Are privileged accounts limited, monitored, with separate IDs and reviewed monthly?
Demonstrate that privileged accounts are restricted to necessary personnel only, assigned unique identifiers without sharing, subject to continuous monitoring with logging enabled, and reviewed through documented monthly access recertification processes.
Description
What this control does
This control requires organizations to limit the number of privileged accounts, assign a unique individual identifier to each privileged user (no shared credentials), continuously monitor privileged account activity through logging and alerting, and conduct formal access reviews at least monthly to validate that each account is still necessary and appropriately scoped. Privileged accounts include domain administrators, database administrators, security administrators, and any other accounts with elevated system, application, or data access rights. Limiting and monitoring these accounts reduces attack surface, enables individual accountability, and supports timely detection of unauthorized or anomalous privileged activity.
Control objective
What auditing this proves
Demonstrate that privileged accounts are restricted to necessary personnel only, assigned unique identifiers without sharing, subject to continuous monitoring with logging enabled, and reviewed through documented monthly access recertification processes.
Associated risks
Risks this control addresses
- Unauthorized privilege escalation by attackers exploiting excessive administrative account provisioning
- Insider threats leveraging shared privileged credentials to perform malicious actions with plausible deniability
- Delayed detection of compromised privileged accounts due to inadequate monitoring or alerting
- Privilege creep where users accumulate unnecessary administrative rights that persist beyond business need
- Lateral movement and persistent access by threat actors using dormant or orphaned privileged accounts
- Audit trail gaps caused by shared accounts preventing attribution of privileged actions to specific individuals
- Regulatory non-compliance and failed audits due to inability to demonstrate least privilege and periodic reviews
Testing procedure
How an auditor verifies this control
- Obtain a complete inventory of all privileged accounts from identity management systems, directory services (Active Directory, LDAP), database management systems, cloud IAM platforms, and application administration interfaces.
- Review the organization's privileged access policy and procedures to confirm documented requirements for account limitation, unique IDs, monitoring, and monthly reviews.
- Select a sample of 15-25 privileged accounts across different systems and verify each has a unique user identifier mapped to a single named individual with no evidence of credential sharing.
- Examine access control configurations and role assignments to assess whether privileged accounts follow least privilege principles and are limited to personnel with documented business justification.
- Review privileged account monitoring configurations including SIEM rules, privileged access management (PAM) system logs, audit logging settings, and alerting thresholds to confirm continuous monitoring is active.
- Obtain and inspect monthly access review documentation for the past three months, verifying reviews include privileged account rosters, approver sign-offs, dates performed, and documented remediation of identified issues.
- Test a sample of 5-10 logged privileged activities to confirm events are captured with sufficient detail (user ID, timestamp, action performed, system affected) and correlate to monitoring dashboards or reports.
- Interview privileged account owners and IT security personnel to validate understanding of review processes, monitoring alert response procedures, and accountability for the monthly recertification cycle.
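As an added example that is not part of this control text, the following Python script applies several of the checks above (one named owner per privileged ID, monthly review currency, dormant accounts, and log records carrying user ID, timestamp, action and affected system) to a constructed account inventory and log; the field names, thresholds and audit date are assumptions, not values from the control.

```python
# Added example (not part of the control text): evidence checks an auditor can
# script over an account inventory and privileged-activity log. All data is
# constructed for illustration; field names, thresholds and date are assumptions.
from datetime import datetime
import re

AS_OF = datetime(2024, 6, 1)  # assumed audit date

# (account, named owners, last review, last login); a unique ID has exactly one owner
INVENTORY = [
    ("adm-jsmith", ["J. Smith"], "2024-05-15", "2024-05-30"),
    ("sqladmin", ["A. Lee", "B. Chen"], "2024-05-15", "2024-05-29"),
    ("legacy-root", [], "2024-02-01", "2023-12-20"),
    ("adm-kpatel", ["K. Patel"], "2024-04-10", "2024-05-31"),
]
LOG_LINES = [  # constructed key=value records; the last one lacks the affected system
    "ts=2024-05-30T09:12:44Z user=adm-jsmith action=group_add system=dc01",
    "ts=2024-05-29T17:03:10Z user=sqladmin action=grant_role system=db-prod",
    "ts=2024-05-31T08:00:01Z user=adm-kpatel action=config_change",
]
REQUIRED_FIELDS = ("ts", "user", "action", "system")  # attribution needs all four

def _days_since(date_str):
    return (AS_OF - datetime.strptime(date_str, "%Y-%m-%d")).days

def account_findings(inventory=INVENTORY, review_days=31, dormant_days=90):
    """Per-account issues: shared/orphaned IDs, overdue monthly review, dormancy."""
    findings = {}
    for name, owners, last_review, last_login in inventory:
        issues = []
        if len(owners) != 1:  # no owner: orphaned; several owners: shared credential
            issues.append("orphaned" if not owners else "shared")
        if _days_since(last_review) > review_days:
            issues.append("review_overdue")
        if _days_since(last_login) > dormant_days:
            issues.append("dormant")
        if issues:
            findings[name] = issues
    return findings

def incomplete_log_records(lines=LOG_LINES):
    """Log lines missing a field needed to attribute a privileged action."""
    bad = []
    for line in lines:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        missing = [f for f in REQUIRED_FIELDS if f not in fields]
        if missing:
            bad.append((line, missing))
    return bad
```

Run against real exports, the two functions give the auditor a roster of accounts to query during interviews and the log lines that cannot support attribution.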