ORB Evidence Checklist (Internal)
Identity & Access
- Admin role list screenshot/export
- MFA enforcement settings
- Conditional access policies (if any)
- Password policy settings
- Guest user settings
Email & Collaboration
- Anti-phishing settings
- SPF/DKIM/DMARC record status (high level)
- External forwarding controls
- Sharing defaults (Drive/SharePoint)
Endpoints
- Inventory list (count + types)
- Encryption posture
- Patch compliance snapshot
- EDR/AV status
Backups & Restore
- Backup job list + coverage
- Retention rules
- Immutability / ransomware protections (if available)
- Restore test:
  - start time
  - end time
  - result
  - blockers
Ops Readiness
- Who is the “incident owner”
- Contact tree
- Vendor escalation path
- Documentation quality snapshot
Evidence rules
- Capture just enough proof to support findings.
- Sanitize: blur emails, names, IDs where needed.