Infoways  Minimum Technology Standards

Minimum Technology Standards

​

To enable Us to deliver the Services effectively and meet Our obligations, Your environment must meet and maintain the following minimum standards, unless expressly agreed otherwise in writing.

​

1. Hardware and Infrastructure

• All servers, workstations, and network devices must be supported by the manufacturer and not be past End-of-Support (EOS) or End-of-Life (EOL).

• Devices must meet minimum hardware specifications required for modern operating systems and security tooling (e.g., EDR, monitoring agents).

• Network devices (firewalls, routers, switches, WAPs) must support current security protocols, logging, and remote management.

 

2. Operating Systems and Software

• Operating systems must be licensed, supported, and within vendor-supported lifecycle (e.g., Microsoft, Apple, Linux).

• Must have automatic updates enabled, or approved patch-management process aligned with agreed patching cycles.

• Microsoft 365 tenants and Azure environments must be licensed under supported SKUs (e.g., Business Premium, E3/E5, Defender plan).

• 3rd-party applications must be licensed, up-to-date, and included in a patch management scope if support is required.

 

3. Network and Connectivity 

• Stable and secure internet connectivity to support monitoring, remote support, and security agents.

• Unless managed by Us, the Client must maintain firewall, DNS filtering, or secure web gateway capable of enforcing security policies.

• VPN, remote access, or secure connectivity must be available for management and monitoring purposes.

• Appropriate network segmentation for critical assets, domain controllers, and cloud or on-prem infrastructure.

 

4. Security Baseline Requirements 

• Multi-Factor Authentication enabled for all privileged and remote access accounts, and ideally for all users. 

• Active and supported Endpoint Detection & Response or equivalent antivirus/antimalware solution.

• Unified Identity Management using Azure AD, Okta, or equivalent.

• Critical assets and admin accounts must be hardened in line with industry standards (e.g., CIS, MS Best Practice).

• Unless managed by Us, backups must be stored securely with encryption, retention policies, and offsite or cloud redundancy.

• Minimum Security Awareness Training and Acceptable Use Policies implemented for all staff.

 

5. Cloud, Email, and Data Protection 

• Microsoft 365, Google Workspace, or cloud services must have:

  • SPF, DKIM, and DMARC (at least in "Monitor" or "Quarantine") for email security.

  • Conditional Access or Zero Trust controls where supported.

  • Licensing required to enable Defender/M365 E5 or equivalent email/cloud threat protection.

  • Backup and retention policies for email, SharePoint, OneDrive, Teams or critical systems.

 

6. Access, Monitoring, and Visibility 

• Client must allow monitoring agents, logging, and alerting to be installed on relevant systems.

• Logs (including firewall, endpoint, cloud, AD, email) must be accessible for correlation and threat response.

• Client must maintain admin access where needed to implement remediation or respond to threats quickly.

• Provide access to cloud tenant, M365 Security & Compliance Center, Azure portal, or SIEM environment as applicable.

 

7. Policy, Compliance, and User Preparedness 

• Must maintain reasonable internal policies, including:

  • IT Security Policy

  • Backup & Recovery Policy

  • Access Control Policy / Acceptable Use

  • Incident Response and Reporting process

  • All users should complete baseline cybersecurity awareness training and phishing simulation (if included in the service).

 

8. Responsibilities and Exclusions 

• We cannot be held responsible for security incidents or service degradation caused by non-compliance with these standards.

• If non-compliance is found, We may recommend remediation, pause certain services, or provide a separate proposal for upgrading Your environment.

​

Last updated:8 December 2025

Current Version: 1.0