Form steps:
1. Client Information
2. Server Migration
3. Email Migration
4. Security Phase 1 - Identity & Email
5. Security Phase 2 - Endpoint & MDM
6. Company Policy

Client

Client Email (will receive copy)

Who has been involved in project conversations?

How was this project initiated?

Please list specific requirements the client must follow based upon their vendors, industry, or TMG standards for every client.

Upload any applications or form documents previously provided that can assist in understanding their compliance needs.
Max. file size: 50 MB, Max. files: 5.

Anticipated Time Frame:

IMPORTANT! This project scope guide DOES NOT include details for the following:
- Networking
- Server Replacement
- Office Move Projects
For the above project types, we will follow the similar Business Case process, providing as much detail as we can and then giving it directly to the Project Team to run with the Discovery, skipping this consulting form.

Does this project involve a server migration of any kind?
- Yes
- No

Are multiple physical locations affected by this project? If yes, please explain:

Type of migration
- Full Cloud - server will be completely removed
- Partial Cloud - server will still be present but some functions will be moved away from the server
- Still needs to be determined
- No Server Migration

What is the plan for the existing server?
- Bring back to TMG, keep for 90 days, destroy HD, and recycle
- Move archived data not being transferred to external hard drive
- Reuse in the future

Check all existing server functions that will be part of this project scope:
- File Shares (shared and personal)
- Line of Business Applications
- Network Functions (DHCP, DNS to Firewall)
- Security Functions (AD to Azure AD)
- Print Functions (switch to local or universal printing)
- N/A (No server)

FILE SHARES: Explain how they would like their files structured (if applicable at this time)
Click here to download Teams Migration Template

Will any local storage need to exist after the server is removed? (i.e. NAS)
- Yes
- No
- Still needs to be determined

Is there existing hardware capable of providing this storage?

LINE OF BUSINESS APPLICATIONS:

NETWORK FUNCTIONS: I have explained the network functionality changes that we will go through during the technical discovery process, which may lead to a replacement of the existing firewall.

SECURITY FUNCTIONS:

PRINT FUNCTIONS:

Does this project include an email migration?
- Yes
- No

Where is the client's email currently located?
- On-Premise Exchange Server
- Legacy Email Server (POP)
- G Suite
- Other

Outside of email, check all existing functions that will be part of this project scope:
- Microsoft Office Apps
- Calendars (both shared and personal)
- Files (Google Drive, OneDrive, etc)
- Scan to Email
- Voicemail to Email
- Not 100% Sure; Client Didn't Know & Will Need Project Team To Fill In Gaps

MICROSOFT OFFICE APPS:

CALENDARS:

FILES:

SCAN TO EMAIL:

VOICEMAIL TO EMAIL:

List any notes for the Project Engineer to use to assist in his/her discovery process:

Remaining Microsoft 365 & TMG Standards to be Implemented

By default, we would implement each of the below items in this project. The goal of this question is to understand the client's position and, where needed, discuss it with the client to gain definition (mainly around MFA and moving into Phase 1 for Conditional Access). You should select all options unless you have a documented reason as to why one of these TMG Standards shouldn't be implemented.
- Self-Service Password Reset, Passwords to not expire, require min of 2 Authentication Methods
- Email Authentication (SPF, DKIM, DMARC)
- MFA (Minimum = Security Defaults with end user MFA; goal of MFA enforced via Conditional Access) - $6.50/user or Business Premium
- Defender for Office 365 - $2.50/user or Business Premium
- Office 365 Backup - $3.15/user
- Remaining Security Phase 1 Implementation (encryption, DLP, retention, Teams/SPO/OneDrive, etc) - Requires Business Premium - $22.50/user

Does this project include Business Premium Security Phase 1?
- Yes
- No

Does this project include keeping an existing server (i.e. DUO with Phase 1)?
- Yes
- No

Click Here for What's Included Phase 1 Security Controls

Initial Prep

Microsoft 365 Licensing Requirements:
- Standard, automatically upgrade to Business Premium ($22.50/mo minus existing license cost)
- Basic or below we can do the Entra ID P1 ($6.50/mo) + Defender for Office 365 ($2.50/mo) add-ons ONLY if they DON'T need email encryption. If they do, they will need to jump to Business Premium
- If Non-Profit, automatically upgrade to Business Premium ($6.00/mo minus existing license cost)
**Pricing is assuming an annual commitment**

Upload Finalized User List With License Type
Export their current user list from 365 prior to consultation and confirm their existing 365 user list. Once finalized, upload the final copy here to send to the Project Team.
Accepted file types: xlsx, Max. file size: 50 MB.

Identity Protection & MFA

List the current global admins within 365 along with proposed changes needed:
No licensed user should have Global Admin privileges and a minimum of 2 Global Admins should be assigned in case the other one gets locked out. If the client needs this level of access, we will create a net new unlicensed account for them and remove this role from their "daily driver" account.

List any accounts currently utilizing Legacy Authentication that will need to be excluded:
Go into 365 Admin > Identity > Users > All Users > Sign-In Logs > Add Filter > Client App > Apply > Select Client App: None Selected > Click all the checkboxes under Legacy Authentication Clients > Apply. List any user accounts that show up. If none, write none.

Authentication Methods:
- Confirm their stakeholders are prepared for all their users to download the Microsoft Authenticator on their mobile phones as the primary source (i.e. know their Apple ID passwords)
- Define if additional authentication methods need to be used (Yubikey, etc)
- By default, we WILL NOT include SMS, and OTP via email is not available as a primary method, only as SSPR.
- If DUO, SSPR will not be available and they will need to use the DUO app or other compatible MFA method.

