This security checklist is a practical, actionable guide for anyone deploying digital signage. Use it during project planning, installation, and commissioning. Every item takes minutes to implement but prevents hours of security incidents. Print it, pin it to your project board, and check off each item before signing off on a deployment.
Pre-Deployment (Network Planning)
| ✓ | Action | Reference |
|---|---|---|
| ☐ | Create dedicated VLAN for media players | Network Segmentation |
| ☐ | Configure firewall: allow ports 80/443, 81/9802 from CMS only | Firewall Rules |
| ☐ | Enable 802.1X on signage switch ports (if supported) | 802.1X |
| ☐ | Configure NTP for accurate time sync across fleet | — |
| ☐ | Document network architecture with signage VLAN placement | Architecture |
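
One way to check an exported ruleset against the firewall item above. This is an added example, not code from the original page or the vendor. The `(action, source, port)` rule format, the addresses, and the function name are assumptions, and treating a final catch-all deny as the way to enforce "from CMS only" is also an assumption.

```python
import ipaddress

# Ports the checklist permits toward players, from the CMS only.
ALLOWED_PORTS = {80, 443, 81, 9802}
DEFAULT_DENY = ("deny", "0.0.0.0/0", "any")

def audit_player_vlan_rules(rules, cms_hosts):
    """Return findings for inbound rules protecting the player VLAN.

    rules: ordered list of (action, source_cidr, dest_port); dest_port is an
    int or "any". Hypothetical format, evaluated top-down, with the last
    rule expected to be a catch-all deny.
    """
    cms_nets = [ipaddress.ip_network(h) for h in cms_hosts]
    findings = []
    for idx, (action, source, port) in enumerate(rules, start=1):
        if action != "allow":
            continue
        src = ipaddress.ip_network(source)
        # The source must sit entirely inside a CMS address or range.
        from_cms = any(src.version == n.version and src.subnet_of(n)
                       for n in cms_nets)
        if not from_cms:
            findings.append(f"rule {idx}: source {source} is not limited to the CMS")
        if port == "any" or port not in ALLOWED_PORTS:
            findings.append(f"rule {idx}: port {port} is not in {sorted(ALLOWED_PORTS)}")
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append("ruleset does not end with a default deny")
    return findings

# Constructed sample data (addresses are placeholders).
CMS = ["10.20.0.5"]
GOOD = [("allow", "10.20.0.5", p) for p in (80, 443, 81, 9802)] + [DEFAULT_DENY]
BAD = [
    ("allow", "10.20.0.5", 443),
    ("allow", "10.0.0.0/8", 80),   # source wider than the CMS
    ("allow", "10.20.0.5", 22),    # port not on the checklist
    ("allow", "0.0.0.0/0", "any"), # allow-all, and no default deny after it
]

if __name__ == "__main__":
    for finding in audit_player_vlan_rules(BAD, CMS):
        print(finding)
```
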
Player Commissioning
| ✓ | Action | Reference |
|---|---|---|
| ☐ | Update firmware to latest version before connecting to production | Firmware Lifecycle |
| ☐ | Change default management password (unique per site/player) | Hardening |
| ☐ | Restrict management interface access to admin IPs only | Hardening |
| ☐ | Verify SNMP is disabled (or properly configured if needed) | SNMP |
| ☐ | Install custom CA certificate in trust store (if using internal PKI) | Certificates |
| ☐ | Verify TLS 1.2+ is enforced (default since firmware 4.3.0) | TLS |
| ☐ | Mount player in locked enclosure or behind display | Physical |
CMS Configuration
| ✓ | Action | Reference |
|---|---|---|
| ☐ | Configure RBAC: admin, content manager, editor, viewer roles | Roles |
| ☐ | Enable SSO integration (SAML/OIDC for Arya, AD for Elementi) | IAM |
| ☐ | Enable audit logging from day one | Audit |
| ☐ | Test emergency content override procedure | Incident Response |
| ☐ | Verify content publishing uses HTTPS | TLS |
Post-Deployment Verification
| ✓ | Action | Reference |
|---|---|---|
| ☐ | Verify all players show correct content via remote screenshots | Monitoring |
| ☐ | Configure offline alert thresholds (e.g., 15 min) | KPIs |
| ☐ | Test offline mode: disconnect network, verify content continues | Pipeline |
| ☐ | Document incident response contacts and procedures | Playbook |
| ☐ | Schedule quarterly firmware update window | Lifecycle |
| ☐ | Hand off security documentation to the customer's IT team | — |
Common Mistakes
- Skipping the checklist for "small" projects. 5 screens or 5,000 — the same security fundamentals apply. A small project that skips hardening becomes a large liability when the customer scales.
- Treating security as a final step. Security starts in the design phase (VLAN planning) and continues through commissioning. Don't bolt it on after installation.
- No handoff documentation. The integrator leaves. The customer's IT team inherits a system they don't understand. Document everything: architecture diagram, credentials, hardening settings, emergency procedures.