mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-15 07:24:56 +03:00
105 lines
3.1 KiB
Markdown
# Identity Verification Implementation Plan Template

## Project Information

| Field | Value |
|---|---|
| Project Name | |
| Organization | |
| Identity Provider | [Azure AD / Okta / Ping Identity] |
| User Population | |
| Target Completion | |

## Current State Assessment

### Identity Infrastructure

- **Primary IdP**:
- **Secondary IdPs**:
- **Local Accounts**: [Count and locations]
- **Shared Accounts**: [Count - target for elimination]

### Current MFA State

| Method | Enabled | Users Enrolled | Phishing-Resistant |
|---|---|---|---|
| SMS OTP | | | No |
| Voice Call | | | No |
| TOTP App | | | No |
| Push Notification | | | No |
| FIDO2 Security Key | | | Yes |
| Windows Hello | | | Yes |
| Certificate/PIV | | | Yes |

### MFA Enrollment Target

- Current enrollment rate: ___%
- Target enrollment rate: 100%
- Phishing-resistant target: 100%

## Phishing-Resistant MFA Rollout Plan

### Hardware Key Distribution

| User Group | Key Type | Quantity | Distribution Method | Timeline |
|---|---|---|---|---|
| Executive Leadership | YubiKey 5 NFC | | In-person | Week 1 |
| IT Administrators | YubiKey 5C | | IT distribution | Week 2 |
| All Employees | YubiKey Security Key | | Self-service + mail | Weeks 3-8 |

### Enrollment Campaign

- [ ] Communication sent to all users
- [ ] Self-service portal configured
- [ ] Help desk trained on enrollment support
- [ ] Enrollment deadline set: ____
- [ ] Escalation path for non-compliant users

## Conditional Access Policies

| Policy Name | Users | Apps | Conditions | Grant Controls | Session Controls |
|---|---|---|---|---|---|
| Block Legacy Auth | All | All | Legacy clients | Block | N/A |
| Require MFA | All | All | Any | Require MFA | Sign-in freq: 8hr |
| Require Compliant Device | All | Sensitive Apps | Any | Compliant device | App enforced |
| Block Risky Sign-In | All | All | High sign-in risk | Block | N/A |
| Require FIDO2 for Admins | Admin roles | Admin portals | Any | FIDO2 only | 1hr frequency |

## Risk-Based Policies

| Risk Level | User Risk Response | Sign-In Risk Response |
|---|---|---|
| Low | Allow | Allow |
| Medium | Require MFA step-up | Require MFA step-up |
| High | Block + alert SOC | Block + alert SOC |
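
As an added example (not part of this template or the repository it comes from), the Conditional Access and risk-based tables above expressed as a small policy evaluator run over constructed sign-in events; it shows that any matching Block policy wins outright, that grant controls from every matching policy accumulate, and that the shortest matching sign-in frequency applies. The `SignIn` fields and the policy labels are assumptions for illustration, not an identity provider's API.

```python
# Added example: a minimal evaluator for the Conditional Access and risk-based
# policies tabled above, run over constructed sign-in events. The SignIn fields
# and the policy labels are assumptions for illustration, not an IdP's API.
from dataclasses import dataclass


@dataclass
class SignIn:
    user: str
    app: str
    legacy_client: bool = False    # "Legacy clients" condition
    sign_in_risk: str = "low"      # low / medium / high
    user_risk: str = "low"         # low / medium / high
    admin_role: bool = False       # user holds an admin role
    admin_portal: bool = False     # app is an admin portal
    sensitive_app: bool = False    # app is in the Sensitive Apps set


def evaluate(ev: SignIn) -> dict:
    """Any matching Block policy wins outright; otherwise every matching grant
    control is required and the shortest matching sign-in frequency applies."""
    blocks = []
    if ev.legacy_client:
        blocks.append("Block Legacy Auth")
    if ev.sign_in_risk == "high":
        blocks.append("Block Risky Sign-In + alert SOC")
    if ev.user_risk == "high":
        blocks.append("High user risk: block + alert SOC")
    if blocks:
        return {"decision": "block", "policies": blocks}

    controls = {"Require MFA": "mfa"}   # applies to All users / All apps
    session_hours = 8                   # Require MFA: sign-in freq 8hr
    if ev.sensitive_app:
        controls["Require Compliant Device"] = "compliant device"
    if ev.admin_role and ev.admin_portal:
        controls["Require FIDO2 for Admins"] = "fido2"
        session_hours = min(session_hours, 1)   # 1hr frequency for admins
    if "medium" in (ev.sign_in_risk, ev.user_risk):
        controls["Risk-Based: Medium"] = "mfa step-up"
    return {"decision": "grant", "controls": controls, "session_hours": session_hours}


if __name__ == "__main__":
    # Constructed sample events, not real sign-in log data.
    for ev in (SignIn("alice", "mail", legacy_client=True),
               SignIn("bob", "admin-portal", admin_role=True, admin_portal=True),
               SignIn("carol", "hr-app", sign_in_risk="medium", sensitive_app=True)):
        print(ev.user, evaluate(ev))
```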

## Identity Governance

### Lifecycle Automation

- [ ] HR system integrated for joiner/mover/leaver
- [ ] Automatic provisioning on hire
- [ ] Role change triggers access review
- [ ] Automatic deprovisioning on termination
- [ ] Contractor access expiration configured

### Access Reviews

- Frequency: Quarterly
- Scope: All application assignments
- Reviewers: Direct managers
- Auto-action on non-response: Revoke access

## Monitoring and Detection

| Capability | Tool | Status |
|---|---|---|
| Sign-in log analysis | SIEM (Splunk/Sentinel) | |
| Identity threat detection | Entra ID Protection / ThreatInsight | |
| Impossible travel detection | IdP + UEBA | |
| Continuous Access Evaluation | CAE/CAEP | |
| Behavioral analytics | UEBA platform | |

## Sign-Off

| Stakeholder | Role | Approval | Date |
|---|---|---|---|
| | CISO | | |
| | Identity Team Lead | | |
| | Help Desk Manager | | |
| | HR Systems | | |