| Know every device, managed and unmanaged, on-prem, remote, cloud, with an actively maintained inventory and a process for unauthorized assets. | RMM agent coverage reconciled against network discovery; the "what's on the network that we don't manage?" sweep. | 2 / 5 |
|---|
| Authorized-software inventory; unauthorized software addressed; only supported, licensed software runs (allowlisting at higher IGs). | RMM software inventory + unsupported-software report; application control where the stack allows. | 3 / 7 |
|---|
| Classify data, map where it lives and flows, encrypt at rest and in transit, retain on schedule, dispose securely, control access by classification (DLP at IG2+). | Data map + classification policy; disk/SaaS encryption posture; retention and purge jobs; DLP for IG2 clients. | 6 / 14 |
|---|
| Hardened baselines for endpoints, servers, network gear, and cloud, CIS Benchmarks are the companion how-to, with drift managed and defaults (passwords, ports, services) eliminated. | Golden images + baseline policies; firewall/router config standards; session-lock, secure DNS, and the long tail of defaults. | 7 / 12 |
|---|
| Inventory every account (user, admin, service); unique passwords; dormant accounts disabled; admin privileges restricted to dedicated admin accounts. | Identity-platform account audit; separate admin identities for techs; quarterly dormant-account sweep. | 4 / 6 |
|---|
| Granting/revoking process, MFA for external apps, remote access, and admin access, role-based access, and (IG2+) centralized SSO and access-review cadence. | The JML workflow; MFA enforcement reports; conditional access; documented access reviews. | 5 / 8 |
|---|
| A vulnerability-management process with automated internal/external scanning, risk-ranked remediation on cadence, and automated OS + application patching. | Patch automation + monthly scan cycle; remediation SLAs by severity; the finding-to-fix loop with tickets. | 4 / 7 |
|---|
| Logging on across the estate, time-synced, retained, and (IG2+) centralized with review, DNS, command-line, and URL logging at the higher tiers. | Log retention settings everywhere at IG1; SIEM/log platform with triage runbook for IG2. | 3 / 12 |
|---|
| Supported browsers/clients only, DNS filtering (IG1!), then DMARC, attachment sandboxing, and browser-extension control at IG2+. | DNS-filter rollout; email security gateway; DMARC/SPF/DKIM enforcement: the phishing kill-chain controls. | 2 / 7 |
|---|