Admin access comes with great power, great responsibility, and a lot of headaches (source: Tugboat Logic blog)

Security Controls, Explained: Admin Access

Control of the Week #6: Administrative Access

This week’s control is administrative access. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why administrative access is important and how to implement this control.

Why this control is important

“AC3.9 – Administrative/Privilege Access: Access to a generic administrator or privileged accounts on the databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.”

To keep up with previous analogies, this control deals with the people who have the master keys to your organization’s data, systems, and other assets. Auditors especially focus on administrator accounts and question the appropriateness of such accounts.

Admin accounts have the potential to do the most damage if they’re in the hands of those who shouldn’t have access, or are unqualified to use those accounts. Admins typically have the power to grant access to other individuals, which means the risk to your data increases greatly if accounts aren’t carefully monitored.

How to implement this control for your audits

At risk of stating the obvious, admin account access should be granted to users based on their position in the organization. More specifically, you should only give access to those with roles that require it (typically limited to IT teams and specific administrators). And, make sure monitoring is in place to determine who’s allowed to access the data, who used the accounts, who logged in, and that each authorized user has a unique account (shared accounts open up additional risk faster than a can of Goya beans!).

In short, these accounts should be monitored periodically to verify:

  • Who has access to these accounts
  • What type of access they have
  • What activities are performed through such access
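The periodic review above is easier to show than to describe, so here is an added example of one (it is not Tugboat Logic’s code, and the account names, groups, roles and dates are constructed for illustration). It takes three exports an auditor would normally ask for, privileged group membership, the HR roster with each person’s role, and last-login times, reconciles them against a role-based scheme of which roles may hold which privileged group, and reports who has access, what type, and whether the access is still justified: members whose role is not authorized, departed users who still hold access, generic accounts with no individual owner, and accounts with no login inside the review window.

```python
from datetime import date

# Constructed sample data standing in for a directory export, an HR roster
# and an authentication log. Every name and date here is made up.
ROSTER = {
    # username: (role, employment status)
    "alice": ("platform-engineer", "active"),
    "bob":   ("dba",               "active"),
    "carol": ("marketing",         "active"),
    "dave":  ("platform-engineer", "terminated"),
}

# The role-based scheme: which roles are allowed to hold each privileged group.
AUTHORIZED_ROLES = {
    "Domain Admins": {"platform-engineer"},
    "db_superuser":  {"dba"},
    "wheel":         {"platform-engineer", "dba"},   # sudo-capable Unix group
}

# Privileged group exports: group -> current members.
MEMBERSHIPS = {
    "Domain Admins": {"alice", "carol", "dave"},
    "db_superuser":  {"bob", "admin"},               # "admin" is a generic account
    "wheel":         {"alice", "bob"},
}

# Last successful privileged login per account (constructed).
LAST_LOGIN = {
    "alice": date(2024, 5, 30),
    "bob":   date(2024, 5, 29),
    "carol": date(2024, 1, 2),
    "admin": date(2024, 5, 30),
}

REVIEW_DATE = date(2024, 6, 1)   # the day the review is run (assumed)
STALE_DAYS = 90                  # review window; a policy choice, assumed here


def access_summary(memberships):
    """Answer 'who has access and of what type': user -> set of privileged groups."""
    summary = {}
    for group, members in memberships.items():
        for user in members:
            summary.setdefault(user, set()).add(group)
    return summary


def review_privileged_access(memberships, roster, authorized_roles,
                             last_login, today, stale_days=STALE_DAYS):
    """Return a list of (group, user, finding) tuples for an auditor to act on."""
    findings = []
    for group, members in memberships.items():
        allowed = authorized_roles.get(group, set())
        for user in sorted(members):
            if user not in roster:
                # Nobody owns this login, so activity cannot be tied to a person.
                findings.append((group, user, "generic-or-unowned account"))
                continue
            role, status = roster[user]
            if status != "active":
                findings.append((group, user, "inactive user retains access"))
            elif role not in allowed:
                findings.append((group, user, f"role '{role}' not authorized"))
            seen = last_login.get(user)
            if seen is None or (today - seen).days > stale_days:
                # Unused privilege is pure risk; a candidate for removal.
                findings.append((group, user, "no login in review window"))
    return findings


def run_review():
    """Run the review over the constructed data set."""
    return review_privileged_access(MEMBERSHIPS, ROSTER, AUTHORIZED_ROLES,
                                    LAST_LOGIN, REVIEW_DATE)


if __name__ == "__main__":
    for user, groups in sorted(access_summary(MEMBERSHIPS).items()):
        print(f"{user:6} holds {', '.join(sorted(groups))}")
    for group, user, finding in run_review():
        print(f"[{group}] {user}: {finding}")
```

Each finding maps to one of the three questions the control asks: the summary answers who and what type, the role check answers whether that access is appropriate, and the login check answers whether the access is actually being used. Keeping the output as plain tuples makes it easy to attach the run to an audit ticket as evidence that the review happened.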

TL;DR: Privileged accounts should only be given to authorized people. Such accounts include:

  • Domain admin accounts
  • Emergency accounts
  • Database accounts
  • Server root accounts
  • Service accounts
  • Application accounts

Last, but certainly not least, think about:

  • Password management tools – a great way to use technology as a means to control access (check out our recommendations)
  • Conducting an access review – auditors like to see you do this periodically
  • Avoiding automatic or hard-coded access to things such as APIs
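The last bullet, hard-coded access to APIs, is the one most often found by accident in a repository rather than in an access review. As an added example (not Tugboat Logic’s code; the credential names, the environment variable and the sample source files are constructed), the block below shows both halves of the fix: a small scanner that flags string literals assigned to credential-looking variable names, run over a constructed “bad” and “good” source file, and a loader that reads the key from the environment and refuses to start without it instead of falling back to a literal.

```python
import os
import re

# Assignments of a quoted literal (8+ chars) to a credential-looking name.
# The name list and length threshold are assumptions; tune them to your code base.
_SECRET_ASSIGNMENT = re.compile(
    r"""(?ix)
    \b(\w*(?:api[_-]?key|secret|password|passwd|token|access[_-]?key)\w*)  # identifier
    \s*[:=]\s*                                                            # assignment
    ["']([^"']{8,})["']                                                   # quoted literal
    """
)


def find_hardcoded_secrets(source: str):
    """Return (line_number, identifier) for each suspicious literal assignment."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        if line.strip().startswith("#"):
            continue                      # commented-out code is not live access
        match = _SECRET_ASSIGNMENT.search(line)
        if match:
            hits.append((lineno, match.group(1)))
    return hits


def load_api_key(env_var: str = "BILLING_API_KEY") -> str:
    """Hardened pattern: the credential is injected at runtime (by a secret manager
    or the deployment platform) and never lives in source. Fails closed if absent."""
    value = os.environ.get(env_var)
    if not value:
        raise RuntimeError(f"{env_var} is not set; refusing to start without a credential")
    return value


# Constructed example sources; the key below is not a real credential.
BAD_SOURCE = '''
import requests
API_KEY = "sk_live_constructedexample123"   # anyone with repo read access now has it
db_password = 'hunter2hunter2'
def call(url):
    return requests.get(url, headers={"Authorization": API_KEY})
'''

GOOD_SOURCE = '''
import os
api_key = os.environ["BILLING_API_KEY"]   # injected at runtime, nothing to leak from git
# password = "example-in-a-comment"       # commented out, so skipped by the scanner
'''


if __name__ == "__main__":
    for name, src in (("bad", BAD_SOURCE), ("good", GOOD_SOURCE)):
        print(name, find_hardcoded_secrets(src))
```

Running the scanner in CI catches the literal before it reaches a branch auditors will look at; the loader makes sure the replacement is a real runtime secret rather than a literal moved one file over. Rotate any key the scanner does find, since removing it from the current commit does not remove it from history.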
