Evidence Checklist (Internal)
Identity & Access
- Admin roles list
- MFA enforcement screenshot/config
- Guest/external settings
Email/Collaboration
- Anti-phishing settings
- External forwarding controls
- Sharing defaults snapshot
Endpoints
- Inventory counts
- Patch posture snapshot
- Encryption posture snapshot
Backups/Restore
- Coverage/job list snapshot
- Retention snapshot
- Restore test:
  - start time
  - end time
  - result
  - blockers
Ops readiness
- Incident roles/contact tree
- Vendor escalation path
- Documentation/runbook snapshot
Evidence rules
- Capture just enough to support claims
- Sanitize: blur names/emails/IDs where needed