ORB Delivery Playbook (Internal) — 10 Business Days

Goal

Deliver a credible, board-readable baseline and a 30/60/90 plan that naturally converts into remediation work or a fractional retainer.

Success criteria (definition of “done”)

  • ✅ Client receives Exec Summary + Risk Register + 30/60/90 Plan
  • ✅ At least one restore test is executed and documented (scope agreed)
  • ✅ Findings include evidence (screenshots, configs, policy links, logs—sanitized)
  • ✅ Actions are prioritized and assigned an owner type (IT, vendor, leadership)
  • ✅ Readout occurs with decision-makers

Scope (what we cover)

Core domains

  1. Identity & Access
    • Admin accounts, MFA, SSO, shared accounts, privilege management
  2. Email & Collaboration Security
    • Phishing controls, DMARC/SPF/DKIM posture, sharing settings
  3. Endpoints
    • Device inventory, patching, disk encryption, EDR/AV posture
  4. Cloud/SaaS Configuration
    • M365/Google Workspace baseline settings, core SaaS access patterns
  5. Backups & Restore Readiness
    • Backup coverage, restore testing, ransomware protections, retention
  6. Operational Resilience
    • Critical workflows, vendor dependencies, incident roles, documentation

Out of scope (unless separately scoped)

  • Full penetration testing
  • Full compliance audit (SOC 2 / HIPAA / PCI)
  • Deep appsec review, code review
  • Large-scale migration execution

Framework (lightweight)

Use a simple mapping (don’t overdo it):

  • NIST CSF categories (Identify/Protect/Detect/Respond/Recover)
  • CIS Controls as plain-language controls

Standard tool stack (AI-native, low cost)

  • Docs: Google Drive or Microsoft SharePoint + a shared “Client ORB Folder”
  • Project tracking: Trello/ClickUp/Notion (choose one)
  • Meetings: Google Meet / Zoom + automatic transcription
  • Evidence capture: Loom (short clips), screenshots, exported config pages
  • AI drafting: ChatGPT / Claude for first drafts (always human-reviewed)
  • Automation: Zapier/Make to create folders, tasks, and reminders from intake form

Rule: AI can draft. Humans approve. Never paste secrets into AI.


Delivery Timeline (Day-by-Day)

Day 0 (Pre-kickoff) — Setup

Owner: Solanasis

  • Create client folder structure (see 05_Client_Folder_Structure.md)
  • Prepare:
    • Intake form
    • Access checklist
    • Kickoff agenda
  • Create project board with lanes:
    • Intake / Access
    • Evidence Gathering
    • Analysis
    • Draft Deliverables
    • Final Review

Day 1 — Kickoff + Intake

Outputs:

  • Confirm scope + restore test target
  • Confirm POC + stakeholders
  • Confirm tools (M365/Google, backup solution, endpoint tools)

Calls:

  • 45–60 min Kickoff call (use 08_Kickoff_Agenda.md)

AI-native tip:

  • Record + transcribe. Use AI to summarize notes and extract action items.
  • Store summaries in the client folder under /working/meeting-notes/.

Day 2 — Access + Evidence Collection

Outputs:

  • Access confirmed (read-only where possible)
  • Evidence list started

Tasks:

  • Follow 07_Access_Checklist.md
  • Request:
    • Org chart / vendor list
    • Current policies (if any)
    • Asset list (if exists)

Days 3–4 — Security Baseline Checks

Outputs:

  • Findings notes by domain
  • Screenshots/evidence captured

Checks:

  • Identity/admin posture
  • Email security + sharing settings
  • Endpoint baseline and patching posture (as available)
  • SaaS access patterns and key system settings

Days 5–6 — Backup + Restore Verification

Outputs:

  • Restore test executed and documented
  • “Recoverability reality” notes

Restore test options (pick one):

  • Restore a file set from backup to a safe location
  • Restore a VM snapshot (if applicable)
  • Restore a key SaaS dataset (e.g., M365 mailbox / SharePoint / Google Drive export)
  • Validate RTO/RPO assumptions

Evidence:

  • Time to restore
  • What failed (permissions, missing coverage, slow process)
  • Any ransomware protection features enabled/disabled
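One way to turn the file-set restore option into documented evidence (time to restore, what failed, RTO check). This is an added example, not the playbook's own tooling; the function names, the SHA-256 manifest approach and the sample file set are all constructed here, and `shutil.copytree` stands in for whatever restore job the client's backup product actually runs.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path

def sha256_of(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(source):
    """Capture relative path -> sha256 of the live data before the drill."""
    return {str(p.relative_to(source)): sha256_of(p)
            for p in source.rglob("*") if p.is_file()}

def restore_drill(backup, staging, manifest, rto_seconds):
    """Restore `backup` into the safe `staging` dir, time it, verify each file."""
    start = time.monotonic()
    shutil.copytree(backup, staging)  # stand-in for the client's real restore job
    elapsed = time.monotonic() - start
    missing, corrupt = [], []
    for rel, expected in manifest.items():
        target = staging / rel
        if not target.is_file():
            missing.append(rel)       # coverage gap: never backed up or dropped
        elif sha256_of(target) != expected:
            corrupt.append(rel)       # stale or damaged copy
    return {"restore_seconds": round(elapsed, 3), "within_rto": elapsed <= rto_seconds,
            "files_expected": len(manifest), "files_missing": missing,
            "files_corrupt": corrupt,
            "passed": not (missing or corrupt) and elapsed <= rto_seconds}

def demo():
    """Constructed sample: backup lost one file and holds a stale copy of another."""
    root = Path(tempfile.mkdtemp(prefix="orb-restore-"))
    live, backup, staging = root / "live", root / "backup", root / "staging"
    (live / "finance").mkdir(parents=True)
    (live / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
    (live / "policy.txt").write_text("backup policy v1\n")
    (live / "notes.md").write_text("restore test notes\n")
    manifest = build_manifest(live)
    shutil.copytree(live, backup)
    (backup / "notes.md").unlink()                            # simulate missing coverage
    (backup / "policy.txt").write_text("backup policy v0\n")  # simulate stale copy
    result = restore_drill(backup, staging, manifest, rto_seconds=60)
    shutil.rmtree(root)  # the evidence dict is what goes into the client folder
    return result
```

The returned dict is the "recoverability reality" record: a backup that restores quickly but silently misses or stales a file still fails the drill.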

Day 7 — Synthesis Draft

Outputs:

  • Draft risk register
  • Draft maturity scorecard
  • Draft 30/60/90 plan outline

AI-native:

  • Feed your bullet findings (no secrets) to AI to propose:
    • Risk titles
    • Plain-English impact statements
    • Remediation options and effort levels
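A pre-flight redaction pass that supports the "no secrets" rule before findings bullets go to an AI drafting tool. This is an added example, not part of the playbook; the pattern list, `redact` function and the sample notes are constructed and illustrative, not an exhaustive secret detector, so a human still reviews the output before pasting.

```python
import re

# Constructed patterns for this example; order matters: specific before broad.
PATTERNS = [
    ("JWT", re.compile(r"\beyJ[\w-]+\.[\w-]+\.[\w-]+\b")),
    ("AWS_KEY", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("PASSWORD", re.compile(r"(?i)\b(password|passwd|secret|token|api[ _-]?key)\s*[:=]\s*\S+")),
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IPV4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

def redact(text):
    """Return (sanitized text, counts per category) for pasting into an AI drafting tool."""
    counts = {}
    for label, pattern in PATTERNS:
        def _sub(match, label=label):
            counts[label] = counts.get(label, 0) + 1
            if label == "PASSWORD":  # keep the key name so the finding stays readable
                return f"{match.group(1)}=[REDACTED:{label}]"
            return f"[REDACTED:{label}]"
        text = pattern.sub(_sub, text)
    return text, counts

# Constructed findings notes (not real data) for the demo below.
SAMPLE_NOTES = """\
Finding: shared admin account backup-svc@example.com, password: Summer2024!
Backup appliance at 10.20.30.40 reachable from the guest Wi-Fi.
Vendor API key = sk_live_placeholder123 is stored in a Teams chat.
MFA not enforced for 3 of 5 global admins.
"""

def demo():
    return redact(SAMPLE_NOTES)
```

The counts give a quick sanity check in the working notes (how many items were stripped, by type) while the finding itself stays readable enough for the AI to propose a title and impact statement.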

Day 8 — Deliverable Drafting

Outputs:

  • Draft Exec Summary
  • Draft findings narrative
  • Draft action plan with owners

Use templates in /deliverables.

Day 9 — Internal QA + Stakeholder Pre-Read

Outputs:

  • Final polish + consistency check
  • Send “pre-read” to client POC if appropriate

QA checklist: see 14_QA_Completion_Criteria.md

Day 10 — Leadership Readout + Next-Step Decision

Outputs:

  • 45–60 min readout meeting
  • Agreement on next steps:
    • Remediation sprint
    • Fractional retainer
    • Both

Close strong:

  • “Here are the top 5 actions that reduce your risk the most in the next 30 days.”
  • “Here’s what you can delegate vs what needs leadership decisions.”

How this converts to Fractional

End every ORB with:

  • A 90-day plan + optional “we run it with you” path
  • Clear monthly cadence proposal:
    • Monthly security + ops review
    • Quarterly restore drill
    • Vendor/permissions hygiene
    • Incident readiness tabletop