AM-11 Access Management

Privileged Access Management (PAM)

Privileged sessions are brokered, recorded and just-in-time.

Domain: Access Management
Control type: Preventive/Detective
Automated / manual: Automated
Frequency: Continuous
Framework reference: COBIT DSS05.04; MAS TRM – Access

What good looks like

Privileged access is brokered via PAM with check-out/in, session recording and JIT elevation.

Risk if it fails

Abuse of standing privileged access.

How Tess tests it

4 tests — each concludes only on cited evidence.

PAM deployed and covers in-scope systems

Design

Procedure: Inspect PAM config and coverage.
Expected: Critical systems brokered via PAM.
Sample: 1 (design inspection)
Evidence: PAM config, session logs/recordings, elevation approvals.

No standing credentials (check-out/in)

Operating

Procedure: Inspect PAM logs.
Expected: Credentials vaulted and rotated on check-in.
Sample: 25 (or full config inspection)
Evidence: PAM config, session logs/recordings, elevation approvals.

Privileged sessions recorded

Operating

Procedure: Inspect a sample of recordings.
Expected: Recording enabled and retained.
Sample: 25 (or full config inspection)
Evidence: PAM config, session logs/recordings, elevation approvals.

JIT elevation approved and time-bound

Operating

Procedure: Inspect elevation events.
Expected: Elevation approved and auto-expires.
Sample: 25 (or full config inspection)
Evidence: PAM config, session logs/recordings, elevation approvals.

Evidence Tess looks for

PAM config, session logs/recordings, elevation approvals.

More in Access Management

AM-01 IT Organisation & Segregation AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO

Want Tess to test AM-11 against your evidence?