Security Baseline

Minimum security standards we require to keep your environment safe and supportable.

Endpoints
  • Supported Windows/macOS only; EOL systems are out of scope
  • RMM + EDR/AV installed and healthy
  • Full‑disk encryption (BitLocker/FileVault) with escrowed keys
  • Automatic patching: critical ≤ 7 days; others ≤ 30 days
  • No local admin rights for end‑users

Identity & Access
  • MFA required for admin, remote access, and user cloud/email
  • Least‑privilege roles; emergency “break‑glass” account protected
  • Legacy auth disabled wherever feasible

Microsoft 365
  • Anti‑phishing/malware (Defender) with Safe Links/Attachments*
  • SPF, DKIM, and DMARC enforced for domains
  • External auto‑forwarding blocked by default
  • OneDrive/SharePoint sync only on managed devices
  • Tenant auditing on; risky app consents restricted
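As an added example (not part of this baseline document), the following Python evaluates whether a domain's SPF, DKIM and DMARC records actually meet the "enforced" bar rather than merely existing: SPF must end in a failing `all` qualifier, DMARC must carry `p=quarantine` or `p=reject` at `pct=100`, and the DKIM selector must publish a non-empty key. The TXT record strings are assumed to have been fetched already (for example from DNS during an onboarding review); the sample values below are constructed.

```python
"""Offline assessment of SPF / DKIM / DMARC TXT records against an
'enforced' baseline. Added example; sample record values are constructed."""
import re

SPF_ALL = re.compile(r"^([+\-~?]?)all$", re.IGNORECASE)


def parse_spf(record):
    """Return the qualifier on the 'all' mechanism ('+', '-', '~', '?') or None.

    Raises ValueError if the record is not an SPF record at all.
    """
    tokens = record.strip().split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for tok in tokens[1:]:
        m = SPF_ALL.match(tok)
        if m:
            return m.group(1) or "+"   # a bare 'all' means '+all'
    return None                        # no 'all' mechanism present


def parse_tags(record):
    """Parse a 'tag=value; tag=value' record (DMARC and DKIM share this syntax)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_mail_auth(spf_txt, dmarc_txt, dkim_txt):
    """Return a list of findings; an empty list means all three are enforcing."""
    findings = []

    # SPF: only a failing qualifier on 'all' rejects unlisted senders.
    try:
        q = parse_spf(spf_txt)
    except ValueError:
        findings.append("SPF: record missing or not v=spf1")
    else:
        if q is None:
            findings.append("SPF: no 'all' mechanism, so unlisted senders are not failed")
        elif q in ("+", "?"):
            findings.append(f"SPF: '{q}all' permits any sender; use -all")
        elif q == "~":
            findings.append("SPF: '~all' only softfails; -all is the enforcing form")

    # DMARC: p=none is monitor-only; pct<100 enforces on a fraction of mail.
    d = parse_tags(dmarc_txt)
    if d.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record missing or malformed")
    else:
        policy = d.get("p", "").lower()
        if policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: p={policy or 'missing'} is monitor-only; use quarantine or reject")
        try:
            pct = int(d.get("pct", "100"))
        except ValueError:
            pct = 0
        if pct < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
        if d.get("sp", "").lower() == "none":
            findings.append("DMARC: sp=none leaves subdomains unenforced")

    # DKIM: an empty 'p' tag means the selector's key is revoked/unpublished.
    k = parse_tags(dkim_txt)
    if not k.get("p"):
        findings.append("DKIM: empty or missing public key (selector revoked or unpublished)")

    return findings


if __name__ == "__main__":
    # Constructed sample records for a compliant and a weak domain.
    compliant = assess_mail_auth(
        "v=spf1 include:spf.protection.outlook.com -all",
        "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
        "v=DKIM1; k=rsa; p=CONSTRUCTEDKEYMATERIAL",
    )
    weak = assess_mail_auth(
        "v=spf1 include:spf.protection.outlook.com ~all",
        "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "v=DKIM1; k=rsa; p=",
    )
    print("compliant:", compliant or "no findings")
    print("weak:", *weak, sep="\n  ")
```

The check is deliberately strict about `~all`: many tenants stop at softfail, which asks receivers to accept-but-mark rather than reject, so it is reported as a finding instead of a pass.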

Network & Remote Access
  • No inbound RDP open to the Internet
  • Business‑grade firewall, current firmware, DNS filtering enabled
  • Segmented Wi‑Fi (staff/guest/IoT)
  • Firewall/DNS logs retained ≥ 90 days

Backup & Recovery
  • 3‑2‑1 backups for servers/critical data; immutable copy where supported
  • Endpoint and M365 backups when purchased
  • Quarterly test restores documented

Security Awareness & Response
  • User training and periodic phishing simulations
  • We may isolate compromised devices and reset credentials during incidents