ORB Delivery Playbook (Internal) — 10 Business Days + 3 Calls
Objective
Deliver a credible, evidence-backed baseline + a prioritized 30/60/90 plan that converts cleanly into remediation or a fractional retainer.
Success criteria (definition of “done”)
- ✅ Exec Summary (PDF) + Risk Register (sheet) + 30/60/90 Plan (sheet)
- ✅ At least one restore test executed and documented
- ✅ Evidence is included but sanitized
- ✅ Actions have owner types (Leadership / IT / MSP / Vendor)
- ✅ Readout includes decision-makers
Scope (what we cover)
Core domains
- Identity & Access
- Email & Collaboration security
- Endpoints baseline (as available)
- SaaS posture (admins/access patterns)
- Backups & Restore readiness (coverage + restore test)
- Operational readiness (roles, escalation, critical workflows)
Out of scope (unless separately scoped)
- Pen testing/red teaming
- Full compliance audit (SOC 2/HIPAA/PCI)
- Large-scale remediation or migrations
- Deep appsec/code review
Calls (3 total)
- Kickoff (45–60 min): scope lock + restore target selection
- Mid-check (20–30 min): unblock access + share early signals
- Readout (45–60 min): decisions + next step
Day-by-day delivery
Day 0 — Setup
- Create client folder + internal working folder
- Create project board (Notion recommended)
- Send kickoff email + intake + access checklist
- Book Day 10 readout now
Day 1 — Kickoff + scope lock
Outputs:
- Confirm POC + stakeholders + MSP/vendor contacts
- Pick restore test target (one)
- Confirm access model + evidence plan
Day 2 — Access + evidence collection
Outputs:
- Read-only access validated; temp elevated access only if needed
- Evidence checklist started
- Systems inventory created (top 10 systems)
Days 3–4 — Baseline checks (fast, practical)
Outputs:
- Findings bullets by domain
- Sanitized evidence captured (screenshots/exports where available)
Days 5–6 — Restore verification (the “proof”)
Outputs:
- Restore executed to safe/sandbox location
- Time-to-restore measured
- Restore mini-runbook drafted
Day 7 — Synthesis
Outputs:
- Draft risk register (prioritized)
- Draft maturity scorecard
- Draft 30/60/90 plan outline
Day 8 — Draft deliverables
Outputs:
- Draft exec summary (PDF)
- Draft sheets (risk register + 30/60/90 plan)
Day 9 — QA + pre-read
Outputs:
- Remove contradictions; tighten language
- Sanitize evidence (blur/redact)
- Optional pre-read to POC
Day 10 — Readout + decision
Outputs:
- Leadership decisions captured
- Next step selected: remediation sprint and/or fractional retainer
Scope guardrail: “quick wins” (up to 4 hours included)
Offer up to 4 hours total of safe, reversible quick wins. Anything larger becomes remediation.
Safe quick wins menu (pick 1–3 max):
- Enforce MFA for admin accounts / remove legacy auth (where applicable)
- Disable external auto-forwarding (or tighten it)
- Reduce over-privileged admin roles (least privilege pass)
- Configure backup alerts to a shared mailbox/channel
- Create a basic incident contact tree + escalation sheet
- Draft/update a restore runbook based on the test