AM-16 Access Management
Operating System / Server Access
OS-level access is restricted and approved.
- Domain: Access Management
- Control type: Preventive
- Automated / manual: Manual
- Frequency: Per event
- Framework reference: COBIT DSS05.04
What good looks like
Server/OS access (incl. root) is restricted to authorised admins and approved.
Risk if it fails
OS-level compromise.
How Tess tests it
3 tests — each concludes only on cited evidence.
Server-access request process defined
Design
- Procedure: Inspect the process.
- Expected: Approval required for server access.
- Sample: 1 (design inspection)
- Evidence: Server access inventory, approvals.
Server admin list authorised
Operating
- Procedure: Reconcile to approvals.
- Expected: Matches authorised personnel.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Server access inventory, approvals.
Root/local-admin restricted
Operating
- Procedure: Inspect privileged OS access.
- Expected: Limited and justified.
- Sample: Judgmental, by population (e.g. 10–25)
- Evidence: Server access inventory, approvals.
Evidence Tess looks for
Server access inventory, approvals.