Data Security Checklist

Quarterly data-security review for a consulting firm — covers inventory and classification of client data, access controls, encryption, backup, monitoring, and consultant awareness. Run by the Director of Operations with the engagement leads and IT.

6 sections 20 steps Collects data
1

Data Inventory and Classification

  1. Inventory client-data repositories per engagement
    • Walk each active engagement folder in Box, Google Drive, SharePoint, and any client-provided VDI. Note where raw client data lives, where derived deliverables live, and any shadow copies on consultants' laptops. Engagements that ended in the last quarter but still have live data are the usual gap.

  2. Classify data by sensitivity tier
    • Apply the firm's four-tier scheme — Public, Internal, Confidential, Restricted. Restricted covers PHI, non-public financials, M&A working papers, and anything carrying contractual confidentiality. Tag at the folder level so downstream access controls can key off the label.

  3. Flag regulated-client-data exposure
    • Review the engagement portfolio for any regulated data the firm is touching this quarter. The classification drives downstream gates — a HIPAA engagement requires a Business Associate Agreement before PHI access; a federal engagement requires consultant clearances.

    Collects list
2

Access Controls and Identity

  1. Enforce SSO and MFA across firm SaaS
    • Confirm Okta or Entra ID is the front door for Slack, the project-management tool, time tracking, the CRM, and file storage. Any tool with a local password is a gap. MFA enforcement should require TOTP or hardware key — SMS no longer counts for Restricted-tier engagements.

  2. Apply least-privilege access per engagement
    • Each engagement workspace gets its own access list keyed to the staffed team plus the engagement partner. Bench consultants should not retain access to engagements they have rolled off. The common gotcha is shared firm-wide drives that contain Restricted-tier subfolders without permission overrides.

  3. Execute Business Associate Agreement before PHI access
    • HIPAA engagements require a signed BAA between the firm and the covered entity before any PHI lands in firm systems. Use the firm's standard BAA template; client-form BAAs need legal review for indemnification and breach-notification timelines. No PHI access until the BAA is countersigned.

    Collects file
  4. Schedule access revocation at engagement closeout
    • Closeout workflow should de-provision engagement-specific access within five business days of final deliverable acceptance. Audit the prior quarter's closed engagements to confirm de-provisioning actually happened — lingering access is the most common finding in client security reviews.

3

Encryption and Endpoint Hardening

  1. Verify full-disk encryption on firm laptops
    • Pull the Jamf or Intune compliance report. FileVault on Mac, BitLocker on Windows, both with escrowed recovery keys. Any device showing non-compliant or pending should be remediated before the consultant's next engagement-data access.

  2. Require TLS 1.2+ for data in transit
    • Confirm the file-transfer tool, email gateway, and any custom client-data exchange surfaces enforce TLS 1.2 or higher. Personal Gmail, consumer Dropbox, and unencrypted SFTP are the three recurring offenders — block them at the network layer rather than relying on policy alone.

  3. Disable personal cloud sync on managed devices
    • Personal iCloud, personal Google Drive, and personal OneDrive should be blocked via MDM on firm-issued laptops. A signed NDA does not protect the firm if a consultant's iCloud is silently syncing the client's M&A working papers to a home iPad.

4

Backup and Retention

  1. Configure automated encrypted backups
    • Engagement repositories back up nightly to the firm's secondary region with AES-256 at rest. Verify the backup tool is honoring the engagement-tier ACLs — a backup that flattens permissions is itself a control gap.

  2. Run quarterly restore-from-backup test
    • Pick one Confidential and one Restricted engagement folder at random and restore to an isolated location. Verify file integrity and permission preservation. A backup you have never restored is a backup you do not have.

    Collects list
  3. Open remediation ticket for failed restore
    • A failed or partial restore is a P1 — file the ticket with IT, scope the affected engagements, and notify the engagement partners on any Restricted-tier work. Re-test within 10 business days of remediation.

  4. Purge client data at engagement closeout
    • Apply each engagement's contracted retention period — typically 90 days post-closeout, but DPAs with EU clients often require sooner per GDPR Article 5(1)(e). Indefinite retention 'just in case the client comes back' is a breach risk and a contract violation.

5

Monitoring and Audit

  1. Enable audit logging across SSO and storage
    • Okta system log, Google Drive / SharePoint audit logs, and email gateway logs forwarded to the firm's SIEM with at least 12 months retention. For Restricted-tier engagements, retention extends to whatever the client's DPA specifies — sometimes 7 years.

  2. Review quarterly logs for anomalous access
    • Look for after-hours access from unfamiliar geographies, bulk downloads, and access to engagement folders by consultants not on the staffing list. Most findings are benign (a partner reviewing for QA) but the discipline of looking is the control.

  3. Run incident-response tabletop exercise
    • Walk a realistic scenario — lost laptop with cached client deck, phishing compromise of a senior manager's account, accidental email of PHI to wrong recipient. Time the response and identify gaps in the breach-notification chain to client legal.

    Collects date
6

Awareness and Policy

  1. Deliver annual security training to all consultants
    • Cover phishing recognition, client-data handling, mobile-device discipline, and incident reporting. Subcontractors and embedded resources count too — they often get skipped because they sit outside the HRIS.

  2. Walk through the client-data handling protocol
    • Cover the named cases: data lives on the firm-issued laptop or the client VDI, never on personal email or personal cloud. Reference the prior incident (sanitized) so the protocol is concrete, not abstract. New consultants get this twice — Day 1 and again at engagement start.

  3. Capture signed policy acknowledgement
    • Each consultant — employee or subcontractor — signs the current data-handling policy. Store the signed copy in the personnel system; client security reviews routinely sample these.

    Collects signature Collects paragraph

Use this template

Copy it to your account, customize the steps, and run it with your team in minutes.


Sections 6
Steps 20
Category Consulting
Price Free to start
Need a different process

Browse hundreds of free templates across every team and industry.

Back to template library

Run Data Security Checklist with your team

Customize the steps, assign roles, set a schedule, and keep a complete record for every run.