Security Audit Checklist
Physical Security at Office and Properties
Walk every door at the corporate office and any onsite leasing center. Test deadbolts, electronic strikes, and any keypad or fob reader. Confirm the after-hours alarm arms and that former-employee codes have been removed — stale fob entitlements after turnover are the most common finding here.
Verify each camera at the leasing office, mailroom, package room, parking, and amenity spaces shows a current live image and that the NVR is retaining footage for the firm's stated window (commonly 30 days). Note any blind spots created by new landscaping or signage.
The maintenance supervisor reconciles the physical key board and fob assignment list against the current employee and vendor roster. Any key or fob issued to a terminated employee, a former vendor, or a tenant that has moved out is recovered immediately, the fob is deactivated in the access system, and the affected lock is rekeyed if the key cannot be recovered.
Pull the last 90 days of move-outs and confirm each unit has a rekey or full lock change logged before the new tenant moved in. Missing entries are a liability exposure — a prior tenant retaining keys to an occupied unit is a fact pattern firms cannot defend.
Tenant Data Security
Review the vendor security documentation for AppFolio, Buildium, Yardi, or whichever PMS the firm runs. Confirm encryption at rest and TLS in transit, and confirm the firm's own admins do not export tenant SSNs or DOBs into spreadsheets stored on local drives or shared network folders.
FCRA consumer reports (TransUnion SmartMove, RentPrep, Experian RentBureau output) require secure retention and disposal. Confirm reports older than the firm's retention window are destroyed via shred or secure delete and that adverse-action notices were sent for every denied applicant in the audit window.
Pull the PMS audit log for the last quarter. Flag any access to the rent roll or screening reports by users outside leasing, accounting, or compliance roles. Investigate off-hours exports — a common precursor to a departing-employee data exfiltration incident.
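The triage described above, as an added example that is not code from AppFolio, Buildium, Yardi or any other PMS. The CSV layout (timestamp, user, role, action, object, rows), the allowed-role list and the business window are assumptions about what an export looks like; the log rows are constructed. It flags two things: any read of the rent roll or a screening report by a user outside leasing, accounting or compliance, and any export of those objects outside weekday business hours.

```python
"""Triage a PMS audit-log export for out-of-role access and off-hours exports.

Added example for this checklist; it is not PMS vendor code. The column
layout, allowed roles and business window below are assumptions: real
exports differ, so adapt the names before running it against your own data.
"""
import csv
import io
from datetime import datetime, time

# Roles the checklist permits to read the rent roll and screening reports.
ALLOWED_ROLES = {"leasing", "accounting", "compliance"}
# Objects whose access is reviewed in this pass.
SENSITIVE_OBJECTS = {"rent_roll", "screening_report"}
# Local business window; exports outside it on weekdays, or at any time on a
# weekend, are reported for investigation.
BUSINESS_START = time(7, 0)
BUSINESS_END = time(19, 0)

# Constructed sample export (assumed columns). 2024-03-04 is a Monday.
SAMPLE_LOG = """\
timestamp,user,role,action,object,rows
2024-03-04T09:12:41,jdoe,leasing,view,screening_report,1
2024-03-04T13:05:02,mlee,maintenance,view,rent_roll,1
2024-03-06T22:47:19,tchen,leasing,export,rent_roll,412
2024-03-07T10:30:00,agarcia,accounting,export,rent_roll,412
2024-03-09T11:02:55,rpatel,accounting,export,screening_report,88
2024-03-08T08:15:00,kwong,compliance,view,screening_report,1
"""


def is_off_hours(ts: datetime) -> bool:
    """True on Saturday/Sunday, or outside the business window on a weekday."""
    if ts.weekday() >= 5:  # Monday is 0, so 5 and 6 are the weekend
        return True
    return not (BUSINESS_START <= ts.time() <= BUSINESS_END)


def triage(log_text: str) -> list:
    """Return one finding per sensitive-object event that needs a human look.

    Each finding carries the original row fields plus a 'reasons' list so the
    reviewer can see both the role problem and the timing problem when a
    single event has both.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["object"] not in SENSITIVE_OBJECTS:
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        reasons = []
        if row["role"] not in ALLOWED_ROLES:
            reasons.append("out_of_role_access")
        if row["action"] == "export" and is_off_hours(ts):
            reasons.append("off_hours_export")
        if reasons:
            findings.append({
                "timestamp": row["timestamp"],
                "user": row["user"],
                "role": row["role"],
                "action": row["action"],
                "object": row["object"],
                "rows": int(row["rows"]),
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['user']:<10} {f['role']:<12} "
              f"{f['action']:<7} {f['object']:<17} rows={f['rows']:<4} "
              f"{','.join(f['reasons'])}")
```

On the constructed rows this reports the maintenance user reading the rent roll, the 22:47 weekday rent-roll export, and the Saturday screening-report export; the Thursday export by accounting is within role and within hours and is not reported. Row counts are carried through so a reviewer can tell a single-record lookup from a bulk pull of the whole roll.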
Open a sandbox restore of last night's PMS backup and verify the rent roll, lease documents, and tenant ledgers come back intact. Backups that have never been restored are not backups. Record the result; a failed restore triggers immediate remediation in the next step.
If the restore fails, open a ticket with the PMS vendor, fix the backup job, and rerun it. Do not close the audit until a clean restore is demonstrated end-to-end: a silent backup failure is what turns a recoverable ransomware incident into permanent data loss.
Network and System Security
Pull the PMS user list and confirm every account, including service accounts and integrations such as Zillow Rental Manager and the screening provider, has MFA enrolled. Where an integration authenticates with an API key or token rather than an interactive login and cannot enroll MFA, confirm instead that the credential is scoped to the minimum permissions the integration needs and has been rotated within the firm's rotation window. Disable any account that has not logged in for 90 days; dormant leasing-agent accounts are a frequent intrusion vector.
Confirm every leasing-office laptop and onsite kiosk is on a current OS build with security patches applied within the last 30 days. Self-showing kiosks (Tenant Turner, Showdigs, Rently) sit on the property network and are easy to forget.
Walk the maintenance vendor portal and any 24/7 dispatch integrations (Latchel, Lessen) and remove access for vendors whose certificates of insurance (COIs) have lapsed or whose contracts have ended. Vendor accounts left active after the relationship ends are a documented breach pattern.
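The account review in the PMS user-list item and the vendor-portal item above share one pass over an account export, so here is a single added example covering both. It is not PMS or vendor-portal code; the export columns (user, type, mfa_enrolled, last_login, contract_end, coi_expiry), the fixed audit date and the 90-day dormancy window are assumptions, and the rows are constructed. It produces, per account, the actions the checklist calls for: disable dormant accounts, enroll MFA (or review the credential for a service account that cannot), and disable vendor accounts whose contract has ended or whose COI has lapsed.

```python
"""Review a PMS / vendor-portal account export against the access items.

Added example for this checklist, not vendor code. The export layout, the
audit date and the dormancy window are assumptions; the rows are constructed.
"""
import csv
import io
from datetime import date

DORMANT_DAYS = 90
# Fixed "today" so the example is deterministic; pass a real date in practice.
AUDIT_DATE = date(2024, 3, 15)

# Constructed export (assumed columns). type is employee, service or vendor.
# An empty last_login means the account has never signed in; contract_end and
# coi_expiry are only populated for vendor accounts.
SAMPLE_ACCOUNTS = """\
user,type,mfa_enrolled,last_login,contract_end,coi_expiry
jdoe,employee,yes,2024-03-14,,
kwong,employee,no,2024-03-12,,
tsmith,employee,yes,2023-11-01,,
zillow-sync,service,yes,2024-03-15,,
screening-api,service,no,2024-03-15,,
acme-plumbing,vendor,yes,2024-03-10,2024-06-30,2024-12-31
quickfix-hvac,vendor,yes,2024-02-28,2023-12-31,2024-08-01
brightclean,vendor,no,2024-03-01,2024-09-30,2024-02-01
"""


def parse_date(s: str):
    """ISO date or None for an empty cell."""
    return date.fromisoformat(s) if s else None


def review(export_text: str, today: date = AUDIT_DATE) -> list:
    """Return the accounts that need action, with the actions to take.

    Accounts with nothing to fix are omitted so the output is the work list.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        actions = []

        # Dormancy: never logged in, or last login older than the window.
        last = parse_date(row["last_login"])
        if last is None or (today - last).days > DORMANT_DAYS:
            actions.append("disable:dormant")

        # MFA: interactive accounts enroll; an integration credential that
        # cannot enroll gets a scope-and-rotation review instead.
        if row["mfa_enrolled"].strip().lower() != "yes":
            if row["type"] == "service":
                actions.append("review_integration_credential")
            else:
                actions.append("enroll_mfa")

        # Vendor relationship: a lapsed COI or an ended contract ends access.
        if row["type"] == "vendor":
            contract_end = parse_date(row["contract_end"])
            coi_expiry = parse_date(row["coi_expiry"])
            if contract_end is not None and contract_end < today:
                actions.append("disable:contract_ended")
            if coi_expiry is None or coi_expiry < today:
                actions.append("disable:coi_lapsed")

        if actions:
            findings.append({"user": row["user"], "type": row["type"],
                             "actions": actions})
    return findings


if __name__ == "__main__":
    for f in review(SAMPLE_ACCOUNTS):
        print(f"{f['user']:<15} {f['type']:<9} {', '.join(f['actions'])}")
```

On the constructed rows the work list is: kwong (enroll MFA), tsmith (dormant since November), screening-api (integration credential without MFA, review its scope and rotation), quickfix-hvac (contract ended last year, still active) and brightclean (no MFA and a COI that expired in February). A vendor with a missing COI date is treated as lapsed rather than skipped, so a blank cell cannot hide an uninsured vendor.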
Run an authenticated scan against the corporate office network and any onsite leasing center networks. Attach the report; the IT lead triages criticals and highs against the firm's standard remediation SLA before sign-off.
Staff Training and Compliance
In the leasing-staff training session, cover the named cases that come up in screening: service animals are not pets; an emotional support animal (ESA) with a valid letter is exempt from pet rent and breed restrictions; source-of-income protections apply in the operating jurisdictions that have them; and an FCRA adverse action notice is required when an applicant is denied based on a screening report. Capture the attendance roster in the LMS.
Send a simulated phishing email targeting leasing agents and accounting (the wire-fraud risk concentrates in accounts payable approving a vendor banking change). Record the click rate; assign retraining to anyone who entered credentials.
Pull the password manager (1Password, Bitwarden, LastPass) admin console and confirm every active employee has an enrolled vault and that shared vendor credentials live there rather than in a shared spreadsheet or sticky note at the leasing desk.
Confirm leasing agents are applying credit, income, and rental-history thresholds uniformly and not screening out Section 8 vouchers, SSI/SSDI, or child support in jurisdictions where source of income is a protected class. Spot-check three recent denials against the documented criteria.
Incident Response Readiness
Each operating state has its own breach notification statute with its own deadline (commonly 30 to 60 days from discovery; several states also require separate notice to the state Attorney General once the number of affected residents passes a threshold). Confirm the plan maps every operating state, lists the right state Attorney General contacts, and names the credit-monitoring vendor the firm has pre-selected.
Verify after-hours phone numbers for the IT lead, the firm's outside counsel, the cyber-insurance carrier, the PMS vendor support, and the property owners or HOA boards who need to be notified. Stale contacts at 2am during a live incident are the textbook avoidable failure.
Walk the response team through a scenario: a leasing agent's laptop is stolen with a cached export of applicant credit reports. Time the team's decisions on containment, legal notification, and tenant communication. Score the drill; weak performance triggers a plan update in the next step.
Document the gaps surfaced during the drill — unclear ownership, missing contact, slow legal escalation — and update the written plan. Re-circulate the revised plan to every named role and capture acknowledgment in the LMS.
The Director of Operations or Compliance Officer reviews the full audit, captures the overall result, and assigns owners for any open remediation items. The signed record is filed for the firm's standard retention and surfaces at the next quarterly audit.
