Security Baseline
Minimum security standards we require to keep your environment safe and supportable.
Endpoints
- Supported Windows/macOS only; EOL systems are out of scope
- RMM + EDR/AV installed and healthy
- Full‑disk encryption (BitLocker/FileVault) with escrowed keys
- Automatic patching: critical ≤ 7 days; others ≤ 30 days
- No local admin rights for end‑users
Identity & Access
- MFA required for admin accounts, remote access, and user cloud/email accounts
- Least‑privilege roles; emergency “break‑glass” account protected
- Legacy auth disabled wherever feasible
Microsoft 365
- Anti‑phishing/malware (Defender) with Safe Links/Attachments*
- SPF, DKIM, and DMARC enforced for domains
- External auto‑forwarding blocked by default
- OneDrive/SharePoint sync permitted only on managed devices
- Tenant auditing on; risky app consents restricted
Network & Remote Access
- No inbound RDP open to the Internet
- Business‑grade firewall, current firmware, DNS filtering enabled
- Segmented Wi‑Fi (staff/guest/IoT)
- Firewall/DNS logs retained ≥ 90 days
Backup & Recovery
- 3‑2‑1 backups for servers/critical data; immutable copy where supported
- Endpoint and M365 backups when purchased
- Quarterly test restores documented
Security Awareness & Response
- User training and periodic phishing simulations
- We may isolate compromised devices and reset credentials during incidents
*Feature availability depends on license tier. This page is a summary; the signed MSA/Exhibits control if there’s a conflict.