Data Security Checklist
Quarterly data-security review for a consulting firm — covers inventory and classification of client data, access controls, encryption, backup, monitoring, and consultant awareness. Run by the Director of Operations with the engagement leads and IT.
Data Inventory and Classification
-
Inventory client-data repositories per engagement
Walk each active engagement folder in Box, Google Drive, SharePoint, and any client-provided VDI. Note where raw client data lives, where derived deliverables live, and any shadow copies on consultants' laptops. Engagements that ended in the last quarter but still have live data are the usual gap.
-
Classify data by sensitivity tier
Apply the firm's four-tier scheme — Public, Internal, Confidential, Restricted. Restricted covers PHI, non-public financials, M&A working papers, and anything carrying contractual confidentiality. Tag at the folder level so downstream access controls can key off the label.
-
Flag regulated-client-data exposure
Review the engagement portfolio for any regulated data the firm is touching this quarter. The classification drives downstream gates — a HIPAA engagement requires a Business Associate Agreement before PHI access; a federal engagement requires consultant clearances.
Collects list
Access Controls and Identity
-
Enforce SSO and MFA across firm SaaS
Confirm Okta or Entra ID is the front door for Slack, the project-management tool, time tracking, the CRM, and file storage. Any tool with a local password is a gap. MFA enforcement should require TOTP or hardware key — SMS no longer counts for Restricted-tier engagements.
-
Apply least-privilege access per engagement
Each engagement workspace gets its own access list keyed to the staffed team plus the engagement partner. Bench consultants should not retain access to engagements they have rolled off. The common gotcha is shared firm-wide drives that contain Restricted-tier subfolders without permission overrides.
-
Execute Business Associate Agreement before PHI access
HIPAA engagements require a signed BAA between the firm and the covered entity before any PHI lands in firm systems. Use the firm's standard BAA template; client-form BAAs need legal review for indemnification and breach-notification timelines. No PHI access until the BAA is countersigned.
Collects file -
Schedule access revocation at engagement closeout
Closeout workflow should de-provision engagement-specific access within five business days of final deliverable acceptance. Audit the prior quarter's closed engagements to confirm de-provisioning actually happened — lingering access is the most common finding in client security reviews.
Encryption and Endpoint Hardening
-
Verify full-disk encryption on firm laptops
Pull the Jamf or Intune compliance report. FileVault on Mac, BitLocker on Windows, both with escrowed recovery keys. Any device showing non-compliant or pending should be remediated before the consultant's next engagement-data access.
-
Require TLS 1.2+ for data in transit
Confirm the file-transfer tool, email gateway, and any custom client-data exchange surfaces enforce TLS 1.2 or higher. Personal Gmail, consumer Dropbox, and unencrypted SFTP are the three recurring offenders — block them at the network layer rather than relying on policy alone.
-
Disable personal cloud sync on managed devices
Personal iCloud, personal Google Drive, and personal OneDrive should be blocked via MDM on firm-issued laptops. A signed NDA does not protect the firm if a consultant's iCloud is silently syncing the client's M&A working papers to a home iPad.
Backup and Retention
-
Configure automated encrypted backups
Engagement repositories back up nightly to the firm's secondary region with AES-256 at rest. Verify the backup tool is honoring the engagement-tier ACLs — a backup that flattens permissions is itself a control gap.
-
Run quarterly restore-from-backup test
Pick one Confidential and one Restricted engagement folder at random and restore to an isolated location. Verify file integrity and permission preservation. A backup you have never restored is a backup you do not have.
Collects list -
Open remediation ticket for failed restore
A failed or partial restore is a P1 — file the ticket with IT, scope the affected engagements, and notify the engagement partners on any Restricted-tier work. Re-test within 10 business days of remediation.
-
Purge client data at engagement closeout
Apply each engagement's contracted retention period — typically 90 days post-closeout, but DPAs with EU clients often require sooner per GDPR Article 5(1)(e). Indefinite retention 'just in case the client comes back' is a breach risk and a contract violation.
Monitoring and Audit
-
Enable audit logging across SSO and storage
Okta system log, Google Drive / SharePoint audit logs, and email gateway logs forwarded to the firm's SIEM with at least 12 months retention. For Restricted-tier engagements, retention extends to whatever the client's DPA specifies — sometimes 7 years.
-
Review quarterly logs for anomalous access
Look for after-hours access from unfamiliar geographies, bulk downloads, and access to engagement folders by consultants not on the staffing list. Most findings are benign (a partner reviewing for QA) but the discipline of looking is the control.
-
Run incident-response tabletop exercise
Walk a realistic scenario — lost laptop with cached client deck, phishing compromise of a senior manager's account, accidental email of PHI to wrong recipient. Time the response and identify gaps in the breach-notification chain to client legal.
Collects date
Awareness and Policy
-
Deliver annual security training to all consultants
Cover phishing recognition, client-data handling, mobile-device discipline, and incident reporting. Subcontractors and embedded resources count too — they often get skipped because they sit outside the HRIS.
-
Walk through the client-data handling protocol
Cover the named cases: data lives on the firm-issued laptop or the client VDI, never on personal email or personal cloud. Reference the prior incident (sanitized) so the protocol is concrete, not abstract. New consultants get this twice — Day 1 and again at engagement start.
-
Capture signed policy acknowledgement
Each consultant — employee or subcontractor — signs the current data-handling policy. Store the signed copy in the personnel system; client security reviews routinely sample these.
Collects signature Collects paragraph
Use this template
Copy it to your account, customize the steps, and run it with your team in minutes.
Browse hundreds of free templates across every team and industry.
Back to template libraryRelated templates
More workflows your team can run.
Run Data Security Checklist with your team
Customize the steps, assign roles, set a schedule, and keep a complete record for every run.