Many organizations are realizing the benefits of placing identity at the center of their cybersecurity program with Identity and Access Management (IAM) being a security imperative.
Question 1 of 6
Not Defined. No defined processes or standards
Reactive. Common structures defined, differing processes.
Purposeful. Unified identity data structures, effective identity controls exists.
Aware. Unreliable, inconsistent data and entry points.
Adaptive. Usable data with transformation, account and identity correlations.
Question 2 of 6
Question 3 of 6
Not Defined. No defined authentication policies or central infrastructure.
Reactive. Stanardized approach to credentials, tactical 2FA.
Purposeful. Enterprise MFA, SaaS SSO, and enterprise directories IAM.
Aware. Authentication policies or central infrastructure.
Adaptive. Directories being leveraged, centralized, standardized tech.
Predictive. Risk-based authentication mechanims, enterprise SSO.
Not Defined. Decentralized, no governance or awareness.
Reactive. Entitlements and profiles reviewed centrally but not manually.
Purposeful. Integrated with identityu administration controls and processes.
Aware. Entitlements and profiles reviewed informally and in an ad-hoc manner.
Adaptive. Technologyu controls in place to support centralized processes.
Predictive. Risk-based entitlement model controls access review certificates.
Question 4 of 6
Not Defined. No defined processes or policies.
Reactive. Standard, documented processes, varying controls.
Purposeful. Centralized infrastructure with maturing automation.
Aware. Decentalized, informal manual processes in an ad-hoc manner.
Adaptive. Centralized workflow, consistent data and processes.
Predictive. Risk-based workflow and controls, automated for enterprise.
Question 5 of 6
Reactive. Initiation of SIEMs, PW-protected databases for credentials.
Purposeful. Maturing technology controls, one-time passwords.
Aware. Informal processes, admins managing as they see fit.
Adaptive. Initial vaulting, integrated logs, and policy-based activities.
Predictive. Risk-based privileged credential and session management.
Question 6 of 6
Not Defined. Data lifecycle and locations are unknown/not defined.
Reactive. Classification policies exist, defined data location and owners.
Purposeful. Policies and technology in place to prevent unauthorized access.
Aware. Data is managed in decentralized, ad-hoc way.
Adaptive. Supporting technology to classify and manage access to data.
Your organization is significantly behind in implementing modern identity and access management processes and technologies. Start with identifying critical assets, identifying and prioritizing needs based on security requirements.
Approximately 35% of enterprises are operating at this level. Your organization is operating very reactively and tactically to identity and access management needs, fixing issues as they arise, and potentially in a decentralized way. Start by gaining consensus on strategic roadmap priorities and implementing centralized services with an opt-in model.
Approximately 10% of enterprises are operating at this level. Your organization supports identity and access management initiatives in a thoughtful, centralized way, allowing your business to be enabled, while mitigating risks effectively. Start by evaluating your technology components for gaps in capabilities and security, while continuously examining your business model against your programmatic features.
Approximately 25% of enterprises are operating at this level.
Your organization is approaching modern identity and access management processes and technologies in a very tactical, decentralized manner. Start by educating stakeholders and gaining consensus on strategic roadmap priorities.
Approximately 20% of enterprises are operating at this level. Your organization adapts to identity and access management needs in a centralized way, however changes may still be done tactically.
Start by assessing current processes and technology and evaluating gaps against best practices, audit findings, and business enablement.
Approximately 5% of enterprises are operating at this level. Your organization is operating at the highest level of maturity for an IAM program. Consider taking it to the next level with an identity centric approach to security that integrates existing cyber security technologies with your IAM infrastructure to improve security and reduce the risk of a breach.