Maturity Report
Assessment 2025 v0.1 - 17/12/2025

Overall Score (0-5): 1.0
Assessed Controls: 25
Identified Gaps: 25
Critical Gaps: 25
| Control | Description | Domain | Current | Target | Gap | Priority |
|---|---|---|---|---|---|---|
| AUTH-001 | Enforce Phishing-resistant MFA (FIDO2/CBA) for all... | Authentication | 1 | 4 | 3 levels | Critical |
| AUTH-002 | Enforce MFA for all users with Number Matching to ... | Authentication | 1 | 4 | 3 levels | Critical |
| AUTH-003 | Configure Smart Lockout: block the threat actor (I... | Authentication | 1 | 4 | 3 levels | Critical |
| AUTH-004 | Real-time checking of banned passwords against glo... | Authentication | 1 | 4 | 3 levels | Critical |
| AUTH-005 | Block interactive login and rotate Service Account... | Authentication | 1 | 4 | 3 levels | Critical |
| AUTH-006 | Enforce re-authentication for critical actions (e.... | Authentication | 1 | 4 | 3 levels | Critical |
| AUTH-007 | Disable legacy protocols (Basic Auth: POP3, IMAP, ... | Authentication | 1 | 4 | 3 levels | Critical |
| JML-001 | Automate 'Birthright' provisioning via HR, creatin... | Identity Lifecycle (JML) | 1 | 4 | 3 levels | Critical |
| JML-002 | Review trigger on transfers: a change of role in H... | Identity Lifecycle (JML) | 1 | 4 | 3 levels | Critical |
| JML-003 | Automate exit 'Kill Switch': Blocking and revocati... | Identity Lifecycle (JML) | 1 | 4 | 3 levels | Critical |
| JML-004 | Quarterly Access Certification campaigns with auto... | Identity Lifecycle (JML) | 1 | 4 | 3 levels | Critical |
| JML-005 | Detection of orphan accounts (Reconciliation): Com... | Identity Lifecycle (JML) | 1 | 4 | 3 levels | Critical |
| JML-006 | Strict expiration (TTL) for guest (B2B) accounts, ... | Identity Lifecycle (JML) | 1 | 4 | 3 levels | Critical |
| MON-001 | Centralize Audit/Sign-in Logs in a SIEM. Retention... | Monitoring (MON) | 1 | 4 | 3 levels | Critical |
| MON-002 | Automatic blocking based on Risk (User/Sign-in Ris... | Monitoring (MON) | 1 | 4 | 3 levels | Critical |
| MON-003 | Alert on unverified illicit or high-privilege OAut... | Monitoring (MON) | 1 | 4 | 3 levels | Critical |
| MON-004 | P1 alerts for changes to Tier 0 groups (Global/Dom... | Monitoring (MON) | 1 | 4 | 3 levels | Critical |
| MON-005 | Monitor anomalies in Service Principals (read volu... | Monitoring (MON) | 1 | 4 | 3 levels | Critical |
| MON-006 | User feedback ('Not me') in MFA generates an immed... | Monitoring (MON) | 1 | 4 | 3 levels | Critical |
| PAM-001 | Eliminate permanent privileges (Zero Standing Priv... | Privileged Access (PAM) | 1 | 4 | 3 levels | Critical |
| PAM-002 | Separate accounts: adm-user (no email/web) for man... | Privileged Access (PAM) | 1 | 4 | 3 levels | Critical |
| PAM-003 | Remove local administrator account and use LAPS fo... | Privileged Access (PAM) | 1 | 4 | 3 levels | Critical |
| PAM-004 | Implement a Tiered Model (Tiering/Red Forest): Tie... | Privileged Access (PAM) | 1 | 4 | 3 levels | Critical |
| PAM-005 | 2 monitored Emergency (Break Glass) accounts, clou... | Privileged Access (PAM) | 1 | 4 | 3 levels | Critical |
| PAM-006 | Require dedicated Privileged Access Workstations (... | Privileged Access (PAM) | 1 | 4 | 3 levels | Critical |
Enforce Phishing-resistant MFA (FIDO2/CBA) for all administrative accounts, bloc...
Action: MFA mandatory, but SMS/Voice allowed.

Enforce MFA for all users with Number Matching to mitigate MFA fatigue....
Action: 100% coverage, SMS allowed.

Configure Smart Lockout: block the threat actor (IP), not the user account (AD),...
Action: Lockout policy defined, manual unlock.

Real-time checking of banned passwords against global (pwned) lists and company ...
Action: Basic complexity policy only.

Block interactive login and rotate Service Account secrets every 90 days (or use...
Action: Ad-hoc manual rotation (when something breaks).

Enforce re-authentication for critical actions (e.g., viewing sensitive data) re...
Action: Re-authentication only for password reset.

Disable legacy protocols (Basic Auth: POP3, IMAP, SMTP) globally....
Action: Blocked only for new users.

Automate 'Birthright' provisioning via HR, creating accounts disabled until the ...
Action: Standard request form (e-mail), manual execution.

Review trigger on transfers: a change of role in HR initiates access recertifica...
Action: Ad-hoc manual review by the manager.

Automate exit 'Kill Switch': Blocking and revocation of tokens in <15 min after ...
Action: Manual (same day, best effort).

Quarterly Access Certification campaigns with automatic revocation if there is n...
Action: Review of Admins only (manual).

Detection of orphan accounts (Reconciliation): Compare AD vs HR weekly to find o...
Action: Annual manual check.