Data Security Checklist

Data Inventory and Classification

    Walk each active engagement folder in Box, Google Drive, SharePoint, and any client-provided VDI. Note where raw client data lives, where derived deliverables live, and any shadow copies on consultants' laptops. Engagements that ended in the last quarter but still have live data are the usual gap.

    Apply the firm's four-tier scheme — Public, Internal, Confidential, Restricted. Restricted covers PHI, non-public financials, M&A working papers, and anything carrying contractual confidentiality. Tag at the folder level so downstream access controls can key off the label.

    Review the engagement portfolio for any regulated data the firm is touching this quarter. The classification drives downstream gates — a HIPAA engagement requires a Business Associate Agreement before PHI access; a federal engagement requires consultant clearances.

Access Controls and Identity

    Confirm Okta or Entra ID is the front door for Slack, the project-management tool, time tracking, the CRM, and file storage. Any tool with a local password is a gap. MFA enforcement should require TOTP or a FIDO2 hardware key; SMS no longer counts for Restricted-tier engagements. Of the two, only the hardware key is phishing-resistant, so prefer it where the engagement tier justifies the cost.

    Each engagement workspace gets its own access list keyed to the staffed team plus the engagement partner. Bench consultants should not retain access to engagements they have rolled off. The common gotcha is shared firm-wide drives that contain Restricted-tier subfolders without permission overrides.

    HIPAA engagements require a signed BAA between the firm and the covered entity before any PHI lands in firm systems. Use the firm's standard BAA template; client-form BAAs need legal review for indemnification and breach-notification timelines. No PHI access until the BAA is countersigned.

    Closeout workflow should de-provision engagement-specific access within five business days of final deliverable acceptance. Audit the prior quarter's closed engagements to confirm de-provisioning actually happened — lingering access is the most common finding in client security reviews.
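    The two audits above (access not justified by the staffing list, and closed engagements whose access outlived the five-business-day window) are easiest to run as one reconciliation. The following is an added example for this checklist, not the firm's own tooling: it assumes an ACL export keyed by engagement, a staffing roster with team and partner, and a closeout ledger with the acceptance date, and all of the data in it is constructed. A real run would build those three structures from the SharePoint/Box/Okta exports first.

```python
"""Engagement access reconciliation.

Added example for this checklist, not the firm's own tooling. Assumes three
inputs a real run would build from exports: an ACL export
(engagement -> principals with any access), the staffing roster
(engagement -> team and partner) and a closeout ledger
(engagement -> date the final deliverable was accepted). Data is constructed.
"""
from datetime import date, timedelta

DEPROVISION_WINDOW_BDAYS = 5   # business days after final deliverable acceptance

STAFFING = {
    "ENG-001": {"team": {"alice", "bob"}, "partner": "carol"},
    "ENG-002": {"team": {"dave"}, "partner": "carol"},
    "ENG-003": {"team": {"erin", "bob"}, "partner": "frank"},
}
CLOSEOUT = {"ENG-002": date(2024, 3, 1)}   # a Friday; the window ends Friday 8 March
ACL = {
    "ENG-001": {"alice", "bob", "carol"},
    "ENG-002": {"dave", "carol", "bob"},                 # bob rolled off; engagement is closed
    "ENG-003": {"erin", "bob", "frank", "all-staff"},    # firm-wide group inherited from the parent drive
}


def add_business_days(start, n):
    """Calendar date n business days after start (weekends skipped; no holiday calendar)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def unjustified_access(acl, staffing):
    """Principals on an engagement ACL who are neither staffed nor the partner.

    A firm-wide group sitting on a Restricted subfolder shows up here as a
    single principal, which is exactly the inherited-permission gotcha.
    """
    findings = {}
    for eng, principals in acl.items():
        staffed = staffing.get(eng, {})
        allowed = set(staffed.get("team", set()))
        if "partner" in staffed:
            allowed.add(staffed["partner"])
        extra = principals - allowed
        if extra:
            findings[eng] = sorted(extra)
    return findings


def overdue_deprovisioning(acl, closeout, today, window=DEPROVISION_WINDOW_BDAYS):
    """Closed engagements with anyone still on the ACL after the window.

    After closeout the expected ACL is empty; an archive custodian, if the
    firm uses one, would be whitelisted here.
    """
    overdue = {}
    for eng, accepted in closeout.items():
        deadline = add_business_days(accepted, window)
        if today > deadline and acl.get(eng):
            overdue[eng] = {"deadline": deadline, "principals": sorted(acl[eng])}
    return overdue


def run_audit(today_iso, acl=ACL, staffing=STAFFING, closeout=CLOSEOUT):
    """Both checks in one report, with dates as ISO strings so it serializes."""
    today = date.fromisoformat(today_iso)
    overdue = overdue_deprovisioning(acl, closeout, today)
    return {
        "unjustified": unjustified_access(acl, staffing),
        "overdue": {eng: {"deadline": v["deadline"].isoformat(), "principals": v["principals"]}
                    for eng, v in overdue.items()},
    }


if __name__ == "__main__":
    print(run_audit("2024-03-15"))
```

    Run against the constructed data on 15 March, the report flags bob on the closed ENG-002 and the inherited all-staff group on ENG-003, and lists everyone still on ENG-002 as overdue; run on 8 March (the last day of the window) the overdue list is empty, so the audit should be scheduled after the window closes, not on the day it does.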

Encryption and Endpoint Hardening

    Pull the Jamf or Intune compliance report. FileVault on Mac, BitLocker on Windows, both with escrowed recovery keys. Any device showing non-compliant or pending should be remediated before the consultant's next engagement-data access.

    Confirm the file-transfer tool, email gateway, and any custom client-data exchange surfaces enforce TLS 1.2 or higher (TLS 1.3 preferred) and reject downgrade to older versions. SFTP endpoints run over SSH rather than TLS, so for those check the allowed ciphers and key-exchange algorithms instead. Personal Gmail, consumer Dropbox, and plain FTP are the three recurring offenders: block them at the network layer rather than relying on policy alone.

    Personal iCloud, personal Google Drive, and personal OneDrive should be blocked via MDM on firm-issued laptops. A signed NDA does not protect the firm if a consultant's iCloud is silently syncing the client's M&A working papers to a home iPad.

Backup and Retention

    Engagement repositories back up nightly to the firm's secondary region with AES-256 at rest. Verify the backup tool is honoring the engagement-tier ACLs — a backup that flattens permissions is itself a control gap.

    Pick one Confidential and one Restricted engagement folder at random and restore to an isolated location. Verify file integrity and permission preservation. A backup you have never restored is a backup you do not have.

    A failed or partial restore is a P1 — file the ticket with IT, scope the affected engagements, and notify the engagement partners on any Restricted-tier work. Re-test within 10 business days of remediation.
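    The restore drill above comes down to comparing a manifest of the source folder against a manifest of the restored copy: every file present, every content hash equal, every permission preserved. The following is an added example for this checklist, not the firm's backup tool. It assumes a POSIX filesystem (permissions compared as mode bits), local source and restore paths, and a constructed Restricted-tier folder; real engagement folders carry ACLs richer than a mode, but the comparison is the same once the backup tool's permission export is mapped into the manifest.

```python
"""Restore verification: content hash plus permission comparison.

Added example for this checklist, not the firm's backup tool. Assumes a POSIX
filesystem (permissions compared as st_mode & 0o777) and local paths. The
engagement folder built by demo_restore_drill() is constructed.
"""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """relative path -> (sha256, mode) for every regular file under root."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            out[str(p.relative_to(root))] = (sha256_of(p), stat.S_IMODE(p.stat().st_mode))
    return out


def compare_restore(source_root, restored_root):
    """Findings a restore drill should report; 'ok' is True only when all lists are empty."""
    src, dst = manifest(source_root), manifest(restored_root)
    findings = {"missing": [], "extra": [], "corrupt": [], "permissions": []}
    for rel, (digest, mode) in src.items():
        if rel not in dst:
            findings["missing"].append(rel)
            continue
        rdigest, rmode = dst[rel]
        if rdigest != digest:
            findings["corrupt"].append(rel)          # partial or altered content
        if rmode != mode:
            findings["permissions"].append((rel, oct(mode), oct(rmode)))   # flattened ACL
    findings["extra"] = sorted(set(dst) - set(src))
    for key in findings:
        findings[key].sort()
    findings["ok"] = not any(findings[k] for k in ("missing", "extra", "corrupt", "permissions"))
    return findings


def demo_restore_drill():
    """Build a constructed Restricted-tier folder, restore it twice, and return
    (findings for a faithful restore, findings for a bad restore).

    The bad restore flattens the working-papers permission and truncates a
    file, the two failure modes the checklist calls out."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "ENG-042")
        (src / "working-papers").mkdir(parents=True)
        (src / "working-papers" / "model.xlsx").write_bytes(b"constructed deal model")
        (src / "README.txt").write_bytes(b"engagement notes")
        os.chmod(src / "working-papers" / "model.xlsx", 0o600)   # Restricted: owner only
        os.chmod(src / "README.txt", 0o644)

        good = Path(tmp, "restore-good")
        shutil.copytree(src, good)                    # copy2 preserves mode bits
        bad = Path(tmp, "restore-bad")
        shutil.copytree(src, bad)
        os.chmod(bad / "working-papers" / "model.xlsx", 0o644)   # permissions flattened
        (bad / "README.txt").write_bytes(b"engagement")          # partial restore
        return compare_restore(src, good), compare_restore(src, bad)


if __name__ == "__main__":
    ok, broken = demo_restore_drill()
    print("faithful restore:", ok)
    print("broken restore:", broken)
```

    A non-empty "permissions" list is the backup-flattens-ACLs gap from the previous item; a non-empty "corrupt" or "missing" list is the failed or partial restore that this item treats as a P1.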

    Apply each engagement's contracted retention period — typically 90 days post-closeout, but DPAs with EU clients often require deletion sooner under the storage-limitation principle in GDPR Article 5(1)(e). Indefinite retention 'just in case the client comes back' is a breach risk and a contract violation.

Monitoring and Audit

    Okta system log, Google Drive / SharePoint audit logs, and email gateway logs forwarded to the firm's SIEM with at least 12 months retention. For Restricted-tier engagements, retention extends to whatever the client's DPA specifies — sometimes 7 years.

    Look for after-hours access from unfamiliar geographies, bulk downloads, and access to engagement folders by consultants not on the staffing list. Most findings are benign (a partner reviewing for QA) but the discipline of looking is the control.
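    The three patterns in the item above can be written as detections over the forwarded access logs. The following is an added example for this checklist, not a SIEM rule export: the event shape, the business-hours window, the 25-downloads-in-10-minutes bulk threshold and the per-user country baselines are all assumptions, the events are constructed, and timestamps are taken to be in the firm's local time. The carol event is the benign case the checklist mentions (a partner reviewing for QA while travelling): it is still surfaced, because deciding it is benign is the analyst's job, not the rule's.

```python
"""Three detections over engagement-folder access events.

Added example for this checklist, not a SIEM rule export. Event shape
(ts, user, engagement, action, country), business hours, the bulk threshold
and the per-user country baselines are assumptions; events are constructed
and timestamps are taken to be in the firm's local time.
"""
from collections import defaultdict
from datetime import datetime, timedelta

STAFFING = {"ENG-001": {"alice", "bob", "carol"}}     # staffed team plus engagement partner
BASELINE_COUNTRIES = {"alice": {"US"}, "bob": {"US", "GB"}, "carol": {"US"}, "mallory": {"US"}}
BUSINESS_HOURS = (7, 20)               # [start, end) local hour, weekdays only
BULK_THRESHOLD = 25                    # downloads by one user on one engagement ...
BULK_WINDOW = timedelta(minutes=10)    # ... within this sliding window


def _event(ts, user, engagement, action, country):
    return {"ts": ts, "user": user, "engagement": engagement, "action": action, "country": country}


def _burst(start, user, count, step_seconds):
    """count downloads by user on ENG-001 from the US, step_seconds apart."""
    return [_event((start + timedelta(seconds=step_seconds * i)).isoformat(),
                   user, "ENG-001", "download", "US") for i in range(count)]


EVENTS = (
    [
        _event("2024-03-12T09:15:00", "alice", "ENG-001", "view", "US"),
        _event("2024-03-12T22:30:00", "bob", "ENG-001", "view", "GB"),    # late, but GB is in bob's baseline
        _event("2024-03-13T03:00:00", "carol", "ENG-001", "view", "SG"),  # partner reviewing from an unfamiliar country
    ]
    + _burst(datetime(2024, 3, 12, 14, 0), "bob", 24, 20)        # 24 in 8 minutes: under the threshold
    + _burst(datetime(2024, 3, 14, 10, 0), "mallory", 30, 5)     # 30 in 2.5 minutes by someone not staffed
)


def parse(events):
    """SIEM exports carry ISO timestamps; parse once, up front."""
    return [dict(e, ts=datetime.fromisoformat(e["ts"])) for e in events]


def unstaffed_access(events, staffing):
    """Any access to an engagement by a user not on its staffing list."""
    return sorted({(e["user"], e["engagement"]) for e in events
                   if e["user"] not in staffing.get(e["engagement"], set())})


def after_hours_unfamiliar_geo(events, baseline, hours=BUSINESS_HOURS):
    """Access outside business hours (or at the weekend) from a country not in the user's baseline."""
    hits = []
    for e in events:
        off_hours = not (hours[0] <= e["ts"].hour < hours[1]) or e["ts"].weekday() >= 5
        unfamiliar = e["country"] not in baseline.get(e["user"], set())
        if off_hours and unfamiliar:
            hits.append((e["user"], e["ts"].isoformat(), e["country"]))
    return hits


def bulk_downloads(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Peak download count per (user, engagement) in any sliding window; report if over threshold."""
    per_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "download":
            per_key[(e["user"], e["engagement"])].append(e["ts"])
    hits = []
    for (user, eng), times in per_key.items():
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            hits.append((user, eng, peak))
    return hits


def run_all(raw_events, staffing=STAFFING, baseline=BASELINE_COUNTRIES):
    events = parse(raw_events)
    return {
        "unstaffed": unstaffed_access(events, staffing),
        "after_hours_unfamiliar": after_hours_unfamiliar_geo(events, baseline),
        "bulk": bulk_downloads(events),
    }


if __name__ == "__main__":
    for rule, findings in run_all(EVENTS).items():
        print(rule, findings)
```

    On the constructed events, mallory trips both the unstaffed rule and the bulk rule, carol trips the after-hours rule, and bob trips nothing: his late access is from a baseline country and his 24 downloads sit just under the threshold, which is the usual argument for tuning thresholds against real partner and manager behaviour rather than guessing them.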

    Run a tabletop exercise on a realistic scenario — lost laptop with a cached client deck, phishing compromise of a senior manager's account, accidental email of PHI to the wrong recipient. Time the response and identify gaps in the breach-notification chain to client legal.

Awareness and Policy

    Cover phishing recognition, client-data handling, mobile-device discipline, and incident reporting. Subcontractors and embedded resources count too — they often get skipped because they sit outside the HRIS.

    Cover the named cases: data lives on the firm-issued laptop or the client VDI, never on personal email or personal cloud. Reference the prior incident (sanitized) so the protocol is concrete, not abstract. New consultants get this twice — Day 1 and again at engagement start.

    Each consultant — employee or subcontractor — signs the current data-handling policy. Store the signed copy in the personnel system; client security reviews routinely sample these.