Privileged Access Management (PAM)

🧭 Planning:
Reviewed the management of elevated/administrative accounts as part of the ITGC audit. Special focus was placed on access governance, monitoring, and control over critical accounts across infrastructure and application layers.


🎯 Objectives:

  • Verify that privileged accounts are approved, documented, and reviewed regularly

  • Assess segregation of duties and role-based restrictions for elevated access

  • Evaluate logging, monitoring, and alerting mechanisms

  • Confirm use of vaults or PAM tools where applicable


📌 Procedures:

  • Identified all active privileged accounts across in-scope systems

  • Reviewed approval and provisioning workflows for admin accounts

  • Sampled logs for privileged activity and session audits

  • Examined access recertification reports and remediation steps

  • Assessed segregation between user and admin roles
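The procedures above (inventory of active privileged accounts, approval check, recertification check, separation of user and admin roles) can be run as a repeatable script over the exported evidence rather than by hand in a spreadsheet. The following is an added example, not part of the original working paper: it operates on constructed CSV extracts embedded inline (a privileged-account export of the kind produced by Get-ADGroupMember on Domain Admins / Enterprise Admins / Administrators, an approval register, a recertification report and a list of all user accounts), and it assumes a naming convention in which elevated accounts carry an `adm.` prefix and service accounts a `svc.` prefix, with a 90-day review period. All account names, tickets and dates are fictitious.

```python
import csv
import io
from datetime import date

# ---- Constructed sample evidence (illustrative only, not real data) ----

# Export of members of privileged AD groups (enabled flag and last logon
# as they would appear after Get-ADUser -Properties Enabled,LastLogonDate).
PRIVILEGED_ACCOUNTS_CSV = """sam_account_name,display_name,groups,enabled,last_logon
adm.jsmith,John Smith,Domain Admins,True,2024-05-02
adm.alee,Anna Lee,Domain Admins;Schema Admins,True,2024-04-28
rmartin,Rob Martin,Domain Admins,True,2024-05-01
svc.backup,Backup Service,Administrators,True,2024-05-03
adm.kpatel,Kiran Patel,Enterprise Admins,False,2023-11-10
"""

# Approval register: one row per approved privileged account.
APPROVALS_CSV = """sam_account_name,ticket,approver,approved_on
adm.jsmith,CHG-1042,IT Director,2023-01-15
adm.alee,CHG-1107,IT Director,2023-03-02
adm.kpatel,CHG-1200,CISO,2023-06-20
"""

# Recertification report: last documented review per privileged account.
REVIEWS_CSV = """sam_account_name,last_reviewed_on
adm.jsmith,2024-03-30
adm.alee,2023-09-15
svc.backup,2024-04-01
"""

# All user accounts in the domain, used to check that each human admin
# also has a separate everyday (non-privileged) account.
ALL_USERS_CSV = """sam_account_name
adm.jsmith
jsmith
adm.alee
alee
rmartin
svc.backup
adm.kpatel
"""

ADMIN_PREFIX = "adm."      # assumed naming convention for elevated accounts
SERVICE_PREFIX = "svc."    # assumed naming convention for service accounts
REVIEW_PERIOD_DAYS = 90    # quarterly review requirement


def _rows(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def active_privileged_accounts(accounts_csv=PRIVILEGED_ACCOUNTS_CSV):
    """Enabled accounts that hold membership in a privileged group."""
    return [r for r in _rows(accounts_csv) if r["enabled"].strip().lower() == "true"]


def accounts_without_approval(accounts, approvals_csv=APPROVALS_CSV):
    """Active privileged accounts with no ticket in the approval register."""
    approved = {r["sam_account_name"] for r in _rows(approvals_csv) if r["ticket"].strip()}
    return sorted(a["sam_account_name"] for a in accounts if a["sam_account_name"] not in approved)


def accounts_with_overdue_review(accounts, as_of, reviews_csv=REVIEWS_CSV,
                                 period_days=REVIEW_PERIOD_DAYS):
    """Accounts never reviewed, or last reviewed more than period_days before as_of."""
    last = {r["sam_account_name"]: date.fromisoformat(r["last_reviewed_on"])
            for r in _rows(reviews_csv)}
    overdue = []
    for a in accounts:
        name = a["sam_account_name"]
        reviewed = last.get(name)
        if reviewed is None or (as_of - reviewed).days > period_days:
            overdue.append(name)
    return sorted(overdue)


def accounts_without_separation(accounts, all_users_csv=ALL_USERS_CSV):
    """Human admins whose privileged access is not on a separate, dedicated account."""
    everyone = {r["sam_account_name"] for r in _rows(all_users_csv)}
    flagged = []
    for a in accounts:
        name = a["sam_account_name"]
        if name.startswith(SERVICE_PREFIX):
            continue  # service accounts are not expected to have a paired user account
        if not name.startswith(ADMIN_PREFIX):
            flagged.append(name)  # an everyday account sits directly in a privileged group
        elif name[len(ADMIN_PREFIX):] not in everyone:
            flagged.append(name)  # admin account has no paired everyday account
    return sorted(flagged)


def run_audit(as_of):
    """Return the three exception lists keyed by finding type."""
    accounts = active_privileged_accounts()
    return {
        "no_documented_approval": accounts_without_approval(accounts),
        "review_overdue": accounts_with_overdue_review(accounts, as_of),
        "no_account_separation": accounts_without_separation(accounts),
    }


if __name__ == "__main__":
    for finding, names in run_audit(date(2024, 5, 6)).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Disabled accounts are excluded from the approval and review checks so the exception lists only contain accounts that can currently be used; an auditor would still list disabled members of privileged groups separately as stale entries to be removed. The naming-convention test is the weak point of the separation check: it only catches a standard-named account placed in a privileged group, so a sample of actual logon events should still be reviewed to confirm that `adm.` accounts are not used for everyday work.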


📑 Working Papers:

  • WP-ITGC-PAM001: Elevated access management analysis

  • Admin account lists, activity logs, privilege review reports


📊 Findings:

  • โ— 2 active admin accounts were found with no documented approval

  • โ— No centralized logging of privileged session activity

  • โš ๏ธ Admins used the same credentials for standard and elevated accounts

  • โš ๏ธ No quarterly review performed on privileged accounts


🧰 Tools Used:

Active Directory, privileged account inventory, Excel, log monitoring tools


✅ Recommendations:

  • Implement a formal Privileged Access Management (PAM) system or vault

  • Enforce separation between standard and privileged accounts

  • Enable session logging and review for all privileged activities

  • Conduct quarterly access reviews focused on privileged roles

  • Introduce just-in-time (JIT) access provisioning for temporary elevated roles
