Files
T

2.2 KiB

Privileged Account Access Review - Standards Reference

Regulatory Requirements

SOC 2 Type II - CC6.1, CC6.2, CC6.3

  • CC6.1: Logical and physical access controls restrict access to information assets
  • CC6.2: Prior to issuing system credentials, the entity registers and authorizes new users
  • CC6.3: The entity authorizes, modifies, or removes access in a timely manner
  • Quarterly privileged access reviews required for audit evidence

PCI DSS v4.0 - Requirement 7

  • 7.1: Processes and mechanisms for restricting access are defined and understood
  • 7.2: Access to system components and data is appropriately defined and assigned
  • 7.2.4: All user accounts and related access privileges are reviewed at least every six months
  • 7.2.5: All application and system accounts and privileges are reviewed at least every six months

HIPAA Security Rule - 164.312(a)(1)

  • Access control standard requiring unique user identification
  • Emergency access procedure (break-glass accounts)
  • Automatic logoff and encryption/decryption
  • Periodic review and modification of access rights

SOX Section 404

  • Internal controls over financial reporting
  • Segregation of duties enforcement
  • Access to financial systems must be reviewed quarterly
  • Evidence of review decisions must be retained

NIST SP 800-53 Rev 5 - Access Control Family

  • AC-2: Account Management (review periodically)
  • AC-2(3): Disable Accounts (within defined time period)
  • AC-2(4): Automated Audit Actions
  • AC-2(12): Account Monitoring for Atypical Usage
  • AC-6: Least Privilege
  • AC-6(7): Review of User Privileges

Industry Frameworks

CIS Controls v8

  • Control 5.1: Establish and maintain an inventory of accounts
  • Control 5.2: Use unique passwords
  • Control 5.3: Disable dormant accounts
  • Control 5.4: Restrict administrator privileges to dedicated administrator accounts
  • Control 5.5: Establish and maintain an inventory of service accounts

NIST Cybersecurity Framework 2.0

  • PR.AA-01: Identities and credentials for authorized users are managed
  • PR.AA-02: Identities are proofed and bound to credentials
  • PR.AA-03: Users, services, and hardware are authenticated
  • PR.AA-05: Access permissions, entitlements, and authorizations are defined