← Back to article
Identity Exposure Review Worksheet
Free worksheet from our identity-based ransomware guide
Assess your organization's identity attack surface across privileged accounts, session controls, recovery workflows, and incident response readiness.
Check your inbox! We sent you a link to the PDF version.
Instructions
Use this worksheet before your next ransomware tabletop exercise. For each section, document your current state and identify gaps. The goal is to understand your identity exposure before attackers do.
1. High-Impact Identity Inventory
List the identities that would cause the most damage if compromised.
| Identity / Role | Access Scope | MFA Method | Session Lifetime | Risk Level |
|---|---|---|---|---|
| Global admins | ||||
| Cloud/infra admins | ||||
| Help desk operators | ||||
| Finance approvers | ||||
| Developers with prod access | ||||
| Third-party/vendor accounts | ||||
2. Authentication Strength Assessment
- All privileged users require phishing-resistant MFA (passkeys, FIDO2 keys)
- SMS and voice MFA disabled for high-risk accounts
- Conditional access enforced based on device, location, and risk signals
- Legacy authentication protocols blocked
- Step-up authentication required for sensitive actions (MFA changes, exports, admin operations)
- Break-glass accounts exist, are documented, and are excluded only where absolutely necessary
3. Session and Token Controls
- Session lifetimes appropriate by role (admin: 4h, finance: 8h, standard: 12h or less)
- Token replay detection or device-bound tokens enabled where supported
- Suspicious session reuse monitored (multiple IPs, user agents in short windows)
- OAuth app consent and token grants reviewed regularly
- Inbox rule and mail forwarding changes monitored
4. Recovery and Help Desk Security
- Help desk identity verification requires manager callback or verified HR attribute
- Password and MFA resets for privileged accounts have additional controls
- MFA method additions after risky sign-ins are detected and investigated
- Recovery workflows do not accept caller ID, email address, or employee ID alone
- Support teams trained on social engineering patterns targeting identity workflows
5. Detection and Monitoring
- Unfamiliar sign-in properties (new device + new network + sensitive app) generate alerts
- MFA method changes within hours of risky sign-ins are flagged
- Inbox rules created after suspicious sessions are monitored
- Impossible travel and anomalous token use detections are tuned and active
- Identity logs centralized and correlated with endpoint and SaaS telemetry
6. Incident Response Readiness
- Account lockout and session revocation can be executed within minutes
- Password reset and MFA re-enrollment process documented for compromised accounts
- OAuth consent and app token review is part of identity incident playbook
- Admin action audit trail available for forensic review
- Business continuity tested under identity disruption scenario
- Cross-team (identity, cloud, endpoint, support) coordination rehearsed
Exposure Summary
| Area | Strongest Control | Biggest Gap | Priority (H/M/L) | Owner |
|---|---|---|---|---|
| High-Impact Identities | ||||
| Authentication Strength | ||||
| Session & Token Controls | ||||
| Recovery & Help Desk | ||||
| Detection & Monitoring | ||||
| Incident Response |
Found this useful? Read the full article:
Read: Why Ransomware Is Becoming an Identity Problem →