5 easy places to start with IT compliance

An easy place to start with IT compliance or management projects is to pick something that's easy to measure.


Here are 5 things to start with.

  1. Disaster recovery plan

    Is it a reasonable length? 

    Does it cover a reasonable number of scenarios?

    Is it accessible if your computers are not?

    Do people know where it is?

    Is it readable? 

  2. Microsoft Secure Score

    Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating that more of the recommended actions have been taken. Over 90% of cyber attacks begin with email, so your security posture here is a good indication of your overall risk.

    You can read more about Microsoft Secure Score here: https://learn.microsoft.com/en-us/microsoft-365/security/defender/microsoft-secure-score?view=o365-worldwide


  3. MFA adoption rate

    Ask for a list of all the applications in use and which ones have MFA enabled. It's reasonable that some systems won't have MFA enabled, but there should be a documented reason or other mitigating controls for each one.

  4. Phishing failure rate

    All employees (even executives) should be tested at least monthly. The percentage of test emails clicked should go down over time and ideally be less than 1%.

  5. Average age of PCs

    One of the goals of a compliance program is to keep systems up and running. Old hardware is one of the things that stops computers from being up and running. It also forces IT to choose between installing security software that may make a machine unusably slow and relaxing standards to keep end users happy.
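As an added example that is not from the original post, the three metrics that lend themselves to a number (items 3, 4 and 5) computed from a constructed inventory: MFA adoption with the apps that lack MFA and have no documented reason flagged, the monthly phishing click rate checked for a downward trend and against the 1% target, and the average age of the PC fleet. The data, field names and function names are assumptions for illustration.

```python
from datetime import date
from statistics import mean

# Constructed sample inventory (not from the post): each app, whether MFA is
# enabled, and the documented reason or mitigating control if it is not.
APPS = [
    {"name": "Email", "mfa": True, "exception": ""},
    {"name": "VPN", "mfa": True, "exception": ""},
    {"name": "Payroll", "mfa": False, "exception": "SSO behind MFA-protected IdP"},
    {"name": "Legacy ERP", "mfa": False, "exception": ""},
]

# Constructed monthly phishing tests: (month, emails sent, emails clicked).
PHISHING = [("2024-01", 200, 18), ("2024-02", 200, 9), ("2024-03", 200, 4)]

# Constructed PC inventory: hostname -> purchase date.
PCS = {"pc-01": date(2019, 3, 1), "pc-02": date(2022, 6, 15), "pc-03": date(2023, 1, 10)}


def mfa_adoption(apps):
    """Return (MFA adoption rate in %, apps without MFA and without a documented reason)."""
    enabled = sum(1 for a in apps if a["mfa"])
    unjustified = [a["name"] for a in apps if not a["mfa"] and not a["exception"].strip()]
    return round(100 * enabled / len(apps), 1), unjustified


def phishing_trend(tests, target_pct=1.0):
    """Return (monthly click rates in %, whether every month improved, whether the
    latest month is under the target)."""
    rates = [round(100 * clicked / sent, 1) for _, sent, clicked in tests]
    improving = all(later < earlier for earlier, later in zip(rates, rates[1:]))
    return rates, improving, rates[-1] < target_pct


def average_pc_age_years(pcs, today):
    """Mean age of the fleet in years, using 365.25-day years."""
    return round(mean((today - bought).days / 365.25 for bought in pcs.values()), 2)


if __name__ == "__main__":
    rate, flagged = mfa_adoption(APPS)
    print(f"MFA adoption: {rate}% ; needs a reason or control: {flagged}")
    rates, improving, on_target = phishing_trend(PHISHING)
    print(f"Phishing click rates: {rates} improving={improving} under 1%={on_target}")
    print(f"Average PC age: {average_pc_age_years(PCS, date(2024, 4, 1))} years")
```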