Security checklists are only useful if they're realistic. Many published security frameworks are comprehensive but overwhelming — they cover everything, which makes it hard to know where to start.
This checklist is prioritized for IT teams at small-to-mid-sized organizations. It focuses on the controls that have the highest impact per effort, based on the current threat landscape.
How to Use This Checklist
Work through each section and mark items as:
- ✅ Done — you have this in place
- 🔄 In Progress — you're actively working on it
- ❌ Gap — you know this is a gap
- ❓ Unknown — you're not sure of your current state
Items marked ❓ or ❌ are your action items. Prioritize based on the risk level indicated for each item.
Section 1: Identity and Authentication
Authentication is the front door. This section covers the controls that matter most.
MFA Coverage
- [ ] All admin accounts use MFA (Critical) — no exceptions for "internal only" or "legacy" justifications
- [ ] All cloud console access requires MFA (Critical) — AWS, GCP, Azure, DigitalOcean, etc.
- [ ] All SaaS admin panels require MFA (High) — GitHub, Cloudflare, Stripe, your CRM, your HR system
- [ ] VPN and remote access require MFA (Critical) — not just password
- [ ] Developer access to production requires MFA (High)
- [ ] CI/CD pipelines use service accounts, not personal credentials (High)
MFA Code Management
- [ ] Shared OTP codes are in a team vault, not on personal phones (High) — see why this matters
- [ ] OTP vault access is role-based and audited (High)
- [ ] MFA offboarding is documented and takes less than 5 minutes (High) — see our offboarding checklist
- [ ] No critical service has a single person as the only MFA holder (Critical)
Authentication Type
- [ ] SMS-based OTP is replaced with TOTP or hardware keys (Medium) — SMS is phishable
- [ ] High-value admin access uses FIDO2/hardware keys where possible (Medium)
- [ ] Password manager is required for all employees (High)
- [ ] Minimum password complexity is enforced (Medium)
- [ ] Credentials are checked against breach databases (Medium)
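The "checked against breach databases" item above can be done without ever sending the password anywhere. The block below is an added example (not code from this page or from Gatera) of the k-anonymity range lookup: hash the candidate, send only the first five hex characters of the hash, and compare the remaining 35 characters locally against the returned list. RANGE_URL is the public Pwned Passwords range endpoint; the offline response used for the demo is constructed and its count is invented.

```python
"""Breach-database password check using the k-anonymity range model.

Only the first five hex characters of the SHA-1 hash leave the machine; the
rest of the match happens locally. The offline fixture below is constructed.
"""
import hashlib
import urllib.request
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex_upper(password: str) -> str:
    """Hex SHA-1 of the password, upper-cased to match the range format."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; malformed lines are skipped."""
    counts: dict[str, int] = {}
    for raw in body.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        if count.strip().isdigit():
            counts[suffix.strip().upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus (0 if never seen).

    fetch_range(prefix) returns the text body for a 5-char hash prefix; it is
    injected so the same logic runs against the live endpoint or an offline fixture.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_is_acceptable(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy decision: reject any password seen in a breach at least once."""
    return breach_count(password, fetch_range) == 0


def fetch_range_live(prefix: str) -> str:
    """Live lookup against the range endpoint (network access required)."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"User-Agent": "breach-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline fixture: one line for the well-known SHA-1 of "password"
# (5BAA6 + 1E4C9B93F3F0682250B6CF8331B7EE68FD8) plus two unrelated suffixes.
# The counts are invented for the example.
_FIXTURE = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345
FC5D9B2E1E8A43E86CDF9D72D4C0F2B1A9E:1
"""


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for fetch_range_live that returns the fixture."""
    assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix)
    return _FIXTURE


if __name__ == "__main__":
    for candidate in ("password", "sol4r-fl4re-tapestry-91"):
        n = breach_count(candidate, fetch_range_offline)
        print(f"{candidate!r}: seen {n} time(s); acceptable={n == 0}")
```

Swap `fetch_range_offline` for `fetch_range_live` to run the real check; the policy in `password_is_acceptable` is deliberately strict (any hit rejects), which is the usual setting for new passwords at enrolment or reset.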
Section 2: Access Control
Who has access to what? This section ensures access is minimal, reviewed, and revocable.
- [ ] Least privilege is enforced (High) — users have only the access their role requires
- [ ] Admin rights are separate from daily use accounts (High) — admin accounts not used for email/browsing
- [ ] Service accounts use minimal permissions and rotate credentials (High)
- [ ] Access rights are reviewed quarterly (Medium) — stale access is removed
- [ ] New employee onboarding follows a documented checklist (Medium)
- [ ] Offboarding follows a documented checklist (Critical) — all access revoked on day of departure
- [ ] Third-party vendor access is inventoried and reviewed (Medium) — includes contractors, integration partners
- [ ] Root/owner accounts are not used for daily operations (High)
Section 3: Endpoint Security
Endpoints are the most common initial compromise vector.
- [ ] All devices have full-disk encryption (High) — FileVault on Mac, BitLocker on Windows
- [ ] Screen lock activates after ≤5 minutes of inactivity (Medium)
- [ ] Endpoint protection (EDR) is deployed and monitored (High)
- [ ] Automatic OS updates are enforced (High)
- [ ] Mobile Device Management (MDM) policy exists for work devices (Medium)
- [ ] BYOD policy is documented if personal devices access company systems (Medium)
- [ ] USB ports are restricted where appropriate (Low–Medium depending on environment)
- [ ] Devices are remotely wipeable (High) — especially laptops
Section 4: Network Security
- [ ] All external services use TLS 1.2 or higher (Critical)
- [ ] DNS is managed centrally, with change logging (High)
- [ ] Firewall rules are documented and reviewed periodically (Medium)
- [ ] Outbound traffic filtering is in place (Medium)
- [ ] Network segmentation separates production from internal/dev (Medium–High)
- [ ] SSH access uses key-based auth, not passwords (High)
- [ ] No unintended services are exposed to the internet (Critical) — verify with a regular external port scan
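Two of the items above ("SSH access uses key-based auth, not passwords" and, from Section 2, root accounts kept off daily use) can be verified from sshd_config itself. The block below is an added example, not code from this page or from Gatera: it applies sshd's rule that the first value set for a keyword wins, fills in OpenSSH's documented defaults for keywords that are absent, and stops at the first Match block, so per-user overrides are outside what it audits. The two sample configs are constructed.

```python
"""Audit of global sshd_config settings for key-only, non-root access.

First value per keyword wins (sshd semantics); missing keywords take the
OpenSSH default; parsing stops at the first Match block. Samples are constructed.
"""
import re

# keyword (lower-case) -> (default when unset, expected value, severity when wrong)
EXPECTED = {
    "passwordauthentication": ("yes", "no", "High"),
    "kbdinteractiveauthentication": ("yes", "no", "Medium"),
    "permitemptypasswords": ("no", "no", "High"),
    "pubkeyauthentication": ("yes", "yes", "High"),
    # Anything but "no" (including the prohibit-password default, which still
    # allows root by key) is reported: root should stay off daily-use paths.
    "permitrootlogin": ("prohibit-password", "no", "High"),
}
# Older releases spell KbdInteractiveAuthentication as ChallengeResponseAuthentication.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

# sshd accepts "Keyword value" or "Keyword=value"; split on whichever comes first.
_SPLIT_RE = re.compile(r"\s*=\s*|\s+")


def parse_global_settings(text: str) -> dict[str, str]:
    """Return {keyword: first value} for the global section of an sshd_config."""
    settings: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd only treats whole lines as comments
            continue
        parts = _SPLIT_RE.split(line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break                                # per-user overrides: not audited here
        if len(parts) != 2:
            continue
        key = ALIASES.get(key, key)
        settings.setdefault(key, parts[1].strip().lower())   # first value wins
    return settings


def audit(text: str) -> list[tuple[str, str, str]]:
    """Return (keyword, observed value and where it came from, severity) per miss."""
    settings = parse_global_settings(text)
    findings = []
    for key, (default, wanted, severity) in EXPECTED.items():
        observed = settings.get(key, default)
        if observed != wanted:
            source = "set" if key in settings else "default"
            findings.append((key, f"{observed} ({source})", severity))
    return findings


# Constructed sample: a near-default config that still takes passwords and root logins.
WEAK = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
ChallengeResponseAuthentication yes
"""

# Constructed sample: key-only, no root. The repeated PasswordAuthentication line
# is ignored by sshd (first value wins), and the Match block is left for manual review.
HARDENED = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "OK")
```

Run it against `/etc/ssh/sshd_config` by reading the file into `audit()`; on hosts with `Include` directives, feed the included files too, since this example does not follow them. The Match-block stop is deliberate: overrides that re-enable passwords for a single account are exactly the kind of exception worth reading by hand.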
Section 5: Secrets and Credentials Management
- [ ] No hardcoded credentials in source code (Critical) — enforce with static analysis / pre-commit hooks
- [ ] API keys and secrets are stored in a secrets manager (High) — AWS Secrets Manager, Vault, etc.
- [ ] API keys are scoped to minimum required permissions (High)
- [ ] API keys are rotated on a defined schedule (Medium)
- [ ] Departing employees' API keys are revoked immediately (Critical)
- [ ] OTP secrets for shared accounts are in a team vault (High) — not in a Google Doc or Slack
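The first item in this section says to enforce "no hardcoded credentials" with static analysis or pre-commit hooks. The block below is an added example of such a hook (not code from this page or from Gatera): regexes for credential formats with a fixed shape, plus a Shannon-entropy heuristic for quoted literals assigned to secret-looking variable names. The entropy threshold, the placeholder list and the sample file are constructed and should be tuned against your own false-positive rate.

```python
"""Pre-commit style secret scan for source files.

Layer 1: fixed-shape formats (AWS access key IDs, GitHub tokens, PEM private-key
headers). Layer 2: high-entropy quoted literals assigned to secret-ish names.
Thresholds and the sample file are constructed for this example.
"""
import math
import re
import sys
from collections import Counter

FORMAT_RULES = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
}

# `<secret-ish name> = "<literal of 8+ chars>"`. Only quoted literals match, so
# values read from the environment or a secrets manager are never flagged.
ASSIGNMENT_RE = re.compile(
    r"(?i)([a-z0-9_]*(?:password|passwd|secret|token|api[_-]?key)[a-z0-9_]*)"
    r"\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
)
ENTROPY_THRESHOLD = 3.5   # bits per character; random tokens sit well above this
PLACEHOLDERS = ("changeme", "example", "replace", "xxxx", "todo")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character in s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix so the finding is recognisable without echoing the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)


def scan_text(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, rule name, redacted evidence) for each suspected secret."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        matched_format = False
        for rule, pattern in FORMAT_RULES.items():
            m = pattern.search(line)
            if m:
                findings.append((line_no, rule, redact(m.group(0))))
                matched_format = True
        if matched_format:
            continue   # a fixed-shape hit already covers this line
        m = ASSIGNMENT_RE.search(line)
        if not m:
            continue
        name, value = m.group(1), m.group(2)
        if any(p in value.lower() for p in PLACEHOLDERS):
            continue   # obvious dummy values are allowed
        if shannon_entropy(value) >= ENTROPY_THRESHOLD:
            findings.append((line_no, "high_entropy_literal", f"{name}={redact(value)}"))
    return findings


def scan_file(path: str) -> list[tuple[int, str, str]]:
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_text(fh.read())


# Constructed sample source file. Line 3 and line 5 should be flagged; the
# AWS key ID on line 3 is the documentation example key, not a live credential.
SAMPLE = """\
import os
DB_PASSWORD = os.environ["DB_PASSWORD"]        # fine: read from environment
AWS_KEY = "AKIAIOSFODNN7EXAMPLE"                # flagged: AWS key id format
api_token = "hunter2"                           # short, low entropy: not flagged
secret = "q7Zr9kL2mX4vB8nW1pT6cY3hJ5gF0dS2"     # flagged: high-entropy literal
"""

if __name__ == "__main__":
    paths = sys.argv[1:]   # a pre-commit framework passes the staged files here
    results = {p: scan_file(p) for p in paths} if paths else {"<sample>": scan_text(SAMPLE)}
    failed = False
    for path, findings in results.items():
        for line_no, rule, shown in findings:
            print(f"{path}:{line_no}: {rule}: {shown}")
            failed = True
    sys.exit(1 if failed else 0)
```

Wire it up as a pre-commit hook that receives the staged file names as arguments; a non-zero exit blocks the commit. The entropy layer is a heuristic: long passphrases and base64 test fixtures will trip it, so keep the placeholder list and threshold under review rather than silencing the rule.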
Section 6: Data Protection
- [ ] Sensitive data is identified and classified (Medium)
- [ ] Data retention policy is documented (Medium)
- [ ] Backups are encrypted and stored off-site or in a separate cloud region (High)
- [ ] Backup restoration is tested at least annually (High) — untested backups are not backups
- [ ] Customer data access is logged (High)
- [ ] GDPR / data privacy obligations are documented (Medium–High depending on jurisdiction)
Section 7: Monitoring and Detection
- [ ] Centralized logging is in place (High) — cloud logs, application logs, auth logs aggregated
- [ ] Authentication failures trigger alerts (High) — unusual failure patterns raise an alert
- [ ] Privileged actions are logged (High) — admin logins, config changes, data access
- [ ] Log retention meets compliance requirements (Medium)
- [ ] Cloud billing anomaly alerts are set up (Medium) — unusual spend often indicates compromise
- [ ] Uptime and availability monitoring is in place (Medium)
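The "unusual patterns trigger alerts" item above is easier to reason about with concrete rules. The block below is an added example, not code from this page or from Gatera: it replays sshd-style log lines through a sliding window per source address and raises three kinds of alert: many failures from one source (brute force), failures against many distinct accounts from one source (password spraying), and a success from a source that just failed repeatedly. The log lines, thresholds and the timestamp format (journalctl short-iso without a zone suffix) are all constructed assumptions.

```python
"""Alerting on unusual authentication-failure patterns from sshd-style logs.

Sliding window per source address; three rules. Log lines and thresholds are
constructed for this example.
"""
import re
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) \w+ for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class Event:
    time: datetime
    ok: bool
    user: str
    ip: str


def parse_events(text: str) -> list[Event]:
    """Parse the lines this example understands; anything else is ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["outcome"] == "Accepted", m["user"], m["ip"]))
    return sorted(events, key=lambda e: e.time)


def detect(text: str, window: timedelta = timedelta(minutes=10),
           brute_threshold: int = 5, spray_threshold: int = 4, success_after: int = 3) -> list[dict]:
    """Return alerts in time order. Each rule fires once per crossing of its threshold."""
    alerts = []
    recent: dict[str, deque] = {}   # ip -> (time, user) failures still inside the window
    for ev in parse_events(text):
        dq = recent.setdefault(ev.ip, deque())
        while dq and ev.time - dq[0][0] > window:
            dq.popleft()             # expire failures older than the window
        if ev.ok:
            if len(dq) >= success_after:
                alerts.append({"rule": "success_after_failures", "source": ev.ip,
                               "user": ev.user, "time": ev.time, "failures": len(dq)})
            dq.clear()               # a success ends the current burst for this source
            continue
        dq.append((ev.time, ev.user))
        distinct = {u for _, u in dq}
        if len(distinct) == spray_threshold:
            alerts.append({"rule": "password_spray", "source": ev.ip,
                           "time": ev.time, "users": sorted(distinct)})
        if len(dq) == brute_threshold:
            alerts.append({"rule": "brute_force", "source": ev.ip,
                           "time": ev.time, "failures": len(dq)})
    return alerts


# Constructed log: one old failure, a six-account spray followed by a success,
# and a user who mistypes twice before logging in with a key.
LOG = """\
2024-05-01T09:00:00 bastion sshd[900]: Failed password for invalid user admin from 192.0.2.9 port 40000 ssh2
2024-05-01T12:00:01 bastion sshd[1001]: Failed password for alice from 203.0.113.5 port 51001 ssh2
2024-05-01T12:00:05 bastion sshd[1002]: Failed password for bob from 203.0.113.5 port 51002 ssh2
2024-05-01T12:00:09 bastion sshd[1003]: Failed password for carol from 203.0.113.5 port 51003 ssh2
2024-05-01T12:00:13 bastion sshd[1004]: Failed password for dave from 203.0.113.5 port 51004 ssh2
2024-05-01T12:00:17 bastion sshd[1005]: Failed password for erin from 203.0.113.5 port 51005 ssh2
2024-05-01T12:00:21 bastion sshd[1006]: Failed password for frank from 203.0.113.5 port 51006 ssh2
2024-05-01T12:00:30 bastion sshd[1007]: Accepted password for frank from 203.0.113.5 port 51007 ssh2
2024-05-01T12:10:00 bastion sshd[1100]: Failed password for alice from 198.51.100.7 port 52000 ssh2
2024-05-01T12:10:06 bastion sshd[1101]: Failed password for alice from 198.51.100.7 port 52001 ssh2
2024-05-01T12:10:12 bastion sshd[1102]: Accepted publickey for alice from 198.51.100.7 port 52002 ssh2
"""

if __name__ == "__main__":
    for alert in detect(LOG):
        print(alert)
```

The `success_after` threshold is what keeps this quiet: two typos before a key login from 198.51.100.7 produce nothing, while the same rule fires for 203.0.113.5 because six accounts failed first. Lower it to 1 and the legitimate login is reported too, which is the trade-off to make explicitly when tuning.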
Section 8: Incident Response
- [ ] Incident response plan is documented (High)
- [ ] Incident severity levels are defined (Medium)
- [ ] Key contacts are documented (High) — who to call for legal, PR, executive, cloud support
- [ ] IR plan is reviewed at least annually (Medium)
- [ ] Tabletop exercises are conducted (Medium) — walk through a simulated incident
Section 9: Supply Chain and Third-Party Risk
- [ ] Third-party software is reviewed before deployment (Medium)
- [ ] SaaS vendor security assessments are conducted (Medium)
- [ ] Contractor access follows the same standards as employee access (High)
- [ ] SLA and security requirements are in vendor contracts (Medium)
Scoring Your Organization
After working through the checklist:
- Fewer than 5 gaps: Strong security posture. Focus on deepening existing controls.
- 5–15 gaps: Average. Prioritize Critical and High items immediately.
- More than 15 gaps: Significant exposure. Start with authentication and access control — they have the highest impact.
Where to Start
If you have limited time and need to prioritize:
- Ensure all admin accounts have TOTP or hardware key MFA (today)
- Move shared OTP codes from personal phones to a team vault (this week)
- Document and verify your offboarding process (this week)
- Review who has admin rights and remove what's not needed (this month)
- Enable full-disk encryption on all devices (this month)
These five items address the most common initial attack vectors and do so with minimal disruption to operations.
Gatera helps you check off several of the authentication and MFA management items on this list — a team vault with access control, audit logging, and instant revocation, built for IT teams.