ORB Delivery Playbook (Internal) — 10 Business Days + 3 Calls
Objective
Deliver a credible, evidence-backed baseline + a prioritized 30/60/90 plan that converts cleanly into remediation or a fractional retainer.
Success criteria (definition of “done”)
- ✅ Exec Summary (PDF) + Risk Register (sheet) + 30/60/90 Plan (sheet)
- ✅ At least one restore test executed and documented
- ✅ Evidence is included but sanitized
- ✅ Actions have owner types (Leadership / IT / MSP / Vendor)
- ✅ Readout includes decision-makers
Scope (what we cover)
Core domains
- Identity & Access
- Email & Collaboration security
- Endpoints baseline (as available)
- SaaS posture (admins/access patterns)
- Backups & Restore readiness (coverage + restore test)
- Operational readiness (roles, escalation, critical workflows)
Out of scope (unless separately scoped)
- Pen testing/red teaming
- Full compliance audit (SOC 2/HIPAA/PCI)
- Large-scale remediation or migrations
- Deep appsec/code review
Calls (3 total)
- Kickoff (45–60 min): scope lock + restore target selection
- Mid-check (20–30 min): unblock access + share early signals
- Readout (45–60 min): decisions + next step
Day-by-day delivery
Day 0 — Setup
- Create client folder + internal working folder
- Create project board (Notion recommended)
- Send kickoff email + intake + access checklist
- Book Day 10 readout now
Day 1 — Kickoff + scope lock
Outputs:
- Confirm POC + stakeholders + MSP/vendor contacts
- Pick restore test target (one)
- Confirm access model + evidence plan
Day 2 — Access + evidence collection
Outputs:
- Read-only access validated; temporary elevated access only if needed, time-boxed and removed at close
- Evidence checklist started
- Systems inventory created (top 10 systems)
Days 3–4 — Baseline checks (fast, practical)
Outputs:
- Findings bullets by domain
- Sanitized evidence captured (screenshots/exports where available)
Email authentication quick check:
- Run DNS checks for MX, SPF, DMARC, and known DKIM selectors
- Validate SPF syntax / DNS-lookup risk (the RFC 7208 limit of 10) with a local tool such as checkdmarc or spfquery
- Confirm DMARC policy and whether a reporting mailbox (rua) exists
- Confirm external forwarding controls
- If the client is a bulk sender or has deliverability complaints, check provider-side sender tooling:
  - Google Postmaster Tools
  - Microsoft SNDS / JMRP
  - Yahoo Complaint Feedback Loop
Minimum evidence to capture:
- SPF record present/missing and any obvious syntax or lookup issues
- DMARC record present/missing and current policy (none, quarantine, reject)
- DMARC reporting mailbox (rua) configured or missing
- DKIM selector resolvable or not (where selector/provider is known)
- External forwarding control state
- Reputation-tool enrollment status for bulk senders
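As an added worked example (not part of the original playbook, and not checkdmarc or spfquery), the Python checker below does the SPF/DMARC/DKIM part of this quick check offline: it counts the SPF terms that cost a DNS lookup against the RFC 7208 limit of 10, following include:/redirect= targets it knows about, reads the DMARC p= and rua= tags, and confirms a DKIM selector record exists. TXT records are passed in a dict that stands in for DNS; the zone contents, domain names and selector are constructed, and in an engagement you fill the dict from `dig +short TXT <name>` output.

```python
"""Offline SPF / DMARC / DKIM checker for the Days 3-4 email-auth quick check.
Records come from a dict standing in for DNS, so it runs without network access."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Terms that each cost a DNS lookup toward the RFC 7208 limit of 10.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10


@dataclass
class Result:
    domain: str
    spf_lookups: int = 0
    spf_all: Optional[str] = None        # "-all", "~all", "+all" or None
    dmarc_policy: Optional[str] = None   # none / quarantine / reject
    dmarc_rua: Optional[str] = None
    dkim_selector_ok: Optional[bool] = None
    issues: List[str] = field(default_factory=list)


def _txt(zone: Dict[str, List[str]], name: str, prefix: str) -> Optional[str]:
    """First TXT string at `name` that starts with `prefix` (case-insensitive)."""
    return next((t for t in zone.get(name.lower(), []) if t.lower().startswith(prefix.lower())), None)


def _count_lookups(zone: Dict[str, List[str]], record: str, chain: tuple) -> int:
    """Count lookup-costing terms, recursing into include:/redirect= targets present
    in `zone`; `chain` is the current include path and stops include loops."""
    count = 0
    for term in record.split()[1:]:                    # skip "v=spf1"
        bare = re.sub(r"^[+\-~?]", "", term)           # drop qualifier
        name, _, arg = bare.partition(":" if ":" in bare else "=")
        name = name.split("/")[0].lower()              # "a/24" -> "a"
        if name not in SPF_LOOKUP_TERMS:
            continue
        count += 1
        if name in ("include", "redirect") and arg and arg.lower() not in chain:
            sub = _txt(zone, arg, "v=spf1")
            if sub:
                count += _count_lookups(zone, sub, chain + (arg.lower(),))
    return count


def _spf_all(record: str) -> Optional[str]:
    for term in record.split()[1:]:
        if re.sub(r"^[+\-~?]", "", term).lower() == "all":
            return term if term[0] in "+-~?" else "+" + term   # bare "all" means "+all"
    return None


def _parse_tags(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        k, _, v = part.strip().partition("=")
        if k:
            tags[k.strip().lower()] = v.strip()
    return tags


def assess(zone: Dict[str, List[str]], domain: str, dkim_selector: Optional[str] = None) -> Result:
    r = Result(domain=domain)
    spf = _txt(zone, domain, "v=spf1")
    if spf is None:
        r.issues.append("SPF: no v=spf1 record")
    else:
        r.spf_lookups = _count_lookups(zone, spf, (domain.lower(),))
        r.spf_all = _spf_all(spf)
        if r.spf_lookups > SPF_LOOKUP_LIMIT:
            r.issues.append(f"SPF: {r.spf_lookups} lookups exceeds {SPF_LOOKUP_LIMIT}; receivers return permerror")
        if r.spf_all is None and "redirect=" not in spf.lower():
            r.issues.append("SPF: no 'all' term, unlisted senders evaluate as neutral")
        elif r.spf_all == "+all":
            r.issues.append("SPF: '+all' authorizes every sender")
    dmarc = _txt(zone, f"_dmarc.{domain}", "v=DMARC1")
    if dmarc is None:
        r.issues.append(f"DMARC: no record at _dmarc.{domain}")
    else:
        tags = _parse_tags(dmarc)
        r.dmarc_policy, r.dmarc_rua = tags.get("p"), tags.get("rua")
        if r.dmarc_policy not in ("none", "quarantine", "reject"):
            r.issues.append("DMARC: missing or invalid p= tag")
        elif r.dmarc_policy == "none":
            r.issues.append("DMARC: p=none is monitor-only, spoofed mail is still delivered")
        if not r.dmarc_rua:
            r.issues.append("DMARC: no rua= address, aggregate reports are lost")
    if dkim_selector:
        name = f"{dkim_selector}._domainkey.{domain}"
        # Some providers omit v=DKIM1; a p= tag alone is still a key record.
        r.dkim_selector_ok = any("p=" in t for t in zone.get(name.lower(), []))
        if not r.dkim_selector_ok:
            r.issues.append(f"DKIM: no key record at {name}")
    return r


# Constructed sample zone (not real client data): keys are DNS names, values TXT strings.
SAMPLE_ZONE = {
    "client.example": ["v=spf1 include:_spf.mailvendor.example include:_spf.crm.example a mx ptr -all"],
    "_spf.mailvendor.example": ["v=spf1 include:_net1.mailvendor.example include:_net2.mailvendor.example ~all"],
    "_net1.mailvendor.example": ["v=spf1 ip4:203.0.113.0/24 ~all"],
    "_net2.mailvendor.example": ["v=spf1 ip4:198.51.100.0/24 ~all"],
    "_spf.crm.example": ["v=spf1 include:_spf.mailvendor.example a ~all"],
    "_dmarc.client.example": ["v=DMARC1; p=none; rua=mailto:dmarc@client.example"],
    "selector1._domainkey.client.example": ["v=DKIM1; k=rsa; p=PLACEHOLDERKEY"],  # constructed key
    "good.example": ["v=spf1 ip4:203.0.113.10 -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
}

if __name__ == "__main__":
    for d in ("client.example", "good.example", "missing.example"):
        res = assess(SAMPLE_ZONE, d, "selector1")
        print(f"{d}: lookups={res.spf_lookups} all={res.spf_all} p={res.dmarc_policy}", *res.issues, sep="\n  ")
```

The sample client record is deliberately built so that the nested includes push the total to 11 lookups, which is the silent failure mode to look for: the record looks fine on its own and only breaks once every vendor include is expanded. The printed issue lines map directly onto the "minimum evidence" bullets above.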
Days 5–6 — Restore verification (the “proof”)
Outputs:
- Restore executed to safe/sandbox location
- Time-to-restore measured
- Restore mini-runbook drafted
Day 7 — Synthesis
Outputs:
- Draft risk register (prioritized)
- Draft maturity scorecard
- Draft 30/60/90 plan outline
Day 8 — Draft deliverables
Outputs:
- Draft exec summary (PDF)
- Draft sheets (risk register + 30/60/90 plan)
Day 9 — QA + pre-read
Outputs:
- Remove contradictions; tighten language
- Sanitize evidence (blur/redact)
- Optional pre-read to POC
Day 10 — Readout + decision
Outputs:
- Leadership decisions captured
- Next step selected: remediation sprint and/or fractional retainer
Scope guardrail: “quick wins” (up to 4 hours included)
Offer up to 4 hours total of safe, reversible quick wins. Anything larger becomes remediation.
Safe quick wins menu (pick 1–3 max):
- Enforce MFA for admin accounts / remove legacy auth (where applicable)
- Disable external auto-forwarding (or tighten)
- Reduce over-privileged admin roles (least privilege pass)
- Configure backup alerts to a shared mailbox/channel
- Create a basic incident contact tree + escalation sheet
- Draft/update a restore runbook based on the test