AM-04 Access Management
Centralised Identity / SSO
Identity lifecycle changes propagate consistently.
- Domain: Access Management
- Control type: Preventive
- Automated / manual: Automated
- Frequency: Continuous
- Framework reference: COBIT DSS05.04
What good looks like
A central IdP/SSO governs authentication; de-provisioning cascades (SCIM) to connected apps.
Risk if it fails
Orphaned local accounts bypassing central controls.
How Tess tests it
3 tests — each concludes only on cited evidence.
Test 1 (design): SSO/IdP integrated for in-scope apps
- Procedure: Inspect the IdP app catalogue.
- Expected: Critical apps federated to the IdP.
- Sample: 1 (design inspection)
- Evidence: IdP app catalogue, SCIM/de-provision logs.
Test 2 (operating): De-provisioning cascades via SCIM
- Procedure: Test a sampled leaver in downstream apps.
- Expected: Disabled in connected apps.
- Sample: 25 (or full config inspection)
- Evidence: IdP app catalogue, SCIM/de-provision logs.
Test 3 (operating): Local/bypass accounts controlled
- Procedure: Inspect local/break-glass accounts.
- Expected: Minimal, justified and monitored.
- Sample: 25 (or full config inspection)
- Evidence: IdP app catalogue, SCIM/de-provision logs.
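The three tests above can be run as one reconciliation over exported data: the IdP user list, the IdP app catalogue, and each connected app's SCIM user records. The script below is an added illustration, not Tess's tooling or any vendor's API. The record shapes (user id pushed to apps as the SCIM externalId, an active flag, a None externalId meaning a local account) are a simplified assumption modelled on SCIM 2.0 User attributes, the BREAK_GLASS allowlist stands in for a documented break-glass register, and all users, apps and accounts are constructed sample data.

```python
"""Reconcile IdP leaver status against downstream app accounts.

Added example (not Tess's own tooling). Record shapes are an assumed
simplification of SCIM 2.0 User attributes (userName, externalId, active);
all data below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IdpUser:
    user_id: str          # IdP id, pushed to apps as the SCIM externalId
    user_name: str
    active: bool          # False once the leaver is de-provisioned centrally


@dataclass(frozen=True)
class AppAccount:
    user_name: str
    active: bool
    external_id: Optional[str] = None   # None => local account, not SCIM-managed


@dataclass
class App:
    name: str
    in_scope: bool
    federated: bool                      # True if listed in the IdP app catalogue
    accounts: List[AppAccount] = field(default_factory=list)


# Assumed: documented break-glass accounts (app, user) that are allowed to be local.
BREAK_GLASS = {("finance-erp", "breakglass-admin")}


def unfederated_in_scope_apps(apps: List[App]) -> List[str]:
    """Test 1: in-scope apps that are missing from the IdP catalogue."""
    return sorted(a.name for a in apps if a.in_scope and not a.federated)


def leavers_still_active(idp_users: List[IdpUser], apps: List[App]) -> List[Tuple[str, str]]:
    """Test 2: de-provisioned IdP users whose SCIM-linked app account is still active."""
    leavers = {u.user_id for u in idp_users if not u.active}
    findings = []
    for app in apps:
        for acct in app.accounts:
            if acct.external_id in leavers and acct.active:
                findings.append((app.name, acct.user_name))
    return sorted(findings)


def unjustified_local_accounts(apps: List[App]) -> List[Tuple[str, str]]:
    """Test 3: local (non-SCIM) accounts not on the documented break-glass list."""
    findings = []
    for app in apps:
        for acct in app.accounts:
            if acct.external_id is None and (app.name, acct.user_name) not in BREAK_GLASS:
                findings.append((app.name, acct.user_name))
    return sorted(findings)


# Constructed sample data.
IDP_USERS = [
    IdpUser("u001", "alice", True),
    IdpUser("u002", "bob", False),     # leaver, de-provisioned in the IdP
    IdpUser("u003", "carol", False),   # leaver, de-provisioned in the IdP
]

APPS = [
    App("finance-erp", True, True, [
        AppAccount("alice", True, "u001"),
        AppAccount("bob", False, "u002"),             # cascade worked
        AppAccount("breakglass-admin", True, None),   # documented break-glass
    ]),
    App("hr-portal", True, True, [
        AppAccount("carol", True, "u003"),            # cascade failed: orphaned access
        AppAccount("svc-legacy", True, None),         # undocumented local account
    ]),
    App("ticketing", True, False, [                   # in scope but not federated
        AppAccount("dave", True, None),
    ]),
]


if __name__ == "__main__":
    print("Test 1, not federated:", unfederated_in_scope_apps(APPS))
    print("Test 2, leavers still active:", leavers_still_active(IDP_USERS, APPS))
    print("Test 3, unjustified local accounts:", unjustified_local_accounts(APPS))
```

Each function returns the exceptions for one test, so an empty list is a pass and anything else is a finding that should be traceable back to the exported catalogue and SCIM logs cited as evidence. The Test 2 match is keyed on externalId rather than userName because a renamed or re-used userName in a downstream app would otherwise hide an orphaned account.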
Evidence Tess looks for
IdP app catalogue, SCIM/de-provision logs.