Accounts for privileged users are separate from regular user accounts. If a user needs privileged functionality, a second (privileged) account is created so that privileged and non-privileged activities stay separated.
Privileged account usage is just-in-time: access is granted only when it is needed and revoked once the task is completed.
Logging in with privileged accounts on public-facing services is prohibited; only internal services (with non-internet-routable IP addresses) may be configured to accept direct logins with privileged accounts.
Changing or resetting the MFA methods of a privileged account is subject to additional protection: the administrator's identity must be verified before MFA tokens can be reset.
Specification
For privileged accounts, the second factor must exist on a physical token that is handed out in person.
The password policy applies to personal privileged accounts, with the following stricter requirements:
- At least 15 characters
- Password rotation every 3 months
Tooling automatically and continuously scans the enterprise for evidence of privileged accounts, such as domain administrators or accounts that hold privileged-account-level authority either directly or indirectly (through nested group membership or inheritance of privileges).
The PAM solution has built-in password management functionality, so compliance with the policy can be enforced automatically. Out-of-compliance accounts are disabled and reported.
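The discovery and compliance checks described above, as an added example that is not the tooling or PAM solution the page refers to: the script walks a directory's group membership transitively, so that an account nested several groups deep under a privileged group is still identified (including when nested groups form a cycle, which directories such as Active Directory permit), and then flags the discovered accounts whose password is older than the 3-month rotation limit. The directory data, the account names, the `pwdLastSet`-style timestamps and the list of privileged group names are all constructed assumptions for the example.

```python
"""Transitive privileged-account discovery plus rotation-compliance check.

Added example; not the page's tooling. Input is modelled as a directory export
of group -> direct members (users or nested groups), the shape an LDAP/AD
`member` attribute export gives. All names and dates below are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumed privileged group names (the usual AD built-ins); tune per environment.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample directory: group -> direct members. Any member that is
# itself a key of this dict is a nested group; everything else is a user.
# Note the cycle Tier0-Ops -> Helpdesk-Leads -> Tier0-Ops.
DIRECTORY = {
    "Domain Admins": {"adm-alice", "Tier0-Ops"},
    "Enterprise Admins": {"adm-bob"},
    "Tier0-Ops": {"svc-backup", "Helpdesk-Leads"},
    "Helpdesk-Leads": {"carol", "Tier0-Ops"},
    "Helpdesk": {"dave"},
}

# Constructed last-password-change timestamps (cf. AD pwdLastSet).
PWD_LAST_SET = {
    "adm-alice": datetime(2024, 5, 1, tzinfo=timezone.utc),
    "adm-bob": datetime(2024, 1, 10, tzinfo=timezone.utc),
    "svc-backup": datetime(2023, 6, 1, tzinfo=timezone.utc),
    "carol": datetime(2024, 5, 20, tzinfo=timezone.utc),
}

ROTATION_MAX = timedelta(days=90)  # "every 3 months" from the policy


def privileged_accounts(directory, privileged_groups=PRIVILEGED_GROUPS):
    """Map every user holding privileged authority to the membership chain
    (list of groups, root first) through which they hold it.

    Breadth-first over nested groups; a `seen` set per root stops cycles and
    keeps the reported chain the shortest one found.
    """
    found = {}
    for root in sorted(privileged_groups):
        if root not in directory:
            continue  # group not present in this export
        seen = {root}
        queue = [(root, [root])]
        while queue:
            group, path = queue.pop(0)
            for member in sorted(directory.get(group, ())):
                if member in directory:          # nested group
                    if member not in seen:
                        seen.add(member)
                        queue.append((member, path + [member]))
                else:                            # user account
                    found.setdefault(member, path)
    return found


def out_of_compliance(accounts, pwd_last_set, now, max_age=ROTATION_MAX):
    """Return {user: password_age_days} for privileged accounts whose password
    is older than max_age; a user with no recorded change maps to None.
    These are the accounts a PAM would disable and report."""
    stale = {}
    for user in accounts:
        last = pwd_last_set.get(user)
        if last is None:
            stale[user] = None
        elif now - last > max_age:
            stale[user] = (now - last).days
    return stale


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    privileged = privileged_accounts(DIRECTORY)
    for user, chain in sorted(privileged.items()):
        print(f"{user:12} via {' -> '.join(chain)}")
    for user, age in sorted(out_of_compliance(privileged, PWD_LAST_SET, now).items()):
        print(f"OUT OF COMPLIANCE: {user} (password age: {age} days)")
```

Running it reports `carol` as privileged via `Domain Admins -> Tier0-Ops -> Helpdesk-Leads`, which a flat query of the `Domain Admins` member list would miss, and flags `adm-bob` and `svc-backup` for exceeding the rotation limit; `dave` is not reported because `Helpdesk` is not reachable from any privileged group.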
ISO 27001 & 27002:2022
A8.2,
A8.5,
A8.15
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
ID.03 Super users