CRM SECURITY AUDIT CHECKLIST
Created by ChecklistGuro (https://checklistguro.com)

--- ACCESS CONTROL & PERMISSIONS ---
[ ] Default User Role Assignment Method (Manual, Automated, Hybrid)
[ ] Field-Level Security Enabled? (Yes, No, Review Required)
[ ] Number of Admin Users
[ ] Which Profiles Have Access to Sensitive Data? (Sales, Marketing, Support, Management)
[ ] Last Review of User Permissions
[ ] Notes on Role-Based Access Control Implementation

--- PASSWORD POLICIES ---
[ ] Minimum Password Length
[ ] Password Complexity Requirements (Minimum 8 characters, Minimum 10 characters, Minimum 12 characters, Custom (specify in long text))
[ ] Specific Complexity Requirements (e.g., uppercase, lowercase, numbers, symbols; if Custom)
[ ] Password Expiration Policy (No Expiration, 30 Days, 60 Days, 90 Days, Custom (specify in long text))
[ ] Password Expiration Customization
[ ] Account Lockout Policy (No Lockout, 3 Incorrect Attempts, 5 Incorrect Attempts, Custom (specify in long text))
[ ] Account Lockout Customization

--- DATA ENCRYPTION ---
[ ] Encryption Method at Rest (AES-128, AES-256, Other (specify in long text))
[ ] Specify Encryption Method (if "Other" selected)
[ ] Encryption of Data in Transit (TLS 1.2 or higher, SSL 3.0 (Not Recommended), Other (specify in long text))
[ ] Specify Encryption Protocol (if "Other" selected)
[ ] Encryption Key Rotation Frequency (Days)
[ ] Key Management System (Native CRM Key Management, Third-Party Key Management System, Other (specify in long text))

--- AUDIT LOGGING ---
[ ] Number of Audit Log Entries Reviewed
[ ] Summary of Key Audit Log Findings
[ ] Audit Logging Level (Error, Warning, Info, Debug)
[ ] Last Audit Log Rotation Date
[ ] Description of Log Retention Policy
[ ] Log Storage Location (CRM, SIEM)

--- VULNERABILITY SCANNING ---
[ ] Last Scan Date (YYYY-MM-DD)
[ ] Scanning Tool Used (Internal Tool, Third-Party Tool (specify below))
[ ] (If Third-Party) Specify Tool Name and Version
[ ] Number of High Severity Vulnerabilities Found
[ ] Number of Medium Severity Vulnerabilities Found
[ ] Number of Low Severity Vulnerabilities Found
[ ] Vulnerability Categories Scanned (select all that apply) (SQL Injection, Cross-Site Scripting (XSS), Authentication Bypass, Information Disclosure, Remote Code Execution, Other (specify below))
[ ] (If Other) Specify Other Vulnerability Categories
[ ] Upload Latest Vulnerability Scan Report

--- THIRD-PARTY INTEGRATIONS ---
[ ] Integration Name
[ ] Integration Description
[ ] Data Volume Transferred (approx. per day)
[ ] Authentication Method (API Key, OAuth 2.0, Other)
[ ] Integration Configuration File (if applicable)
[ ] Data Encryption in Transit (HTTPS, TLS, None)

--- DATA BACKUP & RECOVERY ---
[ ] Frequency of Full Data Backups
[ ] Frequency of Incremental/Differential Backups
[ ] Last Full Data Backup Date
[ ] Backup Storage Location(s)
[ ] Backup Storage Type (On-site, Cloud, Hybrid)
[ ] Recovery Time Objective (RTO)
[ ] Recovery Point Objective (RPO)
[ ] Recovery Test Procedure Documentation Link

--- COMPLIANCE & REGULATIONS ---
[ ] Applicable Regulations (GDPR, CCPA, HIPAA, PCI DSS, Other (specify))
[ ] Description of Compliance Efforts
[ ] Last Compliance Review Date
[ ] Number of Data Subject Access Requests (DSARs) Processed Last Year
[ ] Data Residency Requirements (None, EU, US, Other (specify))
[ ] Compliance Documentation (e.g., Privacy Policy)

--- NETWORK SECURITY ---
[ ] Firewall Configuration Status (Fully Configured, Partially Configured, Not Configured)
[ ] Intrusion Detection/Prevention System (IDS/IPS) Status (Enabled & Active, Enabled but Not Active, Not Enabled)
[ ] Allowed Ports for CRM Access
[ ] Network Segmentation Description
[ ] Last Network Security Assessment Date
[ ] VPN Required for Remote Access? (Yes, No)

--- USER TRAINING & AWARENESS ---
[ ] Describe the CRM security awareness training provided.
[ ] Topics covered in training (select all that apply): (Phishing Awareness, Password Security, Data Handling Best Practices, Reporting Security Incidents, Social Engineering, Device Security)
[ ] Number of users trained:
[ ] Date of last security awareness training:
[ ] Training Delivery Method: (Online Module, In-Person Workshop, Combination)
[ ] Describe any refresher training or ongoing awareness campaigns.

--- END OF TEMPLATE ---