Email Security

Do we have access to make DNS changes?
Go into TMG Glue > Domains > Registrar. If it lists TMG, then we are good; if it lists someone else, look under passwords to see if we have that account listed.
- Yes
- No

Determine current SPF/DKIM needs:
If the client doesn't know, we can get DMARC set up and then revisit SPF/DKIM once we have DMARC reports via Valimail.

List the key stakeholders that will be set up for impersonation protection:

Compliance and Information Protection

Email Encryption / Sensitivity Labels
Describe Sensitivity Labels and how we will be setting up the initial "Encrypt-Only" label. By default we will not be expanding outside the 1 label unless they have a specific requirement. We will revisit this and review the history in Phase 3 to determine how this needs to expand.

Email Retention
- How long should email be retained? The default is 7 years.
- After 7 years, should the emails be automatically deleted or just remove the retention protection?
- Should we set up archiving to move email from inbox to archive after 1-year to prevent mailbox from filling up? 1-year is the default but can be changed.
- Should Protection Lock be enabled? This would be for a fully compliance-driven reason, as once you make these policies, you cannot remove them or change them later.

Data Loss Prevention
Describe data loss prevention and how our default policy is to look for credit card numbers, bank account numbers, and social security numbers sent to external contacts outside of your org. If these are found, we will set it to send an alert email to the designated POC describing who sent it, what was found, and who it was being sent to.

Would they like to add End User Cyber Security Training + Phishing Testing ($3/user/mo)?
https://themillergroup.com/cybersecurity-training/
- Yes
- No
- Already has it in place

Setting End User Expectations:
1. Users will need to register for MFA utilizing the methods discussed (authenticator app) which may prompt them to authenticate again on their other devices when utilizing the Office apps.
2. "External email" banner will display for emails coming from outside the organization.
3. If users are being prompted for MFA pushes when they aren't actively logging in, they need to report fraud to our team so we can investigate.
4. Anyone with a current Global Admin account will receive a new account login that is using an unlicensed account.
5. End users will be able to reset their own passwords without needing to contact TMG.
6. If a user needs to encrypt sensitive information when sending an email, they will need to select the label titled "Encrypt-Only" within Outlook.

List any notes and / or follow up items for Phase 1:

Does this project include Business Premium Security Phase 2?
- Yes
- No

In order to implement the following security controls, the client will need to have Business Premium licenses for all users ($22.50/mo) and Phase 1 complete.

Click Here for What's Included in Phase 2 Security Controls

Initial Prep

Will this be a hybrid setup or full cloud?
- Hybrid with local domain controller
- Full cloud
- Still needs to be determined

Does the client currently have DUO providing MFA for desktop logins?
- Yes
- No

Does the client currently have DUO providing MFA for domain admin login?
- Yes
- No
- No Domain

Does the client currently have DUO providing MFA for remote access?
- Yes
- No

Are there any licenses that will need to be upgraded fully to Business Premium in order to enforce Phase 2 security controls? If yes, list those accounts here:
Main points would be clients that used add-ons for AAD P1 and MDO for Phase 1 and don't have Business Premium. Also, for the "email only" users, what are the expectations for them in Phase 2 Security Controls? Do they have a computer they use? Will MDM be a part of this solution?

How would they like to handle BYOD for personal computers?

How would they like to handle BYOD for cell phones / tablets?

Computer Profile Migration + Enrollment

Explain the migration process from AD or local to AAD and list the quantities of devices that fall into each bucket:
Project Engineer will later confirm the usage of these computers as necessary.

Upload current devices in RMM and add columns for biometrics and encryption ready
Accepted file types: xlsx, Max. file size: 50 MB.

Explain Endpoint Encryption & List Notes:

Explain Computer MFA (Windows Hello for Business) & List Notes:

Are there any computers that are not currently meeting baseline requirements (OS, age, etc)?

Are there any Macs or Linux computers that need to be a part of this project?
Ask client and/or look in Addigy for confirmation

Click here to view all FAQs around WHFB

Endpoint Security Controls

Discuss & Confirm DNS Filtering categories:
Click here to view all the DNS filtering categories

As part of TMG's standard security controls for endpoints, we will implement the following once the devices are AAD joined and enrolled into Intune:
- Endpoint Detection & Response (EDR)
- Next Generation Antivirus
- Windows Firewall Policies

Device Access & Compliance Policies

Discuss Device Compliance Policies & Notes:

Discuss Mobile Device Compliance Policies & Notes:

Discuss Mobile Device Management (MDM) options:

Discuss App Protection Policies:

Automated App Deployment & Management

Discuss App Deployment & Intune (mobile devices):

Discuss App Deployment & Intune (computers):

Discuss Groups Configurations:

Explain Windows Autopilot Opportunities:

Setting End User Expectations:
1. With additional protection on the computers, our staff will be notified of any detected security threats on the included devices.
2. If doing MDM, any users currently using the built-in mail app on their phone will now be required to use the Outlook app, as the mail app will no longer function.

List any notes and / or follow up items for Phase 2:

Check all cyber security policies you wish to have created or want to update based on the security controls listed on the previous pages:
- Acceptable Use Policy
- Bring Your Own Device (BYOD) Policy
- Mobile Device Policy
- User Termination Policy
- Removable Media Policy (USB sticks)

Notes around creation of company policies: