Do you enforce MFA on non-privileged accounts?
Do you have a Multi-Factor Authentication solution?
Do you enforce MFA for privileged accounts?
Do you have a revocation policy and procedure in place?
Do you have it documented?
Do you enforce a password policy that requires complex, strong passwords, password expiration and account lockouts?
Do you have a mechanism to enforce password change on first logon?
Are there defined roles in the system that enforce authorization rules based on least privilege and need-to-know?
Do you revalidate all system users and administrators periodically?
Do you review and revalidate administrative job functions and access periodically?