Security

SEC-03

User Behavioral Analytics (UBA)

This control asks one thing: How does the organization detect, assess, and respond to anomalous or malicious identity behavior after authentication has succeeded?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Attackers operate undetected using valid credentials. Lateral movement and data access continue until damage is discovered externally.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Transforms identity security from reactive defense to adaptive protection.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Begin collecting and retaining identity activity telemetry beyond authentication events.

What reaching level 2 (Developing) unlocks

Proactive identity threat detection.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • User or peer-group baselines defined
  • Risk scores generated per session or activity
  • Correlation across identity, device, and application logs

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for SEC-03 resolves to 4 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on SEC-03?

This page is the teaser layer. The full rubric behind SEC-03 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.