Privileged accounts, accounts with the ability to manage systems or users, should be reviewed or audited on a regular basis. They should be reviewed to ensure that they are still required, have appropriate access levels, are active, and the owner is still in the same position with the organization.
Privileged accounts have great power over the system or users, and this power can be misused by a malicious user or in the event of account compromise. The number of accounts should be limited, and the privileges associated with each account should be limited to what is required for performing the user’s job. Regular auditing of privileged accounts and the associated privileges helps to minimize the number of accounts and limit the privileges assigned to each.
Policies and procedures requiring regularly scheduled reviews of privileges account may be reviewed. Additional evidence in the form of schedules, calendar items, and technical controls such as account expiration dates may also be reviewed as evidence that the policies are being followed. Other things that may provide evidence of privileged account auditing may include lists, tickets, or even e-mail requesting that accounts be terminated or modified due to findings of an audit.