Baseline controls
- 2FA everywhere, strong passwords, SSO where possible.
- Least-privilege roles and change approvals.
- Backups with restore drills; checksums for evidence.
App hardening
- Headers (CSP, HSTS, Referrer-Policy), secure cookies, no mixed content.
- Static-first deploys, signed audit trail.
- Log review patterns and incident runbook outline.
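A small audit for the headers and cookie flags in the first item above, added here as an example rather than taken from the page. Header names are the real ones; the sample weak and hardened responses, and the threshold choices (one-year HSTS, the set of acceptable Referrer-Policy values), are assumptions.

```python
# Added example (not from the page): audit one HTTP response against the
# checklist above. Header names are the real ones; sample values are constructed.
ONE_YEAR = 31536000  # seconds; common minimum HSTS max-age
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def hsts_max_age(value: str) -> int:
    """Parse max-age out of a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        key, _, num = directive.strip().lower().partition("=")
        if key == "max-age" and num.isdigit():
            return int(num)
    return 0


def audit_response(headers: dict[str, str], set_cookies: list[str]) -> list[str]:
    """Return findings for one response's headers and cookies; [] means clean."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    elif not any(d in csp for d in ("upgrade-insecure-requests", "block-all-mixed-content")):
        findings.append("CSP neither upgrades nor blocks mixed content")
    if hsts_max_age(h.get("strict-transport-security", "")) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if h.get("referrer-policy", "").strip().lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy missing or leaks full URLs")
    for raw in set_cookies:
        parts = [p.strip() for p in raw.split(";")]
        name = parts[0].partition("=")[0]
        attrs = {p.lower() for p in parts[1:]}  # attributes after the name=value pair
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {name} lacks SameSite")
    return findings


# Constructed sample responses: a weak deploy beside the hardened one.
WEAK = ({"Strict-Transport-Security": "max-age=300", "Referrer-Policy": "unsafe-url"},
        ["session=abc123; Path=/"])
HARDENED = ({"Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests",
             "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
             "Referrer-Policy": "strict-origin-when-cross-origin"},
            ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"])

if __name__ == "__main__":
    for label, (hdrs, cookies) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_response(hdrs, cookies) or ["ok"])
```

The returned findings list is the kind of dated, reproducible test result the evidence pack below can cite.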
Proof
Export a short evidence pack: controls list, dates, owners, and test results.