6.6 (IG2, IG3)

Establish and Maintain an Inventory of Authentication and Authorization Systems

Asset Type: Users
Security Function: Identify

Description

Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.

Implementation Checklist

1. Document current state and create baseline inventory
2. Define data fields and attributes to track
3. Assign ownership and responsibilities
4. Establish review cadence and update procedures
5. Select and deploy inventory management tool
6. Populate initial inventory with all known assets
7. Establish process for adding/removing inventory entries
8. Identify systems requiring multi-factor authentication
9. Select and deploy MFA solution
10. Enroll users and distribute authentication factors
11. Test MFA across all identified systems
12. Inventory all third-party service providers
13. Classify third parties by risk level
14. Conduct security assessments of critical vendors
15. Include security requirements in contracts
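The checklist above ends in a populated inventory that has to be kept current. The script below is an added example, not part of this safeguard's text or of any CIS tooling: it reads a constructed inventory export (the column names are an assumed schema, not one the page prescribes) and flags entries with unpopulated required fields, entries whose last review is older than the annual minimum, and systems identified as requiring MFA where it is not enforced.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory export (not a real organisation's data).
# One row per authentication/authorization system, on-site or at a provider.
INVENTORY_CSV = """\
system,type,hosting,owner,last_reviewed,mfa_required,mfa_enforced
Corporate AD,directory,on-site,identity-team,2024-09-01,yes,yes
Okta SSO,identity provider,remote-provider,identity-team,2024-11-15,yes,yes
Legacy RADIUS,network access auth,on-site,,2023-05-20,yes,no
HR SaaS SAML,identity provider,remote-provider,hr-apps,2025-01-10,no,no
"""

# Fields every entry must populate (assumed schema chosen for this example).
REQUIRED_FIELDS = ("system", "type", "hosting", "owner", "last_reviewed")
# The safeguard requires review at a minimum annually.
REVIEW_INTERVAL = timedelta(days=365)


def parse_inventory(csv_text):
    """Read an inventory export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def audit_inventory(rows, today_iso):
    """Return (system, finding) pairs for entries that fail a check."""
    today = date.fromisoformat(today_iso)
    findings = []
    for row in rows:
        name = (row.get("system") or "<unnamed>").strip()
        # 1. Required fields populated (a missing owner is a common gap).
        missing = [f for f in REQUIRED_FIELDS if not (row.get(f) or "").strip()]
        if missing:
            findings.append((name, "missing fields: " + ", ".join(missing)))
        # 2. Review cadence: flag anything not reviewed within the interval.
        if "last_reviewed" not in missing:
            try:
                reviewed = date.fromisoformat(row["last_reviewed"].strip())
            except ValueError:
                findings.append((name, "unparseable last_reviewed date"))
            else:
                if today - reviewed > REVIEW_INTERVAL:
                    findings.append((name, f"review overdue (last {reviewed})"))
        # 3. Systems identified as needing MFA must actually enforce it.
        if row.get("mfa_required") == "yes" and row.get("mfa_enforced") != "yes":
            findings.append((name, "MFA required but not enforced"))
    return findings


if __name__ == "__main__":
    for system, finding in audit_inventory(parse_inventory(INVENTORY_CSV), "2025-03-01"):
        print(f"{system}: {finding}")
```

Run against the sample export on 2025-03-01, only the legacy RADIUS entry is reported, once for each of the three checks.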

Threats & Vulnerabilities (CIS RAM)

Threat Scenarios

Undiscovered Authentication System Compromise (Confidentiality)

An authentication system not included in the inventory is compromised, but the breach goes undetected because the system is not monitored, patched, or included in security reviews.

Inconsistent Security Policies Across Unknown Auth Systems (Integrity)

Authentication systems not tracked in the inventory operate with different security policies, creating weak links that attackers target for initial access.

Vulnerabilities (When Safeguard Absent)

No Inventory of Authentication and Authorization Systems

Without a maintained inventory, the organization does not know all the systems that authenticate or authorize users, leaving some unmanaged and potentially misconfigured.

Unmanaged Identity Providers

Authentication systems not captured in the inventory are excluded from security hardening, monitoring, and incident response processes, creating blind spots in identity security.

Evidence Requirements

Type      | Evidence Item                                                          | Collection Frequency
----------|------------------------------------------------------------------------|--------------------------------------------
Document  | Current inventory or catalog documentation                             | Maintained continuously, reviewed quarterly
Document  | Process/procedure documentation for identification activities          | Reviewed annually
Technical | Asset/software inventory export with required fields populated         | Exported quarterly for review
Record    | Inventory review meeting minutes or sign-off                           | Per review cycle
Record    | Third-party risk assessment reports and scorecards                     | Annually per vendor
Document  | Vendor contracts with security requirements                            | Per contract cycle
Document  | Governing policy document (current, approved, communicated)            | Reviewed annually