
Security Maintenance Audit Checklist for Ottawa & Eastern Ontario

A security maintenance audit is not a maintenance contract sales page. It is the discipline of working through a deployed commercial security system’s operational posture systematically and producing a documented gap report — preventive service cycle, panel, recorder, credential, communications path. The point is to verify the posture you already have is doing what your service agreement says it does, and to surface the equipment lineage, firmware currency, spare-parts, and audit trail continuity gaps that quietly accumulate between commissioning and the day someone finally looks at it again.

This checklist reflects what Family Security looks at during a commercial security system maintenance audit across Ottawa and Eastern Ontario. We work with facilities directors completing a warehouse security assessment checklist for a Cornwall industrial corridor site before service-agreement renewal, operations managers reviewing a Kingston commercial campus where the original integrator is no longer in business, and property managers running a Smiths Falls institutional building through a mid-contract SLA review after a recurring camera-offline pattern. Audiences: facilities directors, operations and property managers, risk/compliance and IT-security teams, procurement officers. Use cases: mid-contract audit, pre-renewal SLA review, post-incident review, insurance carrier requirement, NDAA mid-lifecycle review.

Why a Maintenance Audit Is Different from a Service Contract

A service contract describes what an integrator has agreed to do. A security maintenance audit verifies what is actually happening on the deployed system — preventive service cycle, firmware currency lag, audit trail continuity, spare-parts depth. The two are rarely the same on a system in production for more than eighteen months.

  • Preventive frequency promised in the contract is not the frequency executed in the field, and the gap is invisible until something fails.
  • The original integrator’s equipment lineage, firmware revision history, and as-built drawings rarely transfer cleanly when a building changes property managers or service providers.
  • End-of-life equipment and end-of-support firmware do not announce themselves — they show up as a camera offline for six weeks or a recorder that quietly stopped writing.

The audit produces an operational-posture snapshot — a defensible basis for service-agreement renewal, integrator replacement, or phased equipment refresh, independent of what the current provider says.

How We Assess a Commercial Security Maintenance Posture

The sequence runs from documentation down to physical hardware and back up to the service-agreement layer. Documentation gaps surface every other gap, and every commercial maintenance audit we run routes back through preventive service-cycle documentation before remediation gets scoped.

1. Preventive Maintenance Schedule & Service-Cycle Documentation

  • Documented preventive schedule with frequency, scope, and last-completed-date per device class (cameras, recorders, panels, readers, door hardware).
  • Service tickets and preventive completion records reconciled against what the SLA actually obligates.
  • As-built drawings, device inventory, IP and panel address maps, and credential-format reference current within twenty-four months.
  • Change log for firmware updates, panel replacements, and reader swaps maintained continuously, not reconstructed at audit time.

A common finding: the contract names a quarterly preventive cycle and the most recent documented visit is from fourteen months ago. The audit trail is where a posture first diverges from its contract.

2. Camera & Recorder Health, Storage & Firmware Currency

  • Every camera on the device list responding, streaming, and writing — no silent offline cameras, no stuck PTZ presets, no recorder channels in error.
  • Recorder health current: SMART status clean, RAID events explained, retention matching the defensible window, no overwrite events outside policy.
  • Firmware within manufacturer-supported window for cameras and recorders, with known-CVE exposure identified and remediation scoped.
  • Image quality verified at the recorder, not the camera — focus drift, dirty domes, IR overexposure, and lens fungus are the four findings most common on cameras older than three years.

A common finding: a CCTV system shows 28 cameras on the device list and 24 writing usable images, because the four offline cameras are in low-traffic corridors. Camera count on paper is not camera count in service.

3. Access Control Panel Health, Credential Audit & Door Hardware

  • Panel firmware current, battery cycle reviewed against documented replacement interval, communications path to the head-end supervised and alarming on loss.
  • Cardholder database audited for dormant credentials, terminated employees still active, contractor cards past expiry, and shared credentials in privileged groups.
  • Door hardware inspected for strike wear, REX-button supervision, position-switch alignment, and fail-safe vs fail-secure configuration correct per door.
  • Reader population reviewed for credential-format consistency, OSDP vs Wiegand mix, and known reader EOL — access control readers commissioned five-plus years ago may be on EOL formats without anyone in facilities knowing.

A common finding: 12-18% of cardholder records on a commercial Kantech or Lenel access control head-end belong to people who no longer work in the building. Dormant credential drift is the most consistent maintenance finding across the Ottawa commercial access control postures we audit.
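
The cardholder audit described in this section, as an added example (not Family Security's tooling and not any vendor's export format): it flags the four conditions listed above over a constructed CSV export. The column names, the 90-day dormancy threshold, the `admin` privileged group and the HR roster are assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample export; column names are assumptions, not a Kantech or Lenel format.
CARDHOLDERS_CSV = """card_id,holder,type,groups,last_used,expires,status
1001,A. Roy,employee,staff,2025-05-28,,active
1002,B. Singh,employee,staff;admin,2024-09-02,,active
1003,C. Tremblay,employee,staff,2025-05-30,,active
1004,Northline HVAC,contractor,contractor,2025-03-11,2025-04-30,active
1005,Front Desk,shared,staff;admin,2025-06-01,,active
1006,D. Chen,employee,staff,2025-01-15,,disabled
"""
# Constructed HR roster of current staff (assumption: names match the export).
CURRENT_STAFF = {"A. Roy", "B. Singh", "D. Chen"}
PRIVILEGED_GROUPS = {"admin"}       # assumption: site-defined privileged groups
DORMANT_AFTER = timedelta(days=90)  # assumption: site policy threshold


def audit_cardholders(csv_text, current_staff, today):
    """Return {card_id: [findings]} for active credentials only."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["status"] != "active":
            continue  # disabled cards cannot open doors; out of scope here
        issues = []
        groups = set(row["groups"].split(";"))
        last_used = date.fromisoformat(row["last_used"]) if row["last_used"] else None
        if last_used is None or today - last_used > DORMANT_AFTER:
            issues.append("dormant")
        if row["type"] == "employee" and row["holder"] not in current_staff:
            issues.append("terminated-still-active")
        if row["expires"] and date.fromisoformat(row["expires"]) < today:
            issues.append("contractor-past-expiry" if row["type"] == "contractor" else "past-expiry")
        if row["type"] == "shared" and groups & PRIVILEGED_GROUPS:
            issues.append("shared-in-privileged-group")
        if issues:
            findings[row["card_id"]] = issues
    return findings


if __name__ == "__main__":
    result = audit_cardholders(CARDHOLDERS_CSV, CURRENT_STAFF, date(2025, 6, 2))
    for card, issues in sorted(result.items()):
        print(card, ", ".join(issues))
```

Matching on holder name is a simplification for the sample; a real reconciliation would join on an employee or badge identifier shared by the HR system and the head-end.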

4. Intrusion Alarm Panel, Communications Path & Monitoring Status

  • Alarm panel firmware current, battery and replacement cycle reviewed, zone-by-zone supervision verified.
  • Communications path to the monitoring station supervised and redundant — primary IP, cellular failover, line-fault supervision tested within the documented cycle.
  • Monitoring station account current: pass codes, key-holder list, response order, and false-alarm history reviewed against contract.
  • Zone programming reconciled — disabled, bypassed, and stay/away programming documented with a reason, not left as a workaround.

A common finding: a chronically false-alarming zone has been disarmed at the panel for three months, the work order was never closed, and the contract still bills for monitoring. Communications-path supervision catches what zone programming hides.

5. Cyber Posture, Firmware Currency & Default-Credential Hygiene

  • Firmware currency lag tracked per device class with known-CVE exposure identified and a documented patch cadence — per NIST SP 800-40 Rev. 4 enterprise patch management guidance, lifecycle patching is operational security.
  • Default credentials, vendor service accounts, and integrator back-door logins on cameras, recorders, panels, and head-end servers identified and rotated.
  • VLAN segmentation between security devices and corporate IT verified, remote-admin paths reviewed, MFA on head-end admin accounts confirmed.
  • Vendor end-of-support tracked per device class so EOL is identified before the device becomes a lifecycle risk to the integrated security system.

A common finding: a four-plus-year-old system is running camera firmware eighteen months out of supported window, against a published CVE, never flagged. Firmware currency lag is invisible until it isn’t.

6. NDAA Section 889 Equipment Lineage Review

  • Camera, recorder, panel, reader, and controller manufacturer lineage documented and reconciled against the NDAA Section 889 covered-entity prohibition.
  • OEM white-label exposure reviewed — a device branded one way at the bezel may be manufactured by a covered entity; this is the most common mid-lifecycle compliance surprise.
  • Federal-adjacent and public-sector buildings reviewed against NDAA-compliant security systems requirements and any Section 889 obligations carried by tenants.
  • Remediation timeline scoped for non-compliant equipment, with phased replacement windows that preserve operational continuity.

A common finding: a system commissioned before federal-adjacent Section 889 procurement tightened has three OEM-white-label cameras routing back to a covered manufacturer. Equipment lineage surfaces this, not the bezel label.

7. Spare Parts Inventory & End-of-Life Equipment Identification

  • Spare-parts depth reviewed against the deployed device list — minimum stock for cameras, readers, panels, recorder drives, and door hardware that the SLA’s MTTR actually requires.
  • End-of-life equipment identified per device class with documented replacement priority — EOL cameras, readers, panels, and recorder storage cycles flagged before they fail.
  • Replacement budget framed against the security system upgrades roadmap so EOL replacement is a planned program, not an emergency.

A common finding: the SLA promises four-hour MTTR on camera failure, the integrator stocks zero spares for the model, and the manufacturer back-order is six weeks. Spare-parts depth is the SLA stress test most contracts never get.

8. Service-Agreement Coverage, Response-Time SLAs & Audit Trail Continuity

  • Service agreement scope read against the deployed device list — every camera, panel, reader, and recorder covered or explicitly excluded with documented rationale.
  • Response-time SLA reviewed for business-hours, after-hours, and critical-fault tiers, reconciled against actual response history in the ticket system.
  • Audit trail continuity verified across integrator handoffs — every preventive visit, firmware update, and credential change traceable from commissioning to current state.
  • Renewal posture reviewed: auto-renewal clauses, price escalators, scope-creep on non-covered devices, and termination-for-cause provisions read with the same discipline as the technical inventory.

A common finding: the agreement obligates a four-hour critical-fault response and the documented twelve-month average is eleven hours. Audit trail continuity is what makes SLA enforcement defensible.

Common Findings in Ottawa Security Maintenance Audits

Across the maintenance audits Family Security has performed for commercial security systems in Ottawa and Eastern Ontario — Cornwall industrial corridor, Kingston commercial campus, Smiths Falls institutional, and Brockville distribution — the recurring findings cluster around a small number of operational drifts.

  • Documented preventive cycle running behind SLA-promised frequency, with the most recent ticket older than the contract permits.
  • Offline cameras and dropped recorder channels in fault for weeks or months without the integrator surfacing them.
  • Dormant cardholder credentials at 12-18% of the head-end database — terminated staff, expired contractors, unattributed shared cards still active.
  • Firmware currency lag — multiple device classes outside the manufacturer-supported window, often against known CVEs.
  • Default credentials, vendor service accounts, and integrator back-door logins still present years after commissioning.
  • Spare-parts depth insufficient to meet the SLA’s MTTR on the device classes most likely to fail.
  • NDAA Section 889 OEM white-label exposure on systems commissioned before federal-adjacent procurement tightened.
  • Service-agreement scope drifted from the deployed device list — new devices not covered, removed devices still billed.

Maintenance posture does not degrade catastrophically — it degrades quietly. Preventive cycles slip a month at a time. Firmware currency lags a quarter at a time. The maintenance audit surfaces accumulated drift before it shows up as an incident, insurance claim, or procurement escalation.

When to Schedule a Security Maintenance Audit

A maintenance audit is most defensible when scheduled before a decision needs to be made, not after one has been forced. The output is documented findings, prioritized remediation, and a scoped service-agreement and equipment-refresh path — sized to operational reality, not to a catalog. Per NIST SP 800-40 Rev. 4 enterprise patch management guidance, lifecycle posture is an operational discipline, not an event.

  • Mid-contract audit before renewal, when the integrator’s performance against the documented SLA needs to be evaluated independently.
  • Pre-renewal SLA review when contract terms, response-time tiers, or pricing are about to be renegotiated.
  • Post-incident operational review after a forced door, missed alarm, unrecoverable recorder, or insurance claim — where posture needs to be reconstructed from the audit trail.
  • Insurance carrier requirement when policy renewal asks for documented evidence of preventive maintenance and audit trail continuity.
  • NDAA Section 889 mid-lifecycle review for federal-adjacent buildings, public-sector tenants, or procurement-driven supply-chain compliance.
  • Integrator transition planning when the current service provider is being replaced and the incoming integrator needs a defensible baseline.
  • Pre-procurement scoping for a planned security system upgrade, where the audit produces the gap report the upgrade scope is built against.
  • Sibling scoping when a warehouse security assessment, office security assessment, or property management security review identifies maintenance posture as the primary concern.
  • Cross-discipline scoping when a commercial CCTV assessment or access control upgrade assessment surfaces a maintenance handoff needing its own review.

Next Step

Family Security is a commercial security integrator working with facilities, operations, and procurement teams across security camera systems, intrusion alarm, and access control programs in Ottawa and Eastern Ontario. We audit maintenance postures on systems we did not install — the deliverable is a documented gap report against the deployed device list, the SLA, firmware currency, and audit trail continuity, not a quote for a new contract.

A SiteScope security maintenance audit ends with a structured Technician Review Note, not a service quote.