Multi-Factor Authentication (MFA) Implementation Procedure Free Template

Here is a detailed Multi-Factor Authentication (MFA) Implementation Procedure, aligned with SOC 2 Trust Criteria (CC6.1, CC6.2) and ISO/IEC 27001:2022 (Controls A.5.15–A.5.17):

1. Document Control

  • Document Title: Multi-Factor Authentication Implementation Procedure

  • Document Identifier: PRC-IT-002

  • Version Number: v1.0

  • Approval Date: <23 June 2025>

  • Effective Date: <23 June 2025>

  • Review Date: <23 June 2026>

  • Document Owner: <IT Security Manager>

  • Approved By: <Chief Information Security Officer>

2. Purpose

The purpose of this procedure is to define the implementation, enforcement, and maintenance of Multi-Factor Authentication (MFA) across <Organization Name>'s systems and services. MFA provides an essential security control that mitigates the risk of unauthorized access, credential theft, and account compromise.

This procedure supports compliance with SOC 2 Trust Criteria CC6.1 and CC6.2, which mandate controlled logical access and authentication safeguards, and aligns with ISO/IEC 27001:2022 Controls A.5.15–A.5.17 concerning access control policy, user access management, and authentication requirements.

3. Scope

This procedure applies to:

  • All employees, contractors, and third-party users accessing systems

  • All internal and external systems supporting authentication

  • All access to cloud services, VPN, administrative interfaces, and sensitive data environments

MFA is required for both on-site and remote access regardless of user location or role.

4. Procedure Overview

4.1 MFA Enrollment

  1. System Identification

    • The IT Security Team maintains a current inventory of systems requiring MFA, including VPN, email, cloud platforms, and administrative consoles.

  2. User Enrollment

    • All users must enroll at least one approved second factor (e.g., authenticator app, hardware token, biometric device) before account activation.

    • Enrollment is completed during onboarding or upon first login to a protected system.

  3. Authentication Methods

    • At least two of the following categories are required:

      • Something you know: Password or passphrase

      • Something you have: Mobile token, security key (e.g., YubiKey)

      • Something you are: Biometric (e.g., fingerprint, facial recognition)

4.2 MFA Enforcement

  1. Configuration Settings

    • MFA is enforced at the Identity Provider (IdP), VPN gateway, or system-level login based on role and sensitivity of access.

  2. System Coverage

    • Mandatory MFA applies to:

      • VPN and remote desktop services

      • Cloud platforms (e.g., AWS, Azure, M365, GCP)

      • Privileged and administrative accounts

      • SaaS platforms with access to regulated or customer data

      • Git repositories and CI/CD pipelines

  3. Access Denial

    • Users unable to complete MFA will be denied access until re-enrolled or verified through approved IT processes.

4.3 Exceptions and Failover

  1. Break-Glass Accounts

    • Emergency accounts without MFA are permitted only under exceptional circumstances, require CISO approval, and must be monitored and rotated.

  2. Temporary Bypass

    • Temporary MFA exemptions may be granted for up to 24 hours by the IT Security Manager and must be logged with a justification and expiration.

5. Roles and Responsibilities

  • IT Security Manager: Implements MFA policies, maintains coverage inventory, reviews bypass requests

  • IT Helpdesk: Assists users with enrollment and device troubleshooting

  • System Owners: Ensure MFA is configured for their platforms and monitored for compliance

  • All Users: Maintain registered authentication devices, report issues or loss immediately

6. Safeguards and Controls

  • MFA-01: MFA enabled on all admin and remote-access accounts

  • MFA-02: Authenticator app or hardware token is the default second factor

  • MFA-03: Enrollment tracked via identity provider and integrated with HRIS

  • MFA-04: Lost device process includes identity verification and event logging

  • MFA-05: Logs and alerts for MFA bypass or failed attempts sent to SIEM

  • MFA-06: Quarterly access and configuration reviews of MFA enforcement points

7. Compliance and Exceptions

MFA enforcement is verified through:

  • Access reviews

  • Configuration scans

  • Audit of IdP or SSO settings

Any exceptions must be formally documented, reviewed by the CISO, and contain compensating controls and expiration dates. Exception logs are reviewed quarterly.

8. Related Policies/Documents

  • POL-ALL-003: Access Control Policy

  • POL-HR-001: Employee Onboarding and Offboarding Policy

  • POL-HR-002: Security Awareness and Training Policy

  • PRC-IT-001: User Access Provisioning and Deprovisioning Procedure

  • SOC 2 Trust Criteria: CC6.1, CC6.2

  • ISO/IEC 27001:2022 Controls: A.5.15–A.5.17

9. Review and Maintenance

This procedure shall be reviewed annually or upon significant changes to authentication platforms or threat intelligence. The IT Security Manager is responsible for initiating the review and ensuring system configurations are consistent with policy. Updates must be documented and communicated to relevant stakeholders.
