IA-12 / A.9.2.1 / NIST 800-63 IAL2 / NIST SP 800-63-3

Executive accounts verified (blue badge / equivalent)

Demonstrate that all executive-level accounts have undergone verified identity proofing using authoritative credentials equivalent to government-issued identification and that this verification status is documented and maintained.

Description

What this control does

This control requires that executive-level user accounts, which typically carry elevated privileges or access to sensitive information, be bound to a verified real-world identity through identity proofing based on credentials such as government-issued photo identification (blue badge) or equivalent enterprise-grade identity proofing. The verification process establishes a trusted binding between the individual's real-world identity and their digital account, typically through in-person or remote identity proofing that meets NIST IAL2 or higher. This control is critical because executive accounts are high-value targets for social engineering, account takeover, and insider threats, and their compromise can result in catastrophic business impact, including unauthorized financial transactions, strategic data exfiltration, and regulatory violations.

Control objective

What auditing this proves

Demonstrate that all executive-level accounts have undergone verified identity proofing using authoritative credentials equivalent to government-issued identification and that this verification status is documented and maintained.

Associated risks

Risks this control addresses

  • Unauthorized individuals impersonate executives to gain access to privileged accounts through social engineering or fraudulent account creation requests
  • Compromised executive accounts enable attackers to authorize fraudulent financial transactions or approve unauthorized access requests
  • Attackers leverage unverified executive accounts to exfiltrate strategic business data, merger and acquisition information, or board-level communications
  • Malicious insiders create shadow executive accounts without proper identity verification to bypass monitoring and attribution controls
  • Account takeover of executive credentials results in business email compromise (BEC) attacks targeting finance, legal, or vendor payment processes
  • Regulatory violations occur due to inability to demonstrate strong identity assurance for accounts accessing personally identifiable information or financial systems
  • Lack of verified identity binding prevents effective forensic attribution during insider threat or data breach investigations

Testing procedure

How an auditor verifies this control

  1. Obtain the current organizational chart or roster identifying all individuals classified as executives, C-level officers, board members, or equivalent senior leadership roles.
  2. Request from Identity and Access Management (IAM) a complete list of all user accounts associated with executive-level users, including primary accounts, administrative accounts, and any service accounts under their authorization.
  3. Pull identity proofing records for each executive account from the identity verification system, HR onboarding records, or badge issuance system showing the verification method, date, verifying official, and credential type used.
  4. Review account provisioning workflows and change management tickets for the most recent 12 months to verify that identity verification was completed before account activation for any newly onboarded executives.
  5. Select a sample of 10-15 executive accounts and cross-reference the identity proofing documentation against the physical badge database or equivalent authoritative identity system to confirm credential authenticity and current validity.
  6. Interview the Identity Governance team or Security Operations to confirm the process for periodic re-verification of executive identities, especially following role changes, terminations, or credential reissuance events.
  7. Examine exception or waiver logs to identify any executive accounts granted provisional access without completed identity verification and validate that compensating controls were applied and exceptions were time-limited.
  8. Test a sample of three executive accounts by requesting their full identity proofing packet and verifying that it contains a copy of the photo identification, the verification timestamp, the approver's signature, and a link to the authoritative HR record.
Evidence required

Identity proofing documentation packets containing copies of government-issued identification, badge issuance records with photographs and verification timestamps, and IAM system exports showing account-to-identity mappings with verification status flags. HR onboarding checklists or identity governance system reports demonstrating completion of identity verification steps prior to account activation. Audit logs or workflow tickets from the past 12 months showing identity verification checkpoints for executive account provisioning and modification events.

Pass criteria

All active executive accounts are associated with identity records that include verified government-issued photo identification or equivalent authoritative credentials, documented within the identity management system with verification dates and approver attribution, and no unresolved exceptions exist beyond approved time-limited waivers with compensating controls.
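As an added example (not part of the control text or of any audit program), the following Python script applies the pass criteria above to a constructed IAM export, identity proofing records and a waiver log: an active executive account passes only with an IAL2-or-higher proofing record that carries a verification date and an approver, or with an unexpired waiver that names a compensating control. The field layout and account names are assumptions; in a real audit the inputs are the IAM and identity verification exports listed under Evidence required.

```python
from datetime import date

# Constructed sample data standing in for the IAM export, the identity
# proofing records and the exception/waiver log (field names are assumptions).
ACCOUNTS = [  # (account, owner, active)
    ("cfo.admin", "CFO", True),
    ("ceo", "CEO", True),
    ("coo", "COO", True),
    ("cto", "CTO", False),   # disabled: out of scope for active-account check
    ("ciso", "CISO", True),
]
PROOFING = {  # account -> (ial, verified_on, approver)
    "cfo.admin": (2, date(2024, 3, 4), "id-ops-1"),
    "ceo": (1, date(2024, 3, 4), "id-ops-1"),   # proofed only to IAL1
    "cto": (2, date(2023, 1, 9), "id-ops-2"),
    "ciso": (2, date(2024, 5, 1), ""),          # approver attribution missing
}
WAIVERS = {  # account -> (expires, compensating_control)
    "coo": (date(2025, 1, 31), "daily manual review of session activity"),
}

def assess(account, proofing, waivers, as_of):
    """Classify one account as 'verified', 'provisional' (valid waiver) or 'fail'."""
    record = proofing.get(account)
    if record:
        ial, verified_on, approver = record
        if ial >= 2 and verified_on <= as_of and approver:
            return "verified"
    waiver = waivers.get(account)
    if waiver:
        expires, control = waiver
        if expires >= as_of and control:   # time-limited and compensated
            return "provisional"
    return "fail"

def reconcile(accounts, proofing, waivers, as_of):
    """Return {account: status} for every active executive account."""
    return {a: assess(a, proofing, waivers, as_of)
            for a, _owner, active in accounts if active}

def passes(results):
    """Pass criteria: no active account is left without proofing or a valid waiver."""
    return all(status != "fail" for status in results.values())

def run(as_of_iso):
    """Reconcile the sample data as of the given ISO date (YYYY-MM-DD)."""
    return reconcile(ACCOUNTS, PROOFING, WAIVERS, date.fromisoformat(as_of_iso))

if __name__ == "__main__":
    results = run("2024-11-15")
    for acct, status in sorted(results.items()):
        print(f"{acct:10} {status}")
    print("PASS" if passes(results) else "FAIL")
```

Re-running with a later as-of date shows the waiver on the COO account lapsing into a failing finding, which is the check step 7 asks the auditor to perform on exception logs.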
