MFA enforcement (filled example)

All human access to Acme's identity provider (Google Workspace) requires 2-Step Verification, enforced at the org level. Enforcement is policy-level, not opt-in.

Illustrative example for a fictional company. See the blank template at ../01-access-controls/mfa-enforcement.md.

Evidence on file

| Artifact | What it shows |
| --- | --- |
| mfa-policy-2026-06-12.json | Workspace 2SV enforcement policy export (Enforced = true) |
| mfa-status-export-2026-06-12.csv | Per-user 2SV status for all 47 accounts |
| mfa-exceptions-2026-06-12.md | The two exception accounts + compensating controls |

Gathered from

Google Workspace Admin → Security → 2-Step Verification → Enforcement (policy export), and Reports → Audit → Login filtered for is_2sv = false.

Buyer questions answered

"Are all employees MFA-enabled?"

Yes. 45 of 47 accounts enforce 2SV via hardware/phone. See mfa-status-export-2026-06-12.csv.

"Are there exceptions?"

Two: one break-glass super-admin account and one CI service account. Both are documented in mfa-exceptions-2026-06-12.md. Compensating controls: the break-glass credential is stored in a sealed 1Password vault with access logging; the CI account uses a short-lived OIDC token, not a password, and cannot log into the console.

Refresh

Quarterly. Last refreshed 2026-06-12 by A. Okada. Next due 2026-09-12 (calendar event set).
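
An added example, not part of Acme's evidence kit: a check that reconciles the per-user status export with the documented exceptions and the refresh due date, so drift between the three artifacts shows up before a buyer asks. The column names (email, is_2sv_enforced), the account addresses and the audit_2sv function are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample standing in for mfa-status-export-2026-06-12.csv.
# The column names are assumed; they are not Google's export schema.
SAMPLE_EXPORT = """email,is_2sv_enforced
user1@acme.example,true
user2@acme.example,true
breakglass-admin@acme.example,false
ci-deploy@acme.example,false
"""

# Constructed stand-in for the accounts listed in mfa-exceptions-2026-06-12.md.
DOCUMENTED_EXCEPTIONS = {"breakglass-admin@acme.example", "ci-deploy@acme.example"}


def audit_2sv(export_csv, exceptions, next_due, today):
    """Reconcile the per-user export with the exceptions list and refresh date."""
    status = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        email = (row.get("email") or "").strip().lower()
        # A blank or unrecognised value counts as "not enforced" (fail closed).
        flag = (row.get("is_2sv_enforced") or "").strip().lower()
        status[email] = flag == "true"
    not_enforced = {e for e, ok in status.items() if not ok}
    allowed = {e.strip().lower() for e in exceptions}
    return {
        "total": len(status),
        "enforced": len(status) - len(not_enforced),
        # Accounts without 2SV that are not in the exceptions file.
        "undocumented": sorted(not_enforced - allowed),
        # Listed exceptions that now enforce 2SV or no longer exist.
        "stale_exceptions": sorted(allowed - not_enforced),
        # The evidence is past its quarterly refresh date.
        "refresh_overdue": today > next_due,
    }


if __name__ == "__main__":
    print(audit_2sv(SAMPLE_EXPORT, DOCUMENTED_EXCEPTIONS,
                    next_due=date(2026, 9, 12), today=date(2026, 6, 12)))
```

A clean run has empty undocumented and stale_exceptions lists and refresh_overdue set to False; anything else means one of the three artifacts needs updating.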