To determine the extra measures required,
a technical risk assessment evaluates the systems.
This happens using [HMG Information Assurance Standard No. 1 \& 2][hmgias2] for systems undergoing their accreditation process. The systems are also subject to a Business Impact Assessment (BIA).
Not all systems and products undergo formal 'accreditation'.
Where additional checks are implemented on the login of a particular account consider the use of contextual parameters to decide when MFA may be required. E.g. time of login, location, if the IP address has been used previously, are multiple logins allowed.
https://github.com/ministryofjustice/itpolicycontent/blob/master/content/confluence/enterprise/password-standard.md
To determine the extra measures required, a technical risk assessment evaluates the systems. This happens using [HMG Information Assurance Standard No. 1 \& 2][hmgias2] for systems undergoing their accreditation process. The systems are also subject to a Business Impact Assessment (BIA).
Not all systems and products undergo formal 'accreditation'. Where additional checks are implemented on the login of a particular account consider the use of contextual parameters to decide when MFA may be required. E.g. time of login, location, if the IP address has been used previously, are multiple logins allowed.