IAM-11: CSCs Approval for Agreed Privileged Access Roles

CSF v1.1 References:

PF v1.0 References:

Control is new to this version of the control set.

Control Statement

Define, implement and evaluate processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles.

Implementation Guidance

Processes and procedures should include the following:

  • Access to privileged user IDs should be restricted to least privilege and business need to know.
  • Require documented approval by authorized parties specifying required privileges.
  • All actions taken by any individual with root or administrative privileges should be logged.
  • Use of and changes to privileged accounts, including elevation of privileges, should be monitored for suspicious activity, such as logon failures or attempts to escalate permissions, using a SIEM solution.
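
As an added illustration of the first three guidance points above (not part of the CCM or csf.tools content), the following Python gate refuses a privileged-role grant unless the request is least-privilege, every requested privilege is covered by a documented approval from an authorized party, and a customer-side (CSC) approver has signed off for roles rated high risk; the role catalogue, approver names and in-memory audit log are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed role catalogue (hypothetical). "risk" stands in for the rating the
# organizational risk assessment would assign to each privileged role.
ROLE_CATALOGUE = {
    "db-admin": {"privileges": {"db:read", "db:write", "db:admin"}, "risk": "high"},
    "log-reader": {"privileges": {"logs:read"}, "risk": "low"},
}

@dataclass(frozen=True)
class Approval:
    approver: str          # identity of the approving person
    party: str             # "csp" (provider) or "csc" (customer)
    privileges: frozenset  # privileges this approval explicitly authorizes

AUDIT_LOG = []  # every grant decision is recorded here (stand-in for a real log)


def grant_privileged_role(user, role, requested, approvals, authorized_approvers):
    """Gate a privileged-role grant; returns the granted privilege set or raises.

    Checks, in order: least privilege (requested is a subset of the role's
    privileges), documented approval by authorized parties covering every
    requested privilege, and customer (CSC) participation for high-risk roles.
    """
    entry = ROLE_CATALOGUE[role]
    requested = frozenset(requested)
    try:
        if not requested <= entry["privileges"]:
            raise PermissionError("requested privileges exceed the role")
        valid = [a for a in approvals if a.approver in authorized_approvers]
        covered = frozenset().union(*(a.privileges for a in valid))
        if not requested <= covered:
            raise PermissionError("no documented approval for some privileges")
        if entry["risk"] == "high" and not any(a.party == "csc" for a in valid):
            raise PermissionError("high-risk role requires customer approval")
    except PermissionError as exc:
        AUDIT_LOG.append(("DENIED", user, role, str(exc)))
        raise
    AUDIT_LOG.append(("GRANTED", user, role, sorted(requested), [a.approver for a in valid]))
    return requested
```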

Auditing Guidance

  1. Determine if processes and procedures for customers to participate, where applicable, in the granting of access for agreed, high risk (as defined by the organizational risk assessment) privileged access roles are defined, implemented and consistently followed in practice.

[csf.tools Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Control Matrix is Copyright 2023 Cloud Security Alliance.