A.8.2 / AC-2(7) / AC-6(2) / CIS-5.4 / CIS-6.8 ISO/IEC 27001:2022 Annex A ISO 27001

A.8.2 — Are privileged access rights restricted, just-in-time, and audited?

Demonstrate that privileged access is granted based on business need, provisioned temporarily with defined time limits, and all privileged activities are logged and monitored for anomalous behavior.

Description

What this control does

This control restricts privileged access rights to the minimum necessary personnel through role-based assignment, implements just-in-time (JIT) provisioning that grants elevated permissions only for limited time windows when needed, and maintains comprehensive audit logs of all privileged actions. Organizations deploy privileged access management (PAM) solutions or equivalent mechanisms to enforce time-bound sessions, approval workflows, and automated de-provisioning. This removes standing administrative access, which expands the attack surface, and narrows the window of opportunity for credential theft or insider misuse.

Control objective

What auditing this proves

Demonstrate that privileged access is granted based on business need, provisioned temporarily with defined time limits, and all privileged activities are logged and monitored for anomalous behavior.

Associated risks

Risks this control addresses

  • Unauthorized lateral movement using compromised privileged credentials with persistent access
  • Insider threat actors exploiting standing administrative rights to exfiltrate sensitive data over extended periods
  • Credential stuffing or pass-the-hash attacks leveraging long-lived privileged sessions
  • Insufficient forensic evidence during incident investigations due to missing privileged activity logs
  • Compliance violations from unaudited privileged access to regulated data environments
  • Privilege creep resulting in excessive users retaining administrative rights beyond their operational need
  • Delayed detection of malicious privileged actions due to lack of real-time monitoring and alerting

Testing procedure

How an auditor verifies this control

  1. Obtain the current inventory of privileged accounts and roles, including domain administrators, database administrators, cloud service accounts, and service principals.
  2. Review privileged access management policies and procedures to identify documented criteria for granting, approving, and revoking elevated permissions.
  3. Examine PAM system configurations to verify time-bound session settings, maximum session durations, and automatic revocation mechanisms.
  4. Select a sample of 10-15 privileged access requests from the past quarter and verify approval records, business justification, and time-limited grants.
  5. Review audit logs from the PAM solution, SIEM, or directory services for a two-week period to confirm all privileged logons, commands, and administrative actions are captured.
  6. Test whether privileged sessions automatically expire by reviewing session timeout configurations and examining log evidence of forced disconnections after time limits.
  7. Interview system administrators to validate they do not possess persistent administrative credentials and must request JIT access for operational tasks.
  8. Verify that privileged activity logs are forwarded to a centralized logging system with alerts configured for high-risk actions such as credential changes or permission escalations.
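Steps 4 through 8 above can be partly mechanized once the evidence has been collected. The script below is an added example written for this page, not part of the control catalogue or of any PAM product: it takes a set of JIT grant records and a set of privileged activity log lines (both constructed here, in an assumed key=value log format) and reports grants that lack approval, justification or an expiry, sessions longer than an assumed 4-hour policy maximum, privileged actions that occurred with no active JIT grant for that principal and role (the evidence an auditor wants for steps 5 and 6), and high-risk actions of the kind step 8 says should raise an alert. The policy values and the list of high-risk action names are assumptions for the example, not values taken from the control text.

```python
"""Audit helper for the A.8.2 testing procedure (added example, not catalogue code).

Checks constructed JIT grant records and privileged activity log lines for the
conditions an auditor looks for: approvals, justification, time-bound grants,
actions outside an approved window, and high-risk actions that should alert.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Policy parameters: assumed for this example, not taken from the control text.
MAX_SESSION = timedelta(hours=4)
HIGH_RISK_ACTIONS = {"reset_password", "add_role_member", "modify_acl"}


@dataclass
class Grant:
    """One JIT access request as exported from a PAM system (assumed fields)."""
    request_id: str
    principal: str
    role: str
    approver: Optional[str]
    justification: str
    granted_at: datetime
    expires_at: Optional[datetime]   # None models standing (never-expiring) access


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_grants(grants: List[Grant]) -> List[Tuple[str, str]]:
    """Return (request_id, finding) pairs for grants that fail the control's expectations."""
    findings = []
    for g in grants:
        if not g.approver:
            findings.append((g.request_id, "no approval record"))
        if not g.justification.strip():
            findings.append((g.request_id, "no business justification"))
        if g.expires_at is None:
            findings.append((g.request_id, "standing access: no expiry"))
        elif g.expires_at - g.granted_at > MAX_SESSION:
            findings.append((g.request_id, "session exceeds maximum duration"))
    return findings


def parse_log_line(line: str) -> dict:
    """Parse '<timestamp> key=value key=value ...' into a dict (assumed log format)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = parse_ts(ts)
    return fields


def check_activity(log_lines: List[str], grants: List[Grant]) -> List[Tuple[str, str]]:
    """Return (log_line, finding) pairs: actions with no active grant, and high-risk actions."""
    findings = []
    for line in log_lines:
        ev = parse_log_line(line)
        # A grant covers the event if principal and role match and the event time
        # lies inside the granted window (an open-ended grant covers everything after start).
        covering = [
            g for g in grants
            if g.principal == ev["principal"] and g.role == ev["role"]
            and g.granted_at <= ev["ts"]
            and (g.expires_at is None or ev["ts"] <= g.expires_at)
        ]
        if not covering:
            findings.append((line, "privileged action with no active JIT grant"))
        if ev["action"] in HIGH_RISK_ACTIONS:
            findings.append((line, "high-risk action: alert expected"))
    return findings


# Constructed sample evidence (not real data).
GRANTS = [
    Grant("REQ-1001", "alice", "DomainAdmin", "bob", "Patch DC01 (CHG-42)",
          parse_ts("2024-05-02T09:00:00Z"), parse_ts("2024-05-02T11:00:00Z")),
    Grant("REQ-1002", "carol", "DBA", None, "",          # unapproved, unjustified, 12h window
          parse_ts("2024-05-02T08:00:00Z"), parse_ts("2024-05-02T20:00:00Z")),
    Grant("REQ-1003", "dave", "CloudOwner", "erin", "Standing break-glass",
          parse_ts("2024-04-01T00:00:00Z"), None),       # never expires
]

LOG = [
    "2024-05-02T09:30:00Z principal=alice role=DomainAdmin action=install_patch target=DC01",
    "2024-05-02T11:45:00Z principal=alice role=DomainAdmin action=reset_password target=svc-backup",
    "2024-05-02T10:00:00Z principal=carol role=DBA action=export_table target=customers",
    "2024-05-02T10:05:00Z principal=frank role=DomainAdmin action=add_role_member target=DomainAdmins",
]


if __name__ == "__main__":
    for finding in check_grants(GRANTS) + check_activity(LOG, GRANTS):
        print(*finding, sep=" | ")
```

Run against the constructed data, the grant check flags REQ-1002 three times (no approver, no justification, window longer than the assumed maximum) and REQ-1003 once (no expiry); the activity check flags alice's password reset at 11:45 as both outside her 09:00 to 11:00 window and high-risk, and frank's group-membership change as both ungranted and high-risk. The ungranted-action findings are exactly what step 6 and step 7 look for: an action that succeeds after the grant expired means the time limit was not enforced, and an action by a principal with no request at all points to a persistent credential outside the JIT process.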
Evidence required

Collect privileged user inventory reports, PAM policy documents, system configuration exports showing session timeout settings, privileged access request tickets with timestamps and approvals, SIEM or PAM audit logs demonstrating captured privileged activities, alert rule configurations for anomalous privileged behavior, and screenshots of JIT access workflows showing time-bound grant mechanisms.

Pass criteria

All privileged accounts are assigned based on documented business need with periodic reviews, JIT mechanisms enforce time-limited sessions with automated revocation, and comprehensive audit logs capture all privileged actions with real-time alerting for suspicious behavior.