How AD360 can support CSA Requirements
Find the applicable CSA principles mapped to the AD360 reporting capabilities and expectations for technical evidence that help demonstrate those controls.
A1 — Governance Establish and enforce cybersecurity governance with traceable administrative authority and policy enforcement.
Enforcement of cybersecurity governance and administrative controls
Policies enforced through access configuration, administrative changes, and privilege assignments
- Privileged Group Modification Reports
- Administrator Activity Reports
- GPO Modification Reports
- Audit Policy Changes
Description:
AD360 provides audit logs and reports that capture directory administrative actions, policy changes, and privilege modifications, which can be used as evidence of governance enforcement.
A2 — Risk management Identify and treat identity-related risks as part of the organization’s broader risk approach.
Identify and monitor identity risk indicators
Risk registers, documented mitigation plans supported by observable risk signals
- Privileged access review reports
- Dormant and inactive account reports
- Excessive permission analysis
- Authentication policy violation logs
Description:
AD360’s identity risk indicators serve as supporting evidence for risk identification and monitoring, which can feed the formal risk register and treatment plans used in CSA assessments.
A3 — Asset management Maintain a comprehensive inventory of identity assets and their classification.
Identification and inventory of identity assets
Asset inventory, classification documentation
- Inactive user reports
- Inactive computer reports
- Service account inventories
Description:
AD360 inventory reports provide reliable lists of identity objects that can be classified and maintained as part of the CSA asset inventory.
B2 — Identity and access management Enforce controlled authentication, authorization, and life cycle management.
Authentication and authorization controls
User provisioning/deprovisioning logs, access reviews, role assignments
- Identity life cycle reports
- Privileged access review reports
- MFA enforcement logs
Description:
AD360’s identity life cycle and access certification reports provide evidence of how access is granted, reviewed, and controlled.
B3 — Data security Demonstrate controlled access to sensitive assets within directory scope.
Permissions and access control logs
Directory permission assignments and access audit records
- Access audit reports (e.g., non-expiring passwords, excessive privileges)
Description:
AD360’s audit reports show identity and directory permission configurations as evidence for data access controls at the directory level.
C1 — Security monitoring Continuous monitoring of authentication and authorization events.
Logs showing continuous monitoring of authentication and change events
Authentication logs, change audit trails
- Authentication activity logs
- Change audit trail reports
Description:
AD360 captures ongoing identity event data that can show continuous monitoring of identity use and modifications.
D1 — Incident response and recovery Support incident handling and identity evidence reconstruction.
Identity event sequencing and incident-related activity
Authentication and change logs mapped to incident timelines
- Time-aligned authentication logs
- Privilege change history
Description:
When used with broader incident evidence (e.g., SIEM logs), AD360 logs provide ordered identity events for incident reconstruction.
Summary
AD360 generates system logs and audit reports that align with multiple CSA requirements related to identity governance, access control, authentication, and monitoring. These reports can provide objective evidence during ANAC CSA assessments.
Disclaimer: The information provided on this page is for general knowledge and awareness purposes only. It is not intended to serve as professional, legal, or regulatory advice. Compliance with ANAC CSA depends on your organization’s specific environment, processes, and risk profile.
To accurately assess your compliance posture, we strongly recommend engaging a qualified consultant, compliance agency, or referring directly to the official ANAC CSA documentation and guidelines.