How can ManageEngine support Brazil’s financial institutions in meeting these standards?
With ManageEngine AD360 (IAM), banks and other financial institutions can start aligning with the principles of BACEN 4,893/2021. See the key clauses and how our solutions help in the table below.
Chapter II, Section I - Art. 3 (II) The procedures and controls adopted to reduce the institution's vulnerability to incidents and to address other cyber security objectives
Compliance actions Reports and evidences How AD360 can help
- Quarterly automated vulnerability scans on all systems
- Prioritized patch management with severity-based timelines
- Security-reviewed change management for production
- Continuous IDS/IPS for threat blocking, updated IT asset inventory
- Smart Card Enabled Users
- Bitlocker Enabled Computers
- Bitlocker Disabled Computers
- MFA Enrolled Users Report
- MFA Usage Audit Report
- MFA Failures Report
- Password Policy Enforcer enforces strong, compliant passwords, blocking weak and compromised credentials during reset and creation processes
- Context-based multi-factor authentication (MFA) with 20+ authentication factors secures endpoint, application, and VPN logins by verifying user identities using adaptive techniques
- Identity risk assessment analyzes AD and Microsoft 365 for vulnerabilities, computing risk scores and remediation
- Risk exposure management maps attack paths, prioritizes vulnerabilities, and enables proactive remediation of high-risk objects
Chapter II, Section I - Art. 3 (III) The specific controls, including those directed at information traceability, aiming to ensure the security of sensitive information
Compliance actions Reports and evidences How AD360 can help
- Centralized logging for DB access/files/admin to tamper-proof repo
- UAM to record user actions with timestamps/ID
- RBAC with permission matrices and reviews
- Data classification for encryption/logging
- Quarterly access reviews to revoke outdated rights
- Permissions for Folders (NTFS Reports)
- Folders Accessible by Accounts (NTFS Reports)
- Security Permission Entitlements - AD Objects Accessible by Accounts
- Security Permission Entitlements - Servers Accessible by Account
- Reset Password Audit Report
- Change Password Audit Report
- User Attempts Audit Report
- Application Access Audit Report
- JIT Provisioning Audit Report
- Exchange online auditing tracks mailbox access, delegations, permission changes
- Non-owner mailbox access detection identifies potential email data theft
- Azure AD auditing monitors user modifications and permission changes
- SharePoint/OneDrive tracking monitors file operations and sharing changes
- Teams activity logging captures messages, channels, and member modifications
- Search across multiple mailboxes and attachments with condition or pattern filters, automated schedules, and alerts for compliance and threat detection
- Workflow notification rules track all administrative changes with audit chain
- Provides audit trail documents workflow execution with approvals and confirmations
- Backup audit trail records all backup operations with status and details
- Recovery history tracks restored objects, timing, source, and responsible admin
Chapter II, Section I - Art. 3 (IV) The record of incidents relevant to the institution's activities, as well as the analysis of their cause and impact and the control of their effects
Compliance actions Reports and evidences How AD360 can help
- Centralized incident logging with date/time/systems/severity
- Formal RCA for vulnerabilities and patterns
- Timeline/impact docs (disruption, exposure, costs)
- Track control enhancements post-incident
- Quarterly trend reports for leadership
- Admin Audit Report
- Help Desk Audit Report
- Recent Logon Failures
- User Attempts Audit Report
- MFA Failures Report
- Agent Installation Failures Report
- Backup versions enable recovery to pre-incident states with documentation
- Attribute-level restoration enables precise recovery of compromised objects
- Recovery testing validates backup validity and recovery procedure effectiveness
- Roll-back restores systems to pre-incident state from known-good backup
- Multi-point-in-time backups enable recovery to latest pre-compromise state
Chapter II, Section I - Art. 3 (Paragraph 1) When defining the cyber security objectives mentioned in item I, the institution must consider its capacity to prevent, detect and reduce the vulnerability to cyber incidents
Compliance actions Reports and evidences How AD360 can help
- Assess and document maturity, infrastructure, and resources
- Define targeted objectives based on risk and regulations
- Set measurable KPIs like MTTD, MTTR, and vulnerability remediation rates
- Allocate resources and secure board approval
- Establish governance with clear accountability and monthly reporting
- Password Policy
- Account Lockout Policy
- Users with Password Never Expires
- Users with Cannot Change Password
- Disabled Users
- Locked-out Users
- MFA Non-Enrolled Users Report
- Blocked Users Report
PREVENTION
