Control Verification SOPs (MFA · Encryption/Email · Restore-Test)
Verify each managed control is correctly deployed and working, and capture the evidence artifact at the same time. Run at onboarding (lifecycle Stage 4) and on each control’s cadence.
The point: verify once, evidence once, reuse everywhere. The same proof feeds the compliance report evidence appendix, the monthly report posture chips, and questionnaire answers. A control with no captured evidence can’t be claimed as a PASS. Capture it here, not later.
Every verification produces: a PASS / PARTIAL / GAP result (per §3.0.5) + a dated evidence artifact, stored against the customer’s Syncro org / evidence store, keyed by Client ID (CS-####).
V-1 — MFA enforcement verification (C-04 · all tiers)
- Verify: MFA enforced tenant-wide (M365 / Workspace), no grandfathered exceptions; phishing-resistant (app/hardware, not SMS) for all admin accounts.
- Steps:
  - Pull the Conditional Access / 2-Step Verification policy.
  - Confirm coverage = 100% of active users; list any exceptions.
  - Confirm admin accounts use phishing-resistant factors.
- Evidence artifact: Conditional Access / 2SV policy export + coverage roster (N of N users), dated.
- PASS when: 100% enforced and admins phishing-resistant. PARTIAL if exceptions exist (name them + remediation). GAP if not enforced.
- Cadence: onboarding + monthly (feeds the monthly-report MFA chip).
V-2 — Encryption & email-security verification (C-06 + Defense+ encryption/DLP)
- Verify: email threat protection active (anti-phishing / BEC); SPF, DKIM, DMARC present and aligned; (Defense+) email encryption, DLP, and archiving configured.
- Steps:
  - Confirm the email-security policy is active and applied to all mailboxes.
  - Check DNS for SPF / DKIM / DMARC (DMARC at least p=quarantine); note gaps.
  - (Defense+) confirm encryption/DLP rules + archiving are enabled.
- Evidence artifact: policy config export/screenshot + the DNS record set (SPF/DKIM/DMARC), dated.
- PASS when: protection active + SPF/DKIM/DMARC present (+ DLP/archiving at Defense+).
- Cadence: onboarding + on change (DNS/tenant changes).
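The DNS step in V-2, as an added example (not part of the original SOP or of any tooling it references): a Python check that takes a captured TXT record set, notes gaps against the criteria above, and wraps the result in a dated record keyed by Client ID. The domain, the Client ID `CS-0000`, the `selector1` DKIM selector, the function names and the artifact field names are assumptions; alignment is not evaluated because it needs message headers, not DNS alone.

```python
import json
from datetime import datetime, timezone

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}

# Constructed sample record set (name -> TXT strings) for a placeholder domain.
SAMPLE = {
    "example.com": ["v=spf1 include:spf.protection.outlook.com -all"],
    "selector1._domainkey.example.com": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}

def parse_tags(txt):
    """Split a 'tag=value; tag=value' TXT string into a dict."""
    pairs = (part.split("=", 1) for part in txt.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def dns_gaps(domain, records, dkim_selectors):
    """Return the gaps to note; an empty list means the DNS step is met."""
    gaps = []
    spf = [t for t in records.get(domain, []) if t.lower().startswith("v=spf1")]
    if len(spf) != 1:  # zero is missing; more than one is an SPF permerror
        gaps.append(f"SPF: expected exactly one v=spf1 record, found {len(spf)}")
    elif spf[0].lower().split()[-1] in ("all", "+all"):
        gaps.append("SPF: policy ends in +all, which authorizes any sender")
    # DKIM: at least one selector must publish a non-empty key (empty p= is revoked)
    keys = [t for s in dkim_selectors
            for t in records.get(f"{s}._domainkey.{domain}", [])
            if parse_tags(t).get("p")]
    if not keys:
        gaps.append("DKIM: no selector publishes a public key")
    dmarc = [parse_tags(t) for t in records.get(f"_dmarc.{domain}", [])
             if t.lower().startswith("v=dmarc1")]
    if len(dmarc) != 1:
        gaps.append(f"DMARC: expected exactly one record, found {len(dmarc)}")
    elif POLICY_RANK.get(dmarc[0].get("p", "").lower(), 0) < POLICY_RANK["quarantine"]:
        gaps.append(f"DMARC: p={dmarc[0].get('p', 'missing')} is below p=quarantine")
    return gaps

def evidence(client_id, domain, records, dkim_selectors, checked_at=None):
    """Build the dated artifact: the record set as captured plus the findings."""
    gaps = dns_gaps(domain, records, dkim_selectors)
    when = checked_at or datetime.now(timezone.utc)
    return {"client_id": client_id, "control": "V-2", "domain": domain,
            "checked_at": when.isoformat(), "dns_records": records,
            "gaps": gaps, "dns_criteria_met": not gaps}

if __name__ == "__main__":
    print(json.dumps(evidence("CS-0000", "example.com", SAMPLE, ["selector1"]), indent=2))
```

`dns_criteria_met` covers only the DNS step; the V-2 result still depends on the email-security policy check and, at Defense+, the encryption/DLP/archiving check.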
V-3 — Backup restore-test verification (C-12 · all tiers)
- Verify: immutable backups are running and a restore actually succeeds. (An untested backup is not a backup — this is the artifact the Readiness Report most often finds missing at firms.)
- Steps:
  - Confirm backup jobs succeeded for the period (M365 mailboxes, SharePoint/OneDrive or Workspace equivalents).
  - Select a sample (a mailbox / file / site) and perform a restore to a safe location.
  - Confirm data integrity of the restored item.
  - Document and remove the test restore.
- Evidence artifact: restore-test log — what was restored, timestamp, success/fail, integrity check, who ran it. Dated.
- PASS when: restore completes + integrity confirmed.
- Cadence: onboarding + quarterly.
RMM policy set (Syncro) — defined
The Syncro policy set (patch / monitoring / automation) is applied at onboarding (see the Syncro new-customer SOP, Part A step 6). The concrete Windows + Mac policies — patch SLA (Critical 7d / High 30d / Standard 60d), maintenance window, monitoring thresholds, and automation — are now defined in the RMM Policy Set SOP ✅. Patch-status is a monthly-report posture chip, so patch compliance from the policy feeds the same posture cadence as V-1/V-2.
“Done” means (per control)
- Control verified to its PASS criteria
- Dated evidence artifact captured + stored against the customer’s Syncro org
- Posture chip set (feeds the monthly report)
- Any PARTIAL/GAP logged with a remediation owner + date
Gotchas
- No evidence = not a PASS. The verification isn’t done until the artifact is stored.
- Restore-test is the one people skip — and it’s the one that matters in a ransomware claim. Quarterly, real restore, documented.
- Keep evidence consistent across deliverables — pull from the stored artifact, don’t re-derive posture per report.