The following lays out how I would apply cybersecurity fundamentals to build a bare-minimum security checklist for basic IT operations.
It is my approach to establishing a Minimum Acceptable Security Posture for a given environment.
Table of Contents
1. Identity & Access
- 1. Unique accounts for every user; no shared logins under any circumstances.
- 2. Strong password policy enforced: minimum 12 characters with complexity requirements.
- 3. MFA enabled on all critical systems: email, VPN, and admin accounts at minimum.
- 4. Least-privilege principle applied: users only receive the access required to perform their specific role.
- 5. Accounts disabled or removed immediately when employees leave the organization.
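Items 4 and 5 are the ones most often silently violated: an account outlives the employee, or a forgotten account sits enabled and unused. The following is an added example, not part of the original checklist, of a joiner/leaver reconciliation: it compares an HR roster of active staff against a directory export and flags enabled accounts with no matching employee (orphaned) or no recent login (dormant). The roster, the directory entries, the `svc_` service-account prefix and the 45-day dormancy threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

# Constructed sample roster (assumption: HR is the source of truth for who is employed).
ACTIVE_STAFF: Set[str] = {"alice", "bob", "carol"}


@dataclass
class Account:
    username: str
    enabled: bool
    last_login: Optional[date]  # None means the account has never logged in
    is_admin: bool


# Constructed sample directory export; not taken from any real environment.
DIRECTORY: List[Account] = [
    Account("alice", True, date(2024, 5, 30), False),
    Account("bob", True, date(2024, 5, 29), True),
    Account("carol", True, date(2024, 3, 1), False),   # long idle: dormant
    Account("dave", True, date(2024, 5, 20), True),    # no longer employed but still enabled
    Account("erin", False, date(2023, 11, 2), False),  # already disabled: nothing to flag
    Account("svc_backup", True, None, False),          # service account, reviewed separately
]


def review_accounts(
    accounts: List[Account],
    active_staff: Set[str],
    today: date,
    dormant_days: int = 45,
    service_prefixes: Tuple[str, ...] = ("svc_",),
) -> List[Tuple[str, str, bool]]:
    """Return (username, finding, is_admin) for enabled accounts that violate items 4/5.

    Orphaned accounts are reported before the dormancy check, since a leaver's
    account should be disabled regardless of how recently it was used.
    """
    findings = []
    cutoff = today - timedelta(days=dormant_days)
    for acct in accounts:
        if not acct.enabled or acct.username.startswith(service_prefixes):
            continue
        if acct.username not in active_staff:
            findings.append((acct.username, "orphaned", acct.is_admin))
            continue
        if acct.last_login is None or acct.last_login < cutoff:
            findings.append((acct.username, "dormant", acct.is_admin))
    return findings


def review_sample() -> List[Tuple[str, str, bool]]:
    """Run the review over the constructed data as of a fixed date."""
    return review_accounts(DIRECTORY, ACTIVE_STAFF, today=date(2024, 6, 1))


if __name__ == "__main__":
    for username, finding, is_admin in review_sample():
        flag = " (PRIVILEGED)" if is_admin else ""
        print(f"{finding:9} {username}{flag}")
```

Running the review reports `carol` as dormant and `dave` as orphaned, with `dave` marked privileged because the account still holds admin rights; that ordering (orphaned privileged accounts first) is the one a reviewer would want to act on. In practice the roster and the directory export would come from the HR system and the identity provider, and the review would run on a schedule rather than once.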
2. Endpoint Protection
- 6. Antivirus or EDR installed and actively monitored on all devices.
- 7. Automatic OS and software updates enabled; patching applied consistently across all endpoints.
- 8. Full-disk encryption enabled on all devices (BitLocker for Windows, FileVault for macOS).
- 9. Screen lock after inactivity configured for 5 to 15 minutes.
- 10. Unauthorized software installs restricted; admin rights limited to those who require them.
3. Network Security
- 11. Firewall enabled at the network perimeter and on all endpoints.
- 12. Guest Wi-Fi separated from the corporate network via segmentation.
- 13. VPN required for all remote access to internal systems and resources.
- 14. Default router and switch credentials changed; vendor defaults are never left in place.
- 15. Unused ports and services disabled to reduce the attack surface at the network level.
4. Data & Backups
- 16. Regular backups scheduled: daily or weekly at minimum, depending on data criticality.
- 17. Backups stored offsite or in the cloud following the 3-2-1 rule: three copies, two media types, one offsite.
- 18. Backup restoration tested at least annually; an untested backup is an unreliable backup.
- 19. Sensitive data identified and access restricted: know what you have and who can reach it.
5. Email & Phishing
- 20. Spam and phishing filtering active on all mail services.
- 21. SPF, DKIM, and DMARC configured for your organization's domain.
- 22. Users trained to recognize phishing at least annually, with simulations where possible.
- 23. External email warning banners enabled to alert users when mail originates outside the organization.
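Item 21 is easy to tick off and easy to get wrong: an SPF record that ends in `?all` or a DMARC record with `p=none` is "configured" but enforces nothing. The following is an added example, not part of the original checklist, that parses SPF and DMARC TXT records and reports the gaps against this baseline (SPF must end in `-all` or `~all` and stay under the 10-lookup limit from RFC 7208; DMARC must use `quarantine` or `reject`, at `pct=100`, with a `rua=` reporting address). The records are constructed samples; in a real check they would come from DNS queries for the domain and for `_dmarc.<domain>`. DKIM is left out because verifying it requires knowing each sending service's selector.

```python
import re
from typing import Dict, List, Optional

# Constructed example records (not real DNS data). "weak" is the kind of record
# that exists but enforces nothing; "baseline" meets the checklist item.
SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    "weak": {
        "spf": "v=spf1 include:_spf.mail.example.net ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    },
    "baseline": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
        "dmarc": "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@example.com",
    },
}

# Mechanisms/modifiers that cost a DNS lookup during SPF evaluation (RFC 7208 section 4.6.4).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)", re.IGNORECASE)


def check_spf(record: Optional[str]) -> List[str]:
    """Return a list of baseline violations for an SPF record (empty list = passes)."""
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record (v=spf1) published"]
    issues = []
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("SPF has no 'all' mechanism; unlisted senders are permitted")
    else:
        last = all_terms[-1]
        qualifier = last[0] if last[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            issues.append(f"SPF ends with '{last}'; use -all or ~all so unauthorized senders fail")
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups; RFC 7208 caps evaluation at 10")
    return issues


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: Optional[str]) -> List[str]:
    """Return a list of baseline violations for a DMARC record (empty list = passes)."""
    tags = parse_dmarc(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record (v=DMARC1) published at _dmarc.<domain>"]
    issues = []
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"DMARC policy is p={policy or 'missing'}; baseline is quarantine or reject")
    if "rua" not in tags:
        issues.append("no rua= address; aggregate reports will not be received")
    if tags.get("pct", "100") != "100":
        issues.append(f"pct={tags['pct']} applies the policy to only part of the mail flow")
    return issues


def check_domain(spf: Optional[str], dmarc: Optional[str]) -> Dict[str, List[str]]:
    """Evaluate both records for one domain; all-empty lists means the item is met."""
    return {"spf": check_spf(spf), "dmarc": check_dmarc(dmarc)}


if __name__ == "__main__":
    for name, records in SAMPLE_RECORDS.items():
        print(name, check_domain(**records))
```

The "weak" sample produces one SPF finding (`?all`) and one DMARC finding (`p=none`), while the "baseline" sample produces none. A record with `p=none` is still worth publishing first, because the `rua=` reports it generates show which legitimate senders would break before the policy is tightened; the check simply makes sure that interim state does not become permanent.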
6. Policies & Governance
- 24. Acceptable Use Policy documented and signed by all staff members.
- 25. Incident response plan exists, even a basic one-page document outlining roles and steps.
- 26. Asset inventory maintained: a current record of all hardware and devices in the environment.
- 27. Software and license inventory maintained: know what is installed and where.
7. Monitoring & Logging
- 28. Login and authentication logs collected and retained, with a minimum 90-day retention.
- 29. Failed login alerts configured: automated notification on repeated or suspicious failures.
- 30. Admin and privileged activity logged; all elevated-access actions should be recorded.
- 31. Someone is actively reviewing alerts: a person or tool must be assigned to monitor and respond.
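Item 29 says "repeated or suspicious failures" without saying what counts as repeated. The following is an added example, not part of the original checklist, of the simplest useful rule: alert when one source address accumulates a threshold number of failed logins inside a sliding time window, while a single mistyped password from a known user stays quiet. The log lines are constructed in the style of an OpenSSH `sshd` auth log and are not captured from any real host; the threshold of 5 failures in 60 seconds is an assumption to be tuned per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Tuple

# Constructed sample auth-log excerpt (not from a real system). One source makes
# five failures in seconds; two legitimate users each fail once.
SAMPLE_LOG = """\
2024-06-01T08:00:01 host sshd[1201]: Failed password for invalid user admin from 198.51.100.7 port 50110 ssh2
2024-06-01T08:00:03 host sshd[1202]: Failed password for invalid user test from 198.51.100.7 port 50111 ssh2
2024-06-01T08:00:05 host sshd[1203]: Failed password for root from 198.51.100.7 port 50112 ssh2
2024-06-01T08:00:06 host sshd[1204]: Failed password for root from 198.51.100.7 port 50113 ssh2
2024-06-01T08:00:08 host sshd[1205]: Failed password for root from 198.51.100.7 port 50114 ssh2
2024-06-01T08:01:10 host sshd[1210]: Failed password for alice from 192.0.2.10 port 40000 ssh2
2024-06-01T08:01:40 host sshd[1211]: Accepted publickey for alice from 192.0.2.10 port 40001 ssh2
2024-06-01T08:20:00 host sshd[1220]: Failed password for bob from 192.0.2.11 port 40100 ssh2
"""

# Assumed line layout: ISO timestamp, hostname, sshd[pid]: <Failed|Accepted> <method> for [invalid user] <user> from <ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)

Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, source ip)


def parse_auth_lines(text: str) -> Iterator[Event]:
    """Yield structured events for lines that match; unrelated lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]


def detect_failed_login_bursts(
    events: Iterable[Event], threshold: int = 5, window_seconds: int = 60
) -> List[Dict[str, object]]:
    """Alert once per source IP that reaches `threshold` failures within `window_seconds`."""
    recent: Dict[str, deque] = defaultdict(deque)  # per-IP sliding window of (ts, user)
    alerts: List[Dict[str, object]] = []
    alerted = set()
    for ts, result, user, ip in events:
        if result != "Failed":
            continue
        window = recent[ip]
        window.append((ts, user))
        # Drop failures that have aged out of the window.
        while window and (ts - window[0][0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({
                "ip": ip,
                "failures": len(window),
                "users": sorted({u for _, u in window}),
                "last_seen": ts,
            })
    return alerts


def run_sample() -> List[Dict[str, object]]:
    """Apply the rule to the constructed log excerpt."""
    return detect_failed_login_bursts(parse_auth_lines(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert['ip']}: {alert['failures']} failures, "
              f"users tried: {', '.join(alert['users'])}, last at {alert['last_seen']}")
```

On the sample, only `198.51.100.7` raises an alert (five failures across the `admin`, `test` and `root` names), and `alice` and `bob` do not. Deduplicating per source keeps one noisy address from generating hundreds of alerts, which matters for item 31: an alert stream nobody can keep up with is functionally the same as no alerting.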
Most breaches exploit failures in just a handful of these areas: weak passwords, no MFA, unpatched systems, and phishing. If your organization is just getting started, lock those four down first and work outward from there.
A baseline is not the finish line; it is the starting line. Once these controls are consistently met across your environment, the next step is hardening specific systems, adopting risk-based controls aligned to your organization's threat model, and working toward any applicable compliance frameworks such as NIST CSF, SOC 2, HIPAA, or CMMC.
Implementing and maintaining a security baseline demonstrates not only technical discipline, but also a commitment to responsible information security management, an essential mindset for any IT professional operating in today's threat landscape.