IAM-10: Management of Privileged Access Roles

CSF v1.1 References:

PF v1.0 References:

Info icon.

Control is new to this version of the control set.

Control Statement

Define and implement an access process to ensure privileged access roles and rights are granted for a time limited period, and implement procedures to prevent the culmination of segregated privileged access.

Implementation Guidance

Administrators should be allowed to log in as themselves and elevate privilege by systematically requesting a new role assignment to obtain the rights they need to perform tasks. This can be accomplished by establishing temporary, time-bound privileged access for both on-premises and cloud-based infrastructure. The duration of approval validity should be automatically limited. Only authorized users/roles should be pre-approved to request elevation of privileged access. The privileged access roles and rights should be reviewed periodically. Additionally, all the privilege access rights should be assigned based on multiple approval approaches (i.e., system owner, manager of user, etc.). All privileged accounts and elevation of privileges should be monitored for suspicious activity, such as login failures or attempts to escalate permissions using a security information and event management (SIEM) solution.

Auditing Guidance

  1. Determine if an access process, that includes requirements for limiting the time period of privileged access roles and rights, is defined.
  2. Determine if procedures address the prevention of culmination of segregated privileged access.
  3. Evaluate if an access process, that includes requirements for limiting the time period of privileged access roles and rights, is implemented and consistently followed in practice.
  4. Evaluate if procedures that address the prevention of culmination of segregated privileged access is implemented and consistently followed in practice.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.