
June 8, 2026

The Essential IT Security Checklist: 16 Gaps to Close Now

Did you know that 31% of all breaches over the past decade involved the use of stolen credentials? In an era where identity is the new firewall, your security posture depends on strict access control. This checklist helps you identify and bridge critical gaps using NIST and CISA frameworks.

Identity and Access Management (IAM)

Identity is the primary target for modern attacks. With analysts collecting 2.9 billion unique sets of compromised credentials in 2024 alone, your IAM policies must serve as your first line of defence.

  • Enforce the Principle of Least Privilege (PoLP): You must ensure that users, including senior administrators, are granted only the minimum access levels necessary for their specific job functions to prevent lateral movement.
  • Implement MFA for All Privileged Access: Mandatory multi-factor authentication is essential for every admin account, cloud console, and critical service.
  • Move Beyond Personal Devices: Stop allowing employees to store corporate OTP secrets on personal smartphones. Centralising these in a secure MFA vault ensures your organisation retains ownership of the seeds rather than individual staff members.
  • Audit Local Identities: You should routinely identify all local identities on your assets to ensure no shadow accounts exist outside your central directory or single sign-on (SSO) environment.
  • Deploy Phishing-Resistant MFA: Where possible, migrate high-risk accounts to FIDO2 or WebAuthn hardware keys to mitigate the risk of credential interception and sophisticated phishing attacks.
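To make the "Audit Local Identities" item concrete, here is an added Go example (not part of the original article and not Gatera tooling) that parses /etc/passwd-format text and flags interactive, non-system accounts that do not exist in the central directory. The passwd excerpt, the directory membership, the list of login shells and the Linux convention that human accounts start at UID 1000 are all constructed assumptions for the demo.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// LocalAccount is one entry from an /etc/passwd-style file.
type LocalAccount struct {
	Name  string
	UID   int
	Shell string
}

// ParsePasswd parses passwd-format text (name:x:uid:gid:gecos:home:shell).
// Malformed lines are skipped so one bad line cannot abort the audit.
func ParsePasswd(text string) []LocalAccount {
	var out []LocalAccount
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 7 {
			continue
		}
		uid, err := strconv.Atoi(f[2])
		if err != nil {
			continue
		}
		out = append(out, LocalAccount{Name: f[0], UID: uid, Shell: f[6]})
	}
	return out
}

// interactiveShells are shells that permit a login session; accounts whose shell
// is nologin/false are service accounts and are not flagged here (assumption).
var interactiveShells = map[string]bool{"/bin/bash": true, "/bin/sh": true, "/bin/zsh": true}

// FindShadowAccounts returns interactive local accounts with UID >= 1000 (the usual
// Linux range for human users) whose names are absent from the central directory.
func FindShadowAccounts(accounts []LocalAccount, directory map[string]bool) []string {
	var shadow []string
	for _, a := range accounts {
		if a.UID < 1000 || !interactiveShells[a.Shell] {
			continue
		}
		if !directory[a.Name] {
			shadow = append(shadow, a.Name)
		}
	}
	return shadow
}

// samplePasswd is a constructed passwd excerpt for the demo, not real host data.
const samplePasswd = `root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup-svc:x:1001:1001::/var/backup:/usr/sbin/nologin
tmpadmin:x:1002:1002::/home/tmpadmin:/bin/bash
bob:x:1003:1003:Bob:/home/bob:/bin/zsh
`

// sampleDirectory stands in for the SSO / central directory (constructed).
var sampleDirectory = map[string]bool{"alice": true, "bob": true}

func main() {
	for _, name := range FindShadowAccounts(ParsePasswd(samplePasswd), sampleDirectory) {
		fmt.Println("shadow account not in directory:", name)
	}
}
```

On the sample data only `tmpadmin` is reported: `root` and `daemon` fall below the UID cut-off, `backup-svc` has no login shell, and `alice` and `bob` are known to the directory. In practice the directory set would be pulled from your identity provider and the check run against every asset on a schedule.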

Zero Trust and Infrastructure Hardening

A Zero Trust model assumes the network is already compromised. Your goal is to verify every request continuously, regardless of where it originates, rather than trusting a session once it has been established.

Zero Trust verification

  • Integrate Risk Signals: Move toward a Zero Trust MFA model by incorporating risk signals such as unusual login times, new devices, or unexpected geographical locations that trigger additional verification.
  • Adopt Just-in-Time (JIT) Access: Provide elevated privileges only when needed and for a strictly limited duration to reduce the window of opportunity for an attacker.
  • Centralise Authentication: Use identity federation to allow a single set of credentials to be managed across multiple SaaS platforms, reducing the sprawl of individual account logins and improving visibility.
  • Patch MFA Infrastructure: Routinely test and patch your authentication servers and gateways to prevent vulnerabilities from being exploited by threat actors targeting your security perimeter.
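The first two items above describe a single decision that has to be made on every privileged request: is a Just-in-Time grant still live, and does any risk signal call for step-up verification before the action proceeds? The Go example below is added here to show that evaluation in code; it is not Gatera's code. The signal set (new device, new country, out-of-hours), the user profile and the one-hour grant window are constructed assumptions for the demo.

```go
package main

import (
	"fmt"
	"time"
)

// Decision is the outcome of evaluating one privileged request.
type Decision string

const (
	Allow  Decision = "allow"   // active grant, no risk signals
	StepUp Decision = "step-up" // active grant, but a risk signal requires another factor first
	Deny   Decision = "deny"    // no active JIT grant covers this privilege
)

// Request carries the signals available when a privileged action is attempted.
type Request struct {
	User, Privilege   string
	At                time.Time
	DeviceID, Country string
}

// UserProfile is what has been observed for the user before.
type UserProfile struct {
	KnownDevices, UsualCountries map[string]bool
	WorkStart, WorkEnd           int // usual working hours in UTC; outside them is a risk signal
}

// JITGrant is a time-bounded elevation of privilege.
type JITGrant struct {
	User, Privilege string
	From, Until     time.Time
}

// Covers reports whether the grant applies to the request at the request's time.
func (g JITGrant) Covers(r Request) bool {
	return g.User == r.User && g.Privilege == r.Privilege && !r.At.Before(g.From) && r.At.Before(g.Until)
}

// RiskSignals lists which of the configured signals fire for the request.
func RiskSignals(r Request, p UserProfile) []string {
	var s []string
	if !p.KnownDevices[r.DeviceID] {
		s = append(s, "new-device")
	}
	if !p.UsualCountries[r.Country] {
		s = append(s, "new-country")
	}
	if h := r.At.UTC().Hour(); h < p.WorkStart || h >= p.WorkEnd {
		s = append(s, "unusual-hour")
	}
	return s
}

// Evaluate runs on every request, not once per session: the JIT grant must still
// be live, and any risk signal forces step-up verification before the action.
func Evaluate(r Request, p UserProfile, grants []JITGrant) (Decision, []string) {
	covered := false
	for _, g := range grants {
		if g.Covers(r) {
			covered = true
			break
		}
	}
	if !covered {
		return Deny, nil
	}
	if signals := RiskSignals(r, p); len(signals) > 0 {
		return StepUp, signals
	}
	return Allow, nil
}

// demoProfile is a constructed sample profile for the demo, not real data.
var demoProfile = UserProfile{
	KnownDevices:   map[string]bool{"laptop-7f3a": true},
	UsualCountries: map[string]bool{"GB": true},
	WorkStart:      7,
	WorkEnd:        19,
}

// demoGrant elevates alice to prod-admin for one hour from the given instant.
func demoGrant(from time.Time) JITGrant {
	return JITGrant{User: "alice", Privilege: "prod-admin", From: from, Until: from.Add(time.Hour)}
}

func main() {
	from := time.Date(2026, 6, 8, 10, 0, 0, 0, time.UTC)
	grants := []JITGrant{demoGrant(from)}
	for _, r := range []Request{
		{"alice", "prod-admin", from.Add(10 * time.Minute), "laptop-7f3a", "GB"},
		{"alice", "prod-admin", from.Add(20 * time.Minute), "phone-unknown", "US"},
		{"alice", "prod-admin", from.Add(2 * time.Hour), "laptop-7f3a", "GB"},
	} {
		d, signals := Evaluate(r, demoProfile, grants)
		fmt.Printf("%s at %s -> %s %v\n", r.Privilege, r.At.Format(time.RFC3339), d, signals)
	}
}
```

The three sample requests show the three outcomes: the first is allowed, the second (unknown device from an unusual country) is forced to step up even though the grant is live, and the third is denied outright because the one-hour grant has lapsed. The order matters: grant validity is checked before risk, so an expired grant never gets a step-up prompt it could pass.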

Compliance and Audit Readiness

Modern frameworks like SOC 2, ISO 27001, and PCI DSS v4.0 now look beyond the simple presence of MFA to examine how those secrets are managed, stored, and logged.

  • Maintain Immutable Audit Logs: You must ensure every access event, especially for shared OTP codes, is recorded with a precise timestamp and user identity.
  • Document MFA Policies: Maintain a written policy that clearly states which systems require MFA, which users are authorised, and the specific MFA compliance requirements your team must meet.
  • Secure Secret Storage: Ensure all OTP secrets are stored using AES-256 encryption. Storing these in plaintext within wikis or shared spreadsheets is a major compliance failure that auditors will flag.
  • Verify PCI DSS 8.4 Compliance: Confirm that MFA is implemented for all access into the cardholder data environment (CDE) and all remote network access as mandated by the latest standards.

Offboarding and Human Risk

Human error or social engineering contributes to 68% of breaches. Your offboarding process must be clinical, documented, and immediate to prevent former employees from retaining access.

Automated access revocation

  • Automate Access Revocation: Establish a process where access to all shared team MFA secrets is revoked immediately on an employee’s last day, ensuring they cannot generate codes after their departure.
  • Audit Revocation Events: Use an MFA offboarding checklist to note the exact date and time of each revocation for audit trail purposes, providing the evidence required for SOC 2 or ISO certification.
  • Eliminate Single Points of Failure: Ensure critical infrastructure access is not tied to a single person’s device. By sharing MFA codes securely through a centralised platform, you prevent lockouts when an engineer is unavailable or leaves the company.
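The "Secure Secret Storage" and "Maintain Immutable Audit Logs" items from the compliance section and the revocation items above all meet in one component: a vault that holds shared OTP seeds encrypted with AES-256-GCM, records every store, generate, revoke and denied event with a timestamp and user identity, and makes a revocation effective on the very next code request. The Go program below is added here as an illustration of that design; it is not Gatera's implementation. Assumptions: a single vault key held in process memory (a production system would fetch it from a KMS or HSM), an in-memory slice standing in for an append-only log store, the standard RFC 6238 TOTP algorithm (HMAC-SHA1, 30-second step, 6 digits), and a constructed seed (the RFC 6238 reference key) with constructed user and secret names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"time"
)

// AuditEvent is one append-only record: who did what to which secret, and when.
type AuditEvent struct {
	At                   time.Time
	User, Action, Target string // Action is one of store, generate, revoke, denied
}

type Vault struct {
	aead    cipher.AEAD
	entries map[string][]byte          // secret name -> nonce || AES-256-GCM ciphertext of the seed
	access  map[string]map[string]bool // secret name -> users allowed to generate codes
	Log     []AuditEvent               // demo stand-in for an append-only audit store
}

// NewVault needs a 32-byte key (AES-256). Demo assumption: the key is held in
// process memory; a real deployment would fetch it from a KMS or HSM.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("vault key must be 32 bytes for AES-256, got %d", len(key))
	}
	block, _ := aes.NewCipher(key)  // cannot fail once the key length is checked
	aead, _ := cipher.NewGCM(block) // AES has a 128-bit block, so GCM construction succeeds
	return &Vault{aead: aead, entries: map[string][]byte{}, access: map[string]map[string]bool{}}, nil
}

func (v *Vault) audit(at time.Time, user, action, target string) {
	v.Log = append(v.Log, AuditEvent{At: at, User: user, Action: action, Target: target})
}

// Store encrypts a seed under a fresh random nonce, binding the secret name as
// associated data so a ciphertext cannot be swapped between entries.
func (v *Vault) Store(at time.Time, admin, name string, seed []byte, users map[string]bool) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	v.entries[name] = v.aead.Seal(nonce, nonce, seed, []byte(name))
	v.access[name] = users
	v.audit(at, admin, "store", name)
	return nil
}

// Revoke strips a departing user from every secret, logging each removal with its time.
func (v *Vault) Revoke(at time.Time, admin, user string) {
	for name, users := range v.access {
		if users[user] {
			delete(users, user)
			v.audit(at, admin, "revoke", name+"/"+user)
		}
	}
}

// Code returns the 6-digit TOTP for an authorised user, logging success and denial alike.
func (v *Vault) Code(at time.Time, user, name string) (string, error) {
	if !v.access[name][user] {
		v.audit(at, user, "denied", name)
		return "", fmt.Errorf("%s has no access to %s", user, name)
	}
	blob, ns := v.entries[name], v.aead.NonceSize()
	seed, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(name))
	if err != nil {
		return "", err
	}
	v.audit(at, user, "generate", name)
	return totp(seed, at), nil
}

// totp implements RFC 6238 with HMAC-SHA1, a 30-second step and 6 digits.
func totp(seed []byte, at time.Time) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], uint64(at.Unix()/30))
	mac := hmac.New(sha1.New, seed)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	return fmt.Sprintf("%06d", (binary.BigEndian.Uint32(h[off:off+4])&0x7fffffff)%1000000)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	v, _ := NewVault(key)
	now := time.Now()
	// Constructed seed (the RFC 6238 reference key) shared between alice and bob.
	v.Store(now, "it-admin", "cloud-console", []byte("12345678901234567890"), map[string]bool{"alice": true, "bob": true})
	fmt.Println(v.Code(now, "alice", "cloud-console"))
	v.Revoke(now.Add(time.Hour), "it-admin", "bob")
	fmt.Println(v.Code(now.Add(time.Hour), "bob", "cloud-console"))
	for _, e := range v.Log {
		fmt.Println(e.At.Format(time.RFC3339), e.User, e.Action, e.Target)
	}
}
```

Two details carry the audit value. The seed never leaves the vault: callers receive a code, not the secret, so a user who is revoked cannot keep generating codes from a copy on a personal phone. And the denied attempt after revocation is itself logged with the time and identity, which is exactly the evidence an offboarding review asks for. Because alice and bob both hold access, the departure of either one does not lock the team out of the console.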

Securing an organisation requires more than just checking boxes; it requires a centralised strategy for managing the credentials that protect your most sensitive data. By moving away from ad hoc sharing and personal devices, you reduce the risk of lockouts and credential theft while maintaining a clear, compliant audit trail.

Stop relying on personal phones for corporate security. Start your 14-day free trial of Gatera and centralise your team's MFA secrets in a secure, encrypted vault today.

Ready to secure your team's MFA codes?

Gatera centralises all your OTP codes in an encrypted vault. No more personal phones, no more chaos.
