AC-2(7) Privileged User Accounts
Description
Privileged roles are organization-defined roles assigned to individuals that allow those individuals to perform certain security-relevant functions that ordinary users are not authorized to perform. Privileged roles include key management, account management, database administration, system and network administration, and web administration. A role-based access scheme organizes permitted system access and privileges into roles. In contrast, an attribute-based access scheme specifies allowed system access and privileges based on attributes.
Applicability
The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented.
The intended audience for this Control includes, but is not limited to, all information resources owners and custodians.
Implementation
- Establish and administer privileged user accounts in accordance with a role-based access scheme;
- Monitor privileged role or attribute assignments;
- Monitor changes to roles or attributes;
- Revoke access when privileged role or attribute assignments are no longer appropriate; and
- Ensure users with privileged (also known as administrative or special access) accounts are aware of the extraordinary responsibilities associated with the use of privileged accounts.
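The monitoring and revocation steps above can be checked mechanically. The following is an added example, not part of this Control: it compares two snapshots of privileged role assignments against a hypothetical approved role-based scheme (APPROVED_ROLES, with constructed user names), reports added and removed assignments for monitoring, and lists the assignments the scheme does not grant so they can be revoked.

```python
# Added example: audit privileged role assignments against an approved
# role-based access scheme; all role and user names are constructed.
from dataclasses import dataclass

# Hypothetical approved scheme: privileged role -> users authorized to hold it.
APPROVED_ROLES = {
    "key-management": {"alice"},
    "database-admin": {"bob", "carol"},
    "network-admin": {"dave"},
}

@dataclass(frozen=True, order=True)
class Finding:
    kind: str   # "added" / "removed" (changes) or "unapproved" (to revoke)
    role: str
    user: str

def _pairs(assignments):
    """Flatten {role: {users}} into a set of (role, user) pairs."""
    return {(role, user) for role, users in assignments.items() for user in users}

def audit(previous, current, approved=APPROVED_ROLES):
    """Report changes between two snapshots of privileged assignments and
    flag every current assignment that the approved scheme does not grant."""
    prev, curr, ok = _pairs(previous), _pairs(current), _pairs(approved)
    findings = set()
    findings |= {Finding("added", r, u) for r, u in curr - prev}
    findings |= {Finding("removed", r, u) for r, u in prev - curr}
    findings |= {Finding("unapproved", r, u) for r, u in curr - ok}
    return sorted(findings)   # ordered by kind, then role, then user

def revocations(findings):
    """Assignments that are no longer appropriate and must be revoked."""
    return [(f.role, f.user) for f in findings if f.kind == "unapproved"]

# Constructed snapshots: the previous and current state of the directory.
PREVIOUS = {
    "key-management": {"alice"},
    "database-admin": {"bob", "carol"},
    "network-admin": {"dave"},
}
CURRENT = {
    "key-management": {"alice"},
    "database-admin": {"bob", "carol", "erin"},   # erin added, not approved
    "network-admin": set(),                        # dave removed (expected)
    "web-admin": {"frank"},                        # role not in the scheme
}
```

Running audit(PREVIOUS, CURRENT) yields two "added", one "removed" and two "unapproved" findings; revocations() reduces those to the (role, user) pairs that must be removed.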
Revision History
Last Updated: February 21, 2025
Previous Versions:
- June 29, 2023
- May 31, 2022
- March 25, 2021
- September 16, 2019