IT Strategy Checklist

Infrastructure Planning

    Export the device list from NinjaOne, Datto RMM, or whichever RMM is in scope and reconcile it against IT Glue / Hudu, the Intune device list in M365, and the HR roster. Orphans are the usual finding: a device whose assigned user has left according to HR, a device Intune knows about but the RMM agent doesn't (or the reverse), and an active employee with no managed device. Flag the first group for the offboarding queue and the agent gaps for re-enrollment.
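    The reconciliation above in working code, as an added example that is not part of the Manifestly template or any RMM vendor's tooling. It assumes each export has been reduced to rows with a hostname and a last logged-on user (RMM and Intune) or a UPN and an employment status (HR); the record shapes and the sample rows are constructed for the example.

```python
"""Reconcile RMM, Intune and HR exports to find orphaned devices and agent gaps.

Added example, not Manifestly's or any vendor's code. The dict shapes below
are assumptions standing in for the CSV exports; the rows are constructed.
"""
from dataclasses import dataclass


def norm_host(name):
    # Hostnames differ only by case and domain suffix across tools.
    return name.strip().lower().split(".")[0]


def norm_upn(upn):
    return upn.strip().lower()


@dataclass(frozen=True)
class Finding:
    kind: str      # what is wrong
    subject: str   # hostname or UPN
    detail: str


def reconcile(rmm, intune, hr):
    """rmm / intune: lists of {'hostname', 'last_user'}.
    hr: list of {'upn', 'status'} where status is 'active' or 'terminated'."""
    active = {norm_upn(p["upn"]) for p in hr if p["status"] == "active"}
    known = {norm_upn(p["upn"]) for p in hr}
    rmm_hosts = {norm_host(d["hostname"]): d for d in rmm}
    intune_hosts = {norm_host(d["hostname"]): d for d in intune}
    findings = []

    # 1. RMM device whose user is gone, or was never an employee (offboarding queue)
    for host, d in rmm_hosts.items():
        user = norm_upn(d.get("last_user") or "")
        if not user:
            findings.append(Finding("no-assigned-user", host, "RMM has no last logged-on user"))
        elif user not in known:
            findings.append(Finding("user-unknown-to-hr", host, user))
        elif user not in active:
            findings.append(Finding("user-terminated", host, user))

    # 2. Agent gaps: device managed in only one of the two tools
    for host in intune_hosts.keys() - rmm_hosts.keys():
        findings.append(Finding("in-intune-not-rmm", host, "RMM agent missing or device retired"))
    for host in rmm_hosts.keys() - intune_hosts.keys():
        findings.append(Finding("in-rmm-not-intune", host, "not enrolled in Intune"))

    # 3. Active employee with no RMM device at all
    assigned = {norm_upn(d.get("last_user") or "") for d in rmm}
    for upn in sorted(active - assigned):
        findings.append(Finding("employee-without-device", upn, "no RMM device has this user"))

    return sorted(findings, key=lambda f: (f.kind, f.subject))


# Constructed sample exports (not real inventory data)
RMM = [
    {"hostname": "LT-0412.corp.example.com", "last_user": "a.nguyen@example.com"},
    {"hostname": "lt-0418", "last_user": "j.brown@example.com"},
    {"hostname": "LT-0420", "last_user": "ex.contractor@example.com"},
    {"hostname": "LT-0431", "last_user": ""},
]
INTUNE = [
    {"hostname": "LT-0412", "last_user": "a.nguyen@example.com"},
    {"hostname": "LT-0418", "last_user": "j.brown@example.com"},
    {"hostname": "LT-0455", "last_user": "m.okafor@example.com"},
]
HR = [
    {"upn": "A.Nguyen@example.com", "status": "active"},
    {"upn": "j.brown@example.com", "status": "terminated"},
    {"upn": "m.okafor@example.com", "status": "active"},
]

if __name__ == "__main__":
    for f in reconcile(RMM, INTUNE, HR):
        print(f"{f.kind:24} {f.subject:28} {f.detail}")
```

    Normalizing hostnames and UPNs before comparing is what makes the set differences meaningful; without it the same laptop shows up as three different devices and every tool looks orphaned.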

    Walk the diagram against reality — Meraki / FortiGate / Palo Alto configs, ISP circuits, failover paths, VLAN segmentation. Single-circuit sites and flat networks are the two findings that show up in every audit.

    Pull the hiring plan from HR / Finance and translate to laptop, license, VPN, and storage demand. Bake in a 10% buffer for backfills and contractors. M365 license tier mix (E3 vs E5 vs F1) drives a non-trivial chunk of the budget — flag changes early.

    Confirm the Intune Autopilot profile, JAMF prestage, and approved SKUs for the next refresh cycle. Standardization is the lever that keeps imaging time and helpdesk variance down.

    Per-system RTO/RPO with named owner. The runbook lives where on-call can find it at 3am — not buried in SharePoint. Test the doc by handing it to a Tier 2 who hasn't seen it and asking them to walk a failover.

Security and Compliance

    Run Tenable, Qualys, or Rapid7 InsightVM with credentialed scans, not network-only; an unauthenticated scan misses most missing-patch and local-privilege findings. Triage CVSS 9+ and anything with known exploitation (CISA KEV, vendor exploited-in-the-wild flags) first, then chase the long tail. Attach the scan export to this step for the audit trail.

    In Entra ID / Okta, run the MFA coverage report and filter the sign-in logs for legacy auth (IMAP, POP, SMTP AUTH, EWS, ActiveSync with basic auth). Service accounts and shared mailboxes are the usual gaps. MFA without blocking legacy auth is bypass by design: those protocols cannot present a second-factor prompt, so a phished or sprayed password alone logs in. Exchange Online turned Basic auth off for IMAP, POP, EWS and ActiveSync tenant-wide in 2022-2023; SMTP AUTH and any on-prem or hybrid Exchange are where the exposure usually remains.

    Apply Conditional Access policies to require MFA on the gap accounts and block legacy auth org-wide. Stage the block in report-only mode first, read the report-only results in the sign-in logs to catch anything still on basic auth, exclude the break-glass accounts, and coordinate with mailbox admins on moving shared mailboxes to modern auth before flipping the policy to enforced.
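    The two preceding steps (find the legacy-auth and single-factor sign-ins, then block legacy auth) as an added example that is not Microsoft's, Manifestly's, or the checklist author's code. It works on sign-in records in the shape the Microsoft Graph signIn resource returns (clientAppUsed, authenticationRequirement, status.errorCode) and emits the request body for POST /identity/conditionalAccess/policies. The sample records are constructed, and the exact clientAppUsed strings a tenant emits should be confirmed against its own export before the set below is trusted.

```python
"""Triage Entra sign-in exports for legacy auth, then build the CA block policy.

Added example, not Microsoft's or Manifestly's code. Field names follow the
Graph signIn resource; LEGACY_CLIENTS is the assumed set of clientAppUsed
labels for protocols that cannot complete an MFA prompt (verify against your
own export). The records are constructed.
"""
import json
from collections import Counter

LEGACY_CLIENTS = {
    "Exchange ActiveSync", "Other clients", "IMAP4", "POP3",
    "Authenticated SMTP", "Exchange Web Services", "MAPI Over HTTP",
    "Outlook Anywhere (RPC over HTTP)", "Autodiscover", "Offline Address Book",
}


def _succeeded(record):
    return record.get("status", {}).get("errorCode", 0) == 0


def legacy_auth_signins(records):
    """Count legacy-protocol sign-ins per (user, client), split by outcome.
    Successes are accounts still depending on basic auth (must migrate before
    the block); failures against legacy endpoints are the password-spray signature."""
    ok, failed = Counter(), Counter()
    for r in records:
        if r.get("clientAppUsed") not in LEGACY_CLIENTS:
            continue
        key = (r["userPrincipalName"].lower(), r["clientAppUsed"])
        if _succeeded(r):
            ok[key] += 1
        else:
            failed[key] += 1
    return ok, failed


def modern_single_factor_users(records):
    """Users who signed in successfully over modern auth with no second factor:
    an MFA registration or Conditional Access gap, not a protocol problem."""
    users = set()
    for r in records:
        if r.get("clientAppUsed") in LEGACY_CLIENTS or not _succeeded(r):
            continue
        if r.get("authenticationRequirement") == "singleFactorAuthentication":
            users.add(r["userPrincipalName"].lower())
    return sorted(users)


def block_legacy_auth_policy(break_glass_ids, enforce=False):
    """Request body for POST /identity/conditionalAccess/policies.
    Starts in report-only so the sign-in log shows what would be blocked;
    pass enforce=True once shared mailboxes are on modern auth."""
    return {
        "displayName": "Block legacy authentication (all users)",
        "state": "enabled" if enforce else "enabledForReportingButNotEnforced",
        "conditions": {
            # exchangeActiveSync + other == every non-modern client type
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"], "excludeUsers": list(break_glass_ids)},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


# Constructed sign-in records (not from a real tenant)
SIGNINS = [
    {"userPrincipalName": "svc-scanner@example.com", "clientAppUsed": "Authenticated SMTP",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "shared-ap@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "shared-ap@example.com", "clientAppUsed": "IMAP4",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "a.nguyen@example.com", "clientAppUsed": "Browser",
     "authenticationRequirement": "multiFactorAuthentication", "status": {"errorCode": 0}},
    {"userPrincipalName": "j.brown@example.com", "clientAppUsed": "Mobile Apps and Desktop clients",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 0}},
    # 50126 is "invalid username or password": a failed guess against POP3
    {"userPrincipalName": "attacker-guess@example.com", "clientAppUsed": "POP3",
     "authenticationRequirement": "singleFactorAuthentication", "status": {"errorCode": 50126}},
]

if __name__ == "__main__":
    ok, failed = legacy_auth_signins(SIGNINS)
    print("still on legacy auth:", dict(ok))
    print("failed legacy attempts:", dict(failed))
    print("modern auth, no MFA:", modern_single_factor_users(SIGNINS))
    # Break-glass object ID is a placeholder, not a real account.
    print(json.dumps(block_legacy_auth_policy(["00000000-0000-0000-0000-000000000001"]), indent=2))
```

    The triage output is the migration list: every (user, client) pair in the success counter has to be moved to modern auth or accepted as an exception before the policy state changes from report-only to enabled. The excludeUsers entry is deliberately for break-glass accounts only; excluding the shared mailboxes instead would leave exactly the bypass the step is meant to close.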

    Confirm which frameworks apply this cycle. For SOC 2, refresh the change-management, access-review, and vendor-management evidence binders. For HIPAA, confirm BAAs are current with every subprocessor handling PHI.

    Test ring (IT staff) → pilot ring (volunteer power users, ~5%) → production ring, with 7-14 days between rings. Document the rollback plan and the blackout windows on the calendar.

Data Management

    Pick a tier-1 system, restore into an isolated VLAN, validate data integrity, and time the run. The success metric is a verified restore — not a green dashboard. Veeam / Datto / Rubrik will all happily report success on a backup that won't restore.

    Treat a failed drill as a P1. File the ticket with the backup vendor, document the failure mode, and schedule the re-test. A failed drill that's not remediated within the cycle is the finding that ends up on the SOC 2 exception list.

    Pull the encryption status report from Intune / Jamf and confirm recovery keys are escrowed (BitLocker keys in Entra ID / Intune, FileVault personal recovery keys in Jamf). The gap is usually older devices that predate the policy or BYOD machines that slipped through enrollment; a device that reports encrypted but has no escrowed key is still a finding, because a locked disk with no key is a data-loss event.

    Walk the matrix with Legal — public, internal, confidential, restricted — and confirm M365 retention labels and Purview policies map cleanly. Litigation holds get reviewed here too.

    Compare actual SAN, OneDrive, and Azure Blob growth against last quarter's projection. Anomalous growth often points to a runaway log file or a user dumping personal media into OneDrive.

User Support and Training

    Pull the last 90 days from ServiceNow / Freshservice / ConnectWise PSA. Top-3 categories drive the next training cadence; outlier MTTR drives the runbook updates.

    Pick a phishing-simulation template that matches the threat trends from the SIEM and the mail gateway (current lures, not last year's defaults). Coordinate the date with HR so the campaign doesn't land during open enrollment.

    Cover what shipped in the last quarter's Microsoft roadmap that affects users — Copilot rollout, Teams updates, Loop. Record the session and post to the helpdesk knowledge base.

    Pull the CSAT trend from the PSA and segment by tech and ticket category. A specific tech with a CSAT outlier is a coaching conversation, not a public chart.

    Users who clicked on three consecutive simulations get assigned remediation training and their manager is notified per the awareness policy. The same 12 users every quarter is the pattern to watch for.

Vendor and Contract Management

    Every vendor, every contract, every renewal date, every named contact. The gap that shows up in audits is the vendor that's been auto-renewing for three years with nobody actively managing it.

    Pull uptime and response-time data from the vendor portals (Meraki Dashboard, Datto status, M365 Service Health) and compare against contracted SLAs. Credits for missed SLAs almost always require a written claim — file them.

    Auto-renew clauses bite when nobody's watching. 90 days out is the window to negotiate; 30 days out you've lost leverage. Microsoft, Veeam, and CrowdStrike renewals especially benefit from a quote-shop.

    Refresh the vendor security file: SOC 2 Type II report, signed BAA where PHI is in scope, DPA where GDPR / CCPA applies. A vendor whose SOC 2 report period has lapsed either provides a bridge letter covering the gap to today or moves to the risk-accepted list with a named approver and an expiry date.

    Map subprocessors of your top-10 vendors — the SolarWinds and Kaseya supply-chain incidents are the reason this row exists on the risk register. Flag concentrations (e.g., five vendors all hosting on the same region of one cloud).
