5 easy places to start with IT compliance
An easy place to start with IT compliance or management projects is to pick something that's easy to measure.
Here are 5 things to start with.
- Disaster recovery plan
  - Is it a reasonable length?
  - Does it cover a reasonable number of scenarios?
  - Is it accessible if your computers are not?
  - Do people know where it is?
  - Is it readable?
- Microsoft Secure Score
  Microsoft Secure Score is a measurement of an organization's security posture: a higher number means more of the recommended actions have been taken. Over 90% of cyber attacks begin with email, so your security posture here is a good indication of your overall risk.
  You can read more about Microsoft Secure Score here: https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide
- MFA adoption rate
  Ask for a list of all the applications in use and which ones have MFA enabled. It's reasonable that some systems won't have MFA enabled, but there should be a documented reason or other mitigating controls for each one.
- Phishing failure rate
  All employees (even executives) should be tested at least monthly. The percentage of test emails clicked should go down over time and ideally be less than 1%.
- Average age of PCs
  One of the goals of a compliance program is to keep systems up and running. Ageing hardware is one of the things that keeps computers from running reliably. It also forces IT to choose between installing security software that may make a machine unusably slow and relaxing standards to keep end users happy.
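The three metrics above (MFA adoption, phishing failure rate, average PC age) are easy to measure precisely because they reduce to simple arithmetic over an inventory. The script below is an added example, not part of the original article, showing how to turn a constructed application inventory, a series of monthly phishing click rates and a list of PC purchase dates into a small compliance summary. The data is constructed for illustration; the thresholds (1% click rate, five-year PC lifetime) and the rule that every non-MFA application needs a documented exception are assumptions chosen to match the text.

```python
"""Added example (not from the original article): compute the three
measurable compliance metrics from small constructed inventories.
All sample data is constructed; thresholds are assumptions."""
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass
class App:
    name: str
    mfa_enabled: bool
    exception_reason: str = ""  # documented reason / mitigating control if MFA is off


def mfa_report(apps):
    """Return (adoption rate in percent, apps lacking MFA with no documented reason).

    The article accepts that some systems will not have MFA, but only when a
    reason or mitigating control is recorded, so those are the ones flagged.
    """
    enabled = sum(1 for a in apps if a.mfa_enabled)
    rate = 100.0 * enabled / len(apps)
    unjustified = [a.name for a in apps if not a.mfa_enabled and not a.exception_reason]
    return round(rate, 1), unjustified


def phishing_report(monthly_click_rates, target_percent=1.0):
    """Return (latest rate, trending_down, meets_target) for monthly click rates.

    monthly_click_rates is a list of percentages in chronological order.
    The trend is the sign of a least-squares slope, so one noisy month does
    not flip the verdict the way a month-over-month comparison would.
    """
    n = len(monthly_click_rates)
    xs = list(range(n))
    x_bar, y_bar = mean(xs), mean(monthly_click_rates)
    numerator = sum((x - x_bar) * (y - y_bar) for x, y in zip(xs, monthly_click_rates))
    denominator = sum((x - x_bar) ** 2 for x in xs)
    slope = numerator / denominator if denominator else 0.0
    latest = monthly_click_rates[-1]
    return latest, slope < 0, latest < target_percent


def pc_age_report(purchase_dates, as_of, max_years=5):
    """Return (average age in years, number of PCs older than max_years)."""
    ages = [(as_of - d).days / 365.25 for d in purchase_dates]
    over_limit = sum(1 for age in ages if age > max_years)
    return round(mean(ages), 1), over_limit


# Constructed sample inventory (not real data).
SAMPLE_APPS = [
    App("Email", True),
    App("VPN", True),
    App("CRM", False, "Only reachable from the office network"),
    App("Legacy ERP", False),  # no MFA and no documented reason: should be flagged
]
SAMPLE_PHISHING_RATES = [6.0, 4.5, 3.0, 2.4, 1.2, 0.8]  # percent clicked, oldest first
SAMPLE_PURCHASE_DATES = [date(2018, 6, 30), date(2021, 6, 30), date(2023, 6, 30)]
AS_OF = date(2024, 6, 30)


def compliance_summary():
    """Collect the three metrics into one dict a manager could review monthly."""
    mfa_rate, unjustified = mfa_report(SAMPLE_APPS)
    latest, trending_down, meets_target = phishing_report(SAMPLE_PHISHING_RATES)
    avg_age, old_pcs = pc_age_report(SAMPLE_PURCHASE_DATES, AS_OF)
    return {
        "mfa_adoption_percent": mfa_rate,
        "apps_missing_mfa_without_reason": unjustified,
        "phishing_latest_percent": latest,
        "phishing_trending_down": trending_down,
        "phishing_under_target": meets_target,
        "average_pc_age_years": avg_age,
        "pcs_over_five_years": old_pcs,
    }


if __name__ == "__main__":
    for key, value in compliance_summary().items():
        print(f"{key}: {value}")
```

Each function returns its result rather than printing it so the numbers can be fed into a tracking spreadsheet or a monthly report; the only judgement calls are the thresholds, which are kept as parameters so they can be adjusted to a policy.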
Frequently Asked Questions: IT Compliance Starting Points
What does this article propose?
It proposes five measurable, straightforward items any business can review or implement as starting points for IT compliance.
What are those five starting items?
- A documented disaster recovery plan
- Your Microsoft Secure Score (for Microsoft 365 security posture)
- The rate of multi-factor authentication (MFA) adoption
- The phishing failure rate (how many users click test phishing emails)
- The average age of PCs in your environment (older machines lead to higher risk)
Why focus on the age of PCs?
Older PCs are more likely to fail, may not support newer security features, and may slow performance—all of which increase risk and reduce productivity.
Can small businesses with limited IT resources still use this list?
Yes—these items are chosen for feasibility and impact, making them ideal for smaller businesses trying to improve compliance without a large IT team.
What is the article’s key takeaway?
Start simple, measure progress, build upward. Compliance doesn’t require solving everything at once; it requires consistent momentum and measurable improvement.