11) Are privileged access accounts, and accounts of a sensitive nature, subject to a higher level of authorisation than user accounts before being provisioned?
IT Operations Privileged Access Authorisation
Written by Haydn Brooks
Created on March 18, 2019
Modified on June 7, 2020

Answer yes if your organisation requires privileged user accounts and accounts for sensitive functions (such as network administration) to receive a higher level of authorisation before they are provisioned. Please describe the provisioning process in the notes or provide a supporting document (as a PDF file) as evidence.

Privileged user accounts are accounts that have access to sensitive systems and configurations within your IT network. Privileged accounts are typically required by certain job roles that are involved in the maintenance and health of your IT systems, such as system administrators (sysadmins).

As privileged accounts are by their nature allowed to bypass certain security controls, they need to be controlled and only provisioned to people who require them. Therefore, it is important that a high level of authorisation is sought before a privileged account is provisioned. Typically, authorisation might be sought from the employee's line manager and a second senior manager within their team, and this authorisation is typically only given once the employee has shown that they can be trusted and are capable enough to use such access correctly.

The process you go through to provision a privileged account should be documented and the required approvals written into policy (such as your Identity and Access Management policy).

How to implement the control:

You must ensure that the process used to provision privileged access requires a level of approval that suits your organisation's risk appetite. This process should be clearly documented and written into policy.

If required, a third party security consultancy can review your Identity and Access Management procedures and either assure, or improve, your provisioning processes.

If you would like to contribute to this article or provide feedback, please email knowledge@riskledger.com. Contributors will be recognised on our contributors page.