Report: Assessment 2025 v0.7 - IAM Security Assessment

Maturity Report

Assessment 2025 v0.7 - 17/12/2025

Export PDF

3.36

Overall Score (0-5)

25

Assessed Controls

14

Identified Gaps

0

Critical Gaps

Maturity by Domain

Compliance by Framework

Compliance = Level ≥ 3

Maturity Distribution

Maturity Gaps (Current Level < 4)

Control	Domain	Current	Target	Gap	Priority
AUTH-007 Disable legacy protocols (Basic Auth: POP3, IMAP, ...	Authentication	2	4	2 levels	High
MON-006 User feedback ('Not me') in MFA generates an immed...	Monitoring (MON)	2	4	2 levels	High
AUTH-001 Enforce Phishing-resistant MFA (FIDO2/CBA) for all...	Authentication	3	4	1 levels	Medium
AUTH-004 Real-time checking of banned passwords against glo...	Authentication	3	4	1 levels	Medium
AUTH-005 Block interactive login and rotate Service Account...	Authentication	3	4	1 levels	Medium
JML-001 Automate 'Birthright' provisioning via HR, creatin...	Identity Lifecycle (JML)	3	4	1 levels	Medium
JML-006 Strict expiration (TTL) for guest (B2B) accounts, ...	Identity Lifecycle (JML)	3	4	1 levels	Medium
PAM-003 Remove local administrator account and use LAPS fo...	Privileged Access (PAM)	3	4	1 levels	Medium
MON-002 Automatic blocking based on Risk (User/Sign-in Ris...	Monitoring (MON)	3	4	1 levels	Medium
MON-004 P1 alerts for changes to Tier 0 groups (Global/Dom...	Monitoring (MON)	3	4	1 levels	Medium
JML-004 Quarterly Access Certification campaigns with auto...	Identity Lifecycle (JML)	3	4	1 levels	Medium
PAM-001 Eliminate permanent privileges (Zero Standing Priv...	Privileged Access (PAM)	3	4	1 levels	Medium
PAM-005 2 monitored Emergency (Break Glass) accounts, clou...	Privileged Access (PAM)	3	4	1 levels	Medium
PAM-006 Require dedicated Privileged Access Workstations (...	Privileged Access (PAM)	3	4	1 levels	Medium

Recommendations Roadmap

AUTH-007 High

Disable legacy protocols (Basic Auth: POP3, IMAP, SMTP) globally....

2 3

Action: Bloqueio parcial ou por exceção manual.

MON-006 High

User feedback ('Not me') in MFA generates an immediate security incident in the ...

2 3

Action: Feedback gera log para revisão.

AUTH-001 Medium

Enforce Phishing-resistant MFA (FIDO2/CBA) for all administrative accounts, bloc...

3 4

Action: App + Number Matching obrigatório.

AUTH-004 Medium

Real-time checking of banned passwords against global (pwned) lists and company ...

3 4

Action: Integração com listas globais (pwned).

AUTH-005 Medium

Block interactive login and rotate Service Account secrets every 90 days (or use...

3 4

Action: Rotação automatizada via Scripts/DevOps.

JML-001 Medium

Automate 'Birthright' provisioning via HR, creating accounts disabled until the ...

3 4

Action: Scriptado (Powershell) disparado por ticket.

JML-006 Medium

Strict expiration (TTL) for guest (B2B) accounts, requiring sponsor renewal....

3 4

Action: TTL automático (90 dias) com renovação.

PAM-003 Medium

Remove local administrator account and use LAPS for unique, per-workstation rota...

3 4

Action: LAPS em 100% com auditoria de uso.

MON-002 Medium

Automatic blocking based on Risk (User/Sign-in Risk) for high-risk events....

3 4

Action: Alerta integrado ao Ticket (SOAR).

MON-004 Medium

P1 alerts for changes to Tier 0 groups (Global/Domain Admins) with out-of-band n...

3 4

Action: Alerta e-mail (Near real-time).

JML-004 Medium

Quarterly Access Certification campaigns with automatic revocation if there is n...

3 4

Action: Semestral via Ferramenta de IGA.

PAM-001 Medium

Eliminate permanent privileges (Zero Standing Privileges). Admin access only Jus...

3 4

Action: JIT via Grupo AD (Adição/Remoção manual).

Maturity Report

3.36

25

14

0

Confirm

Warning

Import Data