Back to T5.2.2 - P1 - PRIVILEGE MANAGEMENT
Multi-user systems that require protection against unauthorized access should have the allocation of privileges controlled through a formal authorization process in accordance with the relevant access control policy. The following steps should be considered:
A. Identify privileged access rights associated with each system, e.g. operating system, database and application
B. Privileged access rights should:
- Be allocated to users on a need-to-use basis and on an event-by-event basis in line with the access control policy, i.e. the minimum requirement for their functional role, only when needed
- Not be granted until the authorization process is complete
- Be assigned to a different User ID than the User ID used for day-to-day work. Regular user activities should not be performed from privileged accounts
C. An authorization process and a record of all privileges allocated should be maintained
D. Requirements for expiry of privileged access rights should be defined
E. The competences of users with privileged access rights should be reviewed regularly in order to verify if they are in line with their duties
F. Specific procedures should be established and maintained in order to avoid the use of generic administration User IDs, according to systems configuration capabilities
G. For generic administration User IDs, the confidentiality of security credentials should be maintained when shared (changing them frequently and as soon as possible when a privileged user leaves or changes job, communicating them among privileged users with appropriate mechanisms)