Title Page
-
Site conducted
-
Conducted on
-
Prepared by
Data Collection Phase
-
List Privileged Accounts: Compile a list of all privileged accounts, both human and non-human (e.g., service accounts).
-
What was the issues?
-
Upload List of Privileged Accounts in ControlMap
-
Upload List of Privileged Accounts in ControlMap
-
Current Permission Sets: Identify the scope and depth of each privileged user's access rights.
-
What was the issues?
-
Credential Management: Review how credentials for these accounts are stored, managed, and rotated.
-
What was the issues?
Analysis Phase
-
Need for Privilege: Confirm if the current level of privilege is necessary for the assigned roles.
-
Why not?
-
Inactive Accounts: Identify any privileged accounts that are dormant but still have high-level access.
-
What inactive accounts still had access?
-
Separation of Duties: Confirm that duties and access are appropriately separated to prevent conflicts of interest or fraud.
-
What were the issues and what was done about it?
Review Phase
-
Technical Validation: Have IT security validate the appropriateness of the access levels.
-
Were any issues found?
-
What was found?
-
Business Validation: Get sign-off from senior managers or business owners for the current level of privileged access.
Remediation Phase
-
De-Provision: Remove unnecessary privileged accounts or downgrade to lower access levels.
-
Why?
-
What account was De-Provision?
-
Adjust Permissions: Correct over-permissions or under-permissions based on the review findings.
-
What permissions were adjusted?
-
Why
-
User Training: Re-train users who will continue to have privileged access about the responsibilities and risks involved.
-
Why not needed?
-
What users were Re-train?
-
Credential Updates: Update or rotate credentials for remaining privileged accounts.
-
Why were not credentials updated?
-
What credentials were updated?
