A comprehensive checklist for protecting organisational data across people, processes, and technology.

[ ] Data classification policy exists and is understood by staff
[ ] All data is categorised (Public / Internal / Confidential / Highly Sensitive)
[ ] Data owners are assigned for each category
[ ] Data retention schedules are documented and enforced
[ ] Data minimisation principles applied (collect only what is needed)
[ ] Data flows mapped (where data is stored, processed, transmitted)
[ ] Shadow IT and unsanctioned tools are prohibited and monitored

[ ] Access granted on a least‑privilege basis
[ ] MFA enabled for all users, especially admins
[ ] Role‑based access control (RBAC) implemented
[ ] Access rights reviewed quarterly
[ ] Privileged accounts monitored and protected
[ ] Service accounts documented and secured
[ ] Joiner–Mover–Leaver (JML) process enforced

[ ] All sensitive data encrypted at rest
[ ] All sensitive data encrypted in transit
[ ] Strong encryption standards used (AES‑256, TLS 1.2+)
[ ] Encryption keys stored in secure key‑management systems
[ ] Backups encrypted and tested regularly
[ ] Cloud storage configured with secure defaults (no public buckets)

[ ] Devices protected with full‑disk encryption
[ ] MDM/Endpoint Manager used for device control
[ ] Automatic screen lock enabled
[ ] USB and removable media restricted
[ ] Anti‑malware and EDR deployed
[ ] Lost/stolen devices can be remotely wiped

[ ] Firewalls configured with least‑privilege rules
[ ] Network segmentation implemented
[ ] VPN or Zero Trust access for remote users
[ ] Secure DNS and web filtering enabled
[ ] Logging enabled for all network devices
[ ] Cloud security posture monitored (CSPM)

[ ] Sensitive data never shared via email without encryption
[ ] Secure file‑transfer tools used (SFTP, encrypted portals)
[ ] External sharing restricted and monitored
[ ] Data‑loss prevention (DLP) policies applied
[ ] Third‑party integrations reviewed for security
[ ] Contracts include data‑protection clauses

[ ] Regular backups performed (daily/weekly depending on criticality)
[ ] Backups stored offsite or in a separate cloud region
[ ] Backup integrity tested regularly
[ ] Ransomware‑resilient backups (immutable storage) enabled
[ ] Disaster recovery plan documented and tested

[ ] Audit logs enabled for all critical systems
[ ] Logs protected from tampering
[ ] Alerts configured for suspicious activity
[ ] SIEM/SOC monitors data‑related events
[ ] Data‑access anomalies investigated promptly
[ ] Dormant accounts flagged and removed

[ ] Vendor risk assessments completed
[ ] Contracts include security and data‑protection requirements
[ ] Third‑party access reviewed regularly
[ ] Cloud providers meet compliance standards
[ ] Data shared with vendors is minimised and controlled

[ ] Mandatory annual data‑security training
[ ] Phishing simulations conducted regularly
[ ] Staff trained on data‑classification rules
[ ] Clear reporting process for data incidents
[ ] Policies accessible and easy to understand

[ ] Data‑breach response plan documented
[ ] Roles and responsibilities defined
[ ] Breach detection and escalation procedures in place
[ ] Regulatory reporting timelines understood (e.g., GDPR 72‑hour rule)
[ ] Lessons learned reviewed after every incident