Maturity Report
Assessment 2025 v0.4 - 17/12/2025
- Overall Score (0-5): 3.28
- Assessed Controls: 25
- Identified Gaps: 15
- Critical Gaps: 0
| Control | Description | Domain | Current | Target | Gap | Priority |
|---|---|---|---|---|---|---|
| AUTH-005 | Block interactive login and rotate Service Account... | Authentication (AUTH) | 2 | 4 | 2 levels | High |
| MON-004 | P1 alerts for changes to Tier 0 groups (Global/Dom... | Monitoring (MON) | 2 | 4 | 2 levels | High |
| JML-004 | Quarterly Access Certification campaigns with auto... | Identity Lifecycle (JML) | 2 | 4 | 2 levels | High |
| AUTH-003 | Configure Smart Lockout: block the threat actor (I... | Authentication (AUTH) | 3 | 4 | 1 level | Medium |
| JML-002 | Review trigger on transfers: a change of role in H... | Identity Lifecycle (JML) | 3 | 4 | 1 level | Medium |
| JML-006 | Strict expiration (TTL) for guest (B2B) accounts, ... | Identity Lifecycle (JML) | 3 | 4 | 1 level | Medium |
| MON-002 | Automatic blocking based on Risk (User/Sign-in Ris... | Monitoring (MON) | 3 | 4 | 1 level | Medium |
| PAM-002 | Separate accounts: adm-user (no email/web) for man... | Privileged Access (PAM) | 3 | 4 | 1 level | Medium |
| PAM-003 | Remove local administrator account and use LAPS fo... | Privileged Access (PAM) | 3 | 4 | 1 level | Medium |
| PAM-005 | 2 monitored Emergency (Break Glass) accounts, clou... | Privileged Access (PAM) | 3 | 4 | 1 level | Medium |
| AUTH-004 | Real-time checking of banned passwords against glo... | Authentication (AUTH) | 3 | 4 | 1 level | Medium |
| AUTH-007 | Disable legacy protocols (Basic Auth: POP3, IMAP, ... | Authentication (AUTH) | 3 | 4 | 1 level | Medium |
| JML-003 | Automate exit 'Kill Switch': Blocking and revocati... | Identity Lifecycle (JML) | 3 | 4 | 1 level | Medium |
| MON-001 | Centralize Audit/Sign-in Logs in a SIEM. Retention... | Monitoring (MON) | 3 | 4 | 1 level | Medium |
| PAM-006 | Require dedicated Privileged Access Workstations (... | Privileged Access (PAM) | 3 | 4 | 1 level | Medium |
Gap details (control, requirement as assessed, and the current practice recorded under "Action"):

- AUTH-005: Block interactive login and rotate Service Account secrets every 90 days (or use...
  Action: Periodic manual rotation (control spreadsheet).
- MON-004: P1 alerts for changes to Tier 0 groups (Global/Domain Admins) with out-of-band n...
  Action: Daily change report.
- JML-004: Quarterly Access Certification campaigns with automatic revocation if there is n...
  Action: Annual (all users) via Excel spreadsheet.
- AUTH-003: Configure Smart Lockout: block the threat actor (IP), not the user account (AD),...
  Action: Smart Lockout in Audit mode (log only).
- JML-002: Review trigger on transfers: a change of role in HR initiates access recertifica...
  Action: Automatic trigger generates a review task.
- JML-006: Strict expiration (TTL) for guest (B2B) accounts, requiring sponsor renewal...
  Action: Automatic TTL (90 days) with renewal.
- MON-002: Automatic blocking based on Risk (User/Sign-in Risk) for high-risk events...
  Action: Alert integrated with ticketing (SOAR).
- PAM-002: Separate accounts: adm-user (no email/web) for management and user for daily use...
  Action: Cloud-only accounts, strong MFA.
- PAM-003: Remove local administrator account and use LAPS for unique, per-workstation rota...
  Action: LAPS at 100% with usage auditing.
- PAM-005: 2 monitored Emergency (Break Glass) accounts, cloud-only, excluded from MFA and ...
  Action: 2 cloud-only accounts, alerts configured.
- AUTH-004: Real-time checking of banned passwords against global (pwned) lists and company ...
  Action: Integration with global (pwned) lists.
- AUTH-007: Disable legacy protocols (Basic Auth: POP3, IMAP, SMTP) globally...
  Action: Global block with monitored exceptions.