SFC: Identity & Accounts | Security Alliance — Security Checklist

Organizational account inventory, phishing-resistant MFA, credential management, account lifecycle, and takeover monitoring.
Org:
Owner:
Date:

1. Governance & Inventory

  • Organizational Account Security Owner
    Is there a clearly designated person or team accountable for organizational account security?
  • Organizational Account Inventory
    Do you maintain an inventory of organizational accounts with defined ownership?
Notes:

2. Authentication & Credentials

  • Phishing-Resistant Multi-Factor Authentication
    Do you enforce phishing-resistant multi-factor authentication on organizational accounts?
  • Credential Management and Individual Accountability
    Do you enforce credential management standards with individual accountability?
  • Recovery Methods Restricted to Organizational Channels
    Do you restrict account recovery methods to organizational channels?
Notes:

3. Access & Lifecycle

  • Account Lifecycle Management
    Do you manage the full lifecycle of organizational accounts, including provisioning, changes, offboarding, and periodic access review?
Notes:

4. Monitoring & Third-Party

  • Organizational Account Takeover Monitoring
    Do you monitor organizational accounts for takeover, unauthorized activity, and credential exposure?
  • Third-Party Access Management
    Do you manage third-party access to organizational accounts with time-limited, purpose-specific permissions?
Notes: