|Security Control - Privileged Access Management Governance|
|Description||Provide compliance overview of accounts designated as privileged|
|Components and Required Capabilities||Privileged Access Management|
|Best Practice Recommendation||
Where additional identities are required for certain privileged roles (e.g. DBA) or for test accounts, a Privileged Access Management solution should be implemented to ensure the integrity and security of this access.
For certifications, when using entitlements only, consider a direct manager capability that allows a manager to review subordinates at one time, for the period of the certification. Highly restricted applications, privileged access, etc. may require 90-day reviews, whereas all other access could be reviewed yearly.
Once roles are deployed for provisioning, they can be expanded to be used in certification of access as well. This benefits all end users, but especially those certifying privileged user access, which typically comes with large numbers of entitlements to certify. Be sure to certify the composition of the role at least yearly.