The Complete Security Audit Checklist for Houston Businesses in 2026

• Firewall firmware is current (patched within 30 days of critical CVE disclosure)
• No unnecessary ports open to the internet (verify with external scan from Shodan or Censys)
• RDP (port 3389) is NOT directly exposed to the internet
• VPN appliance is patched and running current firmware
• Default admin credentials on all network devices have been changed
• Guest WiFi is isolated from corporate network (separate VLAN, no route to internal resources)
• Network segmentation exists between departments, servers, and IoT/OT devices
• DNS filtering is enabled to block known malicious domains
• Intrusion detection/prevention (IDS/IPS) is active and monitored

• MFA is enforced on ALL accounts — no exceptions, no exemptions
• Phishing-resistant MFA (FIDO2/passkeys) on admin and finance accounts
• Legacy authentication protocols (SMTP AUTH, POP3, IMAP basic auth) are blocked
• Admin accounts are separate from daily-use accounts
• No shared accounts or shared passwords in use
• Former employee accounts disabled within 24 hours of departure
• Service accounts inventoried with password rotation schedule
• Conditional Access policies block sign-ins from high-risk countries
• Password policy enforces minimum 14 characters (length over complexity)
• Privileged Identity Management (PIM) enabled for admin roles

• EDR (not just antivirus) deployed on every endpoint — workstations, laptops, servers
• EDR alerts are monitored 24/7 (by internal team or MDR service)
• OS patching within 14 days for standard updates, 72 hours for critical CVEs
• Third-party application patching (browsers, Java, Adobe, etc.) is automated
• Application allowlisting deployed (ThreatLocker, WDAC, or equivalent)
• USB/removable media access is controlled and logged
• Full-disk encryption (BitLocker) enabled on all laptops
• Local admin rights removed from standard users

• SPF record configured correctly for your domain
• DKIM signing enabled for outbound email
• DMARC policy at p=reject (not p=none)
• Advanced anti-phishing with impersonation protection enabled
• Safe Links and Safe Attachments enabled (Defender for Office 365)
• Inbox rules audited for unauthorized forwarding to external addresses
• External email banner warning enabled ("This message is from outside your organization")
• Email retention and archiving meets regulatory requirements

• 3-2-1 backup rule: 3 copies, 2 media types, 1 offsite
• At least one backup is offline or immutable (cannot be encrypted by ransomware)
• Backup credentials are separate from production credentials
• Full restore test completed in the last 90 days (not just backup verification — actual restore)
• RTO and RPO are documented for every critical system
• Backup monitoring alerts on failures within 1 hour
• Disaster recovery plan documented and tested annually

• Sensitive data locations identified and classified (PII, PHI, financial, CUI)
• Data Loss Prevention (DLP) policies active for email, Teams, SharePoint
• SharePoint/OneDrive external sharing restricted (not "Anyone with the link")
• Encryption at rest enabled for databases and file storage
• Encryption in transit enforced (TLS 1.2+ for all services)
• No sensitive data stored in email, chat, or unsecured spreadsheets

• Security logs centralized in SIEM or log management platform
• Audit logging enabled in Microsoft 365 (with extended retention)
• Alerting configured for: admin account logins, new inbox rules, MFA bypass, impossible travel
• Incident response plan documented and reviewed in last 12 months
• Ransomware-specific playbook exists with decision criteria and contacts
• Dark web monitoring active for domain credential exposure
• Tabletop exercise conducted in last 12 months

• Applicable compliance frameworks identified (HIPAA, PCI-DSS, SOC 2, CMMC, ITAR)
• Last compliance assessment or audit date documented
• Employee security awareness training conducted in last 12 months
• Phishing simulation conducted in last 6 months with results documented
• Vendor/third-party security assessment process exists for critical suppliers
• Cyber insurance policy reviewed and current
• Cyber insurance application answers match actual controls (no misrepresentations)

Score each item as: Implemented, Partially Implemented, or Not Implemented. Any item marked Critical that is Not Implemented is an immediate action item. The checklist should be reviewed quarterly by your IT lead or MSP, with findings tracked in a remediation plan.

Request a professional security audit. LayerLogix conducts comprehensive security audits for Houston businesses — we'll go through every item on this checklist, plus the items specific to your industry and compliance requirements. Call 713-571-2390.

Related: Security Assessment Services | Vulnerability Assessment | Compliance Hub | M365 Hardening Checklist