Overall Score (0-5): 3.12
Assessed Controls: 25
Identified Gaps: 16
Critical Gaps: 2

[Charts: Maturity by Domain; Compliance by Framework (Compliance = Level ≥ 3); Maturity Distribution]
Maturity Gaps (Current Level < 4)

| Control | Description | Domain | Current | Target | Gap | Priority |
|---|---|---|---|---|---|---|
| PAM-005 | 2 monitored Emergency (Break Glass) accounts, clou... | Privileged Access (PAM) | 1 | 4 | 3 levels | Critical |
| MON-001 | Centralize Audit/Sign-in Logs in a SIEM. Retention... | Monitoring (MON) | 1 | 4 | 3 levels | Critical |
| AUTH-001 | Enforce Phishing-resistant MFA (FIDO2/CBA) for all... | Authentication | 2 | 4 | 2 levels | High |
| AUTH-005 | Block interactive login and rotate Service Account... | Authentication | 2 | 4 | 2 levels | High |
| PAM-001 | Eliminate permanent privileges (Zero Standing Priv... | Privileged Access (PAM) | 2 | 4 | 2 levels | High |
| MON-002 | Automatic blocking based on Risk (User/Sign-in Ris... | Monitoring (MON) | 2 | 4 | 2 levels | High |
| AUTH-002 | Enforce MFA for all users with Number Matching to ... | Authentication | 3 | 4 | 1 level | Medium |
| AUTH-004 | Real-time checking of banned passwords against glo... | Authentication | 3 | 4 | 1 level | Medium |
| AUTH-006 | Enforce re-authentication for critical actions (e.... | Authentication | 3 | 4 | 1 level | Medium |
| AUTH-007 | Disable legacy protocols (Basic Auth: POP3, IMAP, ... | Authentication | 3 | 4 | 1 level | Medium |
| JML-003 | Automate exit 'Kill Switch': Blocking and revocati... | Identity Lifecycle (JML) | 3 | 4 | 1 level | Medium |
| PAM-002 | Separate accounts: adm-user (no email/web) for man... | Privileged Access (PAM) | 3 | 4 | 1 level | Medium |
| PAM-004 | Implement a Tiered Model (Tiering/Red Forest): Tie... | Privileged Access (PAM) | 3 | 4 | 1 level | Medium |
| MON-003 | Alert on unverified illicit or high-privilege OAut... | Monitoring (MON) | 3 | 4 | 1 level | Medium |
| MON-004 | P1 alerts for changes to Tier 0 groups (Global/Dom... | Monitoring (MON) | 3 | 4 | 1 level | Medium |
| MON-005 | Monitor anomalies in Service Principals (read volu... | Monitoring (MON) | 3 | 4 | 1 level | Medium |
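Several of the gaps in the table are decided by the Conditional Access policy set, so they can be re-checked from an exported copy of the policies rather than by clicking through the portal. The script below is an added example, not part of the assessment report and not vendor tooling: it evaluates a policy export against AUTH-007 (legacy authentication blocked), MON-002 (high risk blocked rather than only reported), AUTH-001 (an authentication strength, the object that carries FIDO2/CBA, applied to directory roles) and PAM-005 (the emergency accounts excluded from every enforced policy). The export is a constructed sample in the shape of Microsoft Graph conditionalAccessPolicy objects; the policy names, the two emergency-account object ids and every policy setting are assumptions made for the example, not findings from the assessed environment. Report-only policies are treated as not enforced, which is the usual reason a risk policy exists on paper while MON-002 still sits at the alert-only level.

```python
import json

# Constructed sample export (not data from the assessed tenant): hypothetical policies in the
# shape of Microsoft Graph conditionalAccessPolicy objects, as returned by
# GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
SAMPLE_EXPORT = json.dumps({"value": [
    {"displayName": "CA001 Block legacy authentication", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [],
                              "excludeUsers": ["bg-account-1"]},  # one emergency account missing
                    "clientAppTypes": ["exchangeActiveSync", "other"],
                    "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": {"builtInControls": ["block"], "authenticationStrength": None}},
    {"displayName": "CA002 Block high sign-in risk",
     "state": "enabledForReportingButNotEnforced",  # report-only: evaluated but never enforced
     "conditions": {"users": {"includeUsers": ["All"], "includeRoles": [],
                              "excludeUsers": ["bg-account-1", "bg-account-2"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                    "signInRiskLevels": ["high"], "userRiskLevels": []},
     "grantControls": {"builtInControls": ["block"], "authenticationStrength": None}},
    {"displayName": "CA003 Admins: phishing-resistant MFA", "state": "enabled",
     "conditions": {"users": {"includeUsers": [],
                              "includeRoles": ["62e90394-69f5-4237-9190-012177145e10"],  # Global Administrator
                              "excludeUsers": ["bg-account-1", "bg-account-2"]},
                    "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
                    "signInRiskLevels": [], "userRiskLevels": []},
     "grantControls": {"builtInControls": [],
                       "authenticationStrength": {"displayName": "Phishing-resistant MFA"}}},
]})

BREAK_GLASS = ["bg-account-1", "bg-account-2"]  # constructed object ids of the two emergency accounts
LEGACY_CLIENTS = {"exchangeActiveSync", "other"}  # clientAppTypes values that admit Basic Auth clients


def _enabled(p: dict) -> bool:
    return p.get("state") == "enabled"

def _users(p: dict) -> dict:
    return p.get("conditions", {}).get("users", {})

def _grant(p: dict) -> dict:
    return p.get("grantControls") or {}

def _blocks(p: dict) -> bool:
    return "block" in _grant(p).get("builtInControls", [])


def check_auth_007(policies: list[dict]) -> tuple[bool, str]:
    """AUTH-007: an enforced policy must block both legacy client types for All users."""
    hits = [p["displayName"] for p in policies
            if _enabled(p) and _blocks(p) and "All" in _users(p).get("includeUsers", [])
            and LEGACY_CLIENTS <= set(p.get("conditions", {}).get("clientAppTypes", []))]
    if hits:
        return True, "blocked by " + ", ".join(hits)
    return False, "no enforced policy blocks legacy authentication for All users"


def check_mon_002(policies: list[dict]) -> tuple[bool, str]:
    """MON-002: high sign-in or user risk must be blocked by an enforced policy, not only reported."""
    risk = [p for p in policies if _blocks(p) and (
        "high" in p.get("conditions", {}).get("signInRiskLevels", [])
        or "high" in p.get("conditions", {}).get("userRiskLevels", []))]
    enforced = [p["displayName"] for p in risk if _enabled(p)]
    if enforced:
        return True, "blocked by " + ", ".join(enforced)
    report_only = [p["displayName"] for p in risk if p.get("state") == "enabledForReportingButNotEnforced"]
    if report_only:
        return False, "risk block exists only in report-only mode: " + ", ".join(report_only)
    return False, "no policy blocks high-risk sign-ins"


def check_auth_001(policies: list[dict]) -> tuple[bool, str]:
    """AUTH-001: directory roles must be covered by an enforced policy that grants through an
    authentication strength (the object that carries FIDO2/CBA), not the plain 'mfa' control.
    The strength's allowedCombinations still need a manual look; this only confirms one is applied."""
    hits = [p["displayName"] for p in policies
            if _enabled(p) and _users(p).get("includeRoles") and _grant(p).get("authenticationStrength")]
    if hits:
        return True, "authentication strength applied to directory roles by " + ", ".join(hits)
    return False, "no enforced policy applies an authentication strength to directory roles"


def check_pam_005(policies: list[dict], break_glass: list[str]) -> tuple[bool, str]:
    """PAM-005: every enforced policy must exclude all emergency accounts, so that one bad policy
    cannot lock the tenant. Reports each offending policy with the accounts it fails to exclude."""
    missing = {p["displayName"]: sorted(set(break_glass) - set(_users(p).get("excludeUsers", [])))
               for p in policies if _enabled(p)}
    missing = {name: ids for name, ids in missing.items() if ids}
    if missing:
        return False, "; ".join(f"{name} does not exclude {', '.join(ids)}" for name, ids in missing.items())
    return True, f"all {len(break_glass)} emergency accounts excluded from every enforced policy"


def evaluate(export_json: str, break_glass: list[str]) -> dict[str, tuple[bool, str]]:
    """Map control id -> (passed, detail) for the four checks above."""
    policies = json.loads(export_json)["value"]
    return {"AUTH-007": check_auth_007(policies), "MON-002": check_mon_002(policies),
            "AUTH-001": check_auth_001(policies), "PAM-005": check_pam_005(policies, break_glass)}


if __name__ == "__main__":
    for control, (ok, detail) in evaluate(SAMPLE_EXPORT, BREAK_GLASS).items():
        print(f"{control}: {'PASS' if ok else 'GAP'}  {detail}")
```

Run against a real export (the JSON body of the Graph call named in the comment, saved to a file and passed to `evaluate`), the two findings the sample produces are the ones worth reading closely: a risk policy stuck in report-only mode satisfies nobody but looks configured in the portal, and an emergency account missing from a single block policy's exclusions is enough to lock out the last recovery path if that policy ever matches it.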
Recommendations Roadmap

PAM-005 (Critical)
2 monitored Emergency (Break Glass) accounts, cloud-only, excluded from MFA and ...
Level 1 → 2
Action: 1 account (daily use if needed).

MON-001 (Critical)
Centralize Audit/Sign-in Logs in a SIEM. Retention: 90 days (hot) / 365 days (co...
Level 1 → 2
Action: Logs in the portal (30 days).

AUTH-001 (High)
Enforce Phishing-resistant MFA (FIDO2/CBA) for all administrative accounts, bloc...
Level 2 → 3
Action: Authenticator app (push) mandatory.

AUTH-005 (High)
Block interactive login and rotate Service Account secrets every 90 days (or use...
Level 2 → 3
Action: Periodic manual rotation (tracking spreadsheet).

PAM-001 (High)
Eliminate permanent privileges (Zero Standing Privileges). Admin access only Jus...
Level 2 → 3
Action: Manual JIT (hand-approved ticket).

MON-002 (High)
Automatic blocking based on Risk (User/Sign-in Risk) for high-risk events....
Level 2 → 3
Action: E-mail alert (human investigation).

AUTH-002 (Medium)
Enforce MFA for all users with Number Matching to mitigate MFA fatigue....
Level 3 → 4
Action: 100% coverage + Number Matching + SMS blocked.

AUTH-004 (Medium)
Real-time checking of banned passwords against global (pwned) lists and company ...
Level 3 → 4
Action: Integration with global (pwned) lists.

AUTH-006 (Medium)
Enforce re-authentication for critical actions (e.g., viewing sensitive data) re...
Level 3 → 4
Action: Re-authentication for all sensitive actions.

AUTH-007 (Medium)
Disable legacy protocols (Basic Auth: POP3, IMAP, SMTP) globally....
Level 3 → 4
Action: Global block with monitored exceptions.

JML-003 (Medium)
Automate exit 'Kill Switch': Blocking and revocation of tokens in <15 min after ...
Level 3 → 4
Action: Scripted (nightly batch).

PAM-002 (Medium)
Separate accounts: adm-user (no email/web) for management and user for daily use...
Level 3 → 4
Action: Cloud-only accounts, strong MFA.