AC-2(1) / A.9.2.1 / CIS-5.3 NIST SP 800-53 Rev 5

Inventory of privileged accounts maintained

Demonstrate that the organization maintains a complete, accurate, and current inventory of all privileged accounts with documented ownership, access scope, and business justification.

Description

What this control does

This control requires organizations to establish and maintain a comprehensive, up-to-date inventory of all privileged accounts across systems, applications, databases, cloud platforms, and network devices. The inventory must include account attributes such as account name, system/application location, access level, account owner, business justification, last review date, and account status (active/inactive). Maintaining this inventory enables visibility into the organization's privileged access landscape, supports regular access reviews, facilitates incident response, and ensures privileged accounts do not proliferate unchecked.

Control objective

What auditing this proves

Demonstrate that the organization maintains a complete, accurate, and current inventory of all privileged accounts with documented ownership, access scope, and business justification.

Associated risks

Risks this control addresses

  • Undetected orphaned privileged accounts remain active after employee termination or role change, providing persistent unauthorized access paths
  • Shadow privileged accounts created outside formal provisioning processes accumulate without oversight, expanding the attack surface invisibly
  • Incident response teams cannot rapidly identify and disable compromised privileged accounts due to incomplete visibility during active breaches
  • Privileged account proliferation occurs unchecked as duplicate or unnecessary accounts are created without awareness of existing entitlements
  • Compliance violations result from inability to demonstrate privileged access governance or produce evidence during regulatory audits
  • Lateral movement by threat actors exploits undocumented service accounts or administrative credentials that evade monitoring
  • Access certification and recertification processes fail because reviewers lack complete visibility into privileged account populations

Testing procedure

How an auditor verifies this control

  1. Obtain the organization's current privileged account inventory documentation, including the inventory database, spreadsheet, or identity governance system repository
  2. Review the inventory schema to verify it captures required attributes: account identifier, system/application, privilege level, account type, owner/custodian, business justification, creation date, last access date, and review date
  3. Select a representative sample of 15-25 systems spanning Windows Active Directory, Linux/Unix servers, databases, cloud platforms (AWS/Azure/GCP), network devices, and enterprise applications
  4. For each sampled system, independently enumerate privileged accounts using native tools (Active Directory Users and Computers for domain admins, 'getent passwd' for Unix root-equivalent accounts, IAM console for cloud admin roles, database privilege queries)
  5. Compare the independently enumerated privileged accounts against the inventory to identify discrepancies, missing entries, or accounts present in the inventory but no longer existing in systems
  6. Interview account owners or system administrators for 5-7 privileged accounts to confirm business justification, verify ownership assignment accuracy, and validate last review dates documented in the inventory
  7. Review inventory update procedures and examine change management records or provisioning tickets from the past 90 days to verify newly created privileged accounts were added to the inventory within documented timeframes
  8. Validate the inventory includes non-human privileged accounts such as service accounts, API keys, and automation credentials by sampling application configuration files and service definitions
Evidence required

Collect the complete privileged account inventory with timestamps showing last update date, screenshots or exports from sampled systems showing actual privileged accounts (Active Directory privileged group membership, sudoers file contents, cloud IAM role assignments, database privilege grants), and provisioning/deprovisioning tickets demonstrating inventory maintenance processes. Obtain interview notes or email confirmations from account owners verifying ownership and justification, and copies of the inventory maintenance procedure documentation.

Pass criteria

The privileged account inventory is comprehensive with discrepancy rates below 5% when compared to actual system configurations, includes all required attributes for sampled accounts, demonstrates evidence of regular updates within defined timeframes, and all sampled privileged accounts have documented ownership and valid business justification.
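The reconciliation in steps 2, 4 and 5 (schema check, independent enumeration, comparison against the inventory) and the pass criteria above can be scripted for one sampled Linux host. The following is an added example written for this page, not tooling from the control framework: it parses constructed `getent passwd` and `getent group` output, treats UID 0 and membership of the `wheel` or `sudo` groups as root-equivalent (an assumption), checks each inventory row for the required attributes, and reports shadow accounts, stale entries and the discrepancy rate. The host name, account names and owners are constructed; the discrepancy-rate denominator (union of documented and observed accounts) is an assumption, since the page does not define it.

```python
import csv
import io
from dataclasses import dataclass, field

# Attributes the auditor checks for in the inventory schema (testing procedure step 2).
REQUIRED_ATTRIBUTES = [
    "account_id", "system", "privilege_level", "account_type", "owner",
    "business_justification", "created", "last_access", "last_review",
]

# Constructed sample inventory export (hypothetical host and owners, not real data).
INVENTORY_CSV = """account_id,system,privilege_level,account_type,owner,business_justification,created,last_access,last_review
root,lnx-app01,root,human,j.doe,break-glass access,2023-01-10,2024-05-01,2024-04-15
svc_backup,lnx-app01,sudo,service,backup-team,nightly backup job,2023-02-01,2024-05-02,2024-04-15
opsadmin,lnx-app01,sudo,human,ops-lead,platform operations,2023-03-12,2024-04-30,
oldadmin,lnx-app01,sudo,human,,left company 2023,2022-06-01,2023-06-01,2023-05-01
"""

# Constructed `getent passwd` / `getent group` output captured from the same sampled host.
GETENT_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:x:1001:1001::/var/backup:/bin/bash
opsadmin:x:1002:1002::/home/opsadmin:/bin/bash
deploybot:x:1003:1003::/home/deploybot:/bin/bash
toor:x:0:0:alt root:/root:/bin/bash
"""
GETENT_GROUP = """wheel:x:10:opsadmin,deploybot
sudo:x:27:svc_backup
users:x:100:
"""

PRIVILEGED_GROUPS = {"wheel", "sudo"}  # assumption: these groups grant root-equivalent access


def enumerate_privileged_unix(passwd_text, group_text, priv_groups=PRIVILEGED_GROUPS):
    """Root-equivalent account names: UID 0, or a member of a privileged group."""
    privileged = set()
    for line in passwd_text.splitlines():
        if line.strip():
            name, _pw, uid, *_rest = line.split(":")
            if int(uid) == 0:
                privileged.add(name)
    for line in group_text.splitlines():
        if line.strip():
            gname, _pw, _gid, members = line.split(":")
            if gname in priv_groups:
                privileged.update(m for m in members.split(",") if m)
    return privileged


def load_inventory(csv_text, system):
    """Parse the inventory export and keep the rows for one sampled system."""
    return [r for r in csv.DictReader(io.StringIO(csv_text)) if r["system"] == system]


def missing_attributes(row):
    """Required attributes that are absent or blank in one inventory row."""
    return [a for a in REQUIRED_ATTRIBUTES if not (row.get(a) or "").strip()]


@dataclass
class Reconciliation:
    matched: set = field(default_factory=set)
    not_in_inventory: set = field(default_factory=set)   # shadow: live but undocumented
    not_on_system: set = field(default_factory=set)      # stale: documented but gone
    incomplete_rows: dict = field(default_factory=dict)  # account_id -> missing attributes

    @property
    def discrepancy_rate(self):
        # Assumption: discrepancies over the union of documented and observed accounts.
        total = len(self.matched | self.not_in_inventory | self.not_on_system)
        return (len(self.not_in_inventory) + len(self.not_on_system)) / total if total else 0.0


def reconcile(inventory_rows, enumerated):
    """Compare inventory entries for a system with the independently enumerated set."""
    documented = {r["account_id"] for r in inventory_rows}
    result = Reconciliation(
        matched=documented & enumerated,
        not_in_inventory=enumerated - documented,
        not_on_system=documented - enumerated,
    )
    for r in inventory_rows:
        gaps = missing_attributes(r)
        if gaps:
            result.incomplete_rows[r["account_id"]] = gaps
    return result


def passes(result, max_rate=0.05):
    """Pass criteria: discrepancy rate below 5% and every sampled row fully attributed."""
    return result.discrepancy_rate < max_rate and not result.incomplete_rows


if __name__ == "__main__":
    live = enumerate_privileged_unix(GETENT_PASSWD, GETENT_GROUP)
    rec = reconcile(load_inventory(INVENTORY_CSV, "lnx-app01"), live)
    print("shadow accounts:", sorted(rec.not_in_inventory))
    print("stale entries:", sorted(rec.not_on_system))
    print("incomplete rows:", rec.incomplete_rows)
    print(f"discrepancy rate: {rec.discrepancy_rate:.0%}, pass={passes(rec)}")
```

On the constructed data the host fails: `toor` (a second UID 0 account) and `deploybot` (in `wheel`) are live but undocumented, `oldadmin` is documented but no longer exists, and two rows lack a required attribute, so the discrepancy rate is 50%. Repeating this per sampled system and keeping the exports alongside the script output gives the auditor both the evidence and the comparison the pass criteria call for.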