Client Data Protection Scorecard


Answer questions across seven key security and IT control areas to see whether your firm has the visibility, evidence, and ownership needed to show that client-data protection is being actively managed, not merely assumed.


1 - Identity & Access Control

Can your firm prove MFA is enforced for all active users and administrators?
Are privileged/admin accounts reviewed on a recurring cadence?
Are former employees, seasonal staff, and contractors removed promptly from critical systems?
Is there a current user roster that defines who should have access?
Are access exceptions documented with an owner and review date?

2 - Endpoint & Threat Protection

Can your firm prove all active endpoints are covered by endpoint protection?
Are unresolved security alerts reviewed and escalated?
Is there a reliable list of all active laptops, desktops, and servers?
Are unmanaged or missing devices treated as a control deviation?
Can leadership see endpoint coverage without relying solely on vendor assurances?

3 - Backup & Recovery Readiness

Can your firm prove backup jobs succeeded in the last 30 days?
Are Microsoft 365, file shares, and key business systems included in backup scope?
Are newly created accounts, drives, or folders checked for backup coverage?
Has leadership reviewed what data may be unrecoverable?
Are recovery gaps documented before a disruption occurs?

4 - Data Protection & Encryption

Are laptops protected by full-disk encryption?
Are disk-encryption recovery keys escrowed so encrypted data remains recoverable?
Are confidential client files stored only in approved systems?
Are broadly shared folders (for example, those open to all staff) reviewed on a recurring basis?
Are client-data sharing methods documented and controlled?

5 - Platform Stability & Technical Debt

Are critical systems patched within a defined window?
Are unsupported servers, workstations, or applications tracked as risks?
Are public-facing systems regularly reviewed for known security weaknesses that need attention?
Are recurring outages or performance issues escalated into leadership review?
Does leadership know which aging systems could disrupt deadline periods?

6 - Human Risk & Security Culture

Are staff assigned recurring security awareness training?
Is training completion tracked?
Are phishing simulation results reviewed?
Are repeated phishing-simulation failures escalated?
Does leadership know whether human risk is improving, stable, or declining?

7 - Governance, Evidence & Decision Ownership

Does your firm maintain a current source-of-truth user and asset roster?
Are control failures summarized for leadership?
Are exceptions documented with owner, reason, risk, and review date?
Does leadership regularly review which IT and security risks need investment now and which can safely wait?
Can the firm produce evidence within 48 hours if a client, insurer, auditor, or the leadership team asks for it?