SFC - Identity & Accounts

Revision 1.0 · Updated 2026-04-17 · Changelog

The SEAL Framework Checklist (SFC) for Identity & Accounts provides guidelines for managing organizational accounts (social media, email, SSO, registrar, SaaS, privileged platforms) such that account compromise cannot redirect users, funds, or trust.

Scope: This is a horizontal cert covering the cross-cutting account-management pattern that applies to multiple surfaces (domains, code, custody, social media). Other certs reference it for account-control concerns while retaining their domain-specific substance (e.g., SFC - DNS Registrar handles DNSSEC and registry locks; this cert handles registrar account hygiene).

For more details on certifications or self-assessments, refer to the Certification Guidelines.

Section 1: Governance & Inventory

ida-1.1.1 · Organizational Account Security Owner
Is there a clearly designated person or team accountable for organizational account security?
Baseline Requirements
  • Accountability scope covers account inventory, authentication and credential standards, access reviews, monitoring, and incident escalation
ida-1.1.2 · Organizational Account Inventory
Do you maintain an inventory of organizational accounts with defined ownership?
Baseline Requirements
  • Inventory covers social media and public-facing accounts, email domains and admin accounts, SSO/identity provider, domain registrar, custody platforms, code repository admin accounts, cloud console root/admin, and critical SaaS services
  • Each account has a documented owner (individual or role)
  • Updated within 24 hours for security-critical changes (new accounts, ownership transfers), 7 days for routine changes
  • Reviewed at least annually for completeness

Section 2: Authentication & Credentials

ida-2.1.1 · Phishing-Resistant Multi-Factor Authentication
Do you enforce phishing-resistant multi-factor authentication on organizational accounts?
Baseline Requirements
  • Hardware security keys (FIDO2/WebAuthn) required for high-privilege accounts: social media admin, domain registrar, custody platforms, cloud console root, SSO/IdP, repository admin, email admin
  • MFA required on all organizational accounts at minimum
  • SMS and voice-call MFA not used as the primary factor for high-privilege accounts
  • Backup MFA methods configured using independent factors
ida-2.1.2 · Credential Management and Individual Accountability
Do you enforce credential management standards with individual accountability?
Baseline Requirements
  • Password manager required for all personnel; no passwords stored in plain text, documents, or browsers
  • Unique, strong passwords per account
  • Individual accounts required; no shared logins for organizational accounts. Where shared access is technically unavoidable, it is mediated through the password manager with per-person audit trails
  • Credentials transmitted only through encrypted channels (password manager sharing, not email or chat)
ida-2.1.3 · Recovery Methods Restricted to Organizational Channels
Do you restrict account recovery methods to organizational channels?
Baseline Requirements
  • Recovery email addresses use organizational domains, not personal email
  • Recovery phone numbers use organizational numbers where supported, not personal numbers
  • Backup and recovery codes stored in the password manager or comparable secure storage (not in personal email, notes, or cloud docs)
  • Recovery options reviewed when personnel change and at least annually

Section 3: Access & Lifecycle

ida-3.1.1 · Account Lifecycle Management
Do you manage the full lifecycle of organizational accounts, including provisioning, changes, offboarding, and periodic access review?
Baseline Requirements
  • Account creation requires documented approval and is provisioned with least privilege
  • Role changes trigger prompt permission adjustments
  • Offboarding revokes access across all organizational accounts within 24 hours of departure, including social media, SaaS, SSO, and shared tools
  • Credentials for shared systems the departing person accessed are rotated
  • Access reviews conducted at least annually; quarterly for high-privilege accounts
  • Service account and bot account ownership reviewed alongside human accounts
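As an added example (not part of the SFC checklist or any SEAL tooling), the following Python script audits a constructed account inventory against the inventory, MFA, recovery-channel and review-cadence requirements in ida-1.1.2, ida-2.1.1, ida-2.1.3 and ida-3.1.1. The field names, role labels, org domain and sample accounts are all assumptions made for the example.

```python
from datetime import date

# Constructed inventory and policy tables; field names, role labels and the
# sample accounts are this example's assumptions, not values from the checklist.
HIGH_PRIV = {"registrar", "custody", "cloud-root", "sso", "repo-admin",
             "email-admin", "social-admin"}
ORG_DOMAINS = {"example.org"}
PHISHING_RESISTANT = {"fido2", "webauthn"}
WEAK_PRIMARY = {"sms", "voice"}
AS_OF = date(2026, 4, 17)  # audit date used for the review-cadence check

INVENTORY = [
    {"name": "registrar", "role": "registrar", "owner": "it-lead", "mfa": ["fido2", "totp"],
     "recovery_email": "secops@example.org", "last_review": "2026-02-15"},
    {"name": "x-main", "role": "social-admin", "owner": "", "mfa": ["sms"],
     "recovery_email": "founder@gmail.com", "last_review": "2024-11-02"},
    {"name": "newsletter", "role": "saas", "owner": "marketing", "mfa": ["totp", "fido2"],
     "recovery_email": "ops@example.org", "last_review": "2025-09-01"},
]

def audit_account(acct, today=AS_OF):
    """Return the checklist items this record fails (empty list = compliant)."""
    findings = []
    high = acct["role"] in HIGH_PRIV
    mfa = acct["mfa"]  # ordered: the first entry is the primary factor
    if not acct["owner"]:
        findings.append("ida-1.1.2 no documented owner")
    if not mfa:
        findings.append("ida-2.1.1 no MFA configured")
    else:
        if high and not PHISHING_RESISTANT & set(mfa):
            findings.append("ida-2.1.1 high-privilege account lacks a hardware key")
        if high and mfa[0] in WEAK_PRIMARY:
            findings.append("ida-2.1.1 SMS/voice used as primary factor")
        if len(set(mfa)) < 2:
            findings.append("ida-2.1.1 no independent backup factor")
    domain = acct["recovery_email"].rsplit("@", 1)[-1].lower()
    if domain not in ORG_DOMAINS:
        findings.append(f"ida-2.1.3 recovery email on non-organizational domain {domain}")
    # Review cadence from ida-3.1.1: quarterly for high-privilege, annually otherwise.
    age = (today - date.fromisoformat(acct["last_review"])).days
    limit = 90 if high else 365
    if age > limit:
        findings.append(f"ida-3.1.1 last reviewed {age} days ago (limit {limit})")
    return findings

def audit_inventory(inventory=INVENTORY, today=AS_OF):
    return {a["name"]: audit_account(a, today) for a in inventory}
```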

Section 4: Monitoring & Third-Party

ida-4.1.1 · Organizational Account Takeover Monitoring
Do you monitor organizational accounts for takeover, unauthorized activity, and credential exposure?
Baseline Requirements
  • Authentication-event monitoring for privileged accounts (unusual logins, new device enrollments, session anomalies, repeated auth failures)
  • Public-facing account monitoring for unauthorized posts or configuration changes (social media, status pages, external websites)
  • Credential exposure detection including dark web, breach databases, and secret scanning in code
  • Alerting and escalation paths documented; critical alerts trigger immediate investigation
  • Response coordinated with the Incident Response plan
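The authentication-event monitoring in ida-4.1.1, as an added example that is not part of the SFC or any SEAL tooling: three detections (repeated auth failures inside a window, a login from a country outside the user's baseline, and a new MFA device enrolled on a privileged account) run over constructed key=value log lines. The log format, field names, users and thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events as key=value lines; the format, field names
# and users are this example's assumptions, not a real IdP export.
LOG = """\
2026-04-17T08:00:00Z user=alice account=sso event=login result=success geo=DE device=d-1
2026-04-17T08:05:00Z user=alice account=sso event=login result=success geo=DE device=d-1
2026-04-17T09:00:00Z user=bob account=registrar event=login result=failure geo=US device=d-7
2026-04-17T09:00:20Z user=bob account=registrar event=login result=failure geo=US device=d-7
2026-04-17T09:00:40Z user=bob account=registrar event=login result=failure geo=US device=d-7
2026-04-17T09:01:00Z user=bob account=registrar event=login result=failure geo=US device=d-7
2026-04-17T09:01:20Z user=bob account=registrar event=login result=failure geo=US device=d-7
2026-04-17T09:02:00Z user=bob account=registrar event=login result=success geo=US device=d-7
2026-04-17T09:03:00Z user=bob account=registrar event=mfa_enroll result=success geo=US device=d-7
2026-04-17T10:00:00Z user=alice account=sso event=login result=success geo=BR device=d-9
"""
PRIVILEGED = {"registrar", "sso", "custody", "cloud-root", "repo-admin"}
BASELINE_GEO = {"alice": {"DE"}, "bob": {"US"}}  # countries each user normally logs in from
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)

def parse(line):
    """Turn one log line into a dict with a timezone-aware 'ts'."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return ev

def detect(lines, baseline_geo=BASELINE_GEO):
    """Return (rule, user, detail) alerts in the order they fire."""
    alerts = []
    failures = defaultdict(list)  # user -> timestamps of failures inside FAIL_WINDOW
    for ev in map(parse, lines):
        user, ts = ev["user"], ev["ts"]
        if ev["event"] == "login" and ev["result"] == "failure":
            failures[user] = [t for t in failures[user] if ts - t <= FAIL_WINDOW] + [ts]
            if len(failures[user]) == FAIL_THRESHOLD:  # fire once per burst
                alerts.append(("repeated-auth-failures", user,
                               f"{FAIL_THRESHOLD} failures on {ev['account']} within {FAIL_WINDOW}"))
        elif ev["event"] == "login" and ev["geo"] not in baseline_geo.get(user, set()):
            alerts.append(("unusual-login-location", user, f"{ev['geo']} via device {ev['device']}"))
        elif ev["event"] == "mfa_enroll" and ev["account"] in PRIVILEGED:
            alerts.append(("new-device-enrollment", user, f"{ev['account']} device {ev['device']}"))
    return alerts

def run():
    return detect(LOG.splitlines())
```

Each alert names the rule, the user and the account or device involved, which is what the escalation path in the checklist needs to route a critical alert to immediate investigation.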
ida-4.1.2 · Third-Party Access Management
Do you manage third-party access to organizational accounts with time-limited, purpose-specific permissions?
Baseline Requirements
  • Third-party access documented with scope, purpose, and expiry
  • Access limited to minimum necessary systems and time window
  • Audit trail maintained for third-party access
  • Access revoked at expiry or project completion
  • Third-party identity verified before access is granted