
Security audit checklist

Self-assessment checklist for IT teams to evaluate your school's security posture. No expensive consultants required.

Last updated: January 2025

The security audit checklist

This checklist covers the fundamentals that every school should have in place. It's designed for self-assessment, not to replace a professional penetration test.

Access controls (10 items)

  • Multi-factor authentication (MFA) enabled for all staff email accounts
  • MFA enabled for all administrative systems (SIS, HR, finance)
  • Password policy enforced (minimum length, complexity, rotation)
  • Terminated employee accounts disabled within 24 hours
  • Privileged access limited to those who need it
  • Admin accounts separate from daily-use accounts
  • Vendor access reviewed and revoked when not needed
  • Guest network isolated from internal network
  • Student accounts have appropriate restrictions
  • Service accounts audited and documented

Network security (8 items)

  • Firewall configured and rules documented
  • Network segmented (students, staff, admin, IoT)
  • Wireless networks use WPA3 or WPA2-Enterprise
  • Remote access requires VPN or zero-trust solution
  • DNS filtering blocking malicious domains
  • Web filtering appropriate for educational setting
  • Network monitoring in place for anomalies
  • Public-facing services minimized and secured

Endpoint security (6 items)

  • Antivirus/EDR installed on all endpoints
  • Automatic updates enabled for OS and applications
  • Encryption enabled on all devices (BitLocker, FileVault)
  • Mobile device management (MDM) for school devices
  • USB/removable media policy enforced
  • End-of-life systems identified and replaced/isolated

Data protection (6 items)

  • Backup system in place and tested
  • Backups stored offline/offsite (ransomware protection)
  • Backup restoration tested within last 90 days
  • Sensitive data identified and classified
  • Data retention policies documented and followed
  • Data disposal procedures in place

Email security (5 items)

  • SPF, DKIM, and DMARC configured
  • Advanced threat protection enabled
  • External email warning banner in place
  • Phishing simulation conducted in past year
  • Reported phishing process documented
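The "SPF, DKIM, and DMARC configured" item is easy to tick while the records still allow spoofing. The script below, an added example that is not part of the original checklist, grades SPF and DMARC TXT records (as you would copy them out of DNS) and flags the settings that most often leave the item only half done; the domain names and record strings are constructed samples.

```python
# Added example: offline grader for SPF and DMARC TXT records.
import re
from typing import Dict, List

def check_spf(record: str) -> List[str]:
    """Return findings for an SPF TXT record (empty list = looks healthy)."""
    findings: List[str] = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record published"]
    terms = record.split()[1:]
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    elif all_term[0] in "+?" or all_term.lower() == "all":
        findings.append(f"SPF: '{all_term}' permits or ignores unlisted senders; use -all or ~all")
    # Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 before permerror.
    lookups = sum(1 for t in terms
                  if re.match(r"^[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)", t, re.I))
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceed the RFC 7208 limit of 10")
    return findings

def check_dmarc(record: str) -> List[str]:
    """Return findings for a _dmarc TXT record (empty list = looks healthy)."""
    findings: List[str] = []
    if not record or not record.lower().startswith("v=dmarc1"):
        return ["DMARC: no v=DMARC1 record published"]
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: p={policy or 'missing'} only monitors; move to quarantine or reject")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so aggregate reports are not collected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings

def assess(spf: str, dmarc: str) -> List[str]:
    """Combine SPF and DMARC findings for one domain."""
    return check_spf(spf) + check_dmarc(dmarc)

# Constructed sample records for a fictional school domain (not real DNS data).
WEAK = assess("v=spf1 include:_spf.example-mailer.test +all", "v=DMARC1; p=none; pct=50")
GOOD = assess("v=spf1 include:_spf.example-mailer.test -all",
              "v=DMARC1; p=reject; rua=mailto:dmarc@school.example")
```

DKIM is not covered here because its selector records live under `<selector>._domainkey` and vary per sending service; verify those with the provider's published selector names.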

Policies and procedures (5 items)

  • Acceptable use policy current and communicated
  • Incident response plan documented
  • Security awareness training conducted annually
  • Vendor security requirements documented
  • Cyber insurance coverage adequate and current

Scoring guide

  • 35-40: Strong security posture. Focus on continuous improvement.
  • 25-34: Solid foundation with gaps to address. Prioritize critical items.
  • Below 25: Significant vulnerabilities. Address MFA and backups immediately.

If you can only do 5 things

Resource-constrained? Focus on these five items first. They provide the most protection for the least effort.

  1. Enable MFA everywhere - stops the majority of credential attacks
  2. Verify your backups work - test a restore, not just the backup job
  3. Keep offline backups - ransomware can't encrypt what it can't reach
  4. Train your staff - most breaches start with a clicked link
  5. Have an incident plan - know who to call before you need to

How to use this checklist

  1. Schedule 2-3 hours for the initial assessment
  2. Mark each item as Yes, No, or Partial
  3. Note evidence for "Yes" items (you may need this for insurance)
  4. Create an action plan for "No" items, prioritized by risk
  5. Reassess quarterly to track progress

Want a professional assessment?

This self-assessment covers the fundamentals. For a deeper technical assessment or help addressing gaps, we can help.
