ACCESS-003 (critical): Security Requirements

Production access holders meet security requirements

Question to ask

"Is everyone with prod access actually using MFA?"

What to check

  • Security requirements documentation exists
  • Device security (encryption, MDM, endpoint protection)
  • Account security (MFA, hardware keys, password manager)
  • Access security (VPN/Zero Trust, logging, periodic review)

Pass criteria

  • Security requirements for prod access are documented
  • Requirements are enforced (not just written down)
  • Compliance is verified periodically
  • Clear process for revoking access if requirements not met

Fail criteria

  • No documented security requirements
  • Requirements exist but not enforced
  • No verification process
  • Prod access granted without security vetting

Verification guide

Severity: Critical

Check automatically:

  1. Check for documented security requirements:

    # Look for security policy / access requirements docs
    # (-print0 / -0 keep paths with spaces intact)
    find . -type f -name "*.md" -print0 | xargs -0 grep -liE "security.*(posture|requirement|standard)|prod.*access.*require|access.*policy" 2>/dev/null

  2. Check for security tooling enforcement (MDM, endpoint protection):

    # Look for references to security tools in docs
    grep -riE "jamf|kandji|intune|crowdstrike|sentinel|mdm|endpoint.*(protection|security)" . 2>/dev/null

This is primarily manual verification. Ask user:

"For each person with production access, verify the following security requirements:

Device Security:

  • Device has full-disk encryption enabled
  • Device has MDM/endpoint management (Jamf, Kandji, Intune, etc.)
  • Device has endpoint protection (CrowdStrike, SentinelOne, etc.)
  • Device auto-locks after inactivity

Account Security:

  • MFA enabled on all accounts (cloud console, VPN, etc.)
  • Hardware key (YubiKey) preferred over SMS/TOTP
  • Password manager in use (no reused passwords)

Access Security:

  • VPN or Zero Trust required for prod access
  • Access logged and auditable
  • Access reviewed periodically (quarterly minimum)

Please confirm:

  1. Are these requirements documented?
  2. Who verifies compliance?
  3. When was the last verification?
  4. What happens if someone fails verification?"
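The per-holder checklist above can be scored mechanically once the answers are collected. The following is an added example (not part of the checklist itself) that evaluates a constructed inventory against the device, account and access requirements listed, treats a missing MFA method or an access review older than a quarter as a failure, and flags SMS/TOTP as a warning since a hardware key is preferred; the 92-day review window and the field names are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

QUARTER = timedelta(days=92)  # assumed window for "quarterly minimum" reviews

@dataclass
class Holder:
    name: str
    # Device security
    disk_encrypted: bool
    mdm_enrolled: bool
    endpoint_protection: bool
    auto_lock: bool
    # Account security: account -> "hardware_key" | "totp" | "sms" | None (no MFA)
    mfa: Dict[str, Optional[str]]
    password_manager: bool
    # Access security
    vpn_or_zero_trust: bool
    access_logged: bool
    last_review: Optional[date]

def evaluate(h: Holder, today: date) -> Dict[str, List[str]]:
    """Return {'fail': [...], 'warn': [...]} for one production-access holder."""
    fail, warn = [], []
    for ok, msg in [
        (h.disk_encrypted, "no full-disk encryption"),
        (h.mdm_enrolled, "not enrolled in MDM"),
        (h.endpoint_protection, "no endpoint protection"),
        (h.auto_lock, "no inactivity auto-lock"),
        (h.password_manager, "no password manager"),
        (h.vpn_or_zero_trust, "prod reachable without VPN/Zero Trust"),
        (h.access_logged, "access not logged"),
    ]:
        if not ok:
            fail.append(msg)
    for account, method in h.mfa.items():
        if method is None:
            fail.append(f"{account}: MFA not enabled")
        elif method != "hardware_key":
            warn.append(f"{account}: {method} MFA, hardware key preferred")
    if h.last_review is None:
        fail.append("access never reviewed")
    elif today - h.last_review > QUARTER:
        fail.append(f"last access review {(today - h.last_review).days} days ago")
    return {"fail": fail, "warn": warn}

def noncompliant(holders: List[Holder], today: date) -> List[str]:
    """Names of holders with at least one failing requirement (sorted)."""
    return sorted(h.name for h in holders if evaluate(h, today)["fail"])

# Constructed sample inventory; not real people, devices or accounts.
SAMPLE = [
    Holder("alice", True, True, True, True, {"cloud_console": "hardware_key", "vpn": "hardware_key"}, True, True, True, date(2024, 5, 1)),
    Holder("bob", True, True, False, True, {"cloud_console": "totp", "vpn": None}, True, True, True, date(2024, 1, 15)),
]
```

Running `noncompliant(SAMPLE, date(2024, 6, 1))` flags only "bob" (missing endpoint protection, no MFA on the VPN account, review overdue), which is the answer to "is everyone with prod access actually using MFA?".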

Cross-reference with:

  • ACCESS-001 (Access documented and approved)
  • ACCESS-002 (Minimal prod access)
  • ENV-004 (Environment protection - Zero Trust)

Evidence to capture:

  • Security requirements document location
  • Enforcement mechanism (MDM, manual checks, etc.)
  • Last compliance verification date
  • Who is responsible for verification
  • List of prod access holders and their compliance status

Section: 11. Access Control (Deployment & Operations)