Infoways Minimum Technology Standards

To enable Us to deliver the Services effectively and meet Our obligations, Your environment must meet and maintain the following minimum standards, unless expressly agreed otherwise in writing.

1. Hardware and Infrastructure
- All servers, workstations, and network devices must be supported by the manufacturer and not be past End-of-Support (EOS) or End-of-Life (EOL).
- Devices must meet minimum hardware specifications required for modern operating systems and security tooling (e.g., EDR, monitoring agents).
- Network devices (firewalls, routers, switches, WAPs) must support current security protocols, logging, and remote management.

2. Operating Systems and Software
- Operating systems must be licensed, supported, and within the vendor-supported lifecycle (e.g., Microsoft, Apple, Linux).
- Systems must have automatic updates enabled, or an approved patch-management process aligned with agreed patching cycles.
- Microsoft 365 tenants and Azure environments must be licensed under supported SKUs (e.g., Business Premium, E3/E5, Defender plan).
- Third-party applications must be licensed, up to date, and included in patch-management scope if support is required.

3. Network and Connectivity
- Stable and secure internet connectivity to support monitoring, remote support, and security agents.
- Unless managed by Us, the Client must maintain a firewall, DNS filtering, or a secure web gateway capable of enforcing security policies.
- VPN, remote access, or secure connectivity must be available for management and monitoring purposes.
- Appropriate network segmentation for critical assets, domain controllers, and cloud or on-prem infrastructure.

4. Security Baseline Requirements
- Multi-Factor Authentication enabled for all privileged and remote access accounts, and ideally for all users.
- Active and supported Endpoint Detection & Response or equivalent antivirus/antimalware solution.
- Unified Identity Management using Azure AD, Okta, or equivalent.
- Critical assets and admin accounts must be hardened in line with industry standards (e.g., CIS, MS Best Practice).
- Unless managed by Us, backups must be stored securely with encryption, retention policies, and offsite or cloud redundancy.
- Minimum Security Awareness Training and Acceptable Use Policies implemented for all staff.

5. Cloud, Email, and Data Protection
- Microsoft 365, Google Workspace, or cloud services must have:
  - SPF, DKIM, and DMARC (at least in "Monitor" or "Quarantine") for email security.
  - Conditional Access or Zero Trust controls where supported.
  - Licensing required to enable Defender/M365 E5 or equivalent email/cloud threat protection.
  - Backup and retention policies for email, SharePoint, OneDrive, Teams or critical systems.

6. Access, Monitoring, and Visibility
- Client must allow monitoring agents, logging, and alerting to be installed on relevant systems.
- Logs (including firewall, endpoint, cloud, AD, email) must be accessible for correlation and threat response.
- Client must maintain admin access where needed to implement remediation or respond to threats quickly.
- Provide access to cloud tenant, M365 Security & Compliance Center, Azure portal, or SIEM environment as applicable.

7. Policy, Compliance, and User Preparedness
- Must maintain reasonable internal policies, including:
  - IT Security Policy
  - Backup & Recovery Policy
  - Access Control Policy / Acceptable Use
  - Incident Response and Reporting process
- All users should complete baseline cybersecurity awareness training and phishing simulation (if included in the service).

8. Responsibilities and Exclusions
- We cannot be held responsible for security incidents or service degradation caused by non-compliance with these standards.
- If non-compliance is found, We may recommend remediation, pause certain services, or provide a separate proposal for upgrading Your environment.

Last updated: 8 December 2025
Current Version: 1.0