A practical IT infrastructure audit checklist for BC businesses. Review servers, network, security, backups, and compliance to identify risks before they become incidents.
Most IT problems that bring a business to a managed IT provider were visible months before they became critical: servers running past end-of-life, backup jobs that had not been tested in over a year, accounts belonging to former employees still active with full permissions. A structured IT infrastructure audit identifies these risks before they cause downtime, a security incident, or a compliance finding.
This checklist covers the areas that matter most for BC businesses. It is designed to be useful whether you are conducting an internal review, preparing for a managed IT engagement, or evaluating your current provider’s thoroughness.
1. Hardware Inventory and End-of-Life Status
The starting point for any infrastructure audit is a complete inventory of physical and virtual hardware.
Servers. Document each server: manufacturer, model, purchase date, operating system version, and current warranty status. Flag any server running an operating system past its end-of-support date. Windows Server 2012 and 2012 R2 reached end of support in October 2023. Systems running these versions are no longer receiving security patches from Microsoft.
Workstations. Inventory all desktop and laptop computers, noting operating system, RAM, storage capacity, and purchase date. Workstations older than four to five years in business use often have performance issues that erode productivity in ways that go unmeasured. Hardware older than six years typically represents meaningful security and reliability risk.
Network hardware. Document all switches, routers, wireless access points, and firewalls. Note firmware versions and whether automatic firmware updates are configured. Network hardware is one of the most frequently overlooked categories in infrastructure reviews. Firmware vulnerabilities on network equipment are a well-documented attack vector.
Uninterruptible power supplies. UPS units have a battery lifespan of three to five years. Aging batteries that appear functional may fail to hold charge during an actual power event. Note the age of each UPS and when batteries were last tested or replaced.
2. Software and Licensing
Operating system patch levels. Verify that all workstations and servers are current on operating system patches. In a managed environment, this is enforced by patch management policies. In an unmanaged environment, it is common to find systems that have not received patches for months due to deferred restarts or excluded update policies.
Third-party application versions. Operating system patches are table stakes. Equally important are patches for browsers, PDF readers, Office applications, Java, and line-of-business applications. Vulnerabilities in unpatched third-party software are among the most common entry points for malware.
License compliance. Verify that software installations match purchased licences. This matters both for compliance with vendor agreements and for identifying unlicensed software that may carry security risk.
End-of-life applications. Identify any applications running versions that are no longer supported by the vendor. This is particularly relevant for ERP platforms like older versions of Sage 300, where running an unsupported version means no security patches and no vendor support if something breaks.
3. User Accounts and Access Controls
Active Directory or Azure AD review. Pull a list of all active user accounts and compare against current employees. Former employee accounts that remain active are a significant security risk. They may retain access to sensitive systems and files, and are frequently targeted in credential-based attacks because they are less likely to be monitored.
Privileged account review. Identify all accounts with administrator or elevated permissions. Administrators should have separate privileged accounts distinct from their daily-use accounts. Privileged access should be limited to the minimum required for each role.
Service accounts. Document all service accounts (accounts used by applications and automated processes rather than people). Service accounts often have elevated permissions and are frequently set up without expiry dates. Auditing these accounts identifies permissions that can be scoped down or accounts that are no longer in use.
Multi-factor authentication enforcement. Verify that MFA is enforced for all user accounts, particularly for remote access, administrative accounts, and cloud services. Accounts without MFA are significantly more vulnerable to credential attacks.
Password policy. Confirm that password complexity and expiry policies are configured and enforced. The current guidance from NIST and Microsoft favours longer passphrases over the older combination of complex character requirements and short expiry windows, but any enforced password policy is better than none.
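The account, privileged-access, service-account and MFA checks in this section can be run mechanically over a directory export. The script below is an added example, not part of the original checklist. The CSV column names, the "-adm" admin naming convention, the 90-day stale threshold and all sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample data. Column names are assumptions standing in for
# whatever your directory export and HR roster actually contain.
DIRECTORY_EXPORT = """\
account,enabled,last_logon,is_admin,is_service,mfa,expires
asmith,True,2025-05-28,False,False,True,
bjones,True,2024-11-02,True,False,False,
cwong,True,2025-05-30,True,False,True,
cwong-adm,True,2025-05-29,True,False,True,
svc-backup,True,2025-05-31,True,True,False,
dlee,False,2023-08-14,False,False,False,
"""
HR_ROSTER = {"asmith", "cwong"}          # current employees (constructed)
ADMIN_SUFFIX = "-adm"                    # hypothetical naming convention


def review_accounts(export_csv, roster, today, stale_days=90):
    """Return {account: [findings]} for enabled accounts in the export."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        if row["enabled"] != "True":
            continue                      # disabled accounts are out of scope
        name, notes = row["account"], []
        is_admin = row["is_admin"] == "True"
        is_service = row["is_service"] == "True"
        owner = name.removesuffix(ADMIN_SUFFIX)
        if not is_service and owner not in roster:
            notes.append("enabled account with no matching current employee")
        idle = (today - date.fromisoformat(row["last_logon"])).days
        if idle > stale_days:
            notes.append(f"no logon for {idle} days")
        if is_admin and not is_service and not name.endswith(ADMIN_SUFFIX):
            notes.append("admin rights on a daily-use account")
        if is_service and is_admin:
            notes.append("service account with admin rights: scope down")
        if is_service and not row["expires"]:
            notes.append("service account has no expiry date")
        if not is_service and row["mfa"] != "True":
            notes.append("MFA not enforced")
        if notes:
            findings[name] = notes
    return findings


if __name__ == "__main__":
    report = review_accounts(DIRECTORY_EXPORT, HR_ROSTER, date(2025, 6, 1))
    print("\n".join(f"{a}: {'; '.join(n)}" for a, n in report.items()))
```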
4. Network Security and Configuration
Firewall rule review. Pull the current firewall ruleset and review for rules that are overly permissive, outdated, or no longer needed. Rules allowing inbound access from any IP address, or rules created for temporary purposes that were never removed, are common findings.
Network segmentation. Verify whether your network is segmented into separate zones: guest wireless, corporate wireless, server network, and any operational technology or industrial equipment networks. Flat networks where all devices communicate freely with all other devices increase the blast radius of a security incident.
Remote access configuration. If remote access is provided via VPN, verify the VPN solution is current and that access is restricted to authorised users. Remote Desktop Protocol (RDP) exposed directly to the internet is a significant and well-documented risk. Any direct RDP exposure should be treated as a critical finding.
DNS and email security records. Verify SPF, DKIM, and DMARC records are configured correctly for your email domain. These records reduce the risk of your domain being used in phishing attacks and improve email deliverability. Missing or misconfigured records are a common finding that is relatively straightforward to correct.
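What "configured correctly" means for SPF and DMARC can be checked from the TXT strings themselves. The function below is an added example, not part of the original checklist. It takes records you have already looked up (for instance with dig or nslookup) so that it runs offline. DKIM is left out because checking it requires knowing the selector name your mail platform uses. The sample records and example.* domains are constructed.

```python
def audit_email_records(apex_txt, dmarc_txt):
    """Findings from TXT strings at the domain (SPF) and at _dmarc.<domain>."""
    out = []
    spf = [t.lower().split() for t in apex_txt if t.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        out.append("SPF: no record published")
    elif len(spf) > 1:
        out.append("SPF: multiple records, which receivers treat as an error")
    else:
        alls = [t for t in spf[0] if t.lstrip("+-~?") == "all"]
        redirect = any(t.startswith("redirect=") for t in spf[0])
        if not alls and not redirect:     # redirect= defers to another record
            out.append("SPF: no 'all' term, unlisted senders get a neutral result")
        elif alls and alls[0][0] in "+a":  # "+all" and bare "all" both mean pass
            out.append("SPF: 'all' passes every sender")
        elif alls and alls[0][0] == "?":
            out.append("SPF: '?all' is neutral, unlisted senders are not rejected")
    dmarc = [t for t in dmarc_txt if t.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        out.append("DMARC: no record published")
    elif len(dmarc) > 1:
        out.append("DMARC: multiple records, so receivers apply no policy")
    else:
        pairs = (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)
        tags = {k.strip().lower(): v.strip() for k, v in pairs}
        policy = tags.get("p", "").lower()
        if policy == "none":
            out.append("DMARC: p=none requests no action on failing mail")
        elif policy not in ("quarantine", "reject"):
            out.append("DMARC: missing or invalid p= tag")
        if "rua" not in tags:
            out.append("DMARC: no rua= address, aggregate reports are not collected")
    return out


# Constructed sample records; example.* domains are placeholders.
SAMPLES = {
    "example.com": (["v=spf1 include:_spf.example.com -all"],
                    ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]),
    "example.net": (["v=spf1 ip4:203.0.113.10 +all", "site-verification=abc"],
                    ["v=DMARC1; p=none"]),
    "example.org": (["v=spf1 mx ~all", "v=spf1 ip4:198.51.100.7 -all"], []),
}

if __name__ == "__main__":
    for domain, (apex, dmarc) in SAMPLES.items():
        print(domain, audit_email_records(apex, dmarc) or "no findings")
```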
5. Backup and Recovery
Backup coverage. Verify what is being backed up. Common gaps include cloud-hosted data (Microsoft 365 email and SharePoint are not automatically backed up by Microsoft to a restorable point), local workstations, and data stored on network shares that were added after the backup policy was originally configured.
Backup frequency. For most BC businesses, daily backups represent the minimum acceptable frequency for business-critical data. Systems where data changes frequently may require more frequent backup windows.
Offsite or cloud storage. Backups stored only on the same premises as the systems being backed up are vulnerable to the same physical events: fire, flood, theft, or ransomware that encrypts network shares. Verify that backups are replicated offsite or to cloud storage.
Tested restores. A backup that has never been tested is not a reliable backup. Document when backup restores were last tested, what was restored, and whether the restore was successful. If restores have never been tested, that is a critical finding.
Recovery time objective alignment. Understand how long a full recovery from each backup would take and compare that against what your business can tolerate. If your backup strategy would require three days to restore operations and your business cannot tolerate more than four hours of downtime, the strategy needs to change.
6. Security Tools and Coverage
Endpoint protection. Verify that antivirus or endpoint detection and response (EDR) software is installed, active, and current on all workstations and servers. Note the distinction between basic antivirus (signature-based detection) and EDR (behavioural detection with response capabilities). Many BC businesses are running basic antivirus with no visibility into what is happening on their endpoints.
Email security filtering. Verify that email passes through a filtering layer that checks for spam, phishing, and malicious attachments. Microsoft 365 includes basic filtering; more comprehensive email security tools provide additional layers including link scanning and impersonation protection.
Security event logging. Determine whether security events are being logged and whether anyone is reviewing them. A system generating log data that no one is monitoring provides limited security value. Managed IT providers with security operations capability review logs as part of the engagement.
7. BC Regulatory Compliance Considerations
PIPA and PIPEDA. BC businesses are subject to both BC’s Personal Information Protection Act (PIPA) and federal PIPEDA. These laws require that personal information be protected by reasonable security measures. The audit should identify where personal data is stored, who has access to it, and whether retention and disposal practices are documented.
Data residency. Some BC businesses, particularly those in healthcare or those contracting with provincial government agencies, have requirements that personal data be stored on Canadian servers. Verify whether cloud tools, backup platforms, and monitoring systems comply with applicable data residency obligations.
Breach notification readiness. PIPA requires notification to affected individuals and the OIPC if a breach creates a real risk of significant harm. Verify whether your organisation has a documented breach response process and who is responsible for making notification decisions.
Using This Checklist
A thorough infrastructure audit typically takes four to eight hours for a small to mid-sized environment when conducted by an IT professional with remote access to your systems. The output should be a prioritised list of findings with recommended remediation steps.
SFS Technologies conducts infrastructure assessments as part of onboarding new managed IT clients and as standalone engagements for BC businesses that want an independent review of their current environment. Contact us to discuss what an assessment looks like for your business.