Security

SEC-02

Identity Resilience & Disaster Recovery

This control asks one thing: How does the organization ensure continuity of authentication, authorization, and identity governance during catastrophic failures of the primary Identity Provider (IdP)?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Total business paralysis during IdP outage. Users cannot authenticate, admins cannot respond, and recovery actions are blocked.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Turns identity outages from existential threats into non-events.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Define identity as critical infrastructure and document recovery scenarios, roles, and access paths.

What reaching level 2 (Developing) unlocks

Predictable recovery timelines.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Regular backups of identity configuration and directories
  • Documented restore procedures
  • Defined identity RTO/RPO targets

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite SEC-02 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for SEC-02 resolves to 5 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on SEC-02?

This page is the teaser layer. The full rubric behind SEC-02 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.