Security Standards Baseline
Northwatch's minimum security and supportability standards are designed to protect your business, your data, and your day-to-day operations. These requirements establish a secure and stable foundation for the systems you rely on, helping reduce the risk of account compromise, ransomware, data loss, extended downtime, and other preventable disruptions.
If your environment does not currently meet these standards, that does not automatically prevent us from working together. It does mean you must be willing to transition to them as part of onboarding, which may require remediation or replacement of unsupported systems before full management begins.
1. Core Managed IT Baseline
This is the minimum supportable standard for any fully managed client.
Mandatory requirements
- Supported operating systems only
- Supported line-of-business software only where vendor support exists
- Centralized device management for managed endpoints
- Automated patch management for OS and supported third-party apps
- Managed endpoint protection installed and active
- MFA required for administrative accounts, M365/Google admin roles, VPN access, and remote access tools
- Unique user accounts only; no shared admin credentials except documented break-glass accounts
- Password policy enforced for managed identities
Microsoft 365 / Email baseline
- MFA enforced for admins
- MFA enforced for users where feasible, at minimum for priority users
- Legacy authentication disabled where possible
- Mailbox auditing enabled where supported
- Basic anti-phishing and anti-malware protections enabled
- Least-privilege admin role assignment
- External forwarding controlled or disabled unless approved
Backup baseline
- Backup solution deployed or verified for agreed systems/data
- Backup monitoring enabled with alerts on failure
- Restore scope and responsibility documented
Network baseline
- Business-grade supported firewall/router
- Secure remote administration only
- Modern Wi-Fi encryption with separate guest network where applicable
- Basic network and asset documentation maintained
Supportability rules
- Unsupported or end-of-life systems must be removed, isolated, or excluded from management
- Devices outside standards may be excluded from SLA
2. Managed Security Baseline
Includes everything in Core Managed IT, plus active security controls and review.
Additional mandatory requirements
- Managed endpoint detection and response enabled
- Security alert triage process defined
- Documented vulnerability review cadence
Identity and access controls
- Privileged access reviewed regularly
- Administrative role separation where feasible
- Conditional access policies applied where supported
Vulnerability management
- Regular vulnerability scanning with remediation tracking
- Risk-ranked remediation guidance
Email and cloud hardening
- Stronger phishing and impersonation protections
- Tenant hardening and suspicious rule review
Incident readiness
- Documented containment and escalation process
- Defined communication path for incidents
3. Advanced Security Baseline
Includes everything in Managed Security, plus deeper monitoring, governance, and compliance support.
Additional mandatory requirements
- Centralized security logging across defined systems
- Expanded threat detection coverage
- Formalized security review rhythm
Governance controls
- Security posture and risk reporting
- Documented policy alignment and exception tracking
Monitoring depth
- Continuous or near-continuous monitoring expectations
- Priority incident response workflow
Northwatch Security Baseline by Package
| Control | Core Managed IT | Managed Security | Advanced Security |
|---|---|---|---|
| MFA and identity baseline | Required | Required + review | Required + expanded controls |
| Email security baseline | Required if managed | Required | Required |
| Vulnerability scanning | Limited/periodic | Included | Continuous/expanded |
| Security alert monitoring | Basic platform alerts | Included | Expanded monitoring |
| Centralized logging | No | Limited/selected sources | Required |
| Incident response support | Best effort/project-based | Included at defined level | Priority response included |
| Security awareness training | Optional | Recommended/available | Included |
| Compliance and risk reporting | No | Limited | Included |