Security

SEC-05

Identity Posture & Attack-Surface Management (ISPM)

This control asks one thing: How does the organization discover, prioritize, and remediate identity misconfigurations and exposures (dormant accounts, MFA coverage gaps, risky IdP/directory settings, and identity attack paths) before they are exploited?

Low Maturity

What Failure Looks Like

The documented failure mode at level 0 (Absent) on the 0 to 4 maturity scale:

Attackers enumerate what defenders never look at: stale accounts, legacy auth endpoints, and misconfigured trust relationships persist for years.

High Maturity

What Good Looks Like

The business value the methodology documents at level 4 (Optimized):

Posture becomes a controlled variable rather than accumulated debt, the strongest possible position for insurance and regulatory conversations.

Next Step

A Typical Next Move

For programs sitting around level 0 (Absent), the methodology recommends this as the next rational step:

Run a one-time posture baseline: dormant accounts, MFA coverage by population, privileged accounts outside PAM, legacy authentication usage.

What reaching level 2 (Developing) unlocks

Data-driven identity hardening roadmap.

Evidence

Evidence Assessors Ask For

A sample of the artifacts an assessor expects to see around level 2 (Developing):

  • Automated posture findings with severity ranking
  • Trend reporting: exposure counts declining across cycles
  • Coverage includes SaaS/IdP config, not only the directory

Breach Radar

Seen in Real Breaches

These teardowns of public incidents cite SEC-05 as one of the controls that failed. Each one reconstructs the attack chain from public disclosures.

Compliance

Compliance Frameworks That Cite This Control

The bank's regulatory mapping for SEC-05 resolves to 5 frameworks with a researched compliance threshold. Weakness here shows up in audits, not only in incidents.

Where Does Your Program Land on SEC-05?

This page is the teaser layer. The full rubric behind SEC-05 defines 5 scored maturity levels, 0 to 4, each with its own operating model, evidence expectations, and regulatory citations. That rubric is the scoring instrument, so it ships inside the assessment rather than on a marketing page. Running the assessment takes about 20 minutes and no signup is required to start.