PPPR-13

Do you have process and procedure(s) documented, and currently followed, that require a review and update of the access list(s) for privileged accounts?

Explanation

This question is asking whether your organization has documented processes for reviewing and updating who has privileged access to your systems, and whether you're actually following these processes. Privileged accounts are those with elevated permissions beyond regular users - such as administrator accounts, root access, database admin accounts, or any account that can make system-wide changes. These accounts pose a significant security risk if compromised or misused.

The security assessment is asking this because:

1. Privileged account management is a critical security control - these accounts can do the most damage if compromised
2. Access rights tend to accumulate over time ("access creep") when people change roles or leave the organization
3. Regular reviews ensure only appropriate personnel have privileged access
4. Many compliance frameworks (like SOC 2, ISO 27001, NIST) require periodic access reviews

To best answer this question:

- Describe your documented process for reviewing privileged access
- Mention the frequency of reviews (quarterly, semi-annually, etc.)
- Explain who is responsible for conducting these reviews
- Note how changes are tracked and implemented
- Provide evidence that the process is actually being followed (not just documented)

Example Responses

Example Response 1

Yes, we have a documented Privileged Access Management (PAM) procedure that requires quarterly reviews of all privileged accounts. Our process involves the IT Security team generating reports of all users with administrative access across our systems, which are then sent to department managers for verification. Managers must confirm that each privileged user still requires that access for their current role. Any discrepancies are logged in our ticketing system and remediated within 5 business days. This process is documented in our Information Security Policy (Section 7.3), and we maintain audit logs of all reviews and subsequent access changes. Our most recent review was completed on March 15, 2023, resulting in the removal of privileged access for 3 users who had changed roles.

Example Response 2

Yes, we maintain a formal Privileged Account Review Procedure (document ID: SEC-PAM-003) that outlines our monthly review process for all privileged accounts. The procedure includes automated account discovery across all systems, comparison against our approved privileged user database, and escalation of any unauthorized privileged accounts. Our Identity and Access Management team conducts these reviews in collaboration with system owners. The procedure includes specific workflows for handling different scenarios (role changes, terminations, temporary access, etc.). We use our GRC platform to track completion of these reviews, with automated notifications to management if reviews are overdue. Our compliance team performs quarterly audits to verify adherence to this procedure, with results reported to our security steering committee.
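The automated comparison described in Example Response 2, written out as an added Python example (not code from the page or from ResponseHub): it reconciles a constructed export of current privileged assignments against a constructed approved list, flags assignments that are unauthorized or whose approval is stale, and assigns the five-business-day remediation due date that Example Response 1 mentions. All user and system names are made up.

```python
from datetime import date, timedelta

# Constructed sample data (not real systems or users): an export of who
# currently holds privileged roles, and the approved privileged-access list.
DISCOVERED = [
    {"user": "alice", "system": "prod-db", "role": "db_admin"},
    {"user": "bob", "system": "prod-db", "role": "db_admin"},
    {"user": "carol", "system": "ad", "role": "domain_admin"},
    {"user": "svc_backup", "system": "ad", "role": "domain_admin"},
]
APPROVED = [
    {"user": "alice", "system": "prod-db", "role": "db_admin", "owner": "dba-lead"},
    {"user": "carol", "system": "ad", "role": "domain_admin", "owner": "it-ops"},
    {"user": "dave", "system": "ad", "role": "domain_admin", "owner": "it-ops"},
]
REVIEW_DATE = date(2023, 3, 15)  # constructed review date (a Wednesday)


def add_business_days(start: date, days: int) -> date:
    """Return the date `days` business days (Mon-Fri) after `start`."""
    current = start
    while days > 0:
        current += timedelta(days=1)
        if current.weekday() < 5:  # 0..4 are Monday..Friday
            days -= 1
    return current


def reconcile(discovered, approved, review_date: date, sla_days: int = 5):
    """Compare discovered privileged assignments with the approved list.

    'unauthorized': present on the system with no approval; remove or escalate.
    'stale_approval': approved but no longer present; update the approved list.
    Every finding carries the remediation due date (review date + SLA).
    """
    def key(entry):
        return (entry["user"], entry["system"], entry["role"])

    approved_keys = {key(a) for a in approved}
    discovered_keys = {key(d) for d in discovered}
    due = add_business_days(review_date, sla_days)
    findings = []
    for user, system, role in sorted(discovered_keys - approved_keys):
        findings.append({"user": user, "system": system, "role": role,
                         "finding": "unauthorized", "due": due})
    for user, system, role in sorted(approved_keys - discovered_keys):
        findings.append({"user": user, "system": system, "role": role,
                         "finding": "stale_approval", "due": due})
    return findings


if __name__ == "__main__":
    for f in reconcile(DISCOVERED, APPROVED, REVIEW_DATE):
        print(f"{f['finding']:15} {f['user']}@{f['system']} ({f['role']}) due {f['due']}")
```

In practice the findings list would be written to the ticketing system and the approved list updated once a manager confirms each decision.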

Example Response 3

We currently do not have a formally documented process specifically for reviewing privileged account access lists. While we do perform ad-hoc reviews when team members leave the company or change roles, and we maintain a general access control policy, we lack a systematic, scheduled review process for privileged accounts. We recognize this as a gap in our security controls and are currently developing a formal procedure that will include quarterly reviews of all privileged accounts across our infrastructure. We expect to implement this process within the next 60 days, including documentation, workflow approval, and staff training. In the interim, we have initiated a one-time comprehensive audit of all privileged accounts to establish a baseline for our new process.

Context

Tab: Organization
Category: Policies, Processes, and Procedures

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain-points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub