software, applications, and browser extensions? YesNoDo you have management policies in place for browsers? YesNoAre devices automatically locked when left unattended? YesNoIs the use of external storage devices, flash drives, HDDs, etc., disabled or restricted to an as-needed basis? YesNoDo you have daily scheduled backups for all critical files/data? (workstations) YesNoDo you have a disaster recovery and business continuity plan? YesNoDo you have an Acceptable Use Policy covering the use of computers, mobile devices, and IT resources as well as Social Media? YesNoDo you regularly review and audit permissions to shared folders, systems, and applications and remove people who no longer need access? YesNoDo you have a standard procedure for isolating and cleaning infected machines? YesNoDo you regularly conduct phishing audits/penetration tests and follow up with employee education/training? YesNoDo you maintain an FAQ or KB on IT and Security policies? YesNoAre you able to remotely wipe and lock mobile devices if lost or stolen? YesNoNetworkLayoutDo you have redundancy and failover solutions in place? YesNoThese could be solutions such as CradlePoint failover, ring protected networks, etc.Do you have a firewall in place to protect your internal network against unauthorized access? YesNoDo you have a strong password for your firewall device that is different from the default one? YesNoIs “Deny All” your default posture on all access lists, inbound and outbound? YesNoIs every rule on your firewall documented and approved by an authorized individual? YesNoIs every rule on your firewall documented and approved by an authorized individual? (copy) YesNoIs every alert promptly logged and investigated? YesNoDo you use only secure routing protocols, which use authentication? YesNoDo you promptly disable any permissive firewall rules that are no longer required? YesNoDo you require WP2-Enterprise with certificate-based authentication? YesNoAre ports not assigned to specific devices promptly disabled? YesNoDo you use physical or virtual separation top isolate critical devices onto network segments? PhysicalVirtualWe do not practice network segmentationAre all unnecessary services on routers and switches disabled? YesNoDo you use only licensed and supported software? YesNoAre updates and patches installed as soon as they are released? YesNoIs unsupported software removed from devices that connect to the internet? YesNoDo you use a patch management solution? YesNoIs your anti-malware kept on auto-update? YesNoIs your anti-malware configured to scan files and web pages automatically and block malicious content? YesNoIs your anti-malware configured to perform regular scans? YesNoAdditional NotesSubmit
