PAM in place for privileged accounts
Demonstrate that privileged accounts are managed through a dedicated PAM platform that enforces credential vaulting, access workflows, session monitoring, and automated rotation policies.
Description
What this control does
Privileged Access Management (PAM) solutions centralize authentication, authorization, session monitoring, and auditing of privileged credentials used to administer critical systems, databases, and infrastructure. PAM enforces just-in-time credential provisioning, session recording, multi-factor authentication for elevation, and automated password rotation for privileged accounts. This control reduces the attack surface associated with standing administrative privileges and enables forensic reconstruction of privileged user activity, addressing both insider threats and credential compromise scenarios.
Control objective
What auditing this proves
Demonstrate that privileged accounts are managed through a dedicated PAM platform that enforces credential vaulting, access workflows, session monitoring, and automated rotation policies.
Associated risks
Risks this control addresses
- Attackers exploit static, shared, or embedded privileged credentials to gain persistent administrative access across multiple systems
- Lateral movement and privilege escalation following initial compromise due to over-provisioned or unmonitored administrative accounts
- Insider threats misuse standing privileged access to exfiltrate data, alter audit logs, or sabotage systems without detection
- Lack of accountability when multiple administrators share generic or service accounts, preventing attribution of malicious or erroneous actions
- Credential stuffing or brute-force attacks succeed against privileged accounts lacking multi-factor authentication or rate limiting
- Compliance violations due to inability to produce session recordings or access logs for privileged activity during incident investigations or audits
- Password sprawl and manual rotation failures expose credentials in configuration files, scripts, or documentation accessible to unauthorized users
Testing procedure
How an auditor verifies this control
- Obtain and review the organization's PAM platform architecture documentation, including integration points with directory services, target systems, and SIEM platforms.
- Export the current inventory of privileged accounts managed within the PAM solution, including system administrators, database administrators, application service accounts, and emergency access accounts.
- Select a representative sample of at least 15 privileged accounts spanning Windows, Linux, database, network device, and cloud infrastructure tiers.
- Verify each sampled account is vaulted in PAM with enforced check-out workflows, approval requirements, and time-limited session grants by reviewing access policies and workflow configurations.
- Inspect session recording and keystroke logging settings for privileged sessions, then retrieve and play back at least three recent session recordings to confirm capture completeness and retention.
- Review automated password rotation policies and execution logs, confirming that the rotation frequency meets organizational policy (typically 30-90 days) and that recent rotation events for the sampled accounts completed successfully.
- Test multi-factor authentication enforcement by attempting to access a privileged account without MFA and verifying access is denied, then documenting MFA enrollment status for all privileged users.
- Examine PAM audit logs and SIEM integration to confirm privileged access events, credential check-outs, session terminations, and policy violations are logged centrally with timestamps and user attribution.
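The testing steps above can be partly automated against the PAM export and audit logs the auditor collects. The script below is an added example written for this page; it is not part of the control text or of any PAM vendor's tooling. It assumes a CSV-shaped inventory export with the columns shown and a key=value audit-log format, both constructed here for illustration (real exports differ per platform and would need their own parser), and it checks the properties the procedure asks for: vaulting and approval workflow, MFA enrollment, rotation age against the 90-day upper bound, tier coverage of the sample, and timestamp plus user attribution on each logged event.

```python
"""Audit checks over a constructed PAM inventory export and audit-log sample (example, not vendor code)."""
import csv
import io
import re
from datetime import date

ROTATION_MAX_DAYS = 90          # upper bound of the 30-90 day range named in the procedure
REQUIRED_TIERS = {"windows", "linux", "database", "network", "cloud"}

# Constructed sample export; column names are an assumption, not a real PAM schema.
INVENTORY_CSV = """account,tier,vaulted,checkout_workflow,mfa_enrolled,last_rotation
adm-win-01,windows,yes,approval,yes,2024-05-20
root-db-prod,database,yes,approval,yes,2024-01-03
svc-app-batch,linux,no,none,no,2023-11-15
netadm-core,network,yes,approval,yes,2024-06-01
cloud-breakglass,cloud,yes,approval,no,2024-05-30
"""

# Constructed audit-log lines in an assumed "<ISO timestamp> key=value ..." format.
AUDIT_LOG = [
    "2024-06-02T10:15:00Z event=checkout account=adm-win-01 user=jdoe",
    "2024-06-02T10:47:12Z event=session_end account=adm-win-01 user=jdoe",
    "2024-06-03T08:02:44Z event=policy_violation account=root-db-prod user=asmith",
    "event=checkout account=netadm-core",   # no timestamp, no user: cannot be attributed
]

LOG_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<kv>.*)$")


def parse_inventory(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def check_account(row, as_of):
    """Return the list of control gaps for one privileged account (empty if compliant)."""
    findings = []
    if row["vaulted"] != "yes":
        findings.append("not vaulted")
    if row["checkout_workflow"] != "approval":
        findings.append("no approval workflow")
    if row["mfa_enrolled"] != "yes":
        findings.append("MFA not enrolled")
    age_days = (as_of - date.fromisoformat(row["last_rotation"])).days
    if age_days > ROTATION_MAX_DAYS:
        findings.append(f"rotation overdue ({age_days} days)")
    return findings


def audit_inventory(rows, as_of):
    """Map each non-compliant account name to its findings."""
    result = {}
    for row in rows:
        findings = check_account(row, as_of)
        if findings:
            result[row["account"]] = findings
    return result


def missing_tiers(rows):
    """Tiers the procedure expects in the sample that the export does not cover."""
    return REQUIRED_TIERS - {row["tier"] for row in rows}


def unattributed_events(lines):
    """Log lines that lack a timestamp, an account, or a user and so cannot support attribution."""
    bad = []
    for line in lines:
        match = LOG_RE.match(line)
        if match is None:
            bad.append(line)
            continue
        fields = dict(kv.split("=", 1) for kv in match.group("kv").split())
        if "user" not in fields or "account" not in fields:
            bad.append(line)
    return bad


if __name__ == "__main__":
    rows = parse_inventory(INVENTORY_CSV)
    today = date(2024, 6, 15)   # fixed "as of" date so the sample is reproducible
    for account, findings in audit_inventory(rows, today).items():
        print(f"{account}: {', '.join(findings)}")
    print("tiers not covered by sample:", missing_tiers(rows) or "none")
    for line in unattributed_events(AUDIT_LOG):
        print("unattributable log line:", line)
```

In practice the auditor still plays back the session recordings and performs the live MFA test by hand; the script only turns the inventory and log review into repeatable evidence, and each finding it prints should be traced back to the raw export line before it goes into the workpaper.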
Where this control is tested