Security Assessment Checklist
Interactive checklist for security reviews and compliance assessments
How to use this checklist
- Review each security control and mark its status
- Use filters to focus on specific priorities or frameworks
- Track your completion rate and identify gaps
- Export or document findings for compliance reporting
Authentication & Access Control
- Multi-factor authentication (MFA) enforced [priority: high]: require MFA for all user accounts, especially administrative access
- Strong password policy implemented [priority: medium]: minimum length, complexity requirements, password rotation
- Role-based access control (RBAC) configured [priority: medium]: users have the minimum necessary permissions based on their roles
- Session management secure [priority: high]: proper session timeouts, secure cookies, token rotation
- Account lockout after failed attempts [priority: low]: prevent brute-force attacks with account lockout policies
Data Protection
- Data encrypted at rest [priority: high]: all sensitive data encrypted using strong encryption (AES-256)
- Data encrypted in transit [priority: high]: TLS 1.2+ for all network communications
- Sensitive data minimization [priority: medium]: only collect and store necessary sensitive data
- PII/PHI handling procedures [priority: high]: proper procedures for handling personally identifiable information
- Data backup and recovery tested [priority: medium]: regular backups with tested recovery procedures
- Secure data deletion procedures [priority: low]: proper data sanitization when deleting sensitive information
Application Security
- Input validation implemented [priority: high]: all user inputs validated and sanitized
- SQL injection prevention [priority: high]: parameterized queries, ORM usage, input sanitization
- XSS (Cross-Site Scripting) prevention [priority: high]: output encoding, CSP headers, sanitization
- CSRF protection implemented [priority: medium]: anti-CSRF tokens for state-changing operations
- Security headers configured [priority: medium]: CSP, X-Frame-Options, HSTS, X-Content-Type-Options
- API rate limiting implemented [priority: medium]: prevent abuse and DoS attacks on APIs
- Dependency vulnerability scanning [priority: medium]: regular scanning of third-party dependencies for vulnerabilities
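One way an assessor can turn the "Security headers configured" item above into a repeatable check, as an added example that is not part of this checklist: score a captured set of HTTP response headers for HSTS lifetime, CSP presence and 'unsafe-inline', framing restrictions, and nosniff. The header values are constructed sample data, and the one-year HSTS threshold is an assumption, not a value from the page.

```python
# Added example, not part of the checklist page: score captured HTTP response
# headers against the "Security headers configured" control (constructed data).
from __future__ import annotations

ONE_YEAR = 31536000  # common minimum HSTS max-age for a passing mark (assumed threshold)

def check_security_headers(headers: dict[str, str]) -> dict[str, list[str]]:
    """Return {'pass': [...], 'fail': [...]} findings for one HTTP response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    result: dict[str, list[str]] = {"pass": [], "fail": []}

    def record(ok: bool, msg: str) -> None:
        result["pass" if ok else "fail"].append(msg)

    # HSTS: header present and max-age long enough to be meaningful
    max_age = 0
    for directive in h.get("strict-transport-security", "").split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    record(max_age >= ONE_YEAR, f"HSTS max-age={max_age} (need >= {ONE_YEAR})")

    # CSP: present, and not weakened by 'unsafe-inline' (re-enables inline scripts)
    csp = h.get("content-security-policy", "")
    record(bool(csp), "Content-Security-Policy present")
    if csp:
        record("'unsafe-inline'" not in csp, "CSP does not allow 'unsafe-inline'")

    # Clickjacking: X-Frame-Options DENY/SAMEORIGIN, or CSP frame-ancestors
    xfo = h.get("x-frame-options", "").upper()
    record(xfo in ("DENY", "SAMEORIGIN") or "frame-ancestors" in csp,
           "framing restricted (X-Frame-Options or CSP frame-ancestors)")

    # MIME sniffing disabled
    record(h.get("x-content-type-options", "").lower() == "nosniff",
           "X-Content-Type-Options: nosniff")
    return result

# Constructed sample response: HSTS lifetime too short, CSP allows inline scripts.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for status, findings in check_security_headers(SAMPLE_HEADERS).items():
        for finding in findings:
            print(f"[{status.upper()}] {finding}")
```

Run it against headers captured from each application endpoint; the two findings in the sample (short HSTS lifetime, 'unsafe-inline' in CSP) are the gaps an assessor would record for this item.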
Infrastructure Security
- Firewall configured and maintained [priority: high]: network segmentation and firewall rules properly configured
- Regular security patching [priority: high]: OS and software patches applied within SLA timeframes
- Intrusion detection/prevention system [priority: medium]: IDS/IPS monitoring for suspicious activity
- DDoS protection configured [priority: medium]: protection against distributed denial-of-service attacks
- Secure container configuration [priority: medium]: container images scanned, minimal base images, no root access
- Secrets management system [priority: high]: proper storage and rotation of API keys, passwords, certificates
Monitoring & Logging
- Security event logging enabled [priority: high]: log authentication, authorization, and security events
- Log retention policy defined [priority: low]: appropriate retention periods for different log types
- Security monitoring and alerting [priority: medium]: real-time alerts for suspicious activities
- Log integrity protection [priority: medium]: logs protected from tampering and unauthorized access
Compliance & Governance
- Security policy documented [priority: medium]: written information security policy
- Incident response plan [priority: high]: documented procedures for security incident response
- Security awareness training [priority: medium]: regular security training for all employees
- Vendor security assessments [priority: low]: third-party vendor security reviews
- Regular security audits [priority: medium]: periodic internal and external security assessments
- Penetration testing conducted [priority: medium]: regular penetration testing by qualified professionals