Privileged access management (PAM)
Demonstrate that privileged accounts are centrally managed, credentials are securely vaulted and rotated, access is granted on a time-bound and approval-based basis, and privileged sessions are monitored and recorded.
Description
What this control does
Privileged Access Management (PAM) controls the lifecycle of accounts with elevated system, application, or data permissions through dedicated tooling and processes. PAM solutions typically vault privileged credentials, enforce session recording, require just-in-time access requests with approval workflows, and rotate passwords automatically after use. This control is critical because privileged accounts represent the highest-value targets for attackers and insider threats, providing direct pathways to sensitive data, configuration changes, and system compromise.
Control objective
What auditing this proves
Demonstrate that privileged accounts are centrally managed, credentials are securely vaulted and rotated, access is granted on a time-bound and approval-based basis, and privileged sessions are monitored and recorded.
Associated risks
Risks this control addresses
- Credential theft via phishing or malware targeting standing privileged accounts with static passwords
- Lateral movement by attackers who compromise one privileged account and reuse credentials across multiple systems
- Insider abuse of privileged access to exfiltrate sensitive data, manipulate financial records, or sabotage systems without detection
- Shared administrative account usage preventing attribution of privileged actions to specific individuals during forensic investigations
- Unmonitored privileged sessions enabling attackers to execute malicious commands or configuration changes without triggering alerts
- Privilege escalation attacks exploiting orphaned or unmanaged privileged accounts that persist after employee departure
- Ransomware deployment using compromised domain administrator or root credentials to encrypt enterprise-wide systems
Testing procedure
How an auditor verifies this control
- Obtain and review the current inventory of all privileged accounts across systems, applications, databases, network devices, and cloud platforms from the PAM system or identity management documentation.
- Verify that privileged credentials are stored in a secure password vault with encryption at rest and access logging enabled by reviewing PAM platform configuration settings.
- Select a sample of 10-15 privileged accounts spanning critical systems and confirm each account's password is managed by the PAM solution by attempting to retrieve credentials through the vault interface.
- Review access request and approval workflows by examining PAM system configuration and testing a sample access request to verify multi-level approval requirements and time-bound session grants.
- Examine session recording functionality by selecting 5 recent privileged sessions from logs and verifying that video recordings, keystroke logs, or command transcripts are retained and accessible.
- Validate automatic password rotation policies by reviewing PAM configuration for rotation frequency and examining audit logs showing successful password changes after privileged sessions.
- Test emergency access procedures (break-glass) by reviewing documented processes and verifying that emergency credential usage triggers immediate alerts to security teams and requires post-access justification.
- Analyze privileged access audit logs for the past 90 days to identify any direct logins bypassing the PAM solution, shared account usage, or violations of least-privilege principles.
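One way to carry out the last step's log reconciliation, as an added example that is not part of this control page or any PAM product: each privileged logon from a target system's audit log is matched against the vault's checkout records to flag logons with no covering PAM session (a bypass) and accounts used from more than one source address inside a short window (shared use that breaks attribution). The record layouts, field names, sample events and the two-minute and thirty-minute tolerances are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
@dataclass
class Login:            # privileged logon taken from the target system's audit log
    ts: datetime
    account: str
    target: str
    source_ip: str

@dataclass
class PamSession:       # credential checkout recorded by the PAM vault
    account: str
    target: str
    requester: str      # named individual the checkout is attributed to
    start: datetime
    end: datetime

def find_pam_bypasses(logins, sessions, slack=timedelta(minutes=2)):
    """Logins with no PAM checkout covering the same account and target at that time."""
    return [lg for lg in logins
            if not any(s.account == lg.account and s.target == lg.target
                       and s.start - slack <= lg.ts <= s.end + slack
                       for s in sessions)]

def find_shared_account_use(logins, window=timedelta(minutes=30)):
    """(account, target) pairs logged into from two different source IPs within `window`."""
    shared, ordered = set(), sorted(logins, key=lambda lg: lg.ts)
    for i, a in enumerate(ordered):
        for b in ordered[i + 1:]:
            if b.ts - a.ts > window:          # ordered by time, so later pairs are further apart
                break
            if (a.account, a.target) == (b.account, b.target) and a.source_ip != b.source_ip:
                shared.add((a.account, a.target))
    return sorted(shared)

T = datetime(2024, 5, 1, 9, 0)                                 # constructed base time
LOGINS = [                                                     # constructed sample logons
    Login(T, "root", "db01", "10.0.5.10"),                      # covered by alice's checkout
    Login(T + timedelta(minutes=5), "svc_backup", "fs01", "10.0.5.10"),
    Login(T + timedelta(minutes=10), "root", "db01", "10.0.5.11"),  # second IP, same checkout
    Login(T + timedelta(hours=3), "root", "db01", "10.0.7.44"),  # no checkout: PAM bypass
]
SESSIONS = [                                                   # constructed PAM checkouts
    PamSession("root", "db01", "alice", T - timedelta(minutes=1), T + timedelta(hours=1)),
    PamSession("svc_backup", "fs01", "bob", T, T + timedelta(hours=1)),
]
if __name__ == "__main__":
    for lg in find_pam_bypasses(LOGINS, SESSIONS):
        print("PAM bypass:", lg.account, lg.target, lg.ts, lg.source_ip)
    print("shared accounts:", find_shared_account_use(LOGINS))
```

Run against a real 90-day export, every bypass hit is a logon that should have been impossible if the vault is the only credential holder, and every shared hit is a checkout whose requester cannot be trusted as the actor for all activity in the session.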
Where this control is tested
Audit programs including this control
Ransomware Incident — Audit Program
Confirmed ransomware encryption + extortion event. Calls for the full playbook: MFA on remote access, immutable backups, EDR…
Database Leak / Unauthorised Data Exposure — Audit Program
Attacker dumps or sells a customer database. Implies the data store was accessible from the internet, lacked encryption…
Initial Access Broker Sale — Audit Program
Initial-access brokers selling administrative or remote access to a victim organisation (VPN, RDP, Exchange OWA, AWS console, AD…