Do you have process and procedure(s) documented, and currently followed, that require a review and update of the access list(s) for privileged accounts?
Explanation
Privileged access reviews sit at the center of this requirement, which probes whether you have documented processes for revisiting who holds elevated rights and whether you actually follow them.
Privileged accounts are those with elevated permissions beyond regular users - such as administrator accounts, root access, database admin accounts, or any account that can make system-wide changes. These accounts pose a significant security risk if compromised or misused.
The security assessment is asking this because:
- Privileged account management is a critical security control - these accounts can do the most damage if compromised
- Access rights tend to accumulate over time ("access creep") when people change roles or leave the organization
- Regular reviews ensure only appropriate personnel have privileged access
- Many compliance frameworks (like SOC 2, ISO 27001, NIST) require periodic access reviews
To best answer this question:
- Describe your documented process for reviewing privileged access
- Mention the frequency of reviews (quarterly, semi-annually, etc.)
- Explain who is responsible for conducting these reviews
- Note how changes are tracked and implemented
- Provide evidence that the process is actually being followed (not just documented)
Example Responses
Example Response 1
Yes, we have a documented Privileged Access Management (PAM) procedure that requires quarterly reviews of all privileged accounts Our process involves the IT Security team generating reports of all users with administrative access across our systems, which are then sent to department managers for verification Managers must confirm that each privileged user still requires that access for their current role Any discrepancies are logged in our ticketing system and remediated within 5 business days This process is documented in our Information Security Policy (Section 7.3) and we maintain audit logs of all reviews and subsequent access changes Our most recent review was completed on March 15, 2023, resulting in the removal of privileged access for 3 users who had changed roles.
Example Response 2
Yes, we maintain a formal Privileged Account Review Procedure (document ID: SEC-PAM-003) that outlines our monthly review process for all privileged accounts The procedure includes automated account discovery across all systems, comparison against our approved privileged user database, and escalation of any unauthorized privileged accounts Our Identity and Access Management team conducts these reviews in collaboration with system owners The procedure includes specific workflows for handling different scenarios (role changes, terminations, temporary access, etc.) We use our GRC platform to track completion of these reviews, with automated notifications to management if reviews are overdue Our compliance team performs quarterly audits to verify adherence to this procedure, with results reported to our security steering committee.
Example Response 3
We currently do not have a formally documented process specifically for reviewing privileged account access lists While we do perform ad-hoc reviews when team members leave the company or change roles, and we maintain a general access control policy, we lack a systematic, scheduled review process for privileged accounts We recognize this as a gap in our security controls and are currently developing a formal procedure that will include quarterly reviews of all privileged accounts across our infrastructure We expect to implement this process within the next 60 days, including documentation, workflow approval, and staff training In the interim, we have initiated a one-time comprehensive audit of all privileged accounts to establish a baseline for our new process.
Context
- Tab
- Organization
- Category
- Policies, Processes, and Procedures
Related questions
- Do you have a documented patch management process?
- Can your organization comply with institutional policies on privacy and data protection with regard to users of institutional systems, if required?
- Is your company subject to the institution's geographic region's laws and regulations?
- Can you accommodate encryption requirements using open standards?
- Do you have a documented systems development life cycle (SDLC)?
- Do you perform background screenings or multi-state background checks on all employees prior to their first day of work?

