IT Policy Review Checklist

Data Security

    Walk the Public / Internal / Confidential / Restricted tiers with the data owners. Update the handling matrix where systems have changed since last review — new SaaS apps, new client data inflows, new repositories. Tag the M365 / Google Workspace sensitivity labels to match.

    Confirm BitLocker on every Windows endpoint and FileVault on every Mac, with recovery keys archived in Entra ID / JAMF. Validate TLS 1.2+ on all internal services and database TDE where required. Common gap: legacy SQL servers still negotiating TLS 1.0 — pull the cipher report from your vuln scanner.

    Confirm three copies, two media, one offsite — with at least one immutable copy (object lock, write-once tape, or separate cloud account credentials). A backup target that is writable from production is not ransomware-resilient. Pull the Veeam / Datto / Rubrik success report and reconcile against the in-scope system list.

    Restore one production-tier system into an isolated network and confirm the application boots, authenticates, and serves data. Backup success metrics go green for years while the actual restore fails on a rotated credential or a vendor format change. Document RTO actual versus RTO target.

    Pull the Entra ID / Okta MFA enrollment report and chase any user without a phishing-resistant factor. Confirm conditional access blocks legacy basic-auth (IMAP, POP, SMTP AUTH) — leaving these open is the most common way attackers bypass MFA entirely. Check that service accounts and break-glass accounts are exempted correctly, not accidentally.

Access Control

    Compare the role-to-group mapping against the current org chart. Watch for the classic AD bloat pattern — Domain Users granted file-share access for one project five years ago and never removed. Reconcile Tier 0 / Tier 1 / Tier 2 admin separation; helpdesk techs should not hold Domain Admin.

    For each SaaS in the SSO catalog, confirm SCIM deprovisioning fires on HR termination — not just license revocation. Test with a sample disabled account: mailbox forwarding rules removed, OneDrive ownership transferred, GitHub org membership revoked. Apps without SCIM go on a manual offboarding list owned by name.

    Send each system owner the user-access export and require sign-off in writing. Flag accounts that haven't logged in for 90+ days, service accounts older than the rotation policy, and any access not aligned with current role. SOC 2 and SOX ITGC both expect a documented review with evidence — not a verbal confirmation.
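The stale-account, service-account age and role-to-group checks from the access review and role mapping items above, as an added Python example that is not part of the checklist or the Manifestly template. The export columns, the role mapping and the 365-day rotation period are assumptions; the CSV is a constructed sample, not a real IdP report.

```python
import csv
import io
from datetime import datetime

# Constructed sample user-access export (not a real IdP report). The column
# names approximate an Entra ID / Okta CSV and are assumptions.
SAMPLE_EXPORT = """\
upn,account_type,role,groups,last_sign_in,password_last_set
alice@example.com,user,Finance Analyst,Finance-RO;All-Staff,2024-05-28,2024-03-01
bob@example.com,user,Helpdesk Tech,Helpdesk;All-Staff;Domain Admins,2024-05-30,2024-04-10
carol@example.com,user,Sales Rep,Sales;All-Staff,2024-01-15,2024-01-02
svc-backup@example.com,service,Backup Service,Backup-Operators,2024-05-31,2018-02-14
svc-reporting@example.com,service,Reporting Service,Reporting-RO,2024-05-31,2024-02-20
"""

# Role-to-group mapping as agreed with the system owners (assumed values).
ROLE_TO_GROUPS = {
    "Finance Analyst": {"Finance-RO", "All-Staff"},
    "Helpdesk Tech": {"Helpdesk", "All-Staff"},
    "Sales Rep": {"Sales", "All-Staff"},
    "Backup Service": {"Backup-Operators"},
    "Reporting Service": {"Reporting-RO"},
}

STALE_DAYS = 90            # checklist threshold for inactive accounts
SVC_ROTATION_DAYS = 365    # assumed service-account credential rotation policy


def review_access(export_csv, role_to_groups, as_of):
    """Return {upn: [findings]} for every account that needs explicit sign-off.
    as_of is the review date as a YYYY-MM-DD string."""
    review_date = datetime.strptime(as_of, "%Y-%m-%d")
    findings = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        issues = []
        idle_days = (review_date - datetime.strptime(row["last_sign_in"], "%Y-%m-%d")).days
        if idle_days > STALE_DAYS:
            issues.append(f"no sign-in for {idle_days} days")
        # Service accounts are judged on credential age, not interactive logon.
        pw_age = (review_date - datetime.strptime(row["password_last_set"], "%Y-%m-%d")).days
        if row["account_type"] == "service" and pw_age > SVC_ROTATION_DAYS:
            issues.append(f"credential age {pw_age} days exceeds rotation policy")
        # Any group not justified by the current role goes to the owner for a decision.
        extra = set(row["groups"].split(";")) - role_to_groups.get(row["role"], set())
        if extra:
            issues.append("groups not justified by role: " + ", ".join(sorted(extra)))
        if issues:
            findings[row["upn"]] = issues
    return findings
```

Call `review_access(SAMPLE_EXPORT, ROLE_TO_GROUPS, "2024-06-01")` to get the per-account findings that go on the owner sign-off sheet.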

    Disable (do not delete) flagged accounts and capture before/after screenshots from the IdP. For service accounts, coordinate rotation with the owning team so dependent jobs don't break — a six-year-old service account may have undocumented consumers.

    Confirm legacy full-tunnel VPN access is restricted or replaced by per-app ZTNA. Review CyberArk / BeyondTrust / Delinea session recordings for the privileged sessions sample. Confirm just-in-time elevation is in use for Domain Admin — standing privilege is the pass-the-hash entry point.

Incident Response

    Refresh the IR plan against the current tech stack and named contacts. Update the EDR vendor (CrowdStrike / SentinelOne / Defender), the SIEM, the cyber-insurance carrier hotline, and outside counsel. A plan with last year's contacts is worse than no plan during a real Sev 1.

    Walk the named Incident Commander, Communications Lead, Forensics Lead, and Legal Liaison roles. Verify PagerDuty / Opsgenie schedules cover after-hours and holidays without a single point of failure. Each role names a primary and a backup.

    Use a realistic scenario — ransomware on the file server, BEC on the CFO's mailbox, or a public-facing CVE exploit. Time the response and identify decision-points where the plan was unclear. Capture the after-action notes; SOC 2 auditors expect annual evidence.

    For each gap surfaced in the tabletop, assign a named owner and target date. Schedule role-specific training (forensics handoff, evidence preservation, comms templates) within 30 days. Re-run the affected scenario at the next quarterly drill.

    Review the high-volume / low-signal alerts and suppress or tune them. Confirm Sev 1 detection (impossible travel, mass mailbox download, EDR isolation event) routes to PagerDuty and pages the on-call within minutes. Quiet noisy alerts before fatigue masks the real one.
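The impossible-travel detection named above, as an added Python example that is not part of the checklist or the Manifestly template: consecutive sign-ins per user are compared and any pair whose implied travel speed exceeds a plausible ceiling becomes the Sev 1 page. The sign-in records are constructed, and the 900 km/h ceiling is an assumption a SOC would tune.

```python
import math
from datetime import datetime

# Constructed sign-in records (not real log data): user, UTC timestamp,
# city, latitude, longitude, as a geo-enriched SIEM sign-in feed might carry.
SAMPLE_SIGNINS = [
    ("alice@example.com", "2024-06-03T08:02:00", "Chicago", 41.88, -87.63),
    ("alice@example.com", "2024-06-03T09:15:00", "Frankfurt", 50.11, 8.68),
    ("bob@example.com", "2024-06-03T07:30:00", "Denver", 39.74, -104.99),
    ("bob@example.com", "2024-06-03T12:10:00", "Chicago", 41.88, -87.63),
]

MAX_PLAUSIBLE_KMH = 900.0  # assumed ceiling, roughly airliner cruise speed
EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, from_city, to_city, implied_kmh) for each pair of consecutive
    sign-ins whose implied travel speed exceeds max_kmh."""
    by_user = {}
    for user, ts, city, lat, lon in sorted(signins, key=lambda r: (r[0], r[1])):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, events in by_user.items():
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            dist_km = haversine_km(la1, lo1, la2, lo2)
            hours = (t2 - t1).total_seconds() / 3600.0
            # Two places in the same second is treated as infinite speed.
            speed = dist_km / hours if hours > 0 else (math.inf if dist_km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, c1, c2, round(speed)))
    return alerts
```

Only Alice's Chicago-to-Frankfurt pair (about 7,000 km in 73 minutes) trips the rule; Bob's Denver-to-Chicago pair works out to roughly 300 km/h and stays quiet, which is the tuning point the item above is about.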

    Confirm the IR log template captures timestamps, decisions, evidence chain-of-custody, and external notifications. Cyber insurance and counsel will both ask for this in the 24 hours after an incident; reconstructing it from chat scrollback is not acceptable evidence.

Compliance and Legal

    Confirm the framework that drives this cycle's evidence — most orgs have one anchor (SOC 2 Type II for B2B SaaS, HIPAA for healthcare clients, PCI DSS for cardholder data, CMMC for DIB). Note any secondary frameworks in the additional notes; controls usually overlap and can be evidenced once.

    Confirm the audit period (typically 6–12 months) with the assessor and align the evidence-collection cadence in Vanta / Drata / Secureframe. Lock the kickoff date and the readiness-review date; the common slip is starting evidence collection a month before the period closes.

    Map notification clocks for each in-scope regime: HIPAA 60 days to affected individuals, GDPR 72 hours to the supervisory authority, state laws (CCPA, CTDPA, etc.) layered on top. For MSPs, list the per-client BAA / MSA notification windows — they often differ from the regulatory floor.

    Send the updated acceptable use, access control, and incident response policies through outside counsel or in-house legal. Capture sign-off in writing — a signature on the policy version is the audit artifact, not a Slack thumbs-up.

    Push this cycle's artifacts — access review attestations, restore drill log, tabletop after-action, policy sign-offs — into the GRC platform with the period tag. Auditors will ask for the raw evidence with timestamps; rebuilding it post-hoc is the most expensive part of audit prep.

Software and Hardware Management

    Reconcile the NinjaOne / Datto RMM / ConnectWise Automate inventory against HR headcount and the procurement ledger. Flag agents that haven't checked in for 30+ days and devices missing encryption posture. Asset sprawl is the foundation under most license true-up surprises.

    Verify Test → Pilot → Production rings on a 7–14 day cadence in Intune / SCCM / Automox. Auto-applying Patch Tuesday to production without a test ring is how a single KB takes down the app servers Monday morning. Confirm the change-window and rollback plan are documented per ring.

    Walk the SaaS request workflow with finance — every new tool routes through IT for security review and license assignment. Shadow-IT subscriptions paid on personal cards are the most common gap. Confirm the procurement intake form references the data-classification matrix.

    Review devices nearing end-of-warranty and end-of-support. For disposal, confirm BitLocker / FileVault wipe with a certificate of destruction from the e-waste vendor; a re-image without confirmed key destruction is not adequate for regulated data.

    Reconcile Microsoft, Adobe, VMware, and Oracle deployments against entitlements before a vendor audit forces the conversation. VMware per-core licensing changes and Microsoft 365 license-tier creep produce six-figure surprises. Pull the SAM report and flag overages with a remediation date.
