SB.13.003 Privileged Access

Medium
Medium
Medium
Privileged Access Management
System Owner
Version: v2.0 (Q1 2024)

Privileged Access involves all user access that exposes more functionality than regular users have on any layer of the IT service infrastructure. Authorisations for privileged access are required to follow Least Privilege (just-enough admin).

Privileged Access is just-in-time, meaning it is used only when needed, and regular user actions are not performed using the privileged account.

Privileged access is demonstrably limited to authorised personnel; an authorisation matrix is available for this access.

Templates and references

Specification

Authorisation is based on separation of duties and least privilege. Applications must apply separation of duties. Roles are defined based on tasks, responsibilities and privileges. Extra attention must be paid to accounts with the highest privileges.

Privileged assets are managed using a PAM tool. Changes are administered using a CMS/ITIL tool.

ISO 27001 & 27002:2022

A8.2, A8.5, A8.15

SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)

ID.03 Super users