Report: Assessment 2025 v0.3 - IAM Security Assessment

Maturity Report

Assessment 2025 v0.3 - 17/12/2025

Export PDF

2.56

Overall Score (0-5)

25

Assessed Controls

22

Identified Gaps

2

Critical Gaps

Maturity by Domain

Compliance by Framework

Compliance = Level ≥ 3

Maturity Distribution

Maturity Gaps (Current Level < 4)

Control	Domain	Current	Target	Gap	Priority
AUTH-004 Real-time checking of banned passwords against glo...	Authentication	1	4	3 levels	Critical
PAM-006 Require dedicated Privileged Access Workstations (...	Privileged Access (PAM)	1	4	3 levels	Critical
AUTH-001 Enforce Phishing-resistant MFA (FIDO2/CBA) for all...	Authentication	2	4	2 levels	High
AUTH-005 Block interactive login and rotate Service Account...	Authentication	2	4	2 levels	High
AUTH-007 Disable legacy protocols (Basic Auth: POP3, IMAP, ...	Authentication	2	4	2 levels	High
JML-003 Automate exit 'Kill Switch': Blocking and revocati...	Identity Lifecycle (JML)	2	4	2 levels	High
JML-005 Detection of orphan accounts (Reconciliation): Com...	Identity Lifecycle (JML)	2	4	2 levels	High
MON-001 Centralize Audit/Sign-in Logs in a SIEM. Retention...	Monitoring (MON)	2	4	2 levels	High
MON-004 P1 alerts for changes to Tier 0 groups (Global/Dom...	Monitoring (MON)	2	4	2 levels	High
MON-006 User feedback ('Not me') in MFA generates an immed...	Monitoring (MON)	2	4	2 levels	High
PAM-004 Implement a Tiered Model (Tiering/Red Forest): Tie...	Privileged Access (PAM)	2	4	2 levels	High
JML-004 Quarterly Access Certification campaigns with auto...	Identity Lifecycle (JML)	2	4	2 levels	High
AUTH-002 Enforce MFA for all users with Number Matching to ...	Authentication	3	4	1 levels	Medium
AUTH-003 Configure Smart Lockout: block the threat actor (I...	Authentication	3	4	1 levels	Medium
JML-002 Review trigger on transfers: a change of role in H...	Identity Lifecycle (JML)	3	4	1 levels	Medium
JML-006 Strict expiration (TTL) for guest (B2B) accounts, ...	Identity Lifecycle (JML)	3	4	1 levels	Medium
MON-002 Automatic blocking based on Risk (User/Sign-in Ris...	Monitoring (MON)	3	4	1 levels	Medium
MON-003 Alert on unverified illicit or high-privilege OAut...	Monitoring (MON)	3	4	1 levels	Medium
PAM-001 Eliminate permanent privileges (Zero Standing Priv...	Privileged Access (PAM)	3	4	1 levels	Medium
PAM-002 Separate accounts: adm-user (no email/web) for man...	Privileged Access (PAM)	3	4	1 levels	Medium
PAM-003 Remove local administrator account and use LAPS fo...	Privileged Access (PAM)	3	4	1 levels	Medium
PAM-005 2 monitored Emergency (Break Glass) accounts, clou...	Privileged Access (PAM)	3	4	1 levels	Medium

Recommendations Roadmap

AUTH-004 Critical

Real-time checking of banned passwords against global (pwned) lists and company ...

1 2

Action: Política de complexidade básica.

PAM-006 Critical

Require dedicated Privileged Access Workstations (PAW) to access management cons...

1 2

Action: PC padrão com usuário separado.

AUTH-001 High

Enforce Phishing-resistant MFA (FIDO2/CBA) for all administrative accounts, bloc...

2 3

Action: App Authenticator (Push) obrigatório.

AUTH-005 High

Block interactive login and rotate Service Account secrets every 90 days (or use...

2 3

Action: Rotação manual periódica (Planilha de controle).

AUTH-007 High

Disable legacy protocols (Basic Auth: POP3, IMAP, SMTP) globally....

2 3

Action: Bloqueio parcial ou por exceção manual.

JML-003 High

Automate exit 'Kill Switch': Blocking and revocation of tokens in <15 min after ...

2 3

Action: Manual (No mesmo dia - Obrigatório).

JML-005 High

Detection of orphan accounts (Reconciliation): Compare AD vs HR weekly to find o...

2 3

Action: Comparação manual mensal (Vlookup).

MON-001 High

Centralize Audit/Sign-in Logs in a SIEM. Retention: 90 days (hot) / 365 days (co...

2 3

Action: Backup manual esporádico para Storage.

MON-004 High

P1 alerts for changes to Tier 0 groups (Global/Domain Admins) with out-of-band n...

2 3

Action: Relatório diário de mudanças.

MON-006 High

User feedback ('Not me') in MFA generates an immediate security incident in the ...

2 3

Action: Feedback gera log para revisão.

PAM-004 High

Implement a Tiered Model (Tiering/Red Forest): Tier 0 admins never log on to Tie...

2 3

Action: Política escrita e auditada manualmente.

JML-004 High

Quarterly Access Certification campaigns with automatic revocation if there is n...

2 3

Action: Anual (Todos) via Planilha Excel.

Maturity Report

2.56

25

22

2

Confirm

Warning

Import Data