Identity & Security (it.identity_security)
P0
IAM, MFA, SSO, EDR/XDR, SIEM/SOC, PAM, DLP/CASB, OT security, IR. Federation pivots largely on identity-tenant decisions taken here.
Questions (21)
| id | prompt | scope | category | priority | artefact |
|---|---|---|---|---|---|
| it.identity_security.q01 | Identity provider(s) in use across the group — Entra ID (Azure AD), Okta, on-prem AD, Google. Tenant model: one tenant for everything, per-holding, per-subsidiary? | G | Identity | P0 | table |
| it.identity_security.q02 | Confirm preferred identity model: extend KSA Entra ID tenant to subsidiaries (and to India GCC) vs. B2B federation across separate tenants. Driver: compliance / license / blast radius. | G | Identity | P0 | text |
| it.identity_security.q03 | MFA coverage % across the group, per subsidiary. Method (authenticator app, FIDO2, SMS — discouraged). Conditional access policies in force? | G | MFA | P0 | table |
| it.identity_security.q04 | SSO coverage — top 20 SaaS apps; which use SSO today, which use local credentials. List the unmanaged ones (security exposure). | G | SSO | P0 | table |
| it.identity_security.q05 | Privileged access management tool in use (CyberArk, Entra PIM, BeyondTrust, none). Admin account count and JIT posture. | G | PAM | P0 | table |
| it.identity_security.q06 | EDR/XDR vendor + coverage % across Windows / macOS / Linux / servers. Managed in-house or via MSSP? | G | EDR / XDR | P0 | text |
| it.identity_security.q07 | SIEM platform (Sentinel, Splunk, QRadar, Chronicle, none). SOC — in-house, MSSP, hybrid. Log sources connected. Avg time-to-detect / time-to-respond if known. | G | SIEM / SOC | P0 | table |
| it.identity_security.q08 | DLP / CASB tooling (Purview, Netskope, Forcepoint, none). Coverage scope (email, endpoint, SaaS, cloud). | G | DLP / CASB | P1 | checklist |
| it.identity_security.q09 | Email security stack — secure email gateway (Mimecast, Proofpoint, Defender for O365), anti-phishing, banner policy, training cadence. | G | Email Security | P0 | file |
| it.identity_security.q10 | Vulnerability scanning tool (Qualys, Tenable, Rapid7, none). Scan cadence. Critical vulnerability backlog. Remediation SLA. | G | Vulnerability Mgmt | P0 | text |
| it.identity_security.q11 | For OT/plant entities: dedicated OT-security stack (Claroty, Nozomi, Dragos, Tenable OT)? Air-gap or controlled DMZ? Last OT pentest. | S | OT Security | P0 | text |
| it.identity_security.q12 | IR runbook and on-call rotation. Last incident (description, impact, lessons-learned). Cyber insurance — carrier and coverage. | G | Incident Response | P0 | file |
| it.identity_security.q13 | Are there any cybersecurity frameworks currently followed by the organisation (NIST CSF, ISO 27001, CIS Controls, SAMA-CSF, sector-specific)? Maturity assessment performed? | G | Security & Compliance | P0 | text |
| it.identity_security.q14 | Are there customer-specific security requirements applicable to operations (specific clients, contract clauses, customer audits)? Top 3 examples. | S | Security & Compliance | P0 | table |
| it.identity_security.q15 | Are there regulatory or compliance obligations applicable to any subsidiaries — PDPL (KSA), India DPDP, GDPR, SAMA-CSF, sector OT regs? Per-subsidiary applicability. | G | Security & Compliance | P0 | table |
| it.identity_security.q16 | How are cybersecurity responsibilities currently managed — dedicated CISO, fractional, MSSP, none? Per-subsidiary or group? | G | Security & Compliance | P0 | text |
| it.identity_security.q17 | Are there existing processes for handling security incidents? IR runbook, last invocation, lessons learned, current SLA. | G | Security & Compliance | P0 | file |
| it.identity_security.q18 | Are backups and recovery procedures documented today — per subsidiary? When was the last successful DR test (date, scope, outcome)? | G | Security & Compliance | P0 | table |
| it.identity_security.q19 | Are there challenges related to user access management or privileged access — joiner/mover/leaver workflow, recertification cadence, orphan accounts? | G | Security & Compliance | P0 | text |
| it.identity_security.q20 | Are there areas where cybersecurity visibility is currently limited — log coverage gaps, unmonitored assets, no SOC for some subsidiaries? | G | Security & Compliance | P0 | text |
| it.identity_security.q21 | Are there operational environments requiring additional isolation or protection — plant networks, project sites, OT systems, regulated data zones? | S | Security & Compliance | P0 | text |
Decisions related to this workstream (3)
| id | title | scope | priority | evidence questions |
|---|---|---|---|---|
| it.decisions.d02 | Group identity tenancy — extend KSA Entra ID vs separate India tenant with B2B federation. | G | P0 | 3 |
| it.decisions.d03 | M365 SKU strategy — E3 + targeted E5 add-ons, or full E5 across the group. | G | P0 | 5 |
| it.decisions.d08 | Group SOC model — extend KSA SOC, MSSP, or net-new India SOC. | G | P0 | 4 |