Sector 8 – Identity and Access Management (IAM)

Identity and Access Management (IAM) focuses on managing digital identities and controlling user access to systems, applications, and sensitive data. This involves enforcing access policies, implementing multi-factor authentication (MFA), and using role-based access control (RBAC) to ensure only authorised users can access critical resources. Effective IAM practices help organisations maintain secure access, reduce the risk of unauthorised access, and comply with regulatory requirements for data security.

———————————————————————————————————

Level 1 Certification

———————————————————————————————————

Measure 8.1: Implement Basic Role-Based Access Control (RBAC)

Does your enterprise use role-based access control (RBAC) to restrict access to systems and data based on user roles?
Example: Implement a simple RBAC system where employees are granted access to systems and resources based on their job functions, ensuring they only have the necessary permissions to perform their tasks.

Measure 8.2: Enable Multi-Factor Authentication (MFA) for Critical Accounts

Does your enterprise use multi-factor authentication (MFA) for access to sensitive systems or data?
Example: Require MFA for all critical accounts, such as email and accounting software, to add an extra layer of security: users verify their identity with something they know (a password) and something they have (an authenticator app, a hardware security key or an SMS code). Where possible, prefer an authenticator app or hardware key over SMS, which is the weakest of these options.

Measure 8.3: Regularly Review User Access Permissions

Does your enterprise regularly review user access permissions to ensure employees have appropriate access?
Example: Conduct quarterly reviews to verify that employees only have access to the systems and data necessary for their roles. Remove access immediately when an employee leaves the company or changes roles.

Measure 8.4: Monitor User Activity for Unusual Behaviour

Does your enterprise monitor user activity to detect any signs of unusual or unauthorised access?
Example: Use a basic monitoring tool or platform to track login attempts, access logs, and system usage to identify abnormal patterns or potential security risks.
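As an added illustration of Measure 8.4 (this is example code written for this page, not a tool the page recommends), the following script runs two simple detections over a constructed authentication log: a burst of failed logins from one source against one user, with a note when a success follows the burst, and the first successful login from a source the user has never used before. The log format, thresholds and all sample lines are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). One event per line:
# "<ISO timestamp> <user> <source IP> <success|failure>".
SAMPLE_LOG = """\
2024-05-01T09:00:01Z alice 10.0.0.5 success
2024-05-01T09:00:10Z bob 203.0.113.9 failure
2024-05-01T09:00:12Z bob 203.0.113.9 failure
2024-05-01T09:00:15Z bob 203.0.113.9 failure
2024-05-01T09:00:19Z bob 203.0.113.9 failure
2024-05-01T09:00:22Z bob 203.0.113.9 failure
2024-05-01T09:00:30Z bob 203.0.113.9 success
2024-05-01T09:05:00Z carol 10.0.0.7 success
2024-05-01T21:45:00Z carol 198.51.100.4 success
"""


def parse_log(text):
    """Parse the constructed format above into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag (user, source) pairs with `threshold` or more failures inside `window`.

    A success after the burst is recorded separately: that is the case to treat as a
    possible compromise rather than just noise.
    """
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["src"])].append(e)

    alerts = []
    for (user, src), evs in by_key.items():
        failures = [e["ts"] for e in evs if e["result"] == "failure"]
        for i in range(len(failures) - threshold + 1):
            burst_end = failures[i + threshold - 1]
            if burst_end - failures[i] <= window:
                success_after = any(
                    e["result"] == "success" and e["ts"] > burst_end for e in evs
                )
                alerts.append({"user": user, "src": src, "success_after": success_after})
                break  # one alert per pair is enough for this pass
    return alerts


def detect_new_source(events):
    """Flag the first successful login from a source the user has never used before.

    The first login ever seen for a user seeds the baseline and is not flagged.
    """
    seen = defaultdict(set)
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        known = seen[e["user"]]
        if known and e["src"] not in known:
            alerts.append({"user": e["user"], "src": e["src"], "ts": e["ts"]})
        known.add(e["src"])
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_bruteforce(evs) + detect_new_source(evs):
        print(alert)
```

On the sample data the first detection flags bob (five failures in twelve seconds followed by a success from the same address), and the second flags carol's evening login from a new address. In practice the thresholds are tuned per environment, and the "new source" rule needs a baseline period before it is useful.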

———————————————————————————————————

Level 2 Certification

To achieve Level 2: Level 1 must also be achieved.

———————————————————————————————————

Measure 8.5: Implement Granular Role-Based Access Control (RBAC) with Least Privilege

Does your enterprise implement granular role-based access control (RBAC) to ensure users only have the minimum access necessary for their roles?
Example: Define clear roles (e.g., manager, administrator, employee) with specific access levels to systems and applications, and enforce the principle of least privilege by granting access to sensitive data or systems only where the user's role requires it. Employees may have multiple accounts: one for privileged use and one for everyday use, so that day-to-day work such as email and web browsing is never done with administrative rights.
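The following is an added example for Measures 8.1 and 8.5, written for this page rather than taken from it: a deny-by-default RBAC check over a small role catalogue, plus a review that reports accounts breaking the everyday/privileged split described above. The roles, permissions and accounts are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed role catalogue for illustration; permissions are "resource:action" strings.
# Anything not granted by a role is denied (deny by default).
ROLE_PERMISSIONS = {
    "employee": {"email:use", "fileshare:read", "hr-portal:read-own"},
    "manager": {"fileshare:write", "hr-portal:read-team", "expenses:approve"},
    "sysadmin": {"server:ssh", "server:sudo", "directory:modify"},
}
# Roles that carry high-impact access and belong only on a separate privileged account.
PRIVILEGED_ROLES = {"sysadmin"}


@dataclass
class Account:
    name: str
    roles: set = field(default_factory=set)
    privileged: bool = False  # True for the separate admin account (e.g. "alice-admin")


def effective_permissions(account):
    """Union of the permissions of every role the account holds. Unknown roles grant nothing."""
    perms = set()
    for role in account.roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(account, permission):
    """Deny-by-default check: True only if some assigned role grants the permission."""
    return permission in effective_permissions(account)


def least_privilege_findings(accounts):
    """Report assignments that break the everyday/privileged account split.

    Rule 1: an everyday account must not hold a privileged role.
    Rule 2: a privileged account must hold only privileged roles, so it is never used
            for email, file shares or other phishing-exposed daily work.
    """
    findings = []
    for acct in accounts:
        priv = acct.roles & PRIVILEGED_ROLES
        everyday = acct.roles - PRIVILEGED_ROLES
        if not acct.privileged and priv:
            findings.append((acct.name, "everyday account holds privileged role(s)", sorted(priv)))
        if acct.privileged and everyday:
            findings.append((acct.name, "privileged account holds everyday role(s)", sorted(everyday)))
    return findings


# Constructed accounts: alice follows the split, bob has admin rights on his daily account.
ACCOUNTS = [
    Account("alice", {"employee", "manager"}),
    Account("alice-admin", {"sysadmin"}, privileged=True),
    Account("bob", {"employee", "sysadmin"}),
]

if __name__ == "__main__":
    alice = ACCOUNTS[0]
    print(is_allowed(alice, "expenses:approve"), is_allowed(alice, "server:sudo"))
    for finding in least_privilege_findings(ACCOUNTS):
        print(finding)
```

The point of the review function is that least privilege is a property of the assignments, not only of the role definitions: bob's roles are each legitimate on their own, but together on one everyday account they put "server:sudo" behind the same credentials that read his email.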

Measure 8.6: Require MFA for All Employees

Does your enterprise require multi-factor authentication (MFA) for all employees accessing company systems and applications?
Example: Enforce MFA across the entire organisation for systems such as email, file-sharing platforms, and HR tools to enhance security and prevent unauthorised access.

Measure 8.7: Use Centralised Identity Management System

Does your enterprise use a centralised identity management system to streamline user access and account management?
Example: Use an identity and access management solution like Okta or Microsoft Entra ID (formerly Azure AD) to centrally manage user identities, enforce policies, and provide seamless access to systems while ensuring that security controls are applied consistently.

Measure 8.8: Implement Automated User Account Provisioning and Deactivation

Does your enterprise automate the provisioning and deactivation of user accounts to ensure timely access management?
Example: Use an automated IAM tool to create new accounts when employees join, and ensure accounts are deactivated automatically when employees leave or change roles within the company.
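As an added example for Measure 8.8 (written for this page; it is not the logic of any particular IAM product), the script below reconciles a constructed HR roster, treated as the source of truth, against a constructed directory snapshot and produces the joiner, mover and leaver actions an automated provisioning job would carry out. The data, the department-to-group mapping and the action format are all assumptions.

```python
# Constructed HR roster (the source of truth for who works here) and a directory
# snapshot (what accounts actually exist). Neither is real data.
HR_ROSTER = [
    {"id": "e001", "name": "alice", "dept": "finance", "status": "active"},
    {"id": "e002", "name": "bob",   "dept": "it",      "status": "terminated"},
    {"id": "e003", "name": "carol", "dept": "sales",   "status": "active"},   # moved from finance
    {"id": "e004", "name": "dave",  "dept": "it",      "status": "active"},   # joined this week
]
DIRECTORY = {
    "e001": {"name": "alice", "groups": {"finance-staff"}, "enabled": True},
    "e002": {"name": "bob",   "groups": {"it-staff", "server-admins"}, "enabled": True},
    "e003": {"name": "carol", "groups": {"finance-staff"}, "enabled": True},
    "e099": {"name": "svc-legacy", "groups": {"fileshare-rw"}, "enabled": True},  # no owner in HR
}
# Which directory groups each department's everyday account should have (hypothetical mapping).
DEPT_GROUPS = {
    "finance": {"finance-staff"},
    "sales": {"sales-staff"},
    "it": {"it-staff"},
}


def reconcile(roster, directory, dept_groups=DEPT_GROUPS):
    """Compute the joiner/mover/leaver actions needed to make the directory match HR.

    Returns a list of (action, account_id, detail) tuples; a real job would send these
    to the directory's API instead of returning them.
    """
    actions = []
    for person in roster:
        acct = directory.get(person["id"])
        wanted = dept_groups.get(person["dept"], set())

        if person["status"] != "active":              # leaver
            if acct and acct["enabled"]:
                # Disable and strip groups so a later re-enable does not restore old access.
                actions.append(("disable", person["id"], {"remove": sorted(acct["groups"])}))
            continue

        if acct is None:                              # joiner
            actions.append(("create", person["id"], {"add": sorted(wanted)}))
        elif acct["groups"] != wanted:                # mover: add new groups AND remove old ones
            actions.append(("update_groups", person["id"], {
                "add": sorted(wanted - acct["groups"]),
                "remove": sorted(acct["groups"] - wanted),
            }))

    # Orphans: enabled accounts with no owner in the HR roster at all.
    roster_ids = {p["id"] for p in roster}
    for acct_id, acct in directory.items():
        if acct_id not in roster_ids and acct["enabled"]:
            actions.append(("disable", acct_id, {"reason": "no owner in HR roster"}))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_ROSTER, DIRECTORY):
        print(action)
```

Two details matter for least privilege: a mover loses the old department's groups rather than accumulating them, and a leaver's groups are removed at the same time as the account is disabled. The orphan rule treats every account with no roster entry as suspect; service accounts need an owner recorded somewhere so that rule does not disable them blindly.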

———————————————————————————————————

Level 3 Certification

To achieve Level 3: Level 2 and Level 1 must also be achieved.

———————————————————————————————————

Measure 8.9: Implement Advanced IAM Technologies and Adaptive Authentication

Does your enterprise use advanced IAM technologies such as adaptive authentication or biometric authentication?
Example: Implement adaptive authentication that adjusts security requirements based on factors such as the user’s location, device, and activity. This could include biometrics (fingerprint, facial recognition) for privileged accounts to strengthen security further.
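As an added example for Measure 8.9 (written for this page; the weights and thresholds are illustrative assumptions, not values from any product), the script below scores a sign-in attempt from the signals the paragraph lists, device, location and timing, and maps the score to allow, step-up to MFA, or deny. Privileged accounts are never let through on a password alone. The baseline and attempts are constructed; biometric factors are not modelled.

```python
from datetime import datetime, timedelta

# Constructed baseline for one user (what the identity provider remembers from past
# sign-ins); not real data.
BASELINE = {
    "known_devices": {"laptop-7f3a"},
    "last_country": "GB",
    "last_ts": datetime(2024, 5, 1, 9, 0),
}


def risk_score(attempt, baseline):
    """Add up risk signals for a sign-in attempt; returns (score, reasons).

    The weights are illustrative assumptions for this example.
    """
    score, reasons = 0, []
    if attempt["device_id"] not in baseline["known_devices"]:
        score += 30
        reasons.append("unregistered device")
    if attempt["country"] != baseline["last_country"]:
        score += 20
        reasons.append("country differs from last sign-in")
        # Impossible travel: a country change too soon after the last sign-in to be physical.
        if attempt["ts"] - baseline["last_ts"] < timedelta(hours=2):
            score += 40
            reasons.append("impossible travel")
    if attempt.get("ip_reputation") == "anonymizer":
        score += 30
        reasons.append("source is a known anonymizer")
    return score, reasons


def decide(attempt, baseline, deny_at=80, step_up_at=30):
    """Map the score to an action; privileged accounts never get a password-only session."""
    score, reasons = risk_score(attempt, baseline)
    if score >= deny_at:
        action = "deny"
    elif score >= step_up_at or attempt.get("privileged"):
        action = "step_up_mfa"
    else:
        action = "allow"
    return {"action": action, "score": score, "reasons": reasons}


# Constructed attempts: the normal case, a new device, an admin on a known device,
# and a likely credential theft (unknown device, new country, anonymizer, 40 minutes later).
ATTEMPTS = {
    "usual": {"device_id": "laptop-7f3a", "country": "GB",
              "ts": datetime(2024, 5, 1, 10, 0), "privileged": False},
    "new_device": {"device_id": "phone-91c0", "country": "GB",
                   "ts": datetime(2024, 5, 1, 10, 0), "privileged": False},
    "admin_usual": {"device_id": "laptop-7f3a", "country": "GB",
                    "ts": datetime(2024, 5, 1, 10, 0), "privileged": True},
    "suspicious": {"device_id": "unknown-0000", "country": "BR", "ip_reputation": "anonymizer",
                   "ts": datetime(2024, 5, 1, 9, 40), "privileged": False},
}

if __name__ == "__main__":
    for name, attempt in ATTEMPTS.items():
        print(name, decide(attempt, BASELINE))
```

The useful property is that the decision is explainable: each outcome carries the reasons that produced it, which is what an analyst needs when a user disputes a denied login or when tuning the weights.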

Measure 8.10: Enforce Single Sign-On (SSO) Across the Enterprise

Does your enterprise use Single Sign-On (SSO) to simplify and secure user authentication across multiple systems?
Example: Implement an SSO solution that allows employees to use one set of credentials to securely access all internal systems, reducing password fatigue and the number of places credentials are stored. Because SSO makes the identity provider the single gate to everything, protect the identity provider itself with MFA and monitor it closely.

Measure 8.11: Implement Identity Governance and Administration (IGA)

Does your enterprise use Identity Governance and Administration (IGA) tools to manage access policies, ensure compliance, and conduct periodic audits?
Example: Implement IGA solutions such as SailPoint to manage user identities, enforce access policies, automate compliance reporting, and ensure that users have the appropriate access throughout their employment lifecycle.

Measure 8.12: Regularly Audit Access and User Permissions

Does your enterprise regularly conduct access audits to ensure that users retain only the access they need for their roles?
Example: Conduct annual or quarterly audits to review user access and permissions, ensuring that users’ access is still relevant to their current roles and responsibilities.

Measure 8.13: Enforce Zero Trust Access Policies

Does your enterprise enforce a Zero Trust model to secure user access to systems and data?
Example: Implement a Zero Trust approach where every user and device, internal or external, is authenticated and authorised for each access request regardless of network location, with continuous monitoring to ensure compliance and mitigate the risk of lateral movement in the network.

———————————————————————————————————