Security and compliance documentation for executives, insurance reviewers, legal teams, vendor-risk teams, and enterprise buyers. Public statements below; NDA-gated artefacts available on request within five business days.
EFROS operates as a cybersecurity-first managed service provider. Every engagement runs under documented controls aligned to recognised frameworks. Independent attestations and partner-tier letters are reviewed annually and provided under NDA to qualified prospects.
EFROS operates against the certifications, partner programs, and frameworks listed below. Each piece of supporting evidence — Statement of Applicability, attestation report, partner-tier letter, individual engineer credentialing — is released under mutual non-disclosure agreement to qualified clients and their insurance, legal, or audit reviewers.
The following are released to qualified clients and their insurance, legal, or audit reviewers under mutual non-disclosure agreement.
Client data remains in the client's own tenant by default. EFROS engineers operate with the minimum-necessary access required for the engagement. Read-only auditor or global-reader roles are preferred where the task allows; elevated access is time-boxed, logged, and reviewed.
EFROS operates against GDPR, UK GDPR, CCPA / CPRA, HIPAA (where BAA in place), and PIPEDA expectations. Every engagement contract includes confidentiality covenants. Employees are bound by individual confidentiality agreements and trained annually on data-handling procedures.
If an incident affects a client environment, the 24×7 SOC contains first, communicates with the client's designated incident contact, and follows the runbook documented during the engagement onboarding. Severity classification and SLA targets are the canonical P1-P4 matrix below (Section 6a).
Canonical priority bands and response SLAs for incident response under EFROS Fortress SOC engagements. Lower-tier programs (Core IT, Secure Operations) follow the same bands with business-hours-only coverage on P3 and P4.
| Priority | Definition | Acknowledge | Containment status | Mitigation target | Formal notification |
|---|---|---|---|---|---|
| P1 — Critical | Customer-impacting outage or active confirmed incident | 30 minutes | 1 hour | 4 hours | ≤ 24 hours |
| P2 — High | Degraded service or contained security alert | 1 hour | 4 hours | 1 business day | If regulatory clock applies |
| P3 — Medium | Non-urgent issue or standard change request | 4 business hours | n/a | 3 business days | n/a |
| P4 — Low | Informational, scheduled change or maintenance | 1 business day | n/a | 5 business days | n/a |
Regulatory-notification clocks (HIPAA OCR, NYDFS Part 500 §500.17 72-hour, GDPR/UK GDPR 72-hour, state breach statutes) run in parallel with this matrix and are tracked per-incident against jurisdiction. Performance against this matrix is reported quarterly under NDA via the Trust Center.
EFROS carries cyber-liability, professional-indemnity, and commercial-general-liability coverage. Certificates of insurance are provided to qualified prospects under NDA. Carrier-specific attestations available for clients whose own cyber insurance requires vendor-side documentation (Beazley, Chubb, AIG, Travelers, and the major specialty markets).
For procurement reviewers, security questionnaires (SIG, CAIQ, SAQ, custom), and audit requests, route directly to our compliance team. We typically return completed questionnaires within five business days.
Security researchers reporting vulnerabilities in EFROS-operated systems or client environments under our scope are welcomed. We follow a coordinated disclosure model and do not pursue legal action against researchers who act in good faith.
Microsoft Solutions Partner status is verifiable via Microsoft Partner Center. AWS Partner status is verifiable via the AWS Partner Network directory. Cisco Partner status (Cisco 360 Partner Program, 2026) via the Cisco Partner Locator. ISO 27001 and SOC 2 attestations are released under NDA.
Yes. Standardised questionnaires (SIG, CAIQ) are returned within 5 business days. Custom questionnaires within 10 business days. We sign with evidence references, not with claims that exceed our actual controls.
Yes. We sign BAAs with every healthcare client and operate HIPAA-aligned controls as a default. The BAA is signed before any PHI-relevant systems are touched.
In your tenant. EFROS engineers operate against your Microsoft 365, Google Workspace, AWS, Azure, or Google Cloud tenant under read-only or scoped credentials. EFROS does not retain custody of client data outside the agreed retention window for evidence (typically 12 months) and destruction is verifiable.
All documentation, configuration, and runbooks remain in your tenant. EFROS retains evidence files under encryption for the contractually agreed retention period (default 12 months), then destroys them with verifiable sign-off. You can request earlier destruction at any time.
Every EFROS employee with production access undergoes a criminal background screening through a reputable vendor before starting. Renewed for sensitive engagements. References available under NDA.
Anonymized samples drawn from real engagements. Every artifact below is a representation of what an EFROS client receives as part of an assessment, incident-response retainer, or managed service. Not marketing slides — operational outputs.
Recommended: move to p=quarantine within 14 days after a 30-day aggregate-report review, then to p=reject. Owner: IT lead. Effort: 2 hours.
Defender for Endpoint blocks file-encryption pattern, isolates host from network. Initial alert fires in SOC console.
