
Office security audits: the checklist that survived contact with reality.

Paper checklists become useless fast. After walking through offices with a template that failed repeatedly, here's what the revised version actually catches — and the finding that appears in almost every engagement.

Why template checklists fail

Most physical security audit templates come from compliance frameworks. They ask questions like "Is there a clean desk policy?" and "Are server rooms locked?". The answer is almost always yes. The document gets filed, the auditor leaves, and three weeks later someone photographs a whiteboard full of client names through the glass-walled meeting room.

The gap is between stated policy and observable behaviour. A clean desk policy exists. The CFO's password is on a sticky note under his keyboard. Both things are true simultaneously. A useful audit methodology has to go beyond questions that confirm the policy exists and observe whether it's actually followed.

The walk-through methodology

I run physical security audits in two passes. The first pass is unannounced — arrive with the building manager's permission but without alerting the floor. Walk common areas, meeting rooms, print stations, and server access corridors. Photograph anything notable (with explicit permission in the engagement scope). The second pass is announced — sit down with IT and facilities and verify documentation, access logs, and camera coverage.

The two-pass approach matters because behaviour changes when people know they're being observed. The unannounced pass captures the real operational baseline.

Scope the engagement clearly: physical audits require written permission defining exactly where you can go, what you can photograph, and who you can shadow. No exceptions, even for internal teams. A "just have a look around" engagement without written scope creates liability on both sides.

Wi-Fi segmentation

Guest Wi-Fi that reaches the internal network is the highest-frequency finding across every engagement. The typical scenario: an office has a guest SSID that IT configured years ago. Nobody checked whether it's actually isolated. An Nmap scan from the guest network confirms it reaches internal subnets.

  # quick guest network isolation check
  # connect to guest SSID, then:
  $ nmap -sn 192.168.1.0/24                  # if internal hosts respond — not isolated
  $ traceroute 8.8.8.8                       # verify path goes direct to internet, not through internal gateway
  $ nmap -p 445,3389,22 10.0.0.0/8 --open    # SMB/RDP/SSH open from guest = critical finding
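The same check processed offline, as an added Python example that is not from the original post: it parses the greppable (-oG) output of the final nmap command and grades what it found the way the audit does. The scan output below is constructed, not from a real engagement.

```python
"""Added example: parse nmap greppable (-oG) output captured from the guest
SSID and grade the isolation finding. The scan output is constructed."""
import ipaddress
import re

# Constructed sample of `nmap -oG - -p 445,3389,22 --open ...` run from guest Wi-Fi
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample)
Host: 10.20.4.15 ()\tPorts: 445/open/tcp//microsoft-ds///
Host: 10.20.4.22 ()\tPorts: 22/open/tcp//ssh///, 3389/open/tcp//ms-wbt-server///
Host: 203.0.113.9 ()\tPorts: 22/open/tcp//ssh///
# Nmap done
"""

# Internal address space the guest network must not reach (RFC 1918)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CRITICAL_PORTS = {445: "SMB", 3389: "RDP", 22: "SSH"}


def parse_grepable(text):
    """Return {ip: [open ports]} from the 'Host:' lines of nmap -oG output."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*Ports: (.*)", line)
        if not m:
            continue
        ports = [int(p.split("/")[0]) for p in m.group(2).split(", ") if "/open/" in p]
        hosts[m.group(1)] = ports
    return hosts


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def grade_isolation(hosts):
    """Any internal host responding means the guest SSID is not isolated;
    SMB/RDP/SSH open on one of them makes it a HIGH finding."""
    internal = {ip: ports for ip, ports in hosts.items() if is_internal(ip)}
    if not internal:
        return "PASS", []
    exposed = [(ip, CRITICAL_PORTS[p]) for ip, ports in internal.items()
               for p in ports if p in CRITICAL_PORTS]
    return ("HIGH" if exposed else "MED"), exposed
```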

Badge habits

Tailgating — following an authorised person through a door without badging in — is the social engineering attack that works every time in an untrained office. People hold doors open because it feels rude not to. Three findings appear consistently:

  • Server room tailgating — the door requires a badge but isn't monitored. Holding it open for someone in a hi-vis vest gets through 100% of the time in unannounced tests.
  • Badge sharing — contractors and visitors use an employee's badge rather than getting a visitor badge issued. Appears in access logs as the employee being in two places at once.
  • Deactivated badge access — former employees whose physical access was never removed. Confirmed by cross-referencing the active badge list against HR's offboarding records.
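The two log-based checks above (badge sharing showing up as one badge in two places, and active badges held by offboarded staff), as an added Python example that is not from the original post. The log format, door-to-door travel times, badge ids and names are constructed assumptions.

```python
"""Added example: the two badge-log checks from the post. Log format,
door-to-door travel times, badge ids and names are constructed."""
from datetime import datetime, timedelta

# Constructed badge-reader log: "timestamp,badge_id,door"
BADGE_LOG = """\
2025-03-03T09:01:10,B1042,lobby-north
2025-03-03T09:03:40,B1042,server-room
2025-03-03T09:04:05,B1042,lobby-south
2025-03-03T09:30:00,B2210,lobby-north
2025-03-03T09:45:00,B3301,lobby-north
"""

# Constructed: shortest plausible walk between two doors; anything faster
# means the badge was in two places at once, i.e. shared
MIN_TRAVEL = {frozenset({"server-room", "lobby-south"}): timedelta(minutes=5)}

# Constructed: active badge list from the access system, and HR's offboarded list
ACTIVE_BADGES = {"B1042": "a.sharma", "B2210": "r.khan", "B3301": "j.doe"}
OFFBOARDED = {"j.doe"}


def parse_log(text):
    """Parse the CSV log into (timestamp, badge, door) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        ts, badge, door = line.split(",")
        events.append((datetime.fromisoformat(ts), badge, door))
    return sorted(events)


def badge_sharing(events):
    """Flag one badge used at two doors faster than a person could walk between them."""
    findings, last_seen = [], {}
    for ts, badge, door in events:
        if badge in last_seen:
            prev_ts, prev_door = last_seen[badge]
            limit = MIN_TRAVEL.get(frozenset({prev_door, door}))
            if limit is not None and ts - prev_ts < limit:
                findings.append((badge, prev_door, door, ts - prev_ts))
        last_seen[badge] = (ts, door)
    return findings


def stale_badges(active, offboarded):
    """Badges still active for people HR has already offboarded."""
    return sorted(b for b, holder in active.items() if holder in offboarded)
```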

Printer security

Network printers are almost universally forgotten. The default admin password is unchanged, the management web interface is accessible from the entire network, and print jobs are stored in a local queue that survives a power cycle. The two checks that take under five minutes:

  1. Browse to the printer's IP. If the admin interface loads without a password prompt — finding logged.
  2. Ask whether the printer hard drive is encrypted or wiped before disposal. Answer is almost always "we hadn't thought about that."

Sample findings from a real engagement

From a 2025 audit of a 60-person financial services office in Delhi (details changed):

  HIGH  Guest SSID not isolated — reaches internal subnets
        Nmap from guest Wi-Fi returned 14 internal hosts including a file server. SMB port 445 open and responding.
  HIGH  3 former employees with active physical access badges
        HR offboarding checklist did not include badge deactivation. All three had left in the preceding 6 months.
  MED   Server room accessible via tailgate — no camera coverage
        Tester gained access by following a maintenance contractor. Camera covers corridor but not the door itself.
  MED   Network printer admin interface: default credentials
        admin/admin accepted on all 4 floor printers. Print history accessible, config changeable.
  LOW   Visitor sign-in log stored in open reception area
        Physical log book visible and accessible to any visitor. Contains full names, companies, and host contacts for 6 months of visits.

The guest Wi-Fi finding was fixed same-day. Badge deactivation was added to the HR offboarding checklist and retroactively applied. The printer finding took three weeks because "the vendor has to reset them" — which is itself a process finding worth documenting.
