AM-03 Access Management
Multi-Factor Authentication (MFA)
Sensitive/exposed surfaces require more than a password.
- Domain: Access Management
- Control type: Preventive
- Automated / manual: Automated
- Frequency: Continuous
- Framework reference: MAS Cyber Hygiene; MAS TRM – Access
What good looks like
MFA enforced (not merely enrolled) for remote access, all administrator accounts, critical and internet-facing systems and cloud consoles, with any exemptions documented, approved and time-limited.
Risk if it fails
Account takeover from stolen, phished or reused passwords; for admin and cloud-console accounts this is a direct path to full environment compromise.
How Tess tests it
5 tests — each concludes only on cited evidence.
MFA policy defines required surfaces (Design)
- Procedure: Inspect the MFA/conditional-access policy.
- Expected: Remote access, administrator accounts, critical/internet-facing systems and cloud consoles are all explicitly in scope.
- Sample: 1 (design inspection)
- Evidence: MFA enrolment report, conditional-access policy, console settings.
MFA enforced for all administrators (Operating)
- Procedure: Inspect enrolment/enforcement status for every administrator account (super and delegated admins, including break-glass accounts).
- Expected: 100% of active admin accounts have MFA enforced; enrolment alone does not count, since an enrolled-but-not-enforced account can still sign in with a password only. Any admin not enforced must appear on the approved exemption list.
- Sample: 25 (or full config inspection)
- Evidence: MFA enrolment report, conditional-access policy, console settings.
MFA enforced for remote access/VPN (Operating)
- Procedure: Inspect the VPN/remote-access configuration, covering every gateway and connection profile, not only the default one.
- Expected: MFA required for all remote access; no profile or gateway accepts a password alone.
- Sample: 25 (or full config inspection)
- Evidence: MFA enrolment report, conditional-access policy, console settings.
MFA enforced on cloud (GCP) console (Operating)
- Procedure: Inspect cloud authentication settings. For GCP the console signs in through Google identity, so 2-Step Verification enforcement is configured in Google Workspace / Cloud Identity; for federated (SAML) users, confirm MFA is enforced at the external IdP.
- Expected: MFA required for all console and IAM access.
- Sample: 25 (or full config inspection)
- Evidence: MFA enrolment report, conditional-access policy, console settings.
Exemptions approved and minimal (Operating)
- Procedure: Inspect any exemption list and reconcile it against the enrolment report.
- Expected: Every exemption has a documented justification, a named approver and an expiry or review date; the list is small relative to the admin population and contains no stale entries for accounts that no longer need them.
- Sample: 25 (or full config inspection)
- Evidence: MFA enrolment report, conditional-access policy, console settings.
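The admin-coverage test and the exemption test above can be reconciled from the same enrolment export. The script below is an added example, not code from the Tess page or product: it reads records in the shape returned by the Google Workspace / Cloud Identity Directory API users.list call (primaryEmail, isAdmin, isDelegatedAdmin, isEnrolledIn2Sv, isEnforcedIn2Sv, suspended), treats only enforced status as coverage, and accepts an exemption only if it has an approver, a reason and an unexpired date. The user records and the exemption register are constructed sample data; the exemption-register fields (approved_by, reason, expires) are an assumed format.

```python
"""Offline reconciliation of an MFA enrolment export against an exemption register.

Added example, not part of the Tess page. Record fields follow the Google
Directory API users.list User resource; all data below is constructed.
"""
from datetime import date

ADMIN_FLAGS = ("isAdmin", "isDelegatedAdmin")

# Constructed sample export (not real accounts).
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": True, "suspended": False},
    # Enrolled but not enforced: can still sign in with a password only.
    {"primaryEmail": "bob@example.com", "isAdmin": False, "isDelegatedAdmin": True,
     "isEnrolledIn2Sv": True, "isEnforcedIn2Sv": False, "suspended": False},
    # Break-glass admin: only acceptable with a valid exemption.
    {"primaryEmail": "breakglass@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    # Ordinary user: out of scope for the admin test.
    {"primaryEmail": "carol@example.com", "isAdmin": False, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": False},
    # Suspended admin: cannot sign in, so out of scope.
    {"primaryEmail": "old-admin@example.com", "isAdmin": True, "isDelegatedAdmin": False,
     "isEnrolledIn2Sv": False, "isEnforcedIn2Sv": False, "suspended": True},
]

# Constructed exemption register (assumed format: approver, reason, ISO expiry).
SAMPLE_EXEMPTIONS = {
    "breakglass@example.com": {"approved_by": "ciso@example.com",
                               "reason": "break-glass, credentials sealed in vault",
                               "expires": "2025-12-31"},
    "bob@example.com": {"approved_by": "", "reason": "legacy", "expires": "2025-12-31"},
    "carol@example.com": {"approved_by": "ciso@example.com", "reason": "contractor",
                          "expires": "2025-12-31"},
}


def active_admins(users):
    """Admins in scope: super or delegated admins that are not suspended."""
    return [u for u in users
            if not u.get("suspended", False)
            and any(u.get(flag, False) for flag in ADMIN_FLAGS)]


def exemption_is_valid(entry, today):
    """An exemption counts only with an approver, a reason and an unexpired date."""
    if not entry.get("approved_by") or not entry.get("reason"):
        return False
    try:
        return date.fromisoformat(entry["expires"]) >= today
    except (KeyError, TypeError, ValueError):
        return False


def check_admin_mfa(users, exemptions, today_iso):
    """Reconcile enforcement status of every active admin with the exemption register.

    today_iso is passed explicitly so the check is reproducible for a given date.
    """
    today = date.fromisoformat(today_iso)
    admins = active_admins(users)
    result = {"admin_count": len(admins), "enforced_count": 0,
              "enrolled_not_enforced": [], "uncovered": [], "exempt": [],
              "invalid_exemptions": [], "stale_exemptions": []}
    for u in admins:
        email = u["primaryEmail"]
        if u.get("isEnforcedIn2Sv", False):
            result["enforced_count"] += 1
            continue
        if u.get("isEnrolledIn2Sv", False):
            result["enrolled_not_enforced"].append(email)
        entry = exemptions.get(email)
        if entry is not None and exemption_is_valid(entry, today):
            result["exempt"].append(email)
        else:
            if entry is not None:
                result["invalid_exemptions"].append(email)
            result["uncovered"].append(email)
    # Exemptions for non-admins or suspended accounts should be retired.
    admin_emails = {u["primaryEmail"] for u in admins}
    result["stale_exemptions"] = sorted(e for e in exemptions if e not in admin_emails)
    covered = result["enforced_count"] + len(result["exempt"])
    result["coverage"] = covered / len(admins) if admins else 1.0
    result["passes"] = not result["uncovered"]
    return result


if __name__ == "__main__":
    r = check_admin_mfa(SAMPLE_USERS, SAMPLE_EXEMPTIONS, "2025-06-01")
    print(f"admins={r['admin_count']} enforced={r['enforced_count']} "
          f"coverage={r['coverage']:.0%} passes={r['passes']}")
    for key in ("uncovered", "enrolled_not_enforced", "invalid_exemptions",
                "exempt", "stale_exemptions"):
        print(f"{key}: {r[key]}")
```

Coverage is reported as enforced-plus-validly-exempt over active admins, so a clean run shows 100% with the exemption list visible alongside it; the reviewer still judges whether that list is minimal. Re-running with a later date shows exemptions falling out as they expire.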
Evidence Tess looks for
MFA enrolment report, conditional-access policy, console settings.