Cyber-insurance readiness checklist.

Enforced for all users including admins, with phishing-resistant methods (authenticator app or FIDO2 / WebAuthn) preferred over SMS.

Conditional Access policy screenshot showing MFA enforcement; sign-in log sample showing 100% MFA prompts; admin role MFA report.

Service accounts that can't take MFA; legacy auth still enabled (POP/IMAP/SMTP); inherited break-glass account without MFA.

Modern EDR or XDR on every workstation and server. Microsoft Defender for Endpoint, CrowdStrike, SentinelOne, and similar are accepted. Anti-virus alone is not.

EDR console screenshot showing device coverage percentage; deployment report; named SOC analyst or 24/7 SOC contract.

Coverage gap on macOS or Linux; servers excluded; unmanaged personal devices accessing corporate data.

3-2-1 rule (3 copies, 2 media, 1 offsite). Immutability flag or air-gap. Successful restore test within the last 12 months.

Backup configuration showing immutability; last restore-test log; runbook showing the restore process and contacts.

Microsoft 365 not backed up (Microsoft does not back up tenant data by default); no documented restore test; backups stored on the same domain controllers.

Documented cadence — security patches within 14 days for high-severity, 30 days for medium. Server patching window defined. Workstation patching automated.

Patch compliance report (last 90 days); known-exposed CVE list with remediation status; documented exception process.

End-of-life operating systems still in production; unmonitored network appliances; firmware not in scope.

SPF, DKIM, DMARC at p=quarantine or stricter. Anti-phish controls in Microsoft 365 or equivalent. Impersonation protection on executives.

DMARC report aggregator screenshot; Defender for Office 365 anti-phish policy; phishing simulation result summary.

DMARC at p=none indefinitely; no DKIM on marketing-platform mail; impersonation protection not configured.

Annual minimum. Phishing simulation cadence (monthly to quarterly). Onboarding training for new hires.

Training completion log; phishing simulation results; new-hire onboarding checklist with security training step.

Training is one-and-done from years ago; no phishing simulation; non-trackable training source.

Documented IR plan. Named IR contact. Tabletop exercise within the last 12 months.

IR plan document with version and date; tabletop exercise minutes; carrier-specific breach notification clause.

No documented plan; plan from years ago never reviewed; no named IR contact; no out-of-band communication channel.

Centralized logging (SIEM or equivalent). 90-day retention minimum for sign-in logs; 365 days for audit logs.

Log retention policy; SIEM dashboard sample; alert response runbook with named owner.

Logs not centralized; retention insufficient; alerts not triaged; no documented response procedure.

Separation of admin accounts from daily-use accounts. PIM or equivalent just-in-time elevation where the license allows. Quarterly access review.

Admin account inventory; PIM activation log sample; quarterly review meeting minutes.

Global Administrator on every IT staff member; no separation of daily and admin accounts; no quarterly review.

Documented asset inventory covering servers, workstations, mobile devices, network appliances, and SaaS applications.

Asset inventory report; MDM / Intune device list; SaaS application inventory with ownership.

Manual spreadsheet that's out of date; mobile devices missing; SaaS shadow IT undocumented.