Identity, lateral-movement, and persistence indicators pulled from SIEM. Two additional endpoints flagged with matching IOCs.
Compromised user revoked, sign-in sessions terminated. All three endpoints isolated. Lateral targets pre-emptively isolated.
Notification per pre-agreed SLA. Bridge opened with client lead, EFROS IR lead, and SOC on the line. Initial scope and impact statement delivered.
Memory image, disk snapshot, and log preservation. TTPs matched against known affiliate. Initial-access vector identified (phished M365 account, no MFA).
Confirmed-clean baseline images deployed to a quarantine VLAN. Patient zero credential rotated, app-password reset across affected services.
Three-2-1 backup restored to clean infrastructure. Hash integrity verified, AV scan clean. User-facing systems back online on a watched VLAN.
Written report delivered: TTPs, IOCs, what worked, what didn't, mandatory hardening (MFA, Conditional Access, log retention). Lessons documented for tabletop.
| Status | Area | Control | Note |
|---|---|---|---|
| Implemented | Identity MFA enforced for all licensed users Conditional Access policy 'Require MFA for all users' active | ||
| Partial | Identity Privileged accounts on FIDO2 or Authenticator with number-match 3 of 5 Global Admins still on SMS — schedule cutover | ||
| Implemented | Identity Conditional Access blocks legacy authentication Policy active; 0 legacy-auth sign-ins last 30 days | ||
| Missing | Identity Risk-based sign-in policy and user-risk policy enabled Entra ID P2 features available but not configured | ||
| Partial | Email security SPF / DKIM / DMARC at p=reject with aggregate reporting DMARC at p=quarantine; ready to move to p=reject in 30 days | ||
| Implemented | Email security Anti-phishing impersonation protection (Defender for Office 365) Mailbox-intelligence on; 4 executives in protected-users list | ||
| Implemented | Email security Safe Links and Safe Attachments policies tuned Dynamic delivery on; click-time URL rewriting active | ||
| Missing | Email security External-sender warning banner on inbound mail Transport rule not deployed — recommended for BEC defense | ||
| Implemented | Endpoint Defender for Endpoint or third-party EDR on all devices Defender P2; 248 of 248 devices reporting | ||
| Partial | Endpoint Intune compliance policy gates Conditional Access Windows compliant; macOS and iOS compliance policies pending | ||
| Missing | Endpoint Attack Surface Reduction rules in audit-then-block mode ASR rules not enabled — high-leverage hardening | ||
| Missing | Data Sensitivity labels with auto-classification on top 3 categories Purview unlicensed or unconfigured | ||
| Partial | Data DLP policies for credit-card / SSN / health data DLP on email only — extend to Teams, SharePoint, OneDrive | ||
| Implemented | Audit Unified audit log enabled and retention extended to 1 year+ Audit log on; retention at default 180 days — extend to 365 | ||
| Missing | Audit Alert policies routed to SOC or 24×7 monitoring Alerts firing into a shared inbox no one watches at 2 AM |
| Status | Rule | Detail | Evidence |
|---|---|---|---|
| Pass | 3 copies of every protected workload Production + on-prem repo + cloud repo for tier-1 systems Evidence: Veeam job report: 100% of tier-1 systems with 3 copies | ||
| Pass | 2 different storage media Disk-based repo + object-storage cloud tier Evidence: Wasabi S3 immutable tier + local ReFS volume | ||
| Pass | 1 copy off-site, geographically separated Cloud copy in a region >300 km from primary site Evidence: Cloud copy in EU-Central, primary in EU-West | ||
| Warn | 1 copy immutable (object-lock or air-gap) Hardened repository or S3 Object Lock with retention period Evidence: Object Lock at 14 days — recommended minimum is 30 days | ||
| Fail | 0 backup verification errors SureBackup or recovery-verification job passes on every restore point Evidence: 4 of 12 tier-1 jobs without verification configured | ||
| Warn | Quarterly full-restore test, written record A complete restore-to-clean-infrastructure dry-run with documented timing Evidence: Last test 11 months ago — overdue per policy | ||
| Pass | RTO target documented per workload tier Recovery Time Objective per system, agreed with the business Evidence: Tier-1: 4 hr · Tier-2: 24 hr · Tier-3: 72 hr (signed off) | ||
| Pass | RPO target documented per workload tier Recovery Point Objective expressed in minutes/hours of data loss Evidence: Tier-1: 15 min · Tier-2: 4 hr · Tier-3: 24 hr | ||
| Fail | Backup credentials separated from production AD A compromised domain admin must not be able to delete backups Evidence: Veeam service account is a domain admin — high-risk finding | ||
| Pass | Backup repository monitored by SOC Alerts route to a 24×7 watched queue, not a shared inbox Evidence: Veeam ONE → Wazuh → SOC ticketing pipeline live |
For vendor-risk reviewers, audit teams, or enterprise procurement. We typically return completed questionnaires within 5 business days.