PR.AA-03.200

Has your organization implemented multifactor authentication (MFA) for all user access to systems containing sensitive data?

Explanation

Multifactor authentication requires users to provide two or more verification factors to gain access to a resource, which significantly reduces the risk of unauthorized access even if a password is compromised. Common MFA implementations combine factors from different categories: something you know (a password), something you have (a security token or mobile app), and something you are (biometric verification). Evidence of MFA implementation could include screenshots of MFA configuration settings in your identity management system, a documented MFA policy, user enrollment statistics showing the percentage of accounts with MFA enabled, or system logs demonstrating successful MFA challenges.
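The two log-based evidence items named above (enrollment coverage and proof of successful MFA challenges) can be produced from an identity provider's authentication log. The script below is an added example and is not part of this page or of ResponseHub; the JSON-lines log format, the factor names, the list of sensitive systems and every sample record in it are constructed assumptions. It also applies the "different categories" rule from the explanation, so a password plus a PIN (two knowledge factors) is not counted as MFA.

```python
"""
Added example (not part of the ResponseHub page): derive MFA evidence from an
assumed JSON-lines authentication log and an assumed enrollment export.
All formats, field names and sample data below are constructed for illustration.
"""
import json

# Map each assumed factor name to its category: knowledge, possession, inherence.
FACTOR_CATEGORY = {
    "password": "knowledge",
    "pin": "knowledge",
    "totp": "possession",
    "push": "possession",
    "hardware_token": "possession",
    "fingerprint": "inherence",
    "face": "inherence",
}

# Assumed set of systems that hold sensitive data.
SENSITIVE_SYSTEMS = {"hr-db"}

# Constructed sample log, one JSON object per line. Not real data.
SAMPLE_LOG = """
{"ts": "2024-05-01T08:00:00Z", "user": "alice", "system": "hr-db", "factors": ["password", "totp"], "result": "success"}
{"ts": "2024-05-01T08:05:00Z", "user": "bob", "system": "hr-db", "factors": ["password"], "result": "success"}
{"ts": "2024-05-01T08:07:00Z", "user": "carol", "system": "wiki", "factors": ["password"], "result": "success"}
{"ts": "2024-05-01T08:09:00Z", "user": "dave", "system": "hr-db", "factors": ["password", "pin"], "result": "success"}
{"ts": "2024-05-01T08:12:00Z", "user": "alice", "system": "hr-db", "factors": ["password", "totp"], "result": "failure"}
{"ts": "2024-05-01T08:15:00Z", "user": "erin", "system": "hr-db", "factors": ["hardware_token", "fingerprint"], "result": "success"}
"""

# Constructed enrollment roster (assumed identity-provider export): user -> enrolled factors.
SAMPLE_ENROLLMENT = {
    "alice": ["password", "totp"],
    "bob": ["password"],
    "carol": ["password", "push"],
    "dave": ["password", "pin"],
    "erin": ["hardware_token", "fingerprint"],
}


def parse_log(text):
    """Parse JSON-lines text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_mfa(factors):
    """True only if the factors span at least two distinct categories.
    Password + PIN is two factors of one category, so it does not qualify."""
    categories = {FACTOR_CATEGORY.get(f, "unknown") for f in factors}
    categories.discard("unknown")  # unrecognised factor names earn no credit
    return len(categories) >= 2


def single_factor_access(events, sensitive_systems=SENSITIVE_SYSTEMS):
    """Successful logins to sensitive systems that did not satisfy MFA (the gaps an auditor asks about)."""
    return [
        e for e in events
        if e["result"] == "success"
        and e["system"] in sensitive_systems
        and not is_mfa(e["factors"])
    ]


def mfa_coverage(enrollment):
    """Return (accounts_with_mfa, total_accounts, percentage) from the enrollment roster."""
    total = len(enrollment)
    enrolled = sum(1 for factors in enrollment.values() if is_mfa(factors))
    pct = round(100.0 * enrolled / total, 1) if total else 0.0
    return enrolled, total, pct


def evidence_report(log_text, enrollment, sensitive_systems=SENSITIVE_SYSTEMS):
    """Assemble the figures a questionnaire answer would cite."""
    events = parse_log(log_text)
    mfa_logins = sum(1 for e in events if e["result"] == "success" and is_mfa(e["factors"]))
    gaps = single_factor_access(events, sensitive_systems)
    enrolled, total, pct = mfa_coverage(enrollment)
    return {
        "successful_mfa_logins": mfa_logins,
        "single_factor_sensitive_logins": [(e["user"], e["system"]) for e in gaps],
        "mfa_enrollment_pct": pct,
        "enrolled": enrolled,
        "total_accounts": total,
    }


if __name__ == "__main__":
    print(json.dumps(evidence_report(SAMPLE_LOG, SAMPLE_ENROLLMENT), indent=2))
```

On the constructed data the report shows 2 successful MFA logins, flags bob and dave for reaching hr-db with a single factor category, and gives 60% enrollment coverage; in practice the same two figures would come from the real provider export and log, with the factor map adjusted to the provider's own factor names.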

Implementation Example

Require multifactor authentication

ID: PR.AA-03.200

Context

Function: PR: PROTECT
Category: PR.AA: Identity Management, Authentication, and Access Control
Sub-Category: Users, services, and hardware are authenticated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub