Identity & Access Management Assessment SOP
Sub-procedure for Operate pillar managed services - IAM posture evaluation
Service Pillar: Operate
Service Category: Identity & Access Management
Parent SOP: Cloud Operations SOP
Engagement Type: Assessment / Annual Review
Overview
Comprehensive assessment of an organization's identity and access management posture across cloud and on-premises environments. This assessment evaluates authentication mechanisms, authorization policies, privileged access controls, identity lifecycle management, and compliance with identity security best practices.
Scope
Pillar: Operate (Managed Services)
Service Area: Identity & Access Management Assessment
In Scope
- Identity provider configuration (Azure AD, Okta, etc.)
- Authentication mechanisms (MFA, SSO, passwordless)
- Authorization and RBAC policies
- Privileged access management
- Identity lifecycle processes
- Access certification/reviews
- Service account management
- Federation and B2B/B2C identity
Out of Scope
- Application-level authorization (app-specific)
- Physical access controls
- Network access control (NAC)
- Full compliance audit (though findings map to frameworks)
Business Justification
| Metric | Value | Source |
|---|---|---|
| Breaches involving stolen credentials | 86% | Verizon DBIR 2024 |
| Average cost of identity-related breach | $4.62M | IBM Cost of Data Breach 2024 |
| Organizations with MFA fully deployed | 28% | Okta State of Zero Trust 2024 |
| Privileged access abuse in breaches | 74% | CyberArk Privileged Access Report 2024 |
Prerequisites
- Identity provider administrative access (or read-only)
- HR system access for user lifecycle review
- Directory services access (AD, LDAP)
- List of critical applications and access requirements
- Current IAM policies and procedures
- Stakeholder availability (IT, HR, Security)
- Compliance requirements documentation
Procedure
Step 1: Identity Infrastructure Discovery
Objective: Map the organization's identity ecosystem
Activities:
1. Identify all identity providers and directories
2. Document federation relationships
3. Map SSO integrations
4. Inventory identity-related systems
5. Document identity data flows
6. Identify hybrid identity configurations
Discovery Checklist:

| Component | Details to Capture |
|---|---|
| Primary IdP | Type, version, licensing |
| Secondary directories | AD, LDAP, others |
| Federation | Partners, protocols |
| SSO applications | Count, integration type |
| Cloud identity | Azure AD, Google, AWS IAM |
Duration: 3-4 hours
Step 2: Authentication Assessment
Objective: Evaluate authentication security and user experience
Activities:
1. Assess MFA deployment and coverage
2. Review password policies
3. Evaluate SSO configuration
4. Assess legacy authentication status
5. Review passwordless adoption
6. Evaluate conditional/risk-based authentication
Assessment Criteria:

| Control | Target State | Risk if Gap |
|---|---|---|
| MFA coverage | 100% users | Critical |
| Admin MFA | Hardware token/phishing-resistant | Critical |
| Legacy auth | Blocked | High |
| Password policy | 12+ chars, breach checking | Medium |
| SSO adoption | >90% applications | Medium |

Authentication Methods Review:
- [ ] Password-only accounts identified
- [ ] MFA methods documented (SMS, app, hardware)
- [ ] Phishing-resistant MFA for privileged users
- [ ] Self-service password reset configuration
- [ ] Account lockout policies
Duration: 3-4 hours
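The Step 2 criteria can be applied mechanically to an identity export. The script below is an added example for this SOP, not part of the procedure or of any IdP's tooling: the `User` record layout, the authenticator labels in `PHISHING_RESISTANT`, the protocol names in `LEGACY_PROTOCOLS` and the `PASSWORD_POLICY` keys are assumptions, and the user list is constructed. It computes MFA coverage, lists password-only accounts, flags admins without a phishing-resistant method, spots accounts seen on legacy protocols, and emits findings carrying the "Risk if Gap" rating from the criteria table.

```python
"""Authentication posture check over a constructed identity export (Step 2).

Added example for this SOP. The record layout, method labels and protocol
names are assumptions, not any identity provider's real export schema; map
them onto the fields your IdP actually reports."""
from dataclasses import dataclass, field

# Assumption: labels used for authenticator types and sign-in protocols.
PHISHING_RESISTANT = {"fido2", "certificate", "passkey"}
LEGACY_PROTOCOLS = {"imap", "pop3", "smtp_auth", "basic_auth"}
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2}


@dataclass
class User:
    upn: str
    is_admin: bool
    mfa_methods: list = field(default_factory=list)        # [] means password-only
    sign_in_protocols: list = field(default_factory=list)  # protocols seen in sign-in log


# Constructed sample export (no real accounts).
USERS = [
    User("alice@example.test", True, ["fido2"], ["oauth2"]),
    User("bob@example.test", True, ["sms"], ["oauth2"]),
    User("carol@example.test", False, [], ["imap", "oauth2"]),
    User("dave@example.test", False, ["authenticator_app"], ["oauth2"]),
]

# Constructed tenant password policy (assumed key names).
PASSWORD_POLICY = {"min_length": 8, "breach_checking": False, "lockout_threshold": 0}


def mfa_coverage(users):
    """Fraction of users with at least one MFA method registered."""
    return sum(1 for u in users if u.mfa_methods) / len(users)


def password_only(users):
    return [u.upn for u in users if not u.mfa_methods]


def admins_without_phishing_resistant_mfa(users):
    return [u.upn for u in users
            if u.is_admin and not (set(u.mfa_methods) & PHISHING_RESISTANT)]


def legacy_auth_users(users):
    return [u.upn for u in users if set(u.sign_in_protocols) & LEGACY_PROTOCOLS]


def assess_authentication(users, policy):
    """Apply the Step 2 assessment criteria; returns findings sorted by risk."""
    findings = []
    coverage = mfa_coverage(users)
    if coverage < 1.0:
        findings.append({"control": "MFA coverage", "risk": "Critical",
                         "detail": f"{coverage:.0%} covered; password-only: {password_only(users)}"})
    weak_admins = admins_without_phishing_resistant_mfa(users)
    if weak_admins:
        findings.append({"control": "Admin MFA", "risk": "Critical",
                         "detail": f"no phishing-resistant method: {weak_admins}"})
    legacy = legacy_auth_users(users)
    if legacy:
        findings.append({"control": "Legacy auth", "risk": "High",
                         "detail": f"legacy protocol sign-ins seen: {legacy}"})
    gaps = []
    if policy["min_length"] < 12:
        gaps.append(f"min length {policy['min_length']} < 12")
    if not policy["breach_checking"]:
        gaps.append("no breached-password checking")
    if policy["lockout_threshold"] == 0:
        gaps.append("no account lockout")
    if gaps:
        findings.append({"control": "Password policy", "risk": "Medium",
                         "detail": "; ".join(gaps)})
    return sorted(findings, key=lambda f: RISK_ORDER[f["risk"]])


if __name__ == "__main__":
    for f in assess_authentication(USERS, PASSWORD_POLICY):
        print(f"[{f['risk']}] {f['control']}: {f['detail']}")
```

On the constructed data this reports 75% MFA coverage with one password-only account, one admin relying on SMS, one account still signing in over IMAP, and a password policy short of the 12-character/breach-checking target. The sort keeps findings in the table's Critical, High, Medium order so the output can go straight into the Step 6 risk rating.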
Step 3: Authorization & Access Control Review
Objective: Evaluate access control policies and implementation
Activities:
1. Review RBAC implementation
2. Assess group-based access management
3. Evaluate access request/approval workflows
4. Review cross-application permissions
5. Assess least privilege implementation
6. Check for excessive permissions
Role Analysis:

| Role Type | Assessment Focus |
|---|---|
| Administrative | Scope, justification, monitoring |
| Power user | Business need, segregation |
| Standard user | Default permissions, exceptions |
| Guest/external | Restrictions, expiration |

Access Sprawl Indicators:
- [ ] Users with multiple admin roles
- [ ] Orphaned accounts (terminated users)
- [ ] Unused permissions
- [ ] Group membership bloat
- [ ] Standing vs. just-in-time access
Duration: 4-6 hours
Step 4: Privileged Access Assessment
Objective: Evaluate controls for high-risk privileged accounts
Activities:
1. Inventory privileged accounts
2. Assess PAM solution deployment
3. Review privileged session management
4. Evaluate emergency/break-glass accounts
5. Check service account controls
6. Review privileged access workflows
Privileged Account Categories:

| Category | Expected Controls |
|---|---|
| Domain Admin | PIM, session recording, MFA |
| Cloud Admin | JIT access, approval workflow |
| Database Admin | Privileged session mgmt |
| Application Admin | Role-based, audited |
| Service Accounts | Managed identity, rotation |

PAM Capability Assessment:
- [ ] Privileged password vault
- [ ] Session recording
- [ ] Just-in-time access
- [ ] Approval workflows
- [ ] Credential rotation
- [ ] Emergency access procedures
Duration: 4-6 hours
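The Step 3 sprawl indicators and the Step 4 privileged inventory draw on the same data: role assignments joined with the HR feed and credential metadata. The script below is an added example serving both steps, not part of the SOP or of any PAM product: the `Account` fields, the role names and the 90-day idle and rotation windows are assumptions, and the inventory is constructed. It lists users holding multiple admin roles, privileged accounts whose owner HR shows as terminated, privileges not exercised within the window, human admins with standing rather than just-in-time assignment, and service accounts whose credentials have not been rotated.

```python
"""Privileged account inventory and access sprawl indicators (Steps 3 and 4).

Added example for this SOP. The Account fields, role names and thresholds
are assumed and the inventory is constructed; map them onto your IdP role
assignment export, HR feed and secret store."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    name: str
    kind: str                                   # "user" or "service"
    privileged_roles: list = field(default_factory=list)
    assignment: str = "standing"                # "standing" or "eligible" (JIT activation)
    hr_status: str = "active"                   # "active" / "terminated"; "n/a" for service accounts
    last_role_use_days: Optional[int] = None    # days since any privileged role was used
    credential_age_days: Optional[int] = None   # service accounts: days since secret rotation


# Constructed inventory (no real accounts).
ACCOUNTS = [
    Account("alice", "user", ["Global Administrator"], "eligible", "active", 3),
    Account("bob", "user", ["Global Administrator", "Exchange Administrator"], "standing", "active", 200),
    Account("carol", "user", ["Security Reader"], "standing", "terminated", 40),
    Account("erin", "user", [], "standing", "active"),
    Account("svc-backup", "service", ["Backup Operator"], "standing", "n/a", 1, 400),
    Account("svc-ci", "service", ["Deployment Operator"], "standing", "n/a", 2, 30),
]


def privileged(accounts):
    return [a for a in accounts if a.privileged_roles]


def multiple_admin_roles(accounts):
    return [a.name for a in privileged(accounts) if len(a.privileged_roles) > 1]


def orphaned_privileged(accounts):
    """Terminated in HR but still holding privileged roles."""
    return [a.name for a in privileged(accounts) if a.hr_status == "terminated"]


def unused_privileges(accounts, max_idle_days=90):
    """Roles never exercised, or not exercised within the window."""
    return [a.name for a in privileged(accounts)
            if a.last_role_use_days is None or a.last_role_use_days > max_idle_days]


def standing_admin_users(accounts):
    """Human admins with permanent rather than just-in-time assignment."""
    return [a.name for a in privileged(accounts)
            if a.kind == "user" and a.assignment == "standing"]


def stale_service_credentials(accounts, max_age_days=90):
    """Service accounts whose secret is older than the rotation window or never rotated."""
    return [a.name for a in accounts if a.kind == "service"
            and (a.credential_age_days is None or a.credential_age_days > max_age_days)]


def sprawl_report(accounts):
    """Map each SOP indicator to the accounts that trip it."""
    return {
        "multiple admin roles": multiple_admin_roles(accounts),
        "orphaned privileged accounts": orphaned_privileged(accounts),
        "unused privileges (>90d)": unused_privileges(accounts),
        "standing admin assignment": standing_admin_users(accounts),
        "service credentials not rotated (>90d)": stale_service_credentials(accounts),
    }


if __name__ == "__main__":
    for indicator, names in sprawl_report(ACCOUNTS).items():
        print(f"{indicator}: {names or 'none'}")
```

Each indicator is a separate function so the report can be re-run per directory or per cloud tenant and the thresholds tightened where the client's policy is stricter than the assumed 90 days. The orphaned check is the one to prioritise: on the constructed data it is the only finding that also lands in the P1 row of the Step 6 matrix.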
Step 5: Identity Lifecycle Assessment
Objective: Evaluate joiner/mover/leaver processes
Activities:
1. Review provisioning processes
2. Assess HR-IT integration
3. Evaluate access modification workflows
4. Check termination procedures
5. Review access recertification
6. Assess contractor/vendor lifecycle
Lifecycle Process Review:

| Process | Assessment Points |
|---|---|
| Joiner | Automation, timeliness, default access |
| Mover | Role change triggers, access adjustment |
| Leaver | Timeliness, completeness, audit |
| Contractor | Onboarding, expiration, review |

Timeliness Metrics:
- [ ] Time to provision (target: <24 hours)
- [ ] Time to modify (target: <48 hours)
- [ ] Time to revoke (target: <4 hours)
- [ ] Certification frequency (target: quarterly)
Duration: 3-4 hours
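The timeliness metrics in Step 5 are measured by pairing each HR trigger with the matching identity-provider action for the same person and comparing the lag with the target. The script below is an added example for this SOP, not part of the procedure or of any HR or IdP product: the event names in `EVENT_PAIRS` are assumptions and both feeds are constructed. It measures the lag per joiner, mover and leaver case, lists the cases that miss the SOP's 24/48/4-hour targets, and separately lists triggers with no completion at all, since a termination with no revocation is the leaver gap the assessment most needs to surface.

```python
"""Joiner/mover/leaver timeliness metrics (Step 5).

Added example for this SOP; the event feeds are constructed and the event
names are assumptions. Each HR event is paired with the first matching IdP
event for the same person, and the lag is compared with the SOP targets."""
from datetime import datetime

# Targets from the SOP, in hours.
TARGET_HOURS = {"joiner": 24, "mover": 48, "leaver": 4}
# Assumed event names: HR trigger -> IdP completion.
EVENT_PAIRS = {"joiner": ("hire", "provisioned"),
               "mover": ("role_change", "access_modified"),
               "leaver": ("termination", "access_revoked")}

# Constructed feeds: (person_id, event, ISO timestamp).
HR_EVENTS = [
    ("e1", "hire", "2026-01-05T09:00"),
    ("e2", "hire", "2026-01-06T09:00"),
    ("e3", "role_change", "2026-01-10T10:00"),
    ("e4", "termination", "2026-01-12T17:00"),
    ("e5", "termination", "2026-01-13T17:00"),
    ("e6", "termination", "2026-01-14T12:00"),
]
IDP_EVENTS = [
    ("e1", "provisioned", "2026-01-05T17:00"),
    ("e2", "provisioned", "2026-01-08T09:00"),
    ("e3", "access_modified", "2026-01-11T10:00"),
    ("e4", "access_revoked", "2026-01-12T18:30"),
    ("e6", "access_revoked", "2026-01-15T12:00"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def lag_hours(person, hr_event, idp_event, hr_events, idp_events):
    """Hours between the HR trigger and the IdP completion; None if never completed."""
    start = next(_ts(t) for p, e, t in hr_events if p == person and e == hr_event)
    done = [_ts(t) for p, e, t in idp_events
            if p == person and e == idp_event and _ts(t) >= start]
    return (min(done) - start).total_seconds() / 3600 if done else None


def timeliness_report(hr_events, idp_events):
    """Per process: measured lags, target breaches, and triggers never completed."""
    report = {}
    for process, (hr_event, idp_event) in EVENT_PAIRS.items():
        measured, breaches, unmatched = {}, [], []
        for person, event, _ in hr_events:
            if event != hr_event:
                continue
            lag = lag_hours(person, hr_event, idp_event, hr_events, idp_events)
            if lag is None:
                unmatched.append(person)          # trigger with no IdP action at all
            else:
                measured[person] = lag
                if lag > TARGET_HOURS[process]:
                    breaches.append(person)
        report[process] = {"measured": measured, "breaches": breaches, "unmatched": unmatched}
    return report


if __name__ == "__main__":
    for process, r in timeliness_report(HR_EVENTS, IDP_EVENTS).items():
        print(process, r)
```

On the constructed feeds one joiner took 48 hours against a 24-hour target, one leaver took 24 hours against 4, and one termination never produced a revocation; that last case belongs in the Privileged Account Inventory deliverable as an orphaned account, not just in the timeliness metric.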
Step 6: Findings Documentation & Risk Rating
Objective: Compile findings into an actionable report
Activities:
1. Categorize findings by domain
2. Rate findings by risk severity
3. Map to compliance frameworks (SOC 2, ISO 27001)
4. Develop remediation recommendations
5. Create prioritized roadmap
6. Prepare executive summary
Risk Rating Matrix:

| Finding | Likelihood | Impact | Priority |
|---|---|---|---|
| No MFA on admin accounts | High | Critical | P1 |
| Orphaned privileged accounts | Medium | High | P1 |
| No access certification | High | High | P2 |
| Manual provisioning | Medium | Medium | P3 |
Duration: 6-8 hours
Deliverables
| Deliverable | Format | Owner |
|---|---|---|
| IAM Assessment Report | PDF/Word | Lead Consultant |
| Identity Infrastructure Diagram | Visio/Draw.io | Technical Analyst |
| Access Control Gap Analysis | Excel | Lead Consultant |
| Privileged Account Inventory | Excel | Technical Analyst |
| Remediation Roadmap | Excel/Project | Engagement Manager |
| Executive Summary | PDF (2-page) | Engagement Manager |
Quality Gates
- All identity systems in scope have been assessed
- Authentication posture fully evaluated
- Privileged access inventory complete
- Lifecycle processes documented and gap-analyzed
- Findings mapped to compliance requirements
- Recommendations prioritized with effort estimates
- Report reviewed by senior consultant
- Client stakeholder review scheduled
Related Documents
Last Updated: February 2026