You can prove through firewall logs and connectors that mail flow is secured via a spam filter and is locked down by IP address
Backups
You can report the status of your backup jobs for the last year
You can prove backup notifications are monitored and acted on in case of failure
Disaster Recovery
You have performed a yearly DR test and have the findings from this test
Ticketing
You can list all request for change (RFC) tickets in the last year
You can list all tickets for the year
Security
You have had a penetration test and have proof of resolution of all the findings
Windows
Admin-level privileges on Windows Server: confirm the appropriateness of membership of these groups:
Group Policy Creator Owners
Schema Admins
Administrators (local to domain controllers)
Domain Admins
Enterprise Admins
Once confirmed, document the purpose, who has access and, if it is a generic account, whether the password is stored in a tool/vault
Check the password expiry setting configuration in Active Directory and check if it is inherited from the Windows AD GPO (Group Policy) settings
You can prove who has console access to servers in your environment
SQL
Confirm SQL local account appropriateness, i.e. that the access privileges assigned to each account are appropriate for the user's job responsibilities. For generic accounts, confirm the appropriateness by providing the purpose of the account and the business need to provide such access to the account.
Where a SQL user account does not have Windows password policies or an expiration policy set, provide a suitable justification/business rationale for that. (If it is a service account, provide evidence that the password to the account is stored in a tool. Also provide the users that have access to the password.)
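
One way to collect the evidence for the two SQL items above, as an added example that is not part of the original checklist: a T-SQL query, run on each SQL Server instance, that lists every SQL-authenticated login with its password policy flags and server role memberships. It assumes the account running it can see all logins (sysadmin or VIEW ANY DEFINITION); the needs_justification column is a label introduced here for illustration.

```sql
-- Added example: evidence query for SQL-authenticated (local) logins.
-- Windows logins and groups are not in sys.sql_logins; their password
-- policy comes from Active Directory, not from SQL Server.
SELECT
    sl.name                                        AS login_name,
    sl.is_disabled,
    sl.is_policy_checked,      -- 0 = CHECK_POLICY = OFF (Windows password policy not applied)
    sl.is_expiration_checked,  -- 0 = CHECK_EXPIRATION = OFF (password does not expire)
    LOGINPROPERTY(sl.name, 'PasswordLastSetTime')  AS password_last_set,
    LOGINPROPERTY(sl.name, 'DaysUntilExpiration')  AS days_until_expiration,
    sl.create_date,
    sl.modify_date,
    -- Comma-separated fixed/user-defined server roles (sysadmin, securityadmin, ...)
    STUFF((
        SELECT ', ' + r.name
        FROM sys.server_role_members AS rm
        JOIN sys.server_principals   AS r
          ON r.principal_id = rm.role_principal_id
        WHERE rm.member_principal_id = sl.principal_id
        FOR XML PATH('')
    ), 1, 2, '')                                   AS server_roles,
    -- Hypothetical label: enabled logins missing either policy need a written rationale
    CASE
        WHEN sl.is_disabled = 0
         AND (sl.is_policy_checked = 0 OR sl.is_expiration_checked = 0)
        THEN 'YES' ELSE 'NO'
    END                                            AS needs_justification
FROM sys.sql_logins AS sl
WHERE sl.name NOT LIKE '##%'   -- skip SQL Server's internal ##MS_...## logins
ORDER BY needs_justification DESC, sl.name;
```

Export the result set with the instance name and run date, then record the purpose, owner and password vault location against each row marked YES.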