SB.13.005 Separate Accounts for Privileged Access

High
High
High
Privileged Access Management
System Owner
Version: v2.0 (Q1 2024)

Description

Accounts for privileged users are separate from regular user accounts. If a user needs privileged functionality, a second (privileged) account is created so that privileged and non-privileged activity remain separated.

Privileged account usage is just-in-time: access is granted only when it is needed and revoked once the task is completed.

Logging in with privileged accounts on public-facing services is prohibited. Only local services (bound to non-internet-routable IP addresses) may be configured to accept direct logins with privileged accounts.

Changing or resetting the MFA methods of a privileged account is additionally protected: the identity of the administrator is verified before an MFA token can be reset.
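As an added illustration (not part of the baseline and not the project's own tooling), the following audit applies the rule above to a constructed service inventory: any service that accepts direct privileged logins must be bound to a non-internet-routable address. The `SERVICES` list, its field names and all addresses are assumptions made for the example; the routability classification comes from Python's `ipaddress` module, which follows the IANA special-purpose registries (RFC 1918 space, RFC 4193 ULAs, loopback, link-local and the 100.64.0.0/10 shared address space all count as non-global). A wildcard bind (`0.0.0.0` or `::`) is reported separately, because its exposure depends on which interfaces the host has rather than on the bind address itself.

```python
import ipaddress

# Constructed service inventory (assumption, not from the baseline): where each
# service listens and whether it accepts direct logins with privileged accounts.
SERVICES = [
    {"name": "bastion",     "bind": "10.20.30.40",    "privileged_login": True},   # RFC 1918
    {"name": "intranet-db", "bind": "192.168.5.10",   "privileged_login": True},   # RFC 1918
    {"name": "web-portal",  "bind": "52.10.20.30",    "privileged_login": True},   # globally routed: violation
    {"name": "public-api",  "bind": "2600:1f18::10",  "privileged_login": False},  # public, but no admin login
    {"name": "ops-console", "bind": "fd12:3456::10",  "privileged_login": True},   # IPv6 ULA
    {"name": "cgnat-mgmt",  "bind": "100.64.1.1",     "privileged_login": True},   # shared address space, not global
    {"name": "local-agent", "bind": "127.0.0.1",      "privileged_login": True},   # loopback
    {"name": "legacy-app",  "bind": "0.0.0.0",        "privileged_login": True},   # wildcard bind: needs review
]


def audit_privileged_logins(services):
    """Return (service name, reason) for every service that accepts direct
    privileged logins on an internet-routable address, or on a wildcard bind
    whose exposure cannot be judged from the address alone."""
    findings = []
    for svc in services:
        if not svc["privileged_login"]:
            continue
        addr = ipaddress.ip_address(svc["bind"])
        if addr.is_unspecified:
            findings.append((svc["name"], "wildcard bind; exposure depends on host interfaces"))
        elif addr.is_global:
            findings.append((svc["name"], f"privileged login accepted on internet-routable address {addr}"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_privileged_logins(SERVICES):
        print(f"{name}: {reason}")
```

The check deliberately uses `is_global` rather than `is_private`: shared address space (100.64.0.0/10) is neither private nor globally reachable, and only the latter property matters for this control.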

Specification

For privileged accounts, the second factor must exist on a physical token that is handed out in person.

The standard password policy applies to Personal Privileged Accounts, with the following stricter requirements:

  • At least 15 characters
  • Password rotation every 3 months

Tooling dynamically and automatically searches the enterprise for privileged accounts: domain administrators, and any account that holds privileged-account-level authority either directly or indirectly (through inheritance of privileges, for example nested group membership).

The PAM solution has built-in password management and can enforce compliance automatically. Out-of-compliance accounts are disabled and reported.
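As an added example serving both the discovery requirement and the enforcement requirement above (illustrative code, not the baseline's or any PAM product's own implementation), the following walks a constructed directory snapshot to find every account with privileged-account-level authority, including accounts that inherit it through nested groups (and survives a nesting loop), then applies two of the control's checks: a regular account must not hold privilege (account separation), and a privileged account's password must not be older than the 3-month rotation window. Accounts with a finding are disabled and reported. The `GROUPS` and `ACCOUNTS` structures, the `kind` attribute and the `adm-` naming are all assumptions; password length is not checked here because it cannot be read from a directory export, and the vault enforces the 15-character minimum when it sets the password.

```python
from datetime import date

# Constructed directory snapshot (assumption, not real data): group -> direct
# members, where a member may itself be a group, as with AD nested groups.
GROUPS = {
    "Domain Admins": ["adm-alice", "Tier0-Ops", "dave"],
    "Enterprise Admins": ["adm-alice"],
    "Tier0-Ops": ["adm-bob", "Helpdesk-Leads"],
    "Helpdesk-Leads": ["adm-carol", "Tier0-Ops"],   # nesting loop back to Tier0-Ops
    "Staff": ["alice", "bob", "carol", "dave"],
}
PRIVILEGED_GROUPS = ("Domain Admins", "Enterprise Admins")

# Constructed account records. "kind" marks whether this is the separate
# privileged account (adm-*) or the person's regular day-to-day account.
TODAY = date(2024, 3, 1)
ACCOUNTS = {
    "adm-alice": {"kind": "privileged", "pwd_last_set": date(2024, 1, 15), "enabled": True},
    "adm-bob":   {"kind": "privileged", "pwd_last_set": date(2023, 10, 1), "enabled": True},
    "adm-carol": {"kind": "privileged", "pwd_last_set": date(2024, 2, 20), "enabled": True},
    "alice":     {"kind": "regular",    "pwd_last_set": date(2024, 2, 1),  "enabled": True},
    "bob":       {"kind": "regular",    "pwd_last_set": date(2024, 2, 1),  "enabled": True},
    "carol":     {"kind": "regular",    "pwd_last_set": date(2024, 2, 1),  "enabled": True},
    "dave":      {"kind": "regular",    "pwd_last_set": date(2024, 2, 1),  "enabled": True},
}
MAX_PASSWORD_AGE_DAYS = 90   # "password rotation every 3 months"


def resolve_members(group, groups, path=None, seen=None):
    """Yield (user, chain) for every user reachable from `group` through nested
    groups; `chain` lists the groups traversed, outermost first. The shared
    `seen` set stops the walk when a nesting loop returns to a visited group."""
    chain = [group] if path is None else path + [group]
    seen = set() if seen is None else seen
    if group in seen:
        return
    seen.add(group)
    for member in groups.get(group, []):
        if member in groups:
            yield from resolve_members(member, groups, chain, seen)
        else:
            yield member, chain


def find_privileged_accounts(groups, privileged_groups):
    """Map each user holding privileged-account-level authority to the chain(s)
    granting it; a direct member has a chain of length one."""
    found = {}
    for pg in privileged_groups:
        for user, chain in resolve_members(pg, groups):
            found.setdefault(user, []).append(chain)
    return found


def check_compliance(privileged, accounts, today, max_age_days=MAX_PASSWORD_AGE_DAYS):
    """Return (user, reason) findings: a regular account holding privilege, or a
    privileged account whose password is older than the rotation window."""
    findings = []
    for user, chains in sorted(privileged.items()):
        rec = accounts.get(user)
        if rec is None:
            findings.append((user, "privileged membership without an account record"))
            continue
        if rec["kind"] != "privileged":
            findings.append((user, "regular account holds privilege via " + " > ".join(chains[0])))
        age_days = (today - rec["pwd_last_set"]).days
        if age_days > max_age_days:
            findings.append((user, f"password age {age_days} days exceeds {max_age_days}"))
    return findings


def enforce(findings, accounts):
    """Disable every account with a finding and return (report lines, updated
    records); the input records are left untouched."""
    updated = {user: dict(rec) for user, rec in accounts.items()}
    report = []
    for user, reason in findings:
        if user in updated:
            updated[user]["enabled"] = False
        report.append(f"DISABLED {user}: {reason}")
    return report, updated


if __name__ == "__main__":
    privileged = find_privileged_accounts(GROUPS, PRIVILEGED_GROUPS)
    report, _ = enforce(check_compliance(privileged, ACCOUNTS, TODAY), ACCOUNTS)
    print("\n".join(report))
```

Run stand-alone, this reports `adm-bob` (password 152 days old) and `dave` (a regular account that is a direct member of Domain Admins); `adm-carol`, who only holds privilege three groups deep via the looping Helpdesk-Leads nesting, is found but compliant. In practice the nested-group walk is what catches the "indirect" accounts the control refers to; a flat query of the Domain Admins member list would miss `adm-bob` and `adm-carol` entirely.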