Pro audit program · v1.0

Privileged Access Snapshot

A seven-control snapshot of privileged-account hygiene: shared admin credentials, break-glass accounts, credential vaulting (PAM), just-in-time elevation, and logging of privileged sessions.

  • General target area
  • NIST CSF framework
  • 7 controls in this program
  • Author: Cyentrix (Trusted Author)

Risks addressed

  • Critical: A compromised admin account allows full-environment takeover.
  • High: Shared admin credentials prevent attribution of privileged actions to a person.
  • High: Standing privileged access expands the attack window.
  • Medium: No audit trail of privileged actions.

Controls (7)

  1. Inventory of privileged accounts maintained

    Severity: High

    How to test + evidence

    Testing procedure: Request the privileged account inventory; spot-check 5 accounts against directory role membership in both directions (inventoried accounts that no longer hold a privileged role, and privileged role members missing from the inventory).

    Evidence to collect: Privileged account inventory (CSV).

  2. No shared admin credentials

    Severity: Critical

    How to test + evidence

    Testing procedure: Interview admins and review whether any admin account or role is used by more than one person. Check the vault audit log for secrets checked out by multiple users.

    Evidence to collect: Vault audit log; admin role membership.

  3. Break-glass accounts protected

    Severity: High

    How to test + evidence

    Testing procedure: Verify that break-glass accounts exist, that their credentials are sealed and not used for day-to-day administration, and that an alert fires on any use of the account.

    Evidence to collect: Sealed-envelope register + alert config screenshot.

  4. Privileged access vaulted (PAM)

    Severity: High

    How to test + evidence

    Testing procedure: Confirm that admin passwords and keys are held in a PAM solution and that each secret is rotated after it is checked out and returned, so the person who retrieved it no longer holds a valid credential.

    Evidence to collect: PAM tool config; rotation log.

  5. Just-In-Time elevation in use

    Severity: Medium

    How to test + evidence

    Testing procedure: Verify that admins must request time-bound elevation for privileged roles and that standing (permanent) assignments are a documented exception, not the default.

    Evidence to collect: PIM or approval-workflow export.

  6. Privileged session activity logged

    Severity: High

    How to test + evidence

    Testing procedure: Confirm that privileged actions are logged to a central system (SIEM) that the admins being monitored cannot alter, and that the logs are reviewed at least monthly.

    Evidence to collect: SIEM query + reviewer sign-off.

  7. Quarterly access recertification of admins

    Severity: Medium

    How to test + evidence

    Testing procedure: Pull the most recent privileged access recertification; verify that owners signed off within the SLA and that any access flagged for removal was actually revoked.

    Evidence to collect: Recert report with attestations.
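The following script is an added example, not part of the Cyentrix program or any PAM product: it runs the checks behind controls 1 to 4 offline, over constructed evidence in the shape an auditor would receive (an inventory CSV, a directory role export and a PAM vault audit log). The column names, the `checkout`/`checkin`/`rotate` event names, the break-glass account list and the 15-minute rotation window are all assumptions for illustration; real exports will differ and the loaders would need adjusting.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed evidence: the privileged-account inventory the auditee hands over.
INVENTORY_CSV = """\
account,owner,role
adm-alice,alice,Global Administrator
adm-bob,bob,Domain Admins
svc-backup,it-ops,Backup Operators
breakglass-01,security,Domain Admins
"""

# Constructed evidence: privileged role membership pulled from the directory.
DIRECTORY_ROLES_CSV = """\
role,member
Global Administrator,adm-alice
Global Administrator,adm-carol
Domain Admins,adm-bob
Domain Admins,breakglass-01
"""

# Constructed evidence: PAM vault audit log, one event per line (assumed format).
VAULT_LOG_CSV = """\
timestamp,event,secret,user
2024-05-01T08:00:00,checkout,adm-bob,bob
2024-05-01T08:40:00,checkin,adm-bob,bob
2024-05-01T08:41:00,rotate,adm-bob,system
2024-05-01T09:00:00,checkout,svc-backup,dave
2024-05-01T09:05:00,checkout,svc-backup,erin
2024-05-01T10:00:00,checkin,svc-backup,dave
2024-05-01T10:30:00,checkin,svc-backup,erin
2024-05-02T02:00:00,checkout,breakglass-01,ops-oncall
"""

BREAK_GLASS = {"breakglass-01"}        # assumed: accounts registered as break-glass
ROTATION_SLA = timedelta(minutes=15)   # assumed: rotate within 15 min of check-in


def load(csv_text):
    """Parse an evidence file into dict rows, oldest first when timestamped."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    return sorted(rows, key=lambda r: r.get("timestamp", ""))


def reconcile_inventory(inventory_rows, directory_rows):
    """Control 1: inventory and directory privileged roles must agree both ways.
    Role holders missing from the inventory are the dangerous case; stale
    inventory entries show the inventory is not being maintained."""
    inventoried = {r["account"] for r in inventory_rows}
    privileged = {r["member"] for r in directory_rows}
    return {
        "not_in_inventory": sorted(privileged - inventoried),
        "stale_inventory": sorted(inventoried - privileged),
    }


def shared_checkouts(vault_rows):
    """Control 2: a secret checked out by a second user while a first user still
    holds it is a shared credential, whatever the account is named."""
    holders = defaultdict(set)   # secret -> users currently holding it
    findings = []
    for r in vault_rows:
        secret, user = r["secret"], r["user"]
        if r["event"] == "checkout":
            if holders[secret] - {user}:
                findings.append((secret, sorted(holders[secret] | {user})))
            holders[secret].add(user)
        elif r["event"] == "checkin":
            holders[secret].discard(user)
    return findings


def break_glass_use(vault_rows, break_glass=BREAK_GLASS):
    """Control 3: every checkout of a break-glass credential must have produced
    an alert; compare this list against the alerting system's records."""
    return [(r["timestamp"], r["secret"], r["user"]) for r in vault_rows
            if r["event"] == "checkout" and r["secret"] in break_glass]


def unrotated_after_checkin(vault_rows, sla=ROTATION_SLA):
    """Control 4: each check-in must be followed by a rotate within the SLA,
    otherwise whoever checked the secret out still knows a valid password."""
    pending = {}   # secret -> time of the check-in still awaiting rotation
    findings = []
    for r in vault_rows:
        ts = datetime.fromisoformat(r["timestamp"])
        if r["event"] == "checkin":
            pending[r["secret"]] = ts
        elif r["event"] == "rotate":
            checked_in = pending.pop(r["secret"], None)
            if checked_in is not None and ts - checked_in > sla:
                findings.append((r["secret"], "rotated late"))
    findings.extend((secret, "never rotated") for secret in pending)
    return findings


def run_all():
    """Run every check and return the findings keyed by control number."""
    inventory, directory, vault = (load(INVENTORY_CSV), load(DIRECTORY_ROLES_CSV),
                                   load(VAULT_LOG_CSV))
    return {
        "control_1": reconcile_inventory(inventory, directory),
        "control_2": shared_checkouts(vault),
        "control_3": break_glass_use(vault),
        "control_4": unrotated_after_checkin(vault),
    }


if __name__ == "__main__":
    for control, result in run_all().items():
        print(control, result)
```

On the constructed data the script flags `adm-carol` as a Global Administrator missing from the inventory, `svc-backup` as both a stale inventory entry and a credential held by two people at once, `breakglass-01` as having been checked out (the auditor then confirms an alert exists for that timestamp), and `svc-backup` as never rotated after check-in. The same structure works against real exports once the loaders are pointed at the actual column and event names.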