- Granular permission management enforces least-privilege access preventing unauthorized directory access
- Automated account lifecycle management eliminates dormant accounts used in attacks
- Group Policy distribution enforces security baselines preventing common attack vectors
- Password policy enforcement prevents weak credentials and brute-force attacks
- Delegation management controls administrative rights reducing privilege escalation attack surface
- Risk assessment continuously identifies and scores identity vulnerabilities and risky access
- Risk exposure management visualizes attack paths, prioritizes high-risk entitlements for remediation
- Access certification automates attestation and review of permissions, reducing unauthorized access risks
- Strong password enforcement with breach database integration blocks weak passwords
- 20+ MFA methods including passkeys, biometric, hardware keys prevent credential theft
- Conditional access restricts access by IP, device, time, geolocation
DETECTION
- Zia Insights in AD Explorer provides AI-powered group membership analysis, including anomaly detection, privileged group identification, and peer comparison scores, enabling faster detection of outliers and corrective actions
VULNERABILITY REDUCTION
- Rapid recovery minimizes downtime and system unavailability impact
- Recovery testing ensures preparedness for rapid execution during incidents
- Automated compliance reporting demonstrates security posture, reducing vulnerability windows
- Multi-layer authorization workflows reduce the likelihood of unauthorized changes
- Change tracking and rollback capability enables rapid restoration of secure configurations
- Access certification automates periodic review and attestation of user permissions, ensuring removal of excessive or stale access to minimize attack surface and compliance risk
Chapter II, Section I - Art. 3 (Paragraph 2) The procedures and controls mentioned in item II must comprise, at least, authentication, cryptography, prevention and detection of intrusions, prevention of information leaking, performance of periodic tests and scanning to detect vulnerabilities, protection against malicious software, implementation of traceability mechanisms, control of access and segmentation of the computer network, as well as maintenance of data and information backups
Compliance actions Reports and evidences How AD360 can help
- MFA on all systems (password + biometrics/token)
- AES-256 encryption + TLS 1.2+ for data
- Enterprise IDS/IPS for real-time monitoring/blocking
- DLP for outgoing data scanning
- Automated vuln scans/pen tests with remediation
- Smart Card Enabled Users
- Bitlocker Enabled Computers
- Bitlocker Disabled Computers
- Computers Trusted for Delegation
- GPO Reports (All GPOs and Linked AD Objects)
- Admin Audit Report
- MFA Enrolled Users Report
- MFA Usage Audit Report
- FIDO Passkeys Report
- MFA Trusted Browser Report
- MFA Trusted Machines Report
- MFA Failures Report
AUTHENTICATION
- Enforces MFA during system, VPN, and app logins to block unauthorized access even if passwords are compromised
- Supports diverse MFA methods like OTP, push, biometrics, and security keys for stronger identity verification
- Applies conditional MFA based on user, device, or location to ensure access control aligns with risk levels
- Extends MFA to self-service and VPN access, preventing misuse of account recovery and remote logins
- Provides audit logs and MFA reports to track authentication activities and support compliance verification
- Enforces strong password policies to prevent weak or reused credentials and strengthen account security
VULNERABILITY SCANNING
- Identity risk assessment assesses potential vulnerabilities in AD and Microsoft 365, providing detailed reports and actionable insights
TRACEBILITY
- Exchange auditing and tracks mailbox activities with identification
- Azure AD auditing records user activities with source and timestamp
- SharePoint/OneDrive tracking monitors file operations with user identification
- Teams logging records activities, enabling collaboration traceability
- Backup audit trails record operations creating execution evidence
- Recovery logs document operations enabling accountability for restoration
- Admin audit reports provide detailed logs of all help desk and administrative activities for accountability and compliance
- MFA failure reports detect repeated authentication failures, alerting on potential unauthorized access attempts
ACCESS CONTROLS
- OU/group policies enable organization-specific configuration by user type
- Authenticator enforcement varies authentication requirements by user role
- Context policies require stronger authentication for suspicious contexts
- Privilege-based control varies authentication intensity by operation risk
- Delegation enables secure role-based task assignment with tracked, auditable administrative actions
- Approval workflow automates request validation, enforcing policy-compliant access and change controls
- Access certification enforces periodic entitlement reviews, ensuring continuous least privilege adherence
