SFC - Workspace Security
The SEAL Framework Checklist (SFC) for Workspace Security provides guidelines to help secure organizational workspaces, covering device management, account security, communications, and training.
For more details on certifications or self-assessments, refer to the Certification Guidelines.
Section 1: Governance & Inventory
Documented Workspace Security Policies
Do you maintain documented security policies governing workspace operations (device standards, account management, access control)?
Accountability for Workspace Security
Is there a clearly designated person or team accountable for workspace security (policy maintenance, reviews)?
Policy Review and Update Process
Do you operate a documented review and update process for security policies with defined triggers (incidents, technology updates)?
Device Ownership and Security Status
Do you maintain an inventory of organizational devices (laptops, phones, tablets) that tracks ownership and critical security status (encryption, OS version)?
Accounts Inventory and Ownership
Do you maintain an inventory of organizational accounts (email, cloud services, social media, DNS, development tools) with defined ownership?
Information Classification by Sensitivity
Do you classify information and systems based on sensitivity and criticality to determine appropriate security controls?
Section 2: Device Security & Management
Security Requirements for Company Devices
Do you maintain documented security requirements for company-issued devices (encryption, authentication, patching, software restrictions)?
Device Provisioning and Compliance
Do you have procedures for provisioning devices according to security requirements and verifying ongoing compliance?
Device Access Authentication Requirements
Do you enforce authentication requirements for device access (password complexity, timeout settings, lock screens)?
Administrative Privilege Management on Devices
Do you maintain procedures for managing administrative privileges on devices (separation from daily-use accounts, approval processes)?
Corporate vs Personal Device Usage Policies
Do you maintain policies distinguishing between corporate and personal device usage with appropriate security controls?
Remote Device Management for Loss/Compromise
Do you have procedures for remotely managing organizational devices in case of loss or compromise (remote lock/wipe capabilities)?
Secure Device Decommissioning Procedures
Do you maintain procedures for secure device decommissioning including data sanitization?
Lost or Stolen Device Procedures
Do you have documented procedures for responding to lost or stolen devices?
EDR/MDM Deployment and Monitoring
Do you maintain endpoint detection and response (EDR) or mobile device management (MDM) solutions on organizational devices with documented deployment and monitoring procedures?
EDR/MDM Alert Response Procedures
Do you have procedures for responding to EDR/MDM alerts and enforcing compliance with security policies through these platforms?
Section 3: Account Management & Access Control
User Account Provisioning Lifecycle
Do you have procedures for provisioning, modifying, and deprovisioning user accounts with appropriate approvals?
MFA Enforcement with Exceptions
Do you enforce multi-factor authentication for critical accounts with a documented exceptions process?
Security Configuration Standards Maintenance
Do you maintain security configuration standards for enterprise platforms (Google Workspace, Microsoft 365, collaboration tools)?
Periodic Access Reviews and Revocation
Do you conduct periodic access reviews for corporate systems with documented revocation procedures?
Organizational Social Media Security
Do you maintain procedures for securing organizational social media and external service accounts?
Ownership Verification for External Accounts
Do you have procedures for verifying ownership and preventing unauthorized use of organizational external accounts?
Domain Registration and DNS Management
Do you maintain security procedures for domain registration and DNS management (registrar lock, change controls)?
DNS Change Validation and Approval
Do you have procedures for validating and approving DNS changes with appropriate documentation?
Section 4: Password & Credential Management
Password Policy Requirements and Rotation
Do you maintain documented password requirements with risk-based complexity and rotation standards?
Secure Password Storage and Transmission
Do you have procedures for secure password storage and transmission (password managers, encrypted channels)?
Credential Rotation Based on Risk
Do you maintain procedures for credential rotation based on risk, time intervals, or security events?
Enhanced Controls for High-Privilege Credentials
Do you have enhanced controls for high-privilege credentials (admin accounts, service accounts, API keys)?
Section 5: Development Environment Security
Evaluation Criteria for Development Tools
Do you maintain criteria for evaluating and approving development tools (IDEs, extensions, libraries, AI assistants)?
Access Control for Source Code Repositories
Do you maintain access control procedures for source code repositories with role-based permissions?
Sensitive Data Exposure Prevention in Repositories
Do you have procedures for preventing exposure of sensitive information in code repositories?
Dev Dependencies and Supply Chain Management
Do you have procedures for managing development dependencies and supply chain risks?
Section 6: Network & Communication Security
Secure Network Access Procedures
Do you maintain procedures for secure network access, including remote access methods (primarily for organizations with physical offices; if you have none, select N/A)?
Secure Organizational Communication Channels
Do you maintain procedures for securing organizational communication channels (email, messaging, collaboration tools)?
Identity Verification for Sensitive Communications
Do you have procedures for verifying identity in sensitive communications to prevent impersonation?
Employee Travel Security Procedures
Do you maintain security procedures specific to employee travel (device handling, network usage, data access)?
Section 7: Monitoring & Incident Response
Workspace Security Incident Response
Do you maintain procedures for detecting and responding to workspace security incidents (account takeovers, data leaks, device compromise)?
Workspace Incident Response Procedures
Do you have documented response procedures for different types of workspace security incidents?
Section 8: Employee Lifecycle & Training
Security Onboarding: Provisioning and Training
Do you maintain security onboarding procedures including device provisioning, account creation, and initial training?
Pre-Access Identity and Authorization Verification
Do you have procedures for verifying employee identity and authorization before granting access?
Workspace Security Awareness Program Updates
Do you maintain a security awareness program covering workspace security topics with regular updates?
Offboarding Procedures: Access Revocation and Return
Do you maintain comprehensive offboarding procedures including access revocation, device return, and credential rotation?
Adjusting Access Rights on Role Change
Do you maintain procedures for adjusting access rights when employees change roles?
Periodic Review of Access Permissions
Do you conduct periodic reviews to identify and remove unnecessary access permissions?