SFC: Workspace Security | Security Alliance — Security Checklist

Access management, device security, network controls, and data protection.
Org:
Owner:
Date:

1. Governance & Inventory

  • Workspace Security Owner
    Is there a clearly designated person or team accountable for workspace security?
  • Workspace Security Policy
    Do you maintain a workspace security policy that is accessible and understood by all personnel?
  • Asset Inventory
    Do you maintain an inventory of organizational devices and accounts with defined ownership?
  • System and Data Classification
    Do you classify systems and data by sensitivity to determine appropriate security controls?
Notes:

2. Device Security

  • Device Security Standards
    Do you define and enforce security standards for organizational devices?
  • Device Lifecycle Management
    Do you have procedures for device loss, theft, and secure decommissioning?
  • Endpoint Protection
    Do you deploy and monitor endpoint protection on organizational devices?
  • Physical and Travel Security
    Do you maintain physical security requirements for workspaces and travel?
Notes:

3. Account, Access & Credential Management

  • Account Lifecycle Management
    Do you have procedures for provisioning, modifying, and revoking user accounts?
  • Multi-Factor Authentication
    Do you enforce multi-factor authentication across organizational accounts?
  • Organizational Account Security
    Do you maintain security standards for all organizational accounts, including enterprise platforms and external services?
  • Credential Management Standards
    Do you enforce credential management standards, including secure storage and individual accountability?
  • Access Reviews
    Do you conduct periodic access reviews and promptly adjust permissions when roles change?
Notes:

4. Software & Application Security

  • Software Evaluation and Approval
    Do you evaluate and approve software, extensions, and tools before organizational use?
  • Source Code and Repository Security
    Do you secure source code repositories against unauthorized access and credential exposure?
Notes:

5. Network & Communication

  • Network Security
    Do you enforce secure network access for organizational systems?
  • Secure Communications
    Do you secure organizational communications and verify identity for sensitive interactions?
Notes:

6. People & Training

  • Security Onboarding
    Do you verify employee identity and provide security onboarding before granting system access?
  • Security Offboarding
    Do you have comprehensive offboarding procedures for departing personnel?
  • Security Awareness and Training
    Do you maintain a security awareness program with regular training and testing?
Notes:

7. Monitoring & Risk Management

  • Workspace Security Monitoring and Incident Response
    Do you detect and respond to workspace security incidents?
  • Insider Threat Assessment
    Do you assess insider threat risks and enforce least-privilege access for each role?
  • Third-Party Access Management
    Do you manage third-party access with time-limited, purpose-specific permissions?
Notes: