Evidence for A.8.2 Privileged Access Rights would include:
- Access Control Policies: Documented access control policies that define what counts as privileged access and the process to request, approve, grant, review, and revoke it. The policy should cover segregation of duties and the principle of least privilege, and each grant should be traceable to a recorded approval.
- User Access Logs: Records of privileged user activity, including the account used, date, time, and the actions performed. These logs should be reviewed regularly for unauthorized or suspicious activity and stored so that the privileged users they record cannot alter or delete them.
- Privileged User Inventory: A complete list of privileged accounts, including system administrators, database administrators, shared or emergency ("break-glass") administrative accounts, and any other role with elevated rights, with a named owner for each account.
- Role-Based Access Control: Evidence that privileged rights are assigned on the basis of job roles and responsibilities rather than to individuals ad hoc, so that each privileged user has a clearly defined scope of access.
- Password Management: Documented credential policies for privileged accounts covering complexity, rotation, and multi-factor authentication, together with evidence that the policy is actually enforced (for example, that MFA is required for administrative logins rather than merely recommended).
- Incident Response Procedures: Evidence that the organization has incident response procedures that specifically address incidents involving privileged accounts, such as suspected credential compromise or misuse of administrative rights.
- Regular Auditing: Records of audits of privileged access rights showing that the rights actually configured on systems were compared against the policy and the approved inventory, and that any deviations or unauthorized access found were followed up.
- Change Management Process: Evidence that every change to privileged access rights is requested, approved, and documented through a formal change management process, so that no privileged right exists without a traceable change record.
- Employee Training: Records of security awareness training given to staff with privileged access, emphasizing the protection of their credentials and the recognition of social engineering attempts aimed at administrators.
- Termination Procedures: Procedures for removing privileged access rights promptly when an employee changes roles or leaves the organization, including evidence (such as completed deprovisioning tickets) that the removal was actually carried out.
- Least Privilege Principle: Verification that the rights granted are the minimum needed for the specific job function, and that elevated rights are used only when required rather than held permanently on day-to-day accounts.
- Privileged User Reviews: Records of periodic recertification of privileged access rights, in which each account's owner or manager confirms that the rights are still required and appropriate, and of the removals that resulted from those reviews.
By examining this evidence, an auditor can assess whether the organization has implemented effective controls over privileged access rights: not only that a policy exists, but that privileged accounts are known, approved, reviewed, logged, and removed when no longer needed. The goal is to ensure that only authorized personnel hold access to critical systems and data, reducing the risk of unauthorized access and the security breaches that compromised or excessive privileged accounts make possible.