Workspace Security — Security Checklist

Do you maintain documented security policies governing workspace operations (device standards, account management, access control)?

Is there a clearly designated person or team accountable for workspace security (policy maintenance, reviews)?

Do you operate a documented review and update process for security policies with defined triggers (incidents, technology updates)?

Do you maintain an inventory of organizational devices (laptops, phones, tablets) that tracks ownership and critical security status (encryption, OS version)?

Do you maintain an inventory of organizational accounts (email, cloud services, social media, DNS, development tools) with defined ownership?

Do you classify information and systems based on sensitivity and criticality to determine appropriate security controls?

Do you maintain documented security requirements for company issued devices (encryption, authentication, patching, software restrictions)?

Do you have procedures for provisioning devices according to security requirements and verifying ongoing compliance?

Do you maintain procedures for device procurement through verified supply chains and verification of device integrity upon receipt?

Do you enforce authentication requirements for device access (password complexity, timeout settings, lock screens)?

Do you maintain procedures for managing administrative privileges on devices (separation from daily use accounts, approval processes)?

Do you maintain policies distinguishing between corporate and personal device usage with appropriate security controls?

Do you have procedures for remotely managing organizational devices in case of loss or compromise (remote lock/wipe capabilities)?

Do you maintain procedures for secure device decommissioning including data sanitization?

Do you have documented procedures for responding to lost or stolen devices?

Do you maintain endpoint detection and response (EDR) or mobile device management (MDM) solutions on organizational devices with documented deployment and monitoring procedures?

Do you have procedures for responding to EDR/MDM alerts and enforcing compliance with security policies through these platforms?

Do you maintain policies for browser and application security (browser isolation, extension approval, external file handling)?

Do you maintain requirements for physical workspace security for both on-site and remote work environments?

Do you have procedures for provisioning, modifying, and deprovisioning user accounts with appropriate approvals?

Do you enforce multi-factor authentication for critical accounts with a documented exceptions process?

Do you maintain security configuration standards for enterprise platforms (Google Workspace, Microsoft 365, collaboration tools)?

Do you conduct periodic access reviews for corporate systems with documented revocation procedures?

Do you maintain procedures for securing organizational social media and external service accounts?

Do you have procedures for verifying ownership and preventing unauthorized use of organizational external accounts?

Do you maintain policies for account security controls (recovery method restrictions, organizational identity verification)?

Do you maintain security procedures for domain registration and DNS management (registrar lock, change controls)?

Do you have procedures for validating and approving DNS changes with appropriate documentation?

Do you maintain documented password requirements with risk-based complexity and rotation standards?

Do you have procedures for secure password storage and transmission (password managers, encrypted channels)?

Do you maintain procedures for credential rotation based on risk, time intervals, or security events?

Do you have enhanced controls for high-privilege credentials (admin accounts, service accounts, API keys)?

Do you maintain policies prohibiting credential sharing and requiring individual accounts for accountability?

Do you maintain criteria for evaluating and approving development tools (IDEs, extensions, libraries, AI assistants)?

Do you maintain access control procedures for source code repositories with role-based permissions?

Do you have procedures for preventing exposure of sensitive information in code repositories?

Do you have procedures for managing development dependencies and supply chain risks?

Do you maintain procedures for secure network access including remote access methods (primarily for organizations with physical offices - if not select N/A)?

Do you maintain procedures for securing organizational communication channels (email, messaging, collaboration tools)?

Do you have procedures for verifying identity in sensitive communications to prevent impersonation?

Do you maintain security procedures specific to employee travel (device handling, network usage, data access)?

Do you maintain procedures for detecting and responding to workspace security incidents (account takeovers, data leaks, device compromise)?

Do you have documented response procedures for different types of workspace security incidents?

Do you maintain security onboarding procedures including device provisioning, account creation, and initial training?

Do you have procedures for verifying employee identity and authorization before granting access?

Do you maintain a security awareness program covering workspace security topics with regular updates?

Do you conduct regular phishing simulations and social engineering awareness exercises with follow-up training for personnel who fail?

Do you maintain comprehensive offboarding procedures including access revocation, device return, and credential rotation?

Do you maintain procedures for adjusting access rights when employees change roles?

Do you conduct periodic reviews to identify and remove unnecessary access permissions?

Do you conduct insider threat assessments to identify potential damage scenarios and ensure access is minimized for each role?

Do you maintain procedures for managing third-party access (time-limits, purpose-specific permissions, audit trails)?