# Remote Access / Security Checklist

Use this checklist before replacing a VPN, deploying zero trust access, or giving contractors access to internal systems.

## Access inventory

List each private resource:

| Resource | Owner | Users/groups | Sensitivity | Access method | Notes |
|---|---|---|---|---|---|
| | | | | | |

## Identity controls

- SSO enabled for all users.
- MFA required for all users.
- Contractor accounts have expiry dates.
- Admin accounts are separate from normal accounts.
- SCIM or documented offboarding exists.

## Device controls

- Managed devices identified.
- Unmanaged device policy documented.
- Disk encryption required where appropriate.
- Endpoint protection or posture checks defined.
- Lost-device process documented.

## Network/resource controls

- No user gets broad network access by default.
- Access is granted by group and resource.
- Production systems require separate approval.
- Logs are retained and reviewed.
- Break-glass access exists and is tested.
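
One way to check a filled-in inventory table against the identity and network/resource controls above. This is an added example, not part of the original checklist: the sample rows, the broad-group names, and the `approval:` / `expires:` conventions in the Notes column are assumptions.

```python
import re
from datetime import date

# Constructed sample inventory in the checklist's column layout (not real data).
SAMPLE = """\
| Resource | Owner | Users/groups | Sensitivity | Access method | Notes |
|---|---|---|---|---|---|
| wiki.internal | it-ops | eng, support | low | zero trust | |
| billing-db | | finance-admins | production | zero trust | approval: CHG-0001 |
| build-server | platform | all-staff | medium | VPN | |
| crm | sales-ops | contractors-acme | medium | zero trust | expires: 2024-01-31 |
| payroll | hr | hr-admins | production | VPN | |
"""

# Assumed names for groups that amount to broad, default access.
BROAD = {"all", "all-staff", "everyone", "vpn-users"}

def parse_table(md):
    """Turn a markdown table into a list of dicts keyed by header name."""
    rows = [[c.strip() for c in line.strip().strip("|").split("|")]
            for line in md.splitlines() if line.strip().startswith("|")]
    header, body = rows[0], rows[2:]  # rows[1] is the |---| separator
    return [dict(zip(header, r)) for r in body if any(r)]  # skip blank rows

def audit(rows, today):
    """Return (resource, finding) pairs for rows that miss a checklist control."""
    findings = []
    for r in rows:
        name, notes = r["Resource"], r["Notes"].lower()
        groups = {g.strip().lower() for g in r["Users/groups"].split(",")}
        if not r["Owner"]:
            findings.append((name, "no owner"))
        if groups & BROAD:
            findings.append((name, "broad group access"))
        if r["Sensitivity"].lower() == "production" and "approval:" not in notes:
            findings.append((name, "production without recorded approval"))
        if any(g.startswith("contractor") for g in groups):
            m = re.search(r"expires:\s*(\d{4}-\d{2}-\d{2})", notes)
            if not m:
                findings.append((name, "contractor access without expiry"))
            elif date.fromisoformat(m.group(1)) < today:
                findings.append((name, "contractor access past expiry"))
        if r["Access method"].lower() == "vpn":
            findings.append((name, "still on VPN"))
    return findings

if __name__ == "__main__":
    for resource, finding in audit(parse_table(SAMPLE), date(2024, 6, 1)):
        print(f"{resource}: {finding}")
```

Running the same audit during the monthly access review shows which resources remain on VPN and which contractor grants have lapsed.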

## Migration plan

1. Inventory VPN users and resources.
2. Pilot zero trust access with one low-risk team.
3. Deploy redundant connectors/gateways.
4. Move contractor access first if risk is high.
5. Monitor denied access and support tickets.
6. Retire broad VPN groups gradually.
7. Review access monthly.
