Regular end-users do not have continuous privileged access to endpoints. This includes, but is not limited to, the ability to modify organisationally managed system settings, change environment variables, directly modify the registry, modify files in system directories or install programs.
Only users who have a demonstrable need for a local privileged account to perform their work activities can have access to one. This access adheres to the privileged access controls, including just-in-time and just-enough admin.
These privileges are recorded together with the justification and the approver.
Specification
- Privileged settings and features cannot be controlled using a non-privileged account.
- Approved business applications are deployed through a centrally managed solution.
- User workstations have protections to prevent them from leaving the organisational domain.
ISO 27001 & 27002:2022
A5.2,
A5.3,
A5.15,
A5.16,
A5.17,
A5.18,
A6.5,
A8.2,
A8.3,
A8.4,
A8.5,
A8.15
SURF toetsingskader informatiebeveiliging (SURF information security assessment framework, NBA maturity model)
ID.02 Access rights administration
ID.03 Super users