- Automated offboarding streamlines timely removal of access and accounts upon employee termination
- Notification rules ensure interested parties aware of changes
BACKUPS
- Complete AD backup preserves all directory data for disaster recovery
- Full backups with incremental reduce storage consumption maintaining recovery points
- Automated scheduling during off-hours minimizes production system impact
- Retention policies optimize storage by automatically removing old backups
- Granular restoration enables precise recovery of objects or attributes
- Exchange Online backup preserves email data for recovery
- Microsoft 365 backup preserves Teams, OneDrive, and SharePoint data
- Google Workspace backup preserves email and cloud storage data
- Multiple storage options enable backup redundancy across physical locations
- Restart-free recovery maintains domain availability during restoration
- Password recovery restores accounts with security relationships intact
- Version management enables recovery to optimal pre-incident state
- Multi-tenant support enables centralized management of multiple cloud tenants
- Recovery testing validates backup validity and procedure effectiveness
Chapter II, Section III - Art. 6 The institutions mentioned in art. 1 must establish a plan of action and response to incidents, aiming at the implementation of the cyber security policy
Compliance actions Reports and evidences How AD360 can help
- Multidisciplinary response team with defined roles
- Detailed playbooks/escalation for incident types
- BC/DR procedures with RTO/RPO targets
- Communication templates/escalation chains
- Annual tabletop exercises with lessons learned
- Admin Audit Report
- Help Desk Audit Report
- Account Lockout Policy
- User Attempts Audit Report
- MFA Failures Report
- Agent Installation Failures Report
- Rapid recovery enables system restoration from backup to pre-incident state
- Restoration triggers containment and recovery response procedures
- Workflows define required incident response steps and approval requirements
- Assignment routes tasks to designated incident response team members
- Notifications ensure incident response teams are aware of incident requirements
- Audit trails document actions showing the results of what is taken, by who, and when
Chapter III - Art. 11 The institutions mentioned in art. 1 must ensure that their policies, strategies and structures for risk management established in regulation in force, specifically regarding to the criteria for decision on the outsourcing of services, include the contracting of relevant data processing, data storage and cloud computing services, in the country or abroad
Compliance actions Reports and evidences How AD360 can help
- Pre-contract vendor security due diligence
- Contractual cybersecurity clauses (controls, notifications, audits)
- Require ISO 27001/SOC 2 certifications with annual reports
- Quarterly oversight, audits, vuln scans
- On-demand audit rights and incident notification provisions
- Google Workspace Users Report
- Active Users Report
- Suspended Users Report
- Users without Mailbox
- Mailbox Enabled Users
- Licensed Users Report
- Application Access Audit Report
DATA PROCESS MONITORING
- Service monitoring tracks Microsoft 365 data processing within requirements
- Compliance reporting verifies contracted cloud services comply with requirements
- Cloud backup storage enables recovery strategy for cloud-based data
- Multi-tenant support enables management across multiple cloud providers
- Cross-cloud backup supports recovery from one cloud to another
- Cloud data backup preserves Microsoft 365 and Workspace data
BACKUP AND RECOVERY
- Cloud backup protects contracted services data from outages
- Multiple options enable backup redundancy and geographic distribution
- Recovery enables rapid restoration of cloud services if outages occur
- Cloud restoration enables recovery from BACEN-controlled backups independently
- Multi-provider support enables vendor flexibility across cloud landscape
- Cross-cloud restoration enables recovery between cloud providers
Conclusion
Now that you’ve explored how BACEN Resolution 4,893/2021 strengthens cybersecurity standards in Brazil’s financial sector and how AD360 helps you meet every clause, it’s time to take the next step.
Whether it’s identity governance, audit logging, threat detection, or building a compliance-ready audit trail, we’re here to guide you through it. Start a 30-day free trial to experience our solutions in your own environment, or contact us to schedule a one-on-one consultation.
Disclaimer: The information provided on this page is for general knowledge and awareness purposes only. It is not intended to serve as professional, legal, or regulatory advice. Compliance with BACEN Resolution 4,893/2021 depends on your organization’s specific environment, processes, and risk profile.
To accurately assess your compliance posture, we strongly recommend engaging a qualified consultant, compliance agency, or referring directly to the official BACEN documentation and guidelines.