Highest-leverage account hygiene control in K-12. School-year transitions (enrollment, staff turnover, grade rollover) create a spike in joiner/mover/leaver (JML) volume; automated provisioning driven from the SIS/HR source of record catches the accounts that manual, ticket-driven processes miss.
Departed-employee accounts are one of the top cyber insurance claim categories. Good = access revoked same-day for involuntary terminations, within 7 days for voluntary departures. Measure from the separation date to the date the account was actually disabled, not to the date the ticket was opened.
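As an added example of what automated JML reconciliation looks like in practice (illustration only, not code from this assessment or any district's tooling), the script below diffs a constructed HR/SIS roster export against a constructed directory export and produces the three work queues: joiners to provision, movers whose site changed, and separated staff whose accounts are still enabled, flagged against the same-day / 7-day SLA above. The record layouts, status values, site codes and sample rows are all assumptions.

```python
"""
Joiner/mover/leaver (JML) reconciliation between an HR/SIS roster export and a
directory export. Added example for illustration, not part of any district's
tooling; the record layouts, status values and SLA numbers are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Offboarding SLA in days by separation type (assumed values matching the
# same-day involuntary / 7-day voluntary target).
SLA_DAYS = {"involuntary": 0, "voluntary": 7}


@dataclass(frozen=True)
class RosterRow:
    """One row of the HR/SIS export (constructed schema)."""
    employee_id: str
    username: str
    status: str                                 # "active" or "separated"
    site: str                                   # building / school code
    separation_type: Optional[str] = None       # "voluntary" or "involuntary"
    separation_date: Optional[date] = None


@dataclass(frozen=True)
class DirRow:
    """One row of the directory export (constructed schema)."""
    username: str
    enabled: bool
    kind: str                                   # "staff", "student", "service"
    site: str                                   # site recorded on the account


def reconcile(roster: List[RosterRow], directory: List[DirRow], today: date) -> Dict:
    """Return the JML work queues: joiners to provision, movers to re-home,
    leavers still enabled (with SLA status), and enabled accounts with no
    roster record at all."""
    roster_by_user = {r.username: r for r in roster}
    dir_by_user = {d.username: d for d in directory}

    # Joiner: active in the roster, no directory account yet.
    joiners = sorted(r.username for r in roster
                     if r.status == "active" and r.username not in dir_by_user)

    # Mover: active in both, but the roster site no longer matches the account.
    movers = sorted(r.username for r in roster
                    if r.status == "active" and r.username in dir_by_user
                    and dir_by_user[r.username].site != r.site)

    # Leaver: separated in the roster but the directory account is still enabled.
    leavers = []
    for r in roster:
        if r.status != "separated":
            continue
        acct = dir_by_user.get(r.username)
        if acct is None or not acct.enabled:
            continue                            # already disabled or deleted
        deadline = r.separation_date + timedelta(days=SLA_DAYS[r.separation_type])
        leavers.append({
            "username": r.username,
            "separation_type": r.separation_type,
            "days_overdue": max(0, (today - deadline).days),
            "sla_breached": today > deadline,
        })

    # Orphan: enabled, not a service account, unknown to HR/SIS. These are the
    # summer hires, contractors and test accounts a manual process forgets.
    orphans = sorted(d.username for d in directory
                     if d.enabled and d.kind != "service"
                     and d.username not in roster_by_user)
    return {"joiners": joiners, "movers": movers, "leavers": leavers, "orphans": orphans}


# Constructed sample data, not real district records.
ROSTER = [
    RosterRow("1001", "jsmith", "active", "HS"),
    RosterRow("1002", "mlee", "active", "MS"),
    RosterRow("1003", "rpatel", "separated", "HS", "voluntary", date(2024, 8, 10)),
    RosterRow("1004", "kwong", "separated", "ES", "involuntary", date(2024, 8, 20)),
    RosterRow("1005", "tnguyen", "separated", "MS", "voluntary", date(2024, 6, 1)),
]
DIRECTORY = [
    DirRow("jsmith", True, "staff", "MS"),      # moved from MS to HS per roster
    DirRow("rpatel", True, "staff", "HS"),
    DirRow("kwong", True, "staff", "ES"),
    DirRow("tnguyen", False, "staff", "MS"),
    DirRow("summer_temp", True, "staff", "HS"),
    DirRow("svc_backup", True, "service", "DO"),
]
TODAY = date(2024, 8, 20)

if __name__ == "__main__":
    result = reconcile(ROSTER, DIRECTORY, TODAY)
    print("Provision:", result["joiners"])
    print("Re-home:", result["movers"])
    for l in result["leavers"]:
        flag = "SLA BREACH" if l["sla_breached"] else "within SLA"
        print(f"Disable: {l['username']} ({l['separation_type']}, {flag}, "
              f"{l['days_overdue']} days overdue)")
    print("Investigate orphans:", result["orphans"])
```

Service accounts are excluded from the orphan queue only because they have no roster identity; they still need an owner on record, and the involuntary leaver is reported even on day zero because the action is still open until the account is actually disabled.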
Cadence of formal access reviews, plus the date of the last completed review. Stale if the last completed review is older than one cadence interval plus a 90-day grace period (for an annual review, stale once it is more than 15 months old).
MFA is the single most effective control against credential phishing, and credential phishing is the #1 cause of K-12 ransomware events. Delivery method matters: MFA enforced at the SSO identity provider applies to every connected application, whereas per-application MFA tends to get skipped or misconfigured. Push and one-time-code factors can still be relayed through a real-time phishing proxy, so prefer phishing-resistant factors (FIDO2 keys or passkeys) for staff wherever the platform supports them.
Anchored to 100% as the only acceptable answer. This is the most consequential single field in the entire IAM sub-domain: anything below 100% privileged MFA is a finding.
Hard finding · Privileged MFA below 100%
Service accounts, break-glass admins, and admin roles inherited through group membership are the common gaps even at well-run districts; count them in the denominator rather than quietly excluding them. Cyber insurance carriers (Beazley, Coalition) require 100% privileged MFA, and anything less is an underwriting concern.
How students sign in. SSO-backed sign-in reduces password reuse risk; grade-band MFA (MFA required only for older grade bands) is increasingly common in 9–12.
A documented list of every privileged account: domain admins, M365 Global Admins, Google Super Admins, application admins, break-glass accounts, and service accounts with admin rights, including rights inherited through group membership rather than assigned directly. Feeds the playbook's "credentials to revoke first" decision during an incident.
Daily-use accounts handle email and browsing. Separate admin accounts handle elevated tasks, with no mailbox and no web browsing. Same person, two accounts; this limits blast radius if the daily-use account is phished.
Vendors and MSPs with admin access to district systems: who they are, what they can reach, and whether the access is time-bound and MFA-protected. Cross-references Endpoint F13 (OT vendor remote access).
Service accounts often have elevated privileges and rarely get rotated; check actual password age, not just the existence of a rotation policy. Shared credentials (front-desk login, lab account) bypass accountability entirely because nothing in the logs ties an action to a person.
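To show how the privileged-account inventory, the 100% privileged MFA check and the service-account gap fit together, here is an added example (not code from this assessment or from any vendor console) that builds the inventory from a constructed directory, expanding roles inherited through group membership, and then scores MFA coverage against a constructed MFA registration report. The role names, group names, account kinds and `MFA_ENFORCED` set are assumptions standing in for exports from the district's identity platforms.

```python
"""
Privileged-account inventory and privileged-MFA coverage over constructed
directory data. Added example; record shapes, role names and the MFA report
are assumptions, not any identity platform's real schema.
"""
from typing import Dict, List, Set

# Roles the inventory treats as privileged (assumed list for illustration).
PRIVILEGED_ROLES = {"Domain Admins", "Global Administrator", "Super Admin", "SIS Admin"}

# Constructed directory: user -> direct role assignments, groups, account kind.
USERS = {
    "jsmith":       {"roles": set(), "groups": {"Staff"}, "kind": "user"},
    "jsmith-adm":   {"roles": {"Global Administrator"}, "groups": set(), "kind": "user"},
    "helpdesk01":   {"roles": set(), "groups": {"IT-Helpdesk"}, "kind": "user"},
    "breakglass01": {"roles": {"Global Administrator"}, "groups": set(), "kind": "break-glass"},
    "svc-sis-sync": {"roles": set(), "groups": {"SIS-Integration"}, "kind": "service"},
    "gadmin":       {"roles": {"Super Admin"}, "groups": set(), "kind": "user"},
}
# Constructed group -> roles: the inherited admin assignments that a query on
# direct role membership alone would miss.
GROUP_ROLES = {
    "IT-Helpdesk": {"Domain Admins"},
    "SIS-Integration": {"SIS Admin"},
    "Staff": set(),
}
# Constructed MFA registration report: accounts with MFA registered and enforced.
MFA_ENFORCED = {"jsmith", "jsmith-adm", "gadmin"}


def effective_roles(user: str, users=USERS, group_roles=GROUP_ROLES) -> Set[str]:
    """Direct roles plus roles inherited through every group the user is in."""
    u = users[user]
    roles = set(u["roles"])
    for g in u["groups"]:
        roles |= group_roles.get(g, set())
    return roles


def privileged_inventory(users=USERS, group_roles=GROUP_ROLES) -> Dict[str, Dict]:
    """Every account holding a privileged role, direct or inherited, with the
    groups it inherited through. This is the 'credentials to revoke first' list."""
    inventory = {}
    for name, u in users.items():
        roles = effective_roles(name, users, group_roles) & PRIVILEGED_ROLES
        if not roles:
            continue
        via = sorted(g for g in u["groups"] if group_roles.get(g, set()) & PRIVILEGED_ROLES)
        inventory[name] = {"roles": sorted(roles), "via_groups": via, "kind": u["kind"]}
    return inventory


def mfa_coverage(inventory: Dict[str, Dict], mfa_enforced: Set[str]) -> Dict:
    """Coverage percentage and the gap list. Break-glass and service accounts
    are deliberately not exempted: below 100% is the hard finding."""
    gaps = sorted(n for n in inventory if n not in mfa_enforced)
    total = len(inventory)
    pct = 100.0 * (total - len(gaps)) / total if total else 100.0
    return {
        "privileged_accounts": total,
        "coverage_pct": round(pct, 1),
        "gaps": gaps,
        "gap_kinds": {n: inventory[n]["kind"] for n in gaps},
        "finding": bool(gaps),
    }


if __name__ == "__main__":
    inv = privileged_inventory()
    for name, info in sorted(inv.items()):
        via = f" via {info['via_groups']}" if info["via_groups"] else ""
        print(f"{name:14} {info['kind']:12} {info['roles']}{via}")
    cov = mfa_coverage(inv, MFA_ENFORCED)
    print(f"Privileged MFA coverage: {cov['coverage_pct']}% "
          f"({cov['privileged_accounts']} accounts), gaps: {cov['gap_kinds']}")
```

The gap list is where the remediation conversation starts: a helpdesk account that inherits Domain Admins through a group needs MFA or needs the group membership removed; a service account that cannot do interactive MFA should lose the admin role or be replaced by a non-interactive identity with its own controls; a break-glass account gets a hardware key kept offline or a documented, carrier-accepted exception. None of those fixes happen if the denominator silently drops them.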
Detection capabilities for compromised accounts. Each addresses a specific attacker technique that bypasses MFA (for example MFA push fatigue or replay of a stolen session token) or escalates privilege (for example an admin role assignment made outside change control).
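As an added example of one such detection (illustration only, not code from this assessment or from any SIEM or identity provider), the script below runs MFA push-fatigue logic over a constructed sign-in log: a sliding window counts push prompts the user denied or let time out, crossing the threshold raises a medium alert, and an approval while that pattern is active raises a high alert because the attacker now holds a valid session. The one-JSON-object-per-line format, field names, threshold and window are assumptions.

```python
"""
MFA push-fatigue detection over constructed sign-in events. Added example, not
from any SIEM or identity provider; the log format, field names, threshold and
window are assumptions.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

THRESHOLD = 5                    # unapproved pushes before alerting (assumed)
WINDOW = timedelta(minutes=10)   # sliding window (assumed)
UNAPPROVED = {"mfa_push_denied", "mfa_push_timeout"}

# Constructed sample log. jsmith is being push-bombed and finally taps approve;
# mlee declines once by accident; kwong's timeouts are too far apart to matter.
SAMPLE_LOG = """\
{"ts": "2024-09-03T01:00:00", "user": "kwong", "event": "mfa_push_timeout", "ip": "203.0.113.9"}
{"ts": "2024-09-03T01:12:00", "user": "kwong", "event": "mfa_push_timeout", "ip": "203.0.113.9"}
{"ts": "2024-09-03T01:25:00", "user": "kwong", "event": "mfa_push_timeout", "ip": "203.0.113.9"}
{"ts": "2024-09-03T01:38:00", "user": "kwong", "event": "mfa_push_timeout", "ip": "203.0.113.9"}
{"ts": "2024-09-03T01:50:00", "user": "kwong", "event": "mfa_push_timeout", "ip": "203.0.113.9"}
{"ts": "2024-09-03T02:00:10", "user": "jsmith", "event": "mfa_push_denied", "ip": "198.51.100.7"}
{"ts": "2024-09-03T02:01:30", "user": "jsmith", "event": "mfa_push_denied", "ip": "198.51.100.7"}
{"ts": "2024-09-03T02:02:45", "user": "jsmith", "event": "mfa_push_timeout", "ip": "198.51.100.7"}
{"ts": "2024-09-03T02:03:00", "user": "mlee", "event": "mfa_push_denied", "ip": "192.0.2.44"}
{"ts": "2024-09-03T02:03:40", "user": "mlee", "event": "mfa_push_approved", "ip": "192.0.2.44"}
{"ts": "2024-09-03T02:04:00", "user": "jsmith", "event": "mfa_push_denied", "ip": "198.51.100.7"}
{"ts": "2024-09-03T02:05:20", "user": "jsmith", "event": "mfa_push_denied", "ip": "198.51.100.7"}
{"ts": "2024-09-03T02:06:10", "user": "jsmith", "event": "mfa_push_denied", "ip": "198.51.100.7"}
{"ts": "2024-09-03T02:07:05", "user": "jsmith", "event": "mfa_push_approved", "ip": "198.51.100.7"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON lines into events with real timestamps, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_push_fatigue(events: List[Dict], threshold: int = THRESHOLD,
                        window: timedelta = WINDOW) -> List[Dict]:
    """Per user, keep a sliding window of unapproved push prompts. Crossing the
    threshold raises a medium alert once; an approval while the pattern is
    active raises a high alert and resets the state for that user."""
    recent = defaultdict(deque)   # user -> deque of (ts, ip) for unapproved pushes
    fatigued = {}                 # user -> time the threshold was crossed
    alerts = []
    for e in events:
        user, ts = e["user"], e["ts"]
        q = recent[user]
        while q and ts - q[0][0] > window:      # drop prompts outside the window
            q.popleft()
        if e["event"] in UNAPPROVED:
            q.append((ts, e["ip"]))
            if len(q) >= threshold and user not in fatigued:
                fatigued[user] = ts
                alerts.append({
                    "user": user, "severity": "medium", "ts": ts,
                    "reason": f"{len(q)} unapproved MFA pushes within {window}",
                    "source_ips": sorted({ip for _, ip in q}),
                })
        elif e["event"] == "mfa_push_approved" and user in fatigued:
            alerts.append({
                "user": user, "severity": "high", "ts": ts,
                "reason": "push approved after fatigue pattern; treat the session as attacker-controlled",
                "source_ips": [e["ip"]],
            })
            fatigued.pop(user)
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_push_fatigue(parse_events(SAMPLE_LOG)):
        print(f"[{a['severity'].upper()}] {a['ts']} {a['user']}: {a['reason']} "
              f"from {a['source_ips']}")
```

The high alert is the one that should page someone: the right response is to revoke that user's sessions and reset the credential, not just to ask whether the approval was theirs. Number matching or phishing-resistant factors remove this technique entirely, which is why the detection is a stop-gap for districts still on plain push approval.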