ISO 27001 (2013): Full
9.2.3: Management of privileged access rights

How to fill the requirement

Task name: Rules and formal management process for admin rights
Theme: System management
Policy: Access control and authentication requirements

This task also fulfils these other security requirements:

  • 9.2.3: Management of privileged access rights (ISO27 Full)
  • TEK-04.4: Administrative connections - personal accounts (Julkri)
  • 8.2: Privileged access rights (ISO27k1 Full)
  • CC6.1b: Logical access control for protected information assets (SOC 2)
  • CC6.3: Management of access to data based on roles and responsibilities (SOC 2)
1. Task description

Admin rights are managed through a formal process aimed at limiting the allocation of admin rights and controlling their use.

Regarding admin rights:

  • expiration requirements are defined
  • admin rights are granted only to usernames not used for normal everyday use
  • normal day-to-day use may not be performed with an admin account
Task name: Use of dedicated admin accounts in critical data systems
Theme: System management
Policy: Access control and authentication requirements

This task also fulfils these other security requirements:

  • 9.2.3: Management of privileged access rights (ISO27 Full)
  • UAC-05: Administrative account usage (Cyber Essentials)
  • TEK-07.2: Management of access rights - restricting access rights (Julkri)
  • 8.2: Privileged access rights (ISO27k1 Full)
  • CC6.3: Management of access to data based on roles and responsibilities (SOC 2)
1. Task description

Especially in the main identity management systems (e.g. Microsoft 365, Google), administrator accounts have very significant rights. Because of their value, these accounts are frequent targets of scams and attacks. For this reason, it is useful to dedicate administrator accounts to administrative use only, and not to use them for everyday work or, for example, when registering with other online services.

Task name: Using multi-factor authentication for admins
Theme: System management
Policy: Access control and authentication requirements

This task also fulfils these other security requirements:

  • 9.2.3: Management of privileged access rights (ISO27 Full)
  • 9.1.1: Access control policy (ISO27 Full)
  • UAC-04: Two factor authentication (Cyber Essentials)
  • PR.AC-7: User, device, and other asset authentication (NIST)
  • TEK-04.1: Administrative connections - strong authentication over public networks (Julkri)
1. Task description

Multi-factor authentication (MFA) is required for administrators in the organization's key data systems.

For example, after the user first logs in with a password, a one-time identification code can also be sent to them as a text message. The user has then been authenticated with two factors (knowledge of the password and possession of the phone).

Biometric identifiers (e.g. fingerprints) and separate hardware devices can also be used as additional factors. However, it is worth considering the costs and the privacy implications of each factor.
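One way to check an account inventory against the rules in the three tasks above (expiry defined for admin rights, admin rights only on dedicated accounts not used for everyday work, MFA for administrators). This is an added example, not part of the content library: the account records, the field names and the 90-day maximum grant period are constructed assumptions standing in for the organization's own policy values.

```python
"""Audit a constructed account inventory against three admin-account rules:
privileged rights must have an expiry, must sit on a dedicated account that is
not used for everyday work, and must be protected by MFA.
All account data below is constructed for this example."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    privileged: bool          # holds admin rights in the system
    expires: Optional[date]   # expiry date of the admin rights; None = never expires
    mfa_enrolled: bool        # an MFA factor is registered and enforced
    everyday_use: bool        # account is also used for mail, browsing, SaaS sign-ups


# Assumed policy value (not from the requirement text): admin grants are
# reviewed and renewed at least every 90 days.
MAX_GRANT_DAYS = 90


def audit(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (username, issue) pairs for every privileged account that
    violates one of the rules. Non-privileged accounts are out of scope."""
    findings = []
    for a in accounts:
        if not a.privileged:
            continue
        # Rule 1: an expiry requirement must be defined and respected
        if a.expires is None:
            findings.append((a.username, "no expiry defined for admin rights"))
        elif a.expires < today:
            findings.append((a.username, "admin rights expired but still active"))
        elif (a.expires - today).days > MAX_GRANT_DAYS:
            findings.append((a.username, f"expiry exceeds the {MAX_GRANT_DAYS}-day maximum"))
        # Rule 2: admin rights only on accounts not used for everyday work
        if a.everyday_use:
            findings.append((a.username, "admin account used for everyday work"))
        # Rule 3: MFA is required for administrators
        if not a.mfa_enrolled:
            findings.append((a.username, "MFA not enrolled on admin account"))
    return findings


def compliant(accounts: List[Account], today: date) -> List[str]:
    """Usernames of privileged accounts with no findings."""
    flagged = {user for user, _ in audit(accounts, today)}
    return [a.username for a in accounts if a.privileged and a.username not in flagged]


# Constructed sample inventory
TODAY = date(2024, 1, 15)
ACCOUNTS = [
    Account("alice", False, None, True, True),                              # normal user, out of scope
    Account("alice-adm", True, TODAY + timedelta(days=30), True, False),    # compliant dedicated admin
    Account("bob", True, None, True, True),                                 # everyday account with admin rights, no expiry
    Account("carol-adm", True, TODAY + timedelta(days=400), False, False),  # grant too long, no MFA
    Account("dave-adm", True, TODAY - timedelta(days=1), True, False),      # expired but still active
]

if __name__ == "__main__":
    for user, issue in audit(ACCOUNTS, TODAY):
        print(f"{user}: {issue}")
    print("compliant:", compliant(ACCOUNTS, TODAY))
```

In practice the inventory would be exported from the identity provider's admin role assignments and MFA registration report; the checks stay the same, and running them on a schedule turns the three tasks into a repeatable control rather than a one-off review.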
