DCTR-14

Do you require multifactor authentication for all administrative accounts in your environment?

Explanation

This question asks whether your organization requires multiple forms of authentication (multifactor authentication, or MFA) for administrative accounts that have privileged access to your datacenter environment. Multifactor authentication combines two or more verification methods from different categories: something you know (such as a password), something you have (such as a mobile device or security key), and something you are (such as a fingerprint or facial recognition). Two methods from the same category, for example a password plus security questions, do not count as MFA.

Why this is asked in security assessments:

1. Administrative accounts have elevated privileges that can reach sensitive systems and data.
2. Compromised admin accounts represent one of the highest security risks to an organization.
3. Passwords alone are vulnerable to phishing, credential stuffing and brute-force attacks.
4. MFA significantly reduces the risk of unauthorized access even when a password has been compromised.
5. Many compliance frameworks (NIST SP 800-63B, PCI DSS, ISO 27001) require or expect MFA for privileged accounts.

How to best answer:

- Be specific about which administrative accounts require MFA.
- Describe which MFA methods are supported (hardware tokens, mobile apps, biometrics). Phishing-resistant methods such as FIDO2 security keys are stronger than push notifications or SMS codes.
- Mention any exceptions to the policy (for example break-glass accounts) and how those exceptions are managed.
- If you don't require MFA for all admin accounts, explain your compensating controls.
- Include details about implementation and enforcement mechanisms, and how you verify that enforcement actually holds (for example, a periodic review of successful admin sign-ins that did not present a second factor).

Example Responses

Example Response 1

Yes, our organization requires multifactor authentication for all administrative accounts across our datacenter environment. We implement this using a combination of password authentication plus a second factor through our enterprise identity provider (Okta). Administrative users must provide their password and either respond to a push notification on their registered mobile device or use a FIDO2 hardware security key. This requirement applies to all privileged accounts, including system administrators, network administrators, database administrators, and security personnel. We enforce this technically through our IAM system, which prevents authentication without the second factor, and we audit compliance monthly. We have no exceptions to this policy.

Example Response 2

Yes, we require MFA for all administrative accounts in our datacenter environment. Our implementation uses Microsoft Azure AD for identity management, with conditional access policies that enforce MFA for all privileged role assignments. Administrators must use their password plus either the Microsoft Authenticator app or a company-issued YubiKey hardware token. For emergency break-glass accounts, we have a strictly controlled process in which two authorized individuals must be physically present to access a secured location containing the credentials and hardware token. All authentication attempts are logged and monitored in real time through our SIEM solution, with automated alerts for any suspicious access patterns.

Example Response 3

No, we currently do not require multifactor authentication for all administrative accounts in our datacenter environment. While we have implemented MFA for approximately 70% of our administrative users, we have legacy systems that don't support modern authentication protocols. For these systems, we implement compensating controls including IP restrictions, jump servers with enhanced monitoring, a privileged access management (PAM) solution that requires credential checkout, and shorter session timeouts. We recognize this as a security gap and have a documented roadmap to migrate all remaining systems to MFA-compatible solutions within the next 6 months, with interim risk acceptance documented and approved by our CISO.
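The three responses above all rest on a verifiable claim: that MFA is enrolled for every admin account and that the identity provider actually enforces it (Response 1 audits this monthly, Response 2 carves out break-glass accounts, Response 3 reports 70% coverage). The following audit script is an added example written for this page; it is not ResponseHub's code nor any identity provider's tooling. It assumes three exports that most IdPs can produce, here replaced by constructed sample data: admin role membership, per-user MFA enrollment, and recent sign-in events with the factors each one presented. Usernames, IPs and factor names are hypothetical.

```python
"""Audit whether MFA is actually enforced for administrative accounts.

Added example for this page; not ResponseHub's code or any IdP vendor's
tooling. Assumes three exports (constructed sample data below): admin role
membership, per-user MFA enrollment, and sign-in events listing the factors
each one presented.
"""

# Factor categories as defined in the Explanation: a sign-in is MFA only when
# the presented factors span at least two DIFFERENT categories.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "security_question": "knowledge",
    "push": "possession",
    "totp": "possession",
    "fido2": "possession",
    "fingerprint": "inherence",
}

# --- Constructed sample exports (hypothetical usernames, private/RFC 5737 IPs) ---
ADMIN_ACCOUNTS = {"alice.sysadmin", "bob.netadmin", "carol.dba",
                  "dave.secops", "breakglass-01"}
MFA_ENROLLED = {"alice.sysadmin", "bob.netadmin", "dave.secops"}
# Documented exception: the break-glass account handled by a two-person process.
BREAK_GLASS = {"breakglass-01"}

SIGN_IN_LOG = [
    {"user": "alice.sysadmin", "result": "success", "factors": ["password", "fido2"], "ip": "10.0.5.12"},
    {"user": "bob.netadmin", "result": "success", "factors": ["password", "push"], "ip": "10.0.5.30"},
    {"user": "carol.dba", "result": "success", "factors": ["password"], "ip": "10.0.9.4"},
    # Two knowledge factors: looks like "two steps" but is not multifactor.
    {"user": "dave.secops", "result": "success", "factors": ["password", "security_question"], "ip": "10.0.7.1"},
    {"user": "bob.netadmin", "result": "failure", "factors": ["password"], "ip": "203.0.113.9"},
    {"user": "breakglass-01", "result": "success", "factors": ["password"], "ip": "10.0.1.2"},
    {"user": "erin.dev", "result": "success", "factors": ["password"], "ip": "10.0.20.8"},
]


def is_mfa(factors):
    """True if the presented factors cover at least two distinct categories."""
    categories = {FACTOR_CATEGORY[f] for f in factors if f in FACTOR_CATEGORY}
    return len(categories) >= 2


def admins_missing_mfa(admins, enrolled, exceptions):
    """In-scope admin accounts with no MFA method registered at all."""
    return sorted(admins - enrolled - exceptions)


def mfa_coverage(admins, enrolled, exceptions):
    """Fraction of in-scope admin accounts with MFA enrolled (the
    '70% of administrative users' figure in Example Response 3)."""
    in_scope = admins - exceptions
    if not in_scope:
        return 1.0
    return len(in_scope & enrolled) / len(in_scope)


def unverified_admin_sign_ins(events, admins, exceptions):
    """Successful admin sign-ins that did not satisfy MFA.

    Enrollment alone proves nothing; these events show where enforcement has
    a gap (a legacy protocol, a misconfigured policy, a weak second step)."""
    return [e for e in events
            if e["user"] in admins and e["user"] not in exceptions
            and e["result"] == "success" and not is_mfa(e["factors"])]


def break_glass_usage(events, exceptions):
    """Every use of an exception account, successful or not, goes to review."""
    return [e for e in events if e["user"] in exceptions]


def audit(admins=ADMIN_ACCOUNTS, enrolled=MFA_ENROLLED, events=SIGN_IN_LOG,
          exceptions=BREAK_GLASS):
    """Summary suitable for the monthly compliance check the responses mention."""
    return {
        "coverage": mfa_coverage(admins, enrolled, exceptions),
        "not_enrolled": admins_missing_mfa(admins, enrolled, exceptions),
        "unverified_sign_ins": [e["user"] for e in
                                unverified_admin_sign_ins(events, admins, exceptions)],
        "break_glass_used": [e["user"] for e in break_glass_usage(events, exceptions)],
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

On the sample data the audit reports 75% enrollment, one admin with nothing enrolled, two successful admin sign-ins that were not MFA (one with a password only, one with a password plus security questions, which is two factors from the same category), and one break-glass use to review. The sign-in check matters more than the enrollment figure: an account can be enrolled and still sign in through a path that never asks for the second factor.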

Context

Tab: Infrastructure
Category: Datacenter

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub