Security Checklist
Step-by-step security hardening checklist for SOC teams and DevSecOps engineers — covering identity, endpoints, network, cloud, and compliance.
Security Hardening Checklist — SOC Teams & DevSecOps
Step-by-step security hardening checklist covering the complete attack surface for enterprise environments — identity, endpoints, network, cloud infrastructure, application security, and compliance readiness.
- Identity hardening — MFA enforcement, privileged access review, service account audit, and session timeout policies
- Endpoint hardening — EDR deployment, OS patching cadence, software inventory, and removable media controls
- Network security — firewall rule review, TLS 1.3 enforcement, VLAN segmentation, and intrusion detection tuning
- Cloud security — IAM least-privilege, storage ACL review, secrets rotation, and cloud trail logging
- Application security — OWASP Top 10 scan, dependency audit, WAF rule validation, and DAST testing
- Compliance readiness — SOC 2, ISO 27001, and PCI DSS control gap assessment with evidence requirements
Identity and Privileged Access Hardening Procedures
Identity is the primary attack surface in modern enterprise environments — the majority of successful breaches now involve compromised credentials rather than technical vulnerability exploitation. Identity hardening starts with MFA enforcement across all user accounts, including service accounts, and extends through privileged access governance, session management, and identity anomaly monitoring. Every privileged account should be subject to regular access review, time-limited privilege elevation, and session recording. Service accounts — often neglected in access review programmes — should be inventoried, their permissions documented, and unnecessary ones deprovisioned. Login anomaly detection should alert on impossible travel, new device authentication, and off-hours access for privileged users.
- MFA enforcement audit — verify MFA is active for all users, with no exemptions for service accounts or executives
- Privileged account review — quarterly inventory of all admin accounts with business justification and access scope
- Service account audit — full inventory of service accounts, their permissions, last-used dates, and owning teams
- PAM deployment assessment — verify privileged sessions are recorded and approved through a PAM workflow
- Login anomaly detection — confirm alerting is configured for impossible travel, new device, and off-hours admin access
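The impossible-travel and off-hours checks from the last item, as an added example that is not part of the original checklist; the 900 km/h speed threshold, the 07:00-19:59 business window, and the sign-in events are all assumptions constructed for the demonstration.

```python
# Added example (not from the checklist page): flags impossible travel and
# off-hours privileged logins in a constructed set of sign-in events.
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900           # assumed threshold: faster than a commercial flight
BUSINESS_HOURS = range(7, 20) # assumed 07:00-19:59 window for admin activity

@dataclass
class Login:
    user: str
    when: datetime
    lat: float
    lon: float
    privileged: bool

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two coordinates."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect_anomalies(events):
    """Return (user, rule, detail) findings; events may arrive out of order."""
    findings, last_by_user = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_by_user.get(ev.user)
        if prev is not None:
            hours = (ev.when - prev.when).total_seconds() / 3600
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Same-second logins from two places are as impossible as fast travel.
            if km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
                findings.append((ev.user, "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
        if ev.privileged and ev.when.hour not in BUSINESS_HOURS:
            findings.append((ev.user, "off_hours_admin", ev.when.isoformat()))
        last_by_user[ev.user] = ev
    return findings

# Constructed sample: London then New York two hours later, and a 03:00 admin login.
SAMPLE = [
    Login("alice", datetime(2024, 5, 1, 9, 0), 51.5, -0.12, False),
    Login("alice", datetime(2024, 5, 1, 11, 0), 40.7, -74.0, False),
    Login("svc-backup", datetime(2024, 5, 1, 3, 0), 48.8, 2.35, True),
    Login("bob", datetime(2024, 5, 1, 9, 0), 48.8, 2.35, True),
    Login("bob", datetime(2024, 5, 1, 15, 0), 51.5, -0.12, True),
]
if __name__ == "__main__":
    for finding in detect_anomalies(SAMPLE):
        print(finding)
```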
Endpoint Security Hardening and EDR Deployment Validation
Effective endpoint security requires both preventing initial compromise through hardening measures and, when prevention fails, ensuring rapid detection through EDR deployment. Hardening measures include enforcing OS patching within defined SLA windows, maintaining an accurate software inventory that enables rapid identification of affected assets when new vulnerabilities are disclosed, disabling AutoRun and removable media execution, enabling host-based firewalls, and deploying application allowlisting on high-value systems. EDR agent deployment should be validated for 100 percent coverage across all managed endpoints — coverage gaps in EDR deployment are a significant blind spot that attackers can exploit to operate undetected.
- OS patch compliance rate — percentage of endpoints patched within defined SLA (Critical 72h, High 7d, Medium 30d)
- EDR agent coverage — verify 100% of managed endpoints have active, communicating EDR agents
- Software inventory completeness — accurate CMDB with all installed software across the endpoint fleet
- Removable media controls — USB device restrictions enforced via GPO or MDM for all managed endpoints
- Application allowlisting — high-value system enforcement preventing execution of unapproved executables
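The patch compliance rate and EDR coverage metrics from the first two items, as an added example that is not part of the original checklist; the SLA windows are the ones stated above, while the finding records, host names and report date are constructed for the demonstration.

```python
# Added example (not from the checklist page): computes per-severity patch SLA
# compliance and lists EDR coverage gaps from constructed inventory records.
from datetime import datetime, timedelta

# SLA windows from the checklist: Critical 72h, High 7d, Medium 30d.
SLA = {"critical": timedelta(hours=72), "high": timedelta(days=7), "medium": timedelta(days=30)}

def patch_compliance(findings, now):
    """findings: dicts with host, severity, published, patched (None while open).
    Returns {severity: (within_sla, total)}. An open finding whose SLA deadline has
    not yet passed is neither compliant nor a breach and is left out of the total."""
    stats = {sev: [0, 0] for sev in SLA}
    for f in findings:
        sev = f["severity"].lower()
        deadline = f["published"] + SLA[sev]
        if f["patched"] is None and now <= deadline:
            continue
        stats[sev][1] += 1
        if f["patched"] is not None and f["patched"] <= deadline:
            stats[sev][0] += 1
    return {sev: tuple(v) for sev, v in stats.items()}

def compliance_rate(stats):
    """Percentage within SLA per severity; None where nothing is measurable yet."""
    return {sev: (round(100.0 * ok / total, 1) if total else None) for sev, (ok, total) in stats.items()}

def edr_gaps(cmdb_hosts, edr_hosts):
    """Managed hosts (per the CMDB) with no active, communicating EDR agent."""
    return sorted(set(cmdb_hosts) - set(edr_hosts))

NOW = datetime(2024, 6, 10)
# Constructed sample findings: publication and patch dates of one vulnerability per host.
SAMPLE_FINDINGS = [
    {"host": "web-01", "severity": "critical", "published": datetime(2024, 6, 1), "patched": datetime(2024, 6, 2)},
    {"host": "web-02", "severity": "critical", "published": datetime(2024, 6, 1), "patched": datetime(2024, 6, 5)},
    {"host": "db-01", "severity": "high", "published": datetime(2024, 6, 1), "patched": None},
    {"host": "db-02", "severity": "medium", "published": datetime(2024, 6, 1), "patched": None},
    {"host": "app-01", "severity": "high", "published": datetime(2024, 5, 20), "patched": datetime(2024, 5, 26)},
]
CMDB_HOSTS = ["web-01", "web-02", "db-01", "db-02", "app-01"]
EDR_HOSTS = ["web-01", "web-02", "db-01", "app-01"]      # constructed: db-02 has no agent

if __name__ == "__main__":
    print(compliance_rate(patch_compliance(SAMPLE_FINDINGS, NOW)))
    print("EDR gaps:", edr_gaps(CMDB_HOSTS, EDR_HOSTS))
```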
Network Security Hardening and Segmentation Assessment
Network hardening encompasses firewall rule hygiene, encryption enforcement, segmentation validation, and intrusion detection tuning. Firewall rule reviews should identify overly permissive rules — particularly any-to-any rules, rules allowing direct internet access from internal servers, and rules that have not been reviewed in over 12 months. TLS 1.3 enforcement should be validated at all entry points, with TLS 1.0 and 1.1 explicitly disabled and weak cipher suites removed from TLS 1.2 configurations. VLAN segmentation should isolate high-value systems from general-purpose internal networks, with inter-VLAN routing restricted to explicitly required flows documented in a network traffic matrix.
- Firewall rule hygiene — quarterly review removing shadow rules, overly permissive entries, and undocumented flows
- TLS 1.3 enforcement — disabling TLS 1.0/1.1 at all ingress points and removing weak cipher suites from TLS 1.2
- VLAN segmentation validation — verifying high-value network segments are isolated with only documented inter-VLAN flows
- IDS/IPS tuning review — quarterly review of intrusion detection signatures, suppression rules, and alert queue quality
- Network traffic baseline — documenting expected inter-system communication patterns for anomaly detection reference
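The firewall rule review described above, as an added example that is not part of the original checklist: it flags any-to-any rules, server-to-internet rules, rules not reviewed in 12 months, and shadow rules (a rule fully covered by an earlier one, so it never fires). The rule format, the 10.0.0.0/8 internal range, the 10.20.0.0/16 server VLAN and the sample rules are all assumptions constructed for the demonstration.

```python
# Added example (not from the checklist page): reviews a constructed firewall rule
# list for any-to-any rules, server-to-internet rules, rules not reviewed in
# 12 months, and rules shadowed by an earlier rule. The rule format is assumed.
from dataclasses import dataclass
from datetime import date, timedelta
from ipaddress import ip_network

INTERNAL = ip_network("10.0.0.0/8")     # assumed internal address space
SERVERS = ip_network("10.20.0.0/16")    # assumed server VLAN inside it
ANY = ip_network("0.0.0.0/0")
STALE_AFTER = timedelta(days=365)       # checklist: reviewed within 12 months

@dataclass
class Rule:
    name: str
    src: str            # CIDR
    dst: str            # CIDR
    ports: frozenset    # destination ports, or frozenset({"any"})
    last_reviewed: date

def covers(a, b):
    """True if rule a matches every packet rule b matches, so b never fires."""
    return (ip_network(b.src).subnet_of(ip_network(a.src))
            and ip_network(b.dst).subnet_of(ip_network(a.dst))
            and ("any" in a.ports or b.ports <= a.ports))

def review_rules(rules, today):
    """Return (rule name, finding) pairs; rules are evaluated in listed order."""
    findings = []
    for i, r in enumerate(rules):
        src, dst = ip_network(r.src), ip_network(r.dst)
        if src == ANY and dst == ANY and "any" in r.ports:
            findings.append((r.name, "any_to_any"))
        if src.subnet_of(SERVERS) and not dst.subnet_of(INTERNAL):
            findings.append((r.name, "server_to_internet"))
        if today - r.last_reviewed > STALE_AFTER:
            findings.append((r.name, "not_reviewed_12m"))
        shadow = next((e.name for e in rules[:i] if covers(e, r)), None)
        if shadow:
            findings.append((r.name, f"shadowed_by:{shadow}"))
    return findings

# Constructed sample rule set, evaluated top to bottom.
SAMPLE = [
    Rule("web-to-db", "10.20.1.0/24", "10.30.1.0/24", frozenset({5432}), date(2024, 3, 1)),
    Rule("web-to-db-host", "10.20.1.0/24", "10.30.1.10/32", frozenset({5432}), date(2024, 3, 1)),
    Rule("srv-egress", "10.20.0.0/16", "0.0.0.0/0", frozenset({443}), date(2023, 1, 15)),
    Rule("legacy-any", "0.0.0.0/0", "0.0.0.0/0", frozenset({"any"}), date(2022, 6, 1)),
]
TODAY = date(2024, 6, 10)   # constructed review date
```

Shadow detection here only considers one earlier rule at a time; a rule covered only by the union of several earlier rules is not reported.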
Cloud Security Hardening and Infrastructure Configuration Review
Cloud infrastructure hardening requires validating IAM configurations, storage access controls, secrets management practices, and audit logging across all cloud accounts. IAM least-privilege reviews should identify users and roles with permissions significantly exceeding their actual usage — cloud IAM systems generate access advisor data showing which permissions have not been used in 90 or 180 days, enabling data-driven privilege reduction. Storage access control reviews should identify any publicly accessible storage buckets or containers and confirm that all sensitive storage uses server-side encryption. Secrets management should verify that all application credentials are stored in a secrets management service rather than environment variables or code repositories.
- IAM permission reduction — using access advisor data to identify and remove unused permissions from all roles
- Public storage audit — identifying any storage buckets or blob containers with public access enabled
- Secrets management validation — confirming no secrets are stored in environment variables, code, or configuration files
- Cloud audit log coverage — verifying CloudTrail, Azure Monitor, or GCP Audit Logs are enabled and retained
- Root/owner account protection — MFA enforcement, no active access keys, and usage alerting on root credentials
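The data-driven IAM permission reduction from the section above, as an added example that is not part of the original checklist: it drops Allow actions whose service has not been used within the 90-day window, leaves Deny statements alone, and sets aside bare `*` actions for manual review because service-level last-used data cannot judge them. The report format, the sample policy and the last-used dates are assumptions constructed for the demonstration.

```python
# Added example (not from the checklist page): trims a constructed IAM policy to
# the services an access-advisor style report shows as used in the last 90 days.
# Report format assumed here: {service_prefix: last_authenticated date or None}.
from datetime import date, timedelta

UNUSED_AFTER = timedelta(days=90)   # checklist cites 90- or 180-day windows

def service_of(action):
    """'s3:GetObject' -> 's3'; a bare '*' has no service prefix."""
    return action.split(":", 1)[0] if ":" in action else "*"

def reduce_policy(policy, last_used, today):
    """Return (reduced_policy, removed_actions, manual_review).
    Allow actions whose service was never used, or last used more than
    UNUSED_AFTER ago, are dropped. Deny statements are never touched, and
    '*' actions cannot be judged per service, so they are kept and listed
    for manual review."""
    removed, manual, statements = [], [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            statements.append(stmt)
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        kept = []
        for action in actions:
            svc = service_of(action)
            if svc == "*":
                manual.append(action)
                kept.append(action)
                continue
            used = last_used.get(svc)
            if used is None or today - used > UNUSED_AFTER:
                removed.append(action)
            else:
                kept.append(action)
        if kept:   # a statement with no remaining actions is dropped entirely
            statements.append({**stmt, "Action": kept})
    return {**policy, "Statement": statements}, removed, manual

# Constructed sample: a role policy plus a service-level last-used report.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "ec2:DescribeInstances", "iam:PassRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "kms:Decrypt", "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:DeleteBucket", "Resource": "*"},
]}
LAST_USED = {"s3": date(2024, 6, 1), "ec2": date(2024, 1, 5), "kms": date(2024, 5, 20)}  # iam: never
TODAY = date(2024, 6, 10)
```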