
BAS Cybersecurity Hardening Acceptance Checklist

This BAS Cybersecurity Hardening Acceptance Checklist verifies the controls that should be in place before owner turnover: credentials, segmentation, firmwar...


Inspection Details and Scope

Credential and Account Hardening

Verify that no default passwords remain on controllers, servers, gateways, workstations, or network devices.
Shared administrative logins should not be used for routine BAS administration unless explicitly approved and documented.
Confirm that accounts created for installation, testing, or factory support are disabled or removed before turnover.
Verify password minimum length, complexity, and rotation requirements are documented and enforced wherever the platform supports them.
Confirm access lists are restricted to approved owner, integrator, and support personnel with a documented need.
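The account items above can be checked mechanically against an exported account inventory rather than by eyeballing each device. The script below is an added example and is not part of the MangoApps template: the record fields, the naming markers used to spot temporary accounts, and the approved-user list are all assumptions, and the sample rows are constructed. It flags enabled accounts that still carry a default password, installation/test/factory accounts that were never removed, shared admin logins without a documented approval, and named users who are not on the turnover access list.

```python
# Added example (not from the template): review an exported BAS account
# inventory against the credential-hardening checklist items.
import re
from dataclasses import dataclass

# Name fragments that typically mark installation, commissioning, test or
# factory-support accounts. Assumption: adapt to the integrator's naming.
TEMPORARY_MARKERS = re.compile(r"install|commission|test|factory|vendor|temp|demo", re.I)

# Named users on the turnover access list (constructed sample).
APPROVED_USERS = {"jdoe", "asmith", "integrator_rlee"}


@dataclass(frozen=True)
class Account:
    device: str
    username: str
    enabled: bool
    admin: bool
    shared: bool            # login used by more than one person
    approved_shared: bool   # shared use has a documented owner approval
    password_changed: bool  # factory/default password has been replaced


def review_accounts(accounts):
    """Return (device, username, finding) tuples for turnover blockers."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # disabled accounts are not blockers; confirm removal separately
        if not a.password_changed:
            findings.append((a.device, a.username, "default password still set"))
        if TEMPORARY_MARKERS.search(a.username):
            findings.append((a.device, a.username, "temporary/support account still enabled"))
            continue  # removal is the fix; the remaining checks are moot
        if a.shared and a.admin and not a.approved_shared:
            findings.append((a.device, a.username, "shared admin login without documented approval"))
        if not a.shared and a.username not in APPROVED_USERS:
            findings.append((a.device, a.username, "named account not on approved access list"))
    return findings


# Constructed sample export: one row per account per device.
SAMPLE_ACCOUNTS = [
    Account("bas-server-01", "jdoe", True, True, False, False, True),
    Account("bas-server-01", "install_tech", True, False, False, False, True),
    Account("jace-lvl2-03", "admin", True, True, True, False, False),
    Account("jace-lvl2-03", "factorysupport", False, True, False, False, False),
    Account("gw-bacnet-01", "operator", True, False, True, True, True),
    Account("bas-server-01", "asmith", True, False, False, False, True),
    Account("bas-server-01", "contractor9", True, False, False, False, True),
]

if __name__ == "__main__":
    for device, user, finding in review_accounts(SAMPLE_ACCOUNTS):
        print(f"{device}: {user}: {finding}")
```

The `password_changed` field has to come from the device itself (most platforms expose a "password last changed" timestamp or a forced-change flag); an inventory that only lists usernames cannot answer the default-password item, and the script treats a missing value as a finding rather than a pass.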

Network Segmentation and Architecture

Verify the BAS network is separated from the enterprise network and any other untrusted network using VLANs, firewalls, ACLs, or equivalent controls.
Confirm no BAS controllers, HMIs, or gateways are directly exposed to the internet unless formally approved and risk-assessed.
Verify that inbound and outbound rules supporting BAS communications are documented and limited to required services.
Confirm remote support access uses an approved VPN, jump host, or secure gateway rather than direct device access.
Verify the as-built network diagram shows controllers, servers, gateways, firewalls, and remote access points.
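A review of the firewall rules that carry BAS traffic is the quickest way to test the segmentation and remote-access items above together. The following is an added example, not part of the template: the rule record, the zone names, the documented-rule list and the BAS port assignments are assumptions (the BACnet/IP port 47808 and the RDP/SSH/VNC ports are standard; everything else is constructed). It flags allow rules that are missing from the turnover documentation, that expose the BAS zone directly to the internet without an approved exception, that are open to any port or protocol, or that let interactive admin sessions in from anywhere but the jump host.

```python
# Added example (not from the template): review a simplified firewall rule
# export for rules that touch the BAS zone.
from dataclasses import dataclass
from typing import Optional

# Zone names as they appear in the (assumed) rule export.
BAS_ZONES = {"bas"}
INTERNET_ZONES = {"internet"}
ADMIN_ZONES = {"jump"}           # only source allowed to open interactive admin sessions
ADMIN_PORTS = {22, 3389, 5900}   # ssh, rdp, vnc

# Rule names listed in the turnover firewall documentation, and rules with a
# signed risk acceptance for direct internet exposure (both constructed).
DOCUMENTED_RULES = {"fw-corp-to-supervisor-https", "fw-jump-to-bas-rdp", "fw-bas-to-ntp"}
APPROVED_EXPOSURES = set()


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    transport: str        # "tcp", "udp" or "any"
    port: Optional[int]   # None means any port
    action: str           # "allow" or "deny"


def review_rules(rules):
    """Return (rule name, finding) tuples for allow rules that touch the BAS zone."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        inbound = r.dst_zone in BAS_ZONES
        if not inbound and r.src_zone not in BAS_ZONES:
            continue  # does not carry BAS traffic
        if r.name not in DOCUMENTED_RULES:
            findings.append((r.name, "rule not in turnover firewall documentation"))
        if inbound and r.src_zone in INTERNET_ZONES and r.name not in APPROVED_EXPOSURES:
            findings.append((r.name, "inbound from internet to BAS without approved exposure"))
        if r.port is None or r.transport == "any":
            findings.append((r.name, "not limited to a required service (any port/protocol)"))
        if inbound and r.port in ADMIN_PORTS and r.src_zone not in ADMIN_ZONES:
            findings.append((r.name, "interactive admin access not via jump host"))
    return findings


# Constructed rule export.
SAMPLE_RULES = [
    Rule("fw-corp-to-supervisor-https", "corp", "bas", "tcp", 443, "allow"),
    Rule("fw-jump-to-bas-rdp", "jump", "bas", "tcp", 3389, "allow"),
    Rule("fw-bas-to-ntp", "bas", "mgmt", "udp", 123, "allow"),
    Rule("temp-vendor-any", "internet", "bas", "any", None, "allow"),
    Rule("corp-rdp-to-bas", "corp", "bas", "tcp", 3389, "allow"),
    Rule("corp-to-bacnet", "corp", "bas", "udp", 47808, "allow"),  # BACnet/IP
    Rule("deny-all", "any", "any", "any", None, "deny"),
]

if __name__ == "__main__":
    for name, finding in review_rules(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

Note that the `corp-to-bacnet` rule is flagged only because it is undocumented; whether workstations on the corporate network should reach BACnet/IP at all is an architecture decision the as-built diagram has to settle, and the script cannot make it.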

Firmware, Patch, and Device Baseline

Record firmware or software versions for BAS servers, supervisory controllers, field controllers, gateways, and network appliances.
Verify versions are at or above the approved project baseline and that no device runs a release the vendor no longer supports.
Confirm available security updates have been applied or deferred with documented owner approval and risk acceptance.
Confirm unnecessary services, ports, and protocols are disabled or blocked at the device or network layer.
Verify a current configuration backup or restore image exists for critical BAS servers and controllers.
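Recording versions is only half of the baseline item; the other half is comparing them. The script below is an added example, not part of the template: the device classes, baseline versions, unsupported-release prefixes and inventory fields are constructed, and it assumes versions are plain dotted numerics (a leading "v" and trailing build tags are tolerated). It reports devices on an unsupported release, devices below the class baseline, pending security updates with no documented deferral, and devices with no verified configuration backup.

```python
# Added example (not from the template): compare recorded firmware/software
# versions against an approved project baseline.
import re


def parse_version(text):
    """'v4.10.6-build2' -> (4, 10, 6); a leading 'v' and trailing tags are ignored."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_unsupported(version, unsupported):
    """Entries in `unsupported` are prefixes: '3' covers every 3.x, '2.5' every 2.5.y."""
    v = parse_version(version)
    return any(v[:len(u)] == u for u in map(parse_version, unsupported))


# Approved project baseline per device class (constructed).
BASELINE = {
    "supervisor": {"min": "4.10.6", "unsupported": ["3"]},
    "field-controller": {"min": "2.8.1", "unsupported": ["2.5", "1"]},
    "gateway": {"min": "1.3.0", "unsupported": []},
}


def check_device(d):
    """Findings for one inventory record (a dict; see SAMPLE_DEVICES for the fields)."""
    base = BASELINE.get(d["class"])
    if base is None:
        return [(d["name"], f"no baseline defined for class {d['class']!r}")]
    findings = []
    if is_unsupported(d["version"], base["unsupported"]):
        findings.append((d["name"], f"unsupported release {d['version']}"))
    elif parse_version(d["version"]) < parse_version(base["min"]):
        findings.append((d["name"], f"{d['version']} below baseline {base['min']}"))
    if d.get("pending_updates") and not d.get("deferral_approved"):
        findings.append((d["name"], "security updates pending without documented deferral"))
    if not d.get("backup_verified"):
        findings.append((d["name"], "no verified configuration backup"))
    return findings


def check_inventory(inventory):
    return [f for d in inventory for f in check_device(d)]


# Constructed inventory as recorded during the walk-down.
SAMPLE_DEVICES = [
    {"name": "bas-server-01", "class": "supervisor", "version": "4.10.6",
     "pending_updates": False, "backup_verified": True},
    {"name": "jace-lvl2-03", "class": "supervisor", "version": "v4.9.0",
     "pending_updates": True, "deferral_approved": False, "backup_verified": True},
    {"name": "fc-ahu-01", "class": "field-controller", "version": "2.5.9-build7",
     "pending_updates": False, "backup_verified": False},
    {"name": "gw-bacnet-01", "class": "gateway", "version": "1.3.2",
     "pending_updates": True, "deferral_approved": True, "backup_verified": True},
    {"name": "sw-bas-core", "class": "switch", "version": "9.2", "backup_verified": True},
]

if __name__ == "__main__":
    for name, finding in check_inventory(SAMPLE_DEVICES):
        print(f"{name}: {finding}")
```

A device class with no baseline entry (the switch here) is itself reported, since a missing baseline usually means the network appliances were never brought into scope rather than that they are fine.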

Remote Access and Monitoring Controls

Verify remote access pathways are closed or disabled unless actively needed and approved.
Confirm MFA is enabled for VPN, remote desktop, cloud portals, or other remote access methods when available.
Verify login events, session start/stop, and administrative actions are retained in system logs and, where available, forwarded to a SIEM.
Confirm servers, controllers, and gateways use a consistent time source for accurate event logging and incident review.
Verify there is a defined process for reviewing failed logins, configuration changes, and suspicious remote access activity.
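The review process the last item asks for needs something concrete to run against the logs. The script below is an added example, not part of the template: the syslog-style line format, the event names, the jump-host address and the thresholds are assumptions (real BAS servers and controllers each log in their own format), and the log lines and clock readings are constructed. It detects failed-login bursts per source, a successful login from a source shortly after such a burst, and admin or configuration actions that did not originate from the approved jump host; a small helper also checks the clock-consistency item by comparing each device's reported time against a reference.

```python
# Added example (not from the template): first-pass review of BAS login and
# administrative events, plus a device clock-skew check.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: "<iso-timestamp> <host> bas: <EVENT> user=<u> src=<ip> [detail=...]"
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) bas: (?P<event>LOGIN_FAIL|LOGIN_OK|ADMIN_ACTION|CONFIG_CHANGE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: detail=(?P<detail>.*))?$"
)

JUMP_HOSTS = {"10.1.1.10"}          # approved remote-admin sources (constructed)
LOCAL_SOURCES = {"console"}         # physical console is not remote access
FAIL_THRESHOLD = 5
FAIL_WINDOW = timedelta(minutes=10)


def parse(lines):
    """Parse matching lines into dicts with a datetime 'ts'; unmatched lines are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # a real review should count and sample unparsed lines
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return events


def review_events(events):
    """Return (host, finding) tuples."""
    findings = []
    fails = defaultdict(list)   # (host, src) -> timestamps of recent failures
    bursts = {}                 # (host, src) -> time the burst was first detected
    for e in sorted(events, key=lambda e: e["ts"]):
        key = (e["host"], e["src"])
        if e["event"] == "LOGIN_FAIL":
            bucket = fails[key]
            bucket.append(e["ts"])
            while e["ts"] - bucket[0] > FAIL_WINDOW:   # drop failures outside the window
                bucket.pop(0)
            if len(bucket) >= FAIL_THRESHOLD and key not in bursts:
                bursts[key] = e["ts"]
                findings.append((e["host"], f"{FAIL_THRESHOLD} failed logins from {e['src']} within {FAIL_WINDOW}"))
        elif e["event"] == "LOGIN_OK" and key in bursts and e["ts"] - bursts[key] <= FAIL_WINDOW:
            findings.append((e["host"], f"successful login for {e['user']} from {e['src']} shortly after failed-login burst"))
    for e in events:
        if e["event"] in ("ADMIN_ACTION", "CONFIG_CHANGE") and e["src"] not in JUMP_HOSTS | LOCAL_SOURCES:
            findings.append((e["host"], f"{e['event']} by {e['user']} from non-jump source {e['src']}"))
    return findings


def clock_skew(reported, reference, tolerance=timedelta(seconds=30)):
    """reported: {device: datetime read from that device at `reference` time}."""
    return [(dev, abs(t - reference)) for dev, t in reported.items() if abs(t - reference) > tolerance]


# Constructed sample log.
SAMPLE_LOG = """\
2024-05-06T08:00:01 bas-server-01 bas: LOGIN_OK user=jdoe src=10.1.1.10
2024-05-06T08:02:10 jace-lvl2-03 bas: LOGIN_FAIL user=admin src=192.168.50.7
2024-05-06T08:02:15 jace-lvl2-03 bas: LOGIN_FAIL user=admin src=192.168.50.7
2024-05-06T08:02:20 jace-lvl2-03 bas: LOGIN_FAIL user=admin src=192.168.50.7
2024-05-06T08:02:25 jace-lvl2-03 bas: LOGIN_FAIL user=admin src=192.168.50.7
2024-05-06T08:02:31 jace-lvl2-03 bas: LOGIN_FAIL user=admin src=192.168.50.7
2024-05-06T08:03:00 jace-lvl2-03 bas: LOGIN_OK user=admin src=192.168.50.7
2024-05-06T08:15:42 bas-server-01 bas: CONFIG_CHANGE user=asmith src=10.1.1.10 detail=schedule AHU-1 updated
2024-05-06T21:47:09 bas-server-01 bas: ADMIN_ACTION user=vendor_support src=203.0.113.44 detail=user created
2024-05-06T09:00:00 fc-ahu-01 bas: LOGIN_FAIL user=tech src=10.1.1.10
""".splitlines()

# Constructed clock readings taken at the same moment from each device.
REFERENCE = datetime(2024, 5, 6, 10, 0, 0)
SAMPLE_CLOCKS = {
    "bas-server-01": REFERENCE,
    "jace-lvl2-03": REFERENCE + timedelta(seconds=4),
    "fc-ahu-01": REFERENCE - timedelta(minutes=37),
}

if __name__ == "__main__":
    for host, finding in review_events(parse(SAMPLE_LOG)):
        print(f"{host}: {finding}")
    for dev, skew in clock_skew(SAMPLE_CLOCKS, REFERENCE):
        print(f"{dev}: clock off by {skew}")
```

The burst-then-success pattern is the one worth acting on at turnover: five failures followed by a success from the same source against the shared `admin` login is exactly what a default or weak password looks like in the logs, and the skewed field controller clock is why the time-source item sits in the same section, since a 37-minute offset makes that sequence impossible to reconstruct across devices.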

Turnover Documentation and Acceptance

Confirm delivery of network diagrams, account inventory, firmware baseline, backup/restore procedure, and remote access instructions.
Record any unresolved items, compensating controls, and target dates for closure.

Generated with MangoApps Templates