Without regular reviews, outdated software, forgotten user accounts, and weak passwords can create entry points for hackers—a manufacturing unit in Gujarat lost ₹45 lakhs when attackers accessed its ERP system through an old admin account no one remembered existed. If you suffer a data breach and cannot prove you reviewed security recently, customers like Flipkart or Amazon will reject you as a supplier, and RBI/government auditors may impose fines under the DPDP Act. Your operations could halt if ransomware locks up your billing or inventory system because a security gap was never patched. Audits for GST, ISO, or export compliance will fail if you have no documented security review.
Find where your organisation is today. Be honest — the self-assessment is only useful if it reflects reality.
- Absent: You have no formal process for checking infrastructure security. You only react when something breaks or a customer complains about access issues.
- Initial: You have done an informal walk-through once—maybe someone checked passwords or old user accounts—but there is no written record and no systematic plan to repeat it.
- Developing: You have a basic checklist and completed one review in the past 12 months; the findings are noted but not all problems have been fixed yet.
- Defined: You review infrastructure security annually using a documented checklist covering servers, networks, user access, and patch status; findings are tracked and remediation is underway.
- Managed: You conduct structured security reviews twice per year with assigned responsibility; all findings are tracked in a register with remediation deadlines, and improvements from the last review are verified.
- Optimised: You maintain a continuous security review process with quarterly formal assessments, automated monitoring for changes, a living audit trail, and rapid response to any gaps discovered.
| Step | What to Do | Who | Effort |
|---|---|---|---|
| 0 → 1 | Schedule a half-day session with your IT person (or local IT consultant) to walk through all servers, routers, and computers and list what is installed, who has access, and which systems have not been updated in over 6 months. Write down findings in a simple Word document. | IT Manager or hired consultant | 4–6 hours, one-time |
| 1 → 2 | Create a one-page Infrastructure Security Review Checklist covering: server OS versions and patch dates, active user accounts and their permissions, router/firewall configuration date, antivirus status on all machines, and backup verification. Complete the checklist and save it with a date. | IT Manager or consultant with business owner review | 2–3 days |
| 2 → 3 | Expand the checklist to include network diagram (even hand-drawn), list of all devices with IP addresses, password policy check, and review of which employees still have access after leaving the company. Assign findings to responsible people with 30-day fix deadlines and track completion. | IT Manager with CFO or Operations head | 2–4 weeks |
| 3 → 4 | Establish a formal Infrastructure Security Review Schedule (e.g., every June and December). Create a register to track all findings, assign ownership, set remediation dates, and hold monthly check-ins to verify fixes. Document evidence (screenshots, patch reports, access lists) for each review cycle. | IT Manager with IT Governance Committee (business owner + finance head) | 1–2 months setup, then 8–10 hours per review |
| 4 → 5 | Implement automated tools to monitor infrastructure changes (system patches, new user accounts, firewall rule changes) between reviews. Conduct surprise mini-audits quarterly. Document all findings, remediation, and verification in a centralized system. Train a backup person on the review process for continuity. | IT Manager with external security advisor | Ongoing—8–12 hours per month |
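The walk-through, leaver check and remediation-register steps above (and the manual account review listed later under tools) turned into a small script. This is an added example, not code from this page or the NIRMATA programme: it reads a constructed device inventory and account export, flags devices not patched in over 6 months, accounts of employees who have left, and dormant accounts, and emits register rows with an owner and a 30-day due date. The column names, hostnames, usernames, review date and "IT Manager" owner are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data (not real systems): a device inventory as the step 0 -> 1
# walk-through records it, and an account export (e.g. from AD or `getent passwd`)
# joined with the HR leaving date where one exists.
INVENTORY_CSV = """hostname,os,last_patch,owner
erp-srv01,Windows Server 2019,2024-01-15,IT Manager
billing-db,Ubuntu 22.04,2024-09-02,IT Manager
fw-edge,RouterOS,2023-11-30,IT Manager"""

ACCOUNTS_CSV = """username,system,last_login,left_company
admin_old,erp-srv01,2023-02-10,
rkumar,billing-db,2024-08-20,2024-07-31
priya,erp-srv01,2024-10-01,"""

REVIEW_DATE = date(2024, 11, 1)  # assumed date of the review session

def parse_csv(text):
    """Minimal CSV reader; the sample fields contain no commas or quoting."""
    rows = [line.split(",") for line in text.strip().splitlines()]
    return [dict(zip(rows[0], r)) for r in rows[1:]]

def review(inventory_csv, accounts_csv, today, stale_days=180, fix_days=30, owner="IT Manager"):
    """Build the remediation register. stale_days=180 mirrors the checklist's
    'not updated in over 6 months'; fix_days=30 mirrors the 30-day fix deadline."""
    due = (today + timedelta(days=fix_days)).isoformat()
    findings = []
    for dev in parse_csv(inventory_csv):
        age = (today - date.fromisoformat(dev["last_patch"])).days
        if age > stale_days:
            findings.append({"item": dev["hostname"], "issue": f"no patches for {age} days",
                             "owner": dev["owner"], "due": due})
    for acct in parse_csv(accounts_csv):
        label = f"{acct['username']}@{acct['system']}"
        if acct["left_company"]:  # leaver still has a live account: highest priority
            findings.append({"item": label, "issue": f"active account; employee left {acct['left_company']}",
                             "owner": owner, "due": due})
        elif (today - date.fromisoformat(acct["last_login"])).days > stale_days:
            findings.append({"item": label, "issue": "dormant account; no login in 6 months",
                             "owner": owner, "due": due})
    return findings

def register_lines(findings):
    """Render findings as the dated register rows the evidence list asks for."""
    cols = ("item", "issue", "owner", "due")
    return [",".join(cols)] + [",".join(f[c] for c in cols) for f in findings]

if __name__ == "__main__":
    for line in register_lines(review(INVENTORY_CSV, ACCOUNTS_CSV, REVIEW_DATE)):
        print(line)
```

Save the printed rows with the review date alongside the signed checklist; the same script run at the next cycle shows which findings closed.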
Documents and records that prove your maturity level.
- Dated Infrastructure Security Review Report or Checklist for the past 12 months, signed and filed by IT Manager
- List of all servers, computers, routers, and network devices with OS version, last patch date, and responsible owner
- User Access Audit Report showing all active user accounts, their roles, and date of last verification
- Remediation Log or Register tracking all security findings, remediation actions, completion dates, and sign-offs
- Email or meeting minutes showing review results were discussed with management and actions assigned
Prepare for these questions from customers or third-party reviewers.
- "When was your last infrastructure security review, and can you show me the documented findings?"
- "How do you verify that all servers and workstations are running current, patched versions of their operating systems?"
- "Show me your list of all user accounts with access to critical systems—how do you ensure terminated employees no longer have access?"
- "What infrastructure security issues were identified in your last review, and what is the status of remediation?"
- "If a new threat emerges (like a critical Windows or Linux vulnerability), how do you know if your systems are affected and who is responsible for patching?"
| Purpose | Free Option | Paid Option |
|---|---|---|
| Scan all computers and servers to list installed software, OS version, and missing patches automatically | GlassWire (limited version) or Nessus Essentials (free for up to 16 IPs) | Qualys VMDR (₹3–5 lakhs/year) or Rapid7 InsightVM (₹2–4 lakhs/year) |
| Document network diagram and all connected devices with IP addresses, OS, and last update date | Lucidchart (free tier with limits) or draw.io (free, open-source) | Microsoft Visio (₹15,000–20,000 per license) |
| Create and maintain audit checklists, track findings, assign remediation tasks, and monitor closure | Google Forms or Microsoft Forms for basic checklist, Google Sheets or LibreOffice Calc for tracking | AuditBoard (₹5–10 lakhs/year) or ServiceNow GRC (₹10–15 lakhs/year) |
| Monitor user accounts across all systems and alert when new accounts are created or permissions change | Manual monthly review using built-in OS tools (Windows Active Directory Users & Computers, Linux id/getent commands) | Okta Identity Platform (₹2–3 lakhs/year) or JumpCloud (₹1–2 lakhs/year) |
| Generate automated patch status reports to see which machines are missing critical updates | WSUS for Windows or Canonical Livepatch for Ubuntu (free but limited) | Automox (₹1–2 lakhs/year) or ManageEngine Patch Manager Plus (₹40,000–50,000/year) |
- Doing a review once and then forgetting about it for 2 years—mark the review date on your calendar and set an annual reminder so you do not miss the 12-month window.
- Asking the office boy or junior staff member to 'check computers' without a proper checklist or training—infrastructure reviews must be done by or supervised by someone with technical knowledge.
- Reviewing only passwords and user accounts but ignoring servers, routers, and patch levels—a comprehensive review must cover all layers: applications, systems, networks, and physical access.
- Finding problems in the review but never fixing them because no one is assigned responsibility or given a deadline—always create a remediation register with owner names and due dates.
- Not keeping records of reviews—if CERT-In or a customer audits you, you have no proof that you reviewed security; always save dated reports and sign-off emails.
| Standard | Relevant Section |
|---|---|
| DPDP Act 2023 | Section 8 (Security safeguards) and Rule 7 (Periodic assessment of security measures) |
| CERT-In Advisory | Guidelines on Cybersecurity Practices (2022)—clause on regular risk assessments and maintenance of infrastructure |
| ISO 27001:2022 | Annex A.5.20 (Monitoring) and A.12.6.1 (Management of technical vulnerabilities) |
| NIST CSF 2.0 | Govern function (GV)—GV.RO-02 (Define and communicate roles for infrastructure review) and Protect function (PR)—PR.PS-04 (Continuous monitoring) |