APPL-14

Do you have a fully implemented policy or procedure that details how your employees obtain administrator access to institutional instance of the application?

Explanation

This question is asking whether your organization has a formal, documented policy or procedure that specifically outlines how your employees can obtain administrator-level access to a customer's (institution's) instance of your application. Administrator access represents the highest level of privileges within an application, allowing users to make system-wide changes, modify security settings, access sensitive data, and potentially override controls. Because of these powerful capabilities, the process for granting such access should be carefully controlled. The security assessment is asking this question because improper administrator access management is a common source of security incidents. Without proper controls, there's risk of: 1. Unauthorized access to customer data 2. Accidental or malicious system changes 3. Compliance violations 4. Inability to properly track who made critical system changes A good answer should describe your formal, documented process that covers: - Who can request administrator access to customer instances - Who approves such requests - What justification is required - How access is provisioned - Time limitations on access (temporary vs. permanent) - Documentation and audit trail requirements - How access is revoked when no longer needed The policy should demonstrate that administrator access to customer environments follows the principle of least privilege and is properly controlled, documented, and audited.

Example Responses

Example Response 1

Yes, we have a fully implemented 'Customer Instance Administrator Access Policy' that governs how our employees obtain administrator access to institutional instances The policy requires that all administrator access requests be submitted through our ServiceNow ticketing system by a manager or director Each request must include the business justification, scope of work to be performed, and timeframe needed All requests are reviewed and approved by both the Security Operations team and the Customer Success Manager assigned to that institution By default, access is granted on a temporary basis (24-72 hours) with automatic revocation For any access beyond 72 hours, VP-level approval is required All administrator actions within customer instances are logged in our SIEM solution, and access reports are reviewed weekly by our security team This policy is audited annually and was last updated in January 2023.

Example Response 2

Yes, we maintain a comprehensive 'Client Environment Access Control Procedure' that strictly governs administrator access to institutional instances Our procedure implements a just-in-time access model where employees must use our privileged access management (PAM) system to request temporary elevated access The request workflow requires documentation of the specific task, expected duration, and reference to an approved change request or support ticket All requests are routed to our Security Operations Center for approval, and customers can optionally enable a setting requiring their explicit approval as well Once approved, the PAM system provisions temporary credentials valid for a maximum of 4 hours All sessions are recorded, logged, and subject to real-time monitoring The procedure includes emergency break-glass provisions that allow immediate access in critical situations but trigger automatic notifications to security personnel and the customer's designated contacts.

Example Response 3

No, we don't currently have a fully implemented policy specifically for administrator access to institutional instances While we do have general access control practices, our approach to administrator access is handled case-by-case through our support team When administrator access is needed, a support engineer typically coordinates directly with the customer via email or phone to explain the need and obtain verbal approval We're aware this is a gap in our formal documentation and are currently developing a comprehensive policy that will standardize this process, implement proper approval workflows, and ensure consistent logging of all administrator activities We expect to have this policy finalized and implemented within the next 90 days as part of our security program maturation efforts.

Context

Tab
Infrastructure
Category
Application/Service Security

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London busses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Signature
Neil Cameron
Founder, ResponseHub
Neil Cameron