Security Baseline Checklist
A practical first-pass checklist for smaller businesses that do not have an internal security owner.
Goal: identify what is covered, what is missing, and who owns the next step before an incident, customer question, or insurance renewal forces the conversation.
1. Identity and access
- Every user has a named account; shared mailboxes and shared admin accounts are documented and minimized.
- Multi-factor authentication is enforced (not merely available) for email, remote access, finance tools, and administrator accounts; app-based or hardware-key methods are preferred over SMS codes.
- Administrator roles are limited to people who actually need them, and administrators do day-to-day work from a separate non-privileged account.
- New-hire, role-change, and termination access steps are written down.
- At least one backup administrator exists so access is not dependent on one person.
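The "MFA coverage report" and "admin access review" evidence items later on this page can be produced from a plain user export. The script below is an added example written for this checklist, not tooling from any particular identity provider: the CSV columns (`upn`, `enabled`, `roles`, `mfa_enforced`, `last_sign_in`) and the sample rows are constructed assumptions, so map them to whatever your directory actually exports. It counts only enforced MFA as coverage, flags privileged accounts without MFA or without recent sign-ins, and checks that more than one enabled account holds the top role.

```python
# Added example: MFA coverage report and admin access review from a user export.
# Column names and sample rows are constructed for illustration (assumption).
import csv
import io
from datetime import date

# Constructed sample export; real data comes from your IdP or mail/cloud admin console.
SAMPLE_EXPORT = """\
upn,enabled,roles,mfa_enforced,last_sign_in
ana@example.com,true,Global Administrator,true,2024-05-02
ben@example.com,true,,false,2024-05-03
carla@example.com,true,Exchange Administrator,false,2024-01-15
admin@example.com,true,Global Administrator,true,2023-11-30
dan@example.com,false,User Administrator,false,2023-06-01
erin@example.com,true,,true,2024-05-01
"""

# Roles treated as privileged for the review (assumed list; extend for your tenant).
PRIVILEGED_ROLES = {"Global Administrator", "Exchange Administrator", "User Administrator"}


def parse_export(text):
    """Turn the CSV export into typed rows; roles are ';'-separated in the sample."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "upn": r["upn"],
            "enabled": r["enabled"].lower() == "true",
            "roles": {x.strip() for x in r["roles"].split(";") if x.strip()},
            "mfa_enforced": r["mfa_enforced"].lower() == "true",
            "last_sign_in": date.fromisoformat(r["last_sign_in"]),
        })
    return rows


def mfa_coverage(users):
    """Coverage counts enforced MFA only: a registered but optional factor is not protection."""
    active = [u for u in users if u["enabled"]]
    covered = [u for u in active if u["mfa_enforced"]]
    return {
        "active": len(active),
        "covered": len(covered),
        "percent": round(100 * len(covered) / len(active), 1) if active else 0.0,
        "uncovered": sorted(u["upn"] for u in active if not u["mfa_enforced"]),
    }


def admin_review(users, today, stale_days=90):
    """Findings for the quarterly review: admins without MFA, stale admins,
    and disabled accounts that still hold a privileged role."""
    findings = []
    for u in users:
        if not (u["roles"] & PRIVILEGED_ROLES):
            continue
        if not u["enabled"]:
            findings.append((u["upn"], "disabled account still holds an admin role: remove it"))
            continue
        if not u["mfa_enforced"]:
            findings.append((u["upn"], "admin without enforced MFA"))
        if (today - u["last_sign_in"]).days > stale_days:
            findings.append((u["upn"], f"admin with no sign-in for more than {stale_days} days: confirm still needed"))
    return findings


def backup_admin_count(users, role="Global Administrator"):
    """Bus-factor check: enabled accounts holding the top role (should be at least two)."""
    return sum(1 for u in users if u["enabled"] and role in u["roles"])


if __name__ == "__main__":
    users = parse_export(SAMPLE_EXPORT)
    print(mfa_coverage(users))
    for upn, issue in admin_review(users, date(2024, 5, 6)):
        print(f"{upn}: {issue}")
    print("accounts holding Global Administrator:", backup_admin_count(users))
```

The review deliberately treats a disabled account that still carries a role as a finding: reactivating it is a one-click path back to admin rights, so the role should be removed, not just the sign-in.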
2. Devices and patching
- All company laptops/desktops are inventoried with owner, operating system, and security status.
- Operating system and browser updates are applied on a predictable cadence.
- Endpoint protection is installed, active, and centrally visible.
- Lost-device procedure is documented, including remote lock/wipe where supported.
- Unsupported operating systems and unmanaged personal devices are identified for replacement or exception handling.
3. Email and phishing protection
- Email domain authentication is configured: SPF, DKIM, and DMARC, with the DMARC policy enforced (quarantine or reject) rather than left at monitoring-only (p=none).
- Mailbox forwarding rules and risky inbox rules (auto-forwarding to external addresses, rules that delete messages or move them to rarely viewed folders) are reviewed periodically, because attackers create these after a mailbox compromise.
- Staff know where to report suspicious email.
- Finance or payment-change requests require out-of-band verification.
- Security awareness reminders are short, practical, and repeated during the year.
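Two of the items above can be checked mechanically: the published SPF and DMARC records, and the inbox rules in each mailbox. The script below is an added example for this checklist, not code from any mail provider. The DNS records and the inbox-rule export are constructed samples; the rule fields (`mailbox`, `name`, `forward_to`, `delete`, `move_to_folder`) are an assumed generic shape, so adapt them to the export your mail platform produces. It flags a permissive or missing `all` mechanism, the SPF ten-lookup limit, a DMARC policy of `p=none` or partial `pct`, a missing aggregate-report address, and inbox rules that forward externally, delete, or hide mail.

```python
# Added example: SPF/DMARC record evaluation and inbox-rule review.
# Records, rule export and its field names are constructed assumptions.
import re

COMPANY_DOMAIN = "example.com"  # assumed internal domain

# Constructed TXT records, as returned for example.com and _dmarc.example.com.
SPF_RECORD = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a[:/]|a$|mx|ptr|exists:|redirect=)")


def check_spf(record):
    """Return findings for an SPF TXT record (empty list means no issue found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are neither failed nor softfailed")
    elif all_term == "all" or all_term[0] in "+?":  # bare 'all' defaults to '+'
        findings.append(f"'{all_term}' lets anyone send as the domain; use -all or ~all")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: receivers return permerror")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC TXT record."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors; move to quarantine, then reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct} leaves part of the spoofed mail unenforced")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings


# Constructed inbox-rule export (generic shape, one dict per rule).
INBOX_RULES = [
    {"mailbox": "ben@example.com", "name": "Invoices", "forward_to": ["ap@partner.example.org"],
     "delete": False, "move_to_folder": None},
    {"mailbox": "ben@example.com", "name": ".", "forward_to": [], "delete": True, "move_to_folder": None},
    {"mailbox": "erin@example.com", "name": "Newsletters", "forward_to": [], "delete": False,
     "move_to_folder": "Newsletters"},
    {"mailbox": "carla@example.com", "name": "Archive", "forward_to": ["carla@example.com"],
     "delete": False, "move_to_folder": "RSS Feeds"},
]

# Folders attackers use to park mail the owner is unlikely to open.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items", "junk email"}


def review_inbox_rules(rules, internal_domain=COMPANY_DOMAIN):
    """Flag rules typical of post-compromise persistence: external forwarding,
    silent deletion, hiding mail, and near-empty rule names."""
    flagged = []
    for r in rules:
        reasons = []
        external = [a for a in r["forward_to"] if not a.lower().endswith("@" + internal_domain)]
        if external:
            reasons.append("forwards to external address " + ", ".join(external))
        if r["delete"]:
            reasons.append("deletes messages")
        if r["move_to_folder"] and r["move_to_folder"].lower() in HIDDEN_FOLDERS:
            reasons.append(f"moves mail to '{r['move_to_folder']}'")
        if len(r["name"].strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            flagged.append((r["mailbox"], r["name"], reasons))
    return flagged


if __name__ == "__main__":
    print("SPF:", check_spf(SPF_RECORD) or "ok")
    print("DMARC:", check_dmarc(DMARC_RECORD) or "ok")
    for mailbox, name, reasons in review_inbox_rules(INBOX_RULES):
        print(f"{mailbox} rule '{name}': {'; '.join(reasons)}")
```

To run it against real records, fetch the TXT records for the domain and for `_dmarc.<domain>` with your resolver and pass them to the two check functions; the inbox-rule review needs an export of rules from every mailbox, not just the ones that reported a problem.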
4. Backups and recovery
- Critical systems and cloud data are listed with backup owner and frequency.
- At least one restore test has been performed within the last quarter and recorded, covering a full restore of a critical system rather than a single file.
- At least one backup copy is offline or immutable, so it cannot be deleted or encrypted by a normal user, by ransomware, or by an attacker holding the same administrator credentials that manage production.
- Recovery priorities are defined: what must be restored first, second, and later.
- Business owners know the realistic recovery time for the most important systems.
5. Monitoring and response
- Security alerts have a named reviewer and response expectation.
- High-risk events are defined: impossible travel, malware detection, disabled MFA, admin role changes, and mass file deletion.
- Incident contacts are documented, including business owner, IT provider, insurance carrier, and legal contact if applicable.
- Basic response steps exist for account compromise, lost laptop, ransomware, and suspicious wire/payment requests.
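The high-risk events listed above are only useful if something actually evaluates them. The script below is an added example for this checklist, not any product's detection rules: it runs four detections (impossible travel between sign-ins, MFA disabled, admin role grants including self-grants, and mass file deletion) over a constructed event list. The event shape (dicts with `type`, `user`, `time` and a few action-specific fields) is an assumption for illustration; map it to the sign-in, audit and file-activity logs your platform exports.

```python
# Added example: detections for the high-risk events on this checklist.
# Event format and sample events are constructed assumptions.
import math
from collections import defaultdict
from datetime import datetime, timedelta

parse = datetime.fromisoformat

# Constructed sample events: one compromised user (ben), one normal traveller (erin),
# one bulk-deletion incident (carla), and a legitimate admin action by ana.
EVENTS = [
    {"type": "signin", "user": "ben@example.com", "time": "2024-05-06T08:00:00", "lat": 51.50, "lon": -0.12},
    {"type": "signin", "user": "ben@example.com", "time": "2024-05-06T09:30:00", "lat": 1.35, "lon": 103.80},
    {"type": "signin", "user": "erin@example.com", "time": "2024-05-06T08:00:00", "lat": 51.50, "lon": -0.12},
    {"type": "signin", "user": "erin@example.com", "time": "2024-05-06T17:00:00", "lat": 48.86, "lon": 2.35},
    {"type": "audit", "user": "ben@example.com", "time": "2024-05-06T09:35:00", "action": "mfa_disabled",
     "target": "ben@example.com"},
    {"type": "audit", "user": "ben@example.com", "time": "2024-05-06T09:40:00", "action": "role_added",
     "target": "ben@example.com", "role": "Global Administrator"},
    {"type": "audit", "user": "ana@example.com", "time": "2024-05-06T10:00:00", "action": "role_added",
     "target": "erin@example.com", "role": "Helpdesk Administrator"},
] + [  # 120 deletions in under ten minutes
    {"type": "file", "user": "carla@example.com", "action": "deleted", "path": f"/Finance/q1/{i}.xlsx",
     "time": f"2024-05-06T11:{i // 12:02d}:{(i % 12) * 5:02d}"}
    for i in range(120)
] + [  # 3 ordinary deletions
    {"type": "file", "user": "erin@example.com", "action": "deleted", "path": f"/Drafts/{i}.docx",
     "time": f"2024-05-06T12:{i * 10:02d}:00"}
    for i in range(3)
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events, max_kmh=900.0, min_km=50.0):
    """Consecutive sign-ins by one user that would need faster-than-airliner travel."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "signin":
            by_user[e["user"]].append(e)
    alerts = []
    for user, signins in by_user.items():
        signins.sort(key=lambda e: e["time"])
        for prev, cur in zip(signins, signins[1:]):
            hours = (parse(cur["time"]) - parse(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            speed = km / max(hours, 1 / 60)  # treat sub-minute gaps as one minute
            if km >= min_km and speed > max_kmh:  # ignore small GeoIP jitter
                alerts.append((user, round(km), round(speed)))
    return alerts


def privileged_changes(events):
    """MFA disabled and admin role grants; a user granting a role to themself is called out."""
    alerts = []
    for e in events:
        if e["type"] != "audit":
            continue
        if e["action"] == "mfa_disabled":
            alerts.append((e["time"], f"MFA disabled for {e['target']} by {e['user']}"))
        elif e["action"] == "role_added" and "administrator" in e["role"].lower():
            note = " (SELF-GRANT)" if e["user"] == e["target"] else ""
            alerts.append((e["time"], f"{e['role']} granted to {e['target']} by {e['user']}{note}"))
    return alerts


def mass_deletion(events, threshold=100, window=timedelta(minutes=10)):
    """Sliding window: alert once per user whose deletions in any window reach the threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "file" and e["action"] == "deleted":
            by_user[e["user"]].append(parse(e["time"]))
    alerts = []
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append((user, end - start + 1))
                break
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(EVENTS) + privileged_changes(EVENTS) + mass_deletion(EVENTS):
        print(alert)
```

Each function returns a list so the "named reviewer" item above has something concrete to act on; the thresholds (900 km/h, 100 deletions in 10 minutes) are starting points to tune against a few weeks of your own logs before anyone is paged on them.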
6. Evidence to keep
| Evidence | Why it matters | Suggested cadence |
| --- | --- | --- |
| MFA coverage report | Shows whether account protection is actually enforced. | Monthly or before renewals |
| Endpoint protection status | Proves devices are covered and unhealthy devices are visible. | Monthly |
| Backup restore test | Shows recovery is real, not assumed. | Quarterly |
| Admin access review | Reduces blast radius and supports customer/insurance questions. | Quarterly |
| Open-risk roadmap | Keeps improvement tied to business decisions and budget. | Monthly owner review |
Use this as a baseline, not a certification claim. Regulated frameworks can be layered later when the business needs them. The first step is making security ownership, evidence, and remediation visible.