AM-10 Access Management

Privileged / Administrator Access

Privileged access is restricted, justified and attributable.

Domain: Access Management
Control type: Preventive/Detective
Automated / manual: Manual
Frequency: Per event + Quarterly
Framework reference: COBIT DSS05.04; MAS TRM – Access

What good looks like

Admin accounts are limited, approved with justification, individually attributable, and reviewed frequently.

Risk if it fails

Unmonitored superuser activity; undetected fraud.

How Tess tests it

4 tests — each concludes only on cited evidence.

Privileged-access policy and inventory exist

Design

Procedure: Inspect the policy and inventory.
Expected: Defined; inventory maintained.
Sample: 1 (design inspection)
Evidence: Privileged-account inventory, approvals, review evidence.

Each privileged account approved with justification

Operating

Procedure: Inspect approvals.
Expected: Business justification documented for each.
Sample: 2
Evidence: Privileged-account inventory, approvals, review evidence.

Privileged accounts individually attributable

Operating

Procedure: Inspect for shared/admin accounts.
Expected: Named, not shared/generic.
Sample: 2
Evidence: Privileged-account inventory, approvals, review evidence.

Heightened review cadence performed

Operating

Procedure: Inspect privileged-access reviews.
Expected: Reviewed more frequently than standard and on time.
Sample: 2
Evidence: Privileged-account inventory, approvals, review evidence.

Evidence Tess looks for

Privileged-account inventory, approvals, review evidence.

More in Access Management

AM-01 IT Organisation & Segregation AM-02 Password / Authentication Policy AM-03 Multi-Factor Authentication (MFA) AM-04 Centralised Identity / SSO

Want Tess to test AM-10 against your evidence?