IAM-09: Segregation of Privileged Access Roles

CSF v1.1 References:

PF v1.0 References:


Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes, procedures and technical measures for the segregation of privileged access roles such that administrative access to data, encryption and key management capabilities and logging capabilities are distinct and separated.

Implementation Guidance

Processes and procedures should be communicated within the organization for adherence and enforcement, and regularly reviewed (at least annually). Separation of duties should be established and implemented between development/test and production environments. Under this control, a developer may use an administrator-level account with elevated privileges in the development environment and a separate account with user-level access to the production environment. In addition, appropriate levels of logs should be gathered from the production systems for further monitoring and analysis by security operations. Where key management operations are performed, they should be managed using split knowledge and dual control.
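The following is an added example, not part of the Cloud Controls Matrix or csf.tools, of how the three checks this guidance implies can be evaluated mechanically: no principal holds administrative access in more than one of the data, key-management and logging domains within an environment; no single account holds administrative rights in both development and production; and each key-management operation has dual control (two approvers distinct from the requester). The permission names, environments, principals and key operations are constructed for illustration and are not drawn from any real IAM system; split knowledge of key material is not modelled here.

```python
from collections import defaultdict

# Administrative capabilities grouped by the three domains IAM-09 requires
# to be separated. Permission names are constructed for this example.
ADMIN_DOMAINS = {
    "data": {"data:admin", "storage:admin"},
    "keys": {"kms:admin", "kms:create_key", "kms:schedule_key_deletion"},
    "logging": {"logs:admin", "logs:delete_log_group"},
}
ADMIN_PERMISSIONS = set().union(*ADMIN_DOMAINS.values())

# Constructed role assignments: (principal, environment, permissions).
# "dave" follows the guidance: admin in dev, user-level in prod.
# "eve" reuses one account with admin rights in both environments.
ASSIGNMENTS = [
    ("alice", "prod", {"data:admin"}),
    ("bob", "prod", {"kms:admin", "logs:admin"}),
    ("carol", "prod", {"logs:admin"}),
    ("dave", "dev", {"data:admin"}),
    ("dave", "prod", {"data:read"}),
    ("eve", "dev", {"storage:admin"}),
    ("eve", "prod", {"storage:admin"}),
]

# Constructed key-management change records with their approvers.
KEY_OPERATIONS = [
    {"id": "rotate-1", "op": "kms:rotate_key",
     "requested_by": "alice", "approvers": ["bob", "carol"]},
    {"id": "delete-2", "op": "kms:schedule_key_deletion",
     "requested_by": "bob", "approvers": ["bob", "carol"]},
    {"id": "create-3", "op": "kms:create_key",
     "requested_by": "carol", "approvers": ["alice"]},
]


def admin_domains(permissions):
    """Return the set of privileged domains a permission set touches."""
    return {d for d, perms in ADMIN_DOMAINS.items() if permissions & perms}


def cross_domain_violations(assignments):
    """Principals holding administrative access in more than one domain
    within the same environment. Returns {(principal, env): [domains]}."""
    merged = defaultdict(set)
    for principal, env, perms in assignments:
        merged[(principal, env)] |= perms
    violations = {}
    for key, perms in merged.items():
        domains = admin_domains(perms)
        if len(domains) > 1:
            violations[key] = sorted(domains)
    return violations


def cross_environment_violations(assignments):
    """Accounts that hold administrative rights in both dev and prod,
    i.e. the single-account pattern the guidance tells you to avoid."""
    envs_with_admin = defaultdict(set)
    for principal, env, perms in assignments:
        if perms & ADMIN_PERMISSIONS:
            envs_with_admin[principal].add(env)
    return sorted(p for p, envs in envs_with_admin.items()
                  if {"dev", "prod"} <= envs)


def dual_control_failures(key_operations):
    """Key-management operations lacking two approvers distinct from the
    requester (the requester may not count as one of their own approvers)."""
    failing = []
    for op in key_operations:
        approvers = set(op["approvers"]) - {op["requested_by"]}
        if len(approvers) < 2:
            failing.append(op["id"])
    return failing


if __name__ == "__main__":
    print("cross-domain admin:", cross_domain_violations(ASSIGNMENTS))
    print("admin in dev and prod:", cross_environment_violations(ASSIGNMENTS))
    print("key ops without dual control:", dual_control_failures(KEY_OPERATIONS))
```

Run as-is, it reports bob (key management plus logging admin in production), eve (one account with admin rights in both environments), and the two key operations that fall short of two independent approvers. In practice the assignment and approval records would be exported from the identity provider and change-management system rather than embedded inline, and the domain-to-permission mapping is the part an auditor should review first, since an incomplete mapping silently hides violations.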

Auditing Guidance

  1. Determine if processes, procedures and technical measures for the separation of privileged access are defined and include requirements for separation of administrative access to data, encryption, key management and logging capabilities.
  2. Evaluate if established processes, procedures and technical measures for the separation of privileged access are implemented and followed in practice.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.