10) Does your organisation enforce multi-factor authentication on all remotely accessible services (both within your internal IT systems and on third party services)?
Written by Haydn Brooks
Created on March 18, 2019
Modified on June 7, 2020

Answer yes if your organisation enforces multi-factor authentication on all public-facing services that it uses (this includes third-party web-based services).

Typically, to gain access to a system you need a unique user ID (a username) and a password. Multi-factor authentication requires you to pass a third barrier, which usually involves presenting something that only you possess. For example, when you approve a login on your phone or type in a code from a one-time password generator, the system is checking that you hold a further recognised factor in addition to the password.

Implementing MFA is a key control that greatly increases the confidentiality of your data. It stops people who already know your password (for example because it was exposed in a previous data breach and is being reused, an attack known as credential stuffing) or who can guess it (through a brute-force attack, trying common passwords you may use until one works) from easily gaining access to a system.

MFA should be implemented across all of your systems that are accessible from the public internet. MFA should also be enforced on all web-based third-party services that your employees may use, such as GitHub.

How to implement the control:

Your IT team must ensure that MFA is implemented on all services that your IT systems expose to the public web. This is particularly important if your employees can remotely connect to your corporate network.

Your IT team must also ensure that all third party tools that are used have the ability to enforce MFA and that this feature is enabled.

When implementing MFA, app-based MFA (using an app such as Google Authenticator) is more secure than SMS-based MFA (receiving the second-factor code by text message).

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.