Question: Are administrative privileges and endpoint access rights controlled and periodically reviewed?
Why This Matters
When every user runs as a local administrator, an attacker does not need to escalate at all: a single phished user or malicious download already runs with admin rights, can dump cached credentials, disable endpoint protection and move laterally. Enforcing least privilege and reviewing admin rights periodically limits the blast radius of any one compromised account and gives every privileged action an accountable owner.
Maturity
0 — Unaware
All users have local admin rights; no access control policy.
1 — Ad Hoc
IT manually sets rights; limited understanding of privilege scope.
2 — Defined
Access control policy created; roles differentiated (admin / user / guest).
3 — Managed
Privileged accounts tracked; quarterly reviews conducted.
4 — Integrated
Privilege elevation requires approval or MFA; audit logs retained.
5 — Optimized
Just-in-time and just-enough-access automated via PAM tooling.
How to Level Up
| From → To | Actions |
|---|---|
| 0 → 1 | Remove local admin rights from standard (daily-use) accounts; give administrators separate, named admin accounts and maintain a list of them. |
| 1 → 2 | Document the access control policy and apply role-based permissions (admin / user / guest). |
| 2 → 3 | Run quarterly privilege reviews of every privileged group and capture the evidence (who reviewed what, when, and what was revoked). |
| 3 → 4 | Require MFA and an approval workflow for elevation; retain elevation and group-membership-change audit logs for at least one year. |
| 4 → 5 | Adopt automated PAM / JIT access so standing admin rights are replaced by time-bound, approved elevation with reporting. |
Enablers
- People: IT admin, security officer, line manager reviewers.
- Process: Access review schedule, approval workflow, revocation procedure.
- Technology: AD / Entra ID, PAM, MFA, log collectors.
Evidence
- Access review records and approval emails.
- Admin account list with justification.
- Logs showing privilege elevation requests.
KPIs
- Percentage of admin accounts reviewed per quarter.
- Number of privilege violations detected.
- Mean time to revoke unused admin rights.
Low-Cost / Open-Source Options (MSME)
| Purpose | Tool | Notes |
|---|---|---|
| Access reviews | Open-AudIT / custom scripts | Export privileged AD group membership (e.g. PowerShell `Get-ADGroupMember` piped to `Export-Csv`) and review it against the justification list. |
| MFA | Authy / Microsoft Authenticator | Free authenticator apps; the app alone does not gate elevation, so pair it with an identity provider or PAM that enforces the second factor. |
| Logging | Wazuh / osquery | Alert on privileged-group membership changes (Windows event IDs 4728 / 4732) and special-privilege logons (4672). |
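The following script is an added example for the quarterly review step and the KPIs above; it is not part of the original assessment page or of any of the tools listed. It assumes two constructed inputs: a CSV export of privileged group membership with the justification and review columns the security officer maintains (the "admin list with justification" evidence item), and a few constructed Windows Security event lines (event IDs 4728 and 4732, member added to a group) in a simplified layout as a log collector such as Wazuh might forward them. The account names, dates and the `APPROVED_CHANGES` register are hypothetical.

```python
"""Admin-rights review and privileged-group-change detection (added example).

Checks the exported admin list against the review policy (justification
present, reviewed within the quarter, account actually used) and flags
privileged-group additions that did not go through the approval workflow.
All inputs below are constructed sample data, not real accounts or events.
"""
import csv
import io
import re
from datetime import date, timedelta

REVIEW_PERIOD_DAYS = 90   # quarterly review cadence (maturity level 3)
UNUSED_DAYS = 90          # admin right counts as unused after this many days without a logon
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

# Constructed export: group membership from AD plus columns kept by the security officer.
ADMIN_EXPORT_CSV = """account,group,justification,last_logon,last_reviewed
asmith,Domain Admins,Tier-0 AD administration,2024-03-28,2024-02-15
jdoe,Domain Admins,,2023-10-02,2023-07-01
svc-backup,Administrators,Backup agent service account,2024-03-30,2024-03-01
rlee,Administrators,Helpdesk laptop imaging,2024-02-11,2023-11-20
"""

# Constructed approval register: (member, group) pairs approved through the workflow.
APPROVED_CHANGES = {("pkumar", "Administrators")}

# Constructed event lines in a simplified syslog-style layout.
# 4728 = member added to a security-enabled global group (e.g. Domain Admins),
# 4732 = member added to a security-enabled local group (e.g. Administrators).
EVENT_LINES = """2024-03-29T09:12:05Z dc01 EventID=4732 SubjectUser=asmith MemberName=pkumar TargetGroup="Administrators"
2024-03-29T22:47:41Z dc01 EventID=4728 SubjectUser=jdoe MemberName=tmp-admin TargetGroup="Domain Admins"
2024-03-30T08:03:19Z ws-014 EventID=4732 SubjectUser=rlee MemberName=rlee TargetGroup="Remote Desktop Users"
"""

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) (?P<host>\S+) EventID=(?P<eid>\d+) SubjectUser=(?P<actor>\S+) '
    r'MemberName=(?P<member>\S+) TargetGroup="(?P<group>[^"]+)"$'
)


def parse_export(text):
    """Parse the CSV export and convert the date columns to date objects."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["last_logon"] = date.fromisoformat(row["last_logon"])
        row["last_reviewed"] = date.fromisoformat(row["last_reviewed"])
    return rows


def review_findings(rows, as_of):
    """Apply the review checks and compute the 'percentage reviewed this quarter' KPI."""
    review_cutoff = as_of - timedelta(days=REVIEW_PERIOD_DAYS)
    logon_cutoff = as_of - timedelta(days=UNUSED_DAYS)
    findings = {"missing_justification": [], "stale_review": [], "unused": []}
    for row in rows:
        if not row["justification"].strip():
            findings["missing_justification"].append(row["account"])
        if row["last_reviewed"] < review_cutoff:
            findings["stale_review"].append(row["account"])
        if row["last_logon"] < logon_cutoff:           # candidate for revocation
            findings["unused"].append(row["account"])
    reviewed = len(rows) - len(findings["stale_review"])
    findings["pct_reviewed_this_quarter"] = round(100.0 * reviewed / len(rows), 1) if rows else 0.0
    return findings


def detect_violations(lines, approved):
    """Return privileged-group additions (4728/4732) absent from the approval register."""
    violations = []
    for line in lines.splitlines():
        match = EVENT_RE.match(line.strip())
        if not match:
            continue  # not a group-membership event in the expected layout
        if match["eid"] not in ("4728", "4732") or match["group"] not in PRIVILEGED_GROUPS:
            continue  # other event type, or a group that is not privileged
        if (match["member"], match["group"]) not in approved:
            violations.append({"ts": match["ts"], "actor": match["actor"],
                               "member": match["member"], "group": match["group"]})
    return violations


if __name__ == "__main__":
    findings = review_findings(parse_export(ADMIN_EXPORT_CSV), date(2024, 3, 31))
    print("review findings:", findings)
    print("unapproved privileged-group changes:", detect_violations(EVENT_LINES, APPROVED_CHANGES))
```

Run quarterly with the fresh export as input; the `stale_review` and `unused` lists are the revocation work queue, and the violations list feeds the "privilege violations detected" KPI. In production the event lines would come from the log collector rather than a string, and the approval register from the ticketing system.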
Common Pitfalls
- Shared admin credentials, which make privileged actions impossible to attribute to a person.
- Admins using their privileged account for daily work (email, browsing), which exposes the admin credential to phishing.
- Reviews skipped due to workload, so stale rights accumulate unnoticed.
- No linkage between HR exit or role change and access revocation.
Compliance Mapping
| Standard | Clauses / Notes |
|---|---|
| ISO/IEC 27001:2022 | A.5.18 Access rights; A.8.2 Privileged access rights |
| CERT-In 2022 | Section 8 (Access Controls) |
| DPDP Act 2023 | Sec 8(5) (reasonable security safeguards to prevent personal data breach) |
| NIST CSF 2.0 | PR.AA-01 to PR.AA-06 (Identity Management, Authentication, and Access Control); PR.AC-1 to PR.AC-6 is the CSF 1.1 numbering |
| NIRMATA Mapping | EP-Q05 anchors for IAM alignment (Level ≥ 3). |