
Delinea Privileged Access Management Pam Checklist

This document provides a checklist to help organizations strengthen their privileged access management. It includes questions to assess risks from compromised privileged accounts, a list of common privileged account types to identify and prioritize, a framework to classify privileged account risks, and sections to define privileged access policies, document privileged account usage, and map accounts to appropriate security controls. The goal is to help reduce risks from cyberattacks targeting privileged credentials.

Uploaded by

Saggy K

Your Privileged Access Management Checklist

Privileged Access Management (PAM) continues to be a top priority for
many organizations throughout the world. It is one of the most important
tools to help organizations reduce the risks from cyberattacks that target
their privileged accounts.

A compromised privileged account enables an attacker to move around
the network undetected, download malicious payloads, stage compromised
servers and cause significant financial losses to their victims.
[Company Name] Privileged Access Management Checklist

YOUR PRIVILEGED ACCESS MANAGEMENT (PAM) CHECKLIST

Delinea has created this checklist to help you build on a strong foundation as you move
forward on your PAM journey.
Start by asking yourself two important questions:

1. What are the risks if my privileged accounts aren’t protected?

Which risks are you prioritizing to protect your business? Start by ranking your concerns
in order of their importance to your organization.

• Malware
• Financial fraud
• Ransomware
• Compliance failure
• Data breach
• Data poisoning
• Insider threats
• Service / application downtime
• Revenue loss / brand damage
• Other (please specify here _________________________________)

Some organizations have relied on password managers to help employees manage and
secure passwords. However, these solutions depend on employees choosing and
managing those passwords properly. Organizations must move beyond basic password
security and manage passwords more efficiently by deploying a strong privileged
access management solution. This will not only improve password hygiene but also
strengthen security overall.

2. Which common causes of security incidents and data breaches worry me the most?

It’s important to have a good understanding of which security controls are already in
place and which ones have room for improvement.

• Poor access management
• Insecure applications and APIs
• Misconfigured cloud storage
• Distributed Denial of Service (DDoS) attacks
• Overprivileged users
• Shared credentials
• Password-only security controls
• Securing third-party access and remote employees
• Shadow IT
• Other (please specify here _________________________________)

Types of Privileged Accounts


Most organizations assume privileged access means the Domain Administrator account
or any user that is a member of the Domain Admin group. Privileged access, however,
is so much more than just the Domain Admin. While the DA is an extremely important
privileged account, many more exist throughout the organization, posing significant risk
of compromise. When an attacker gains access to a privileged account, it only takes
them a few steps to elevate privileges and get the credentials of a full Domain Admin.
Here is a quick look at some types of privileged accounts commonly discovered in
organizations. You can use this list to identify and rank privileged accounts in your
environment:

| Types of Privileged Accounts | Rank in Priority | In Active Use |
|---|---|---|
| Local Administrator | | |
| Power Users | | |
| Unix / Linux Root Account | 2 | e.g., Yes |
| Sudoers | | |
| Service Account | | |
| Cisco Enable | | |
| Domain Administrator | 1 | e.g., Yes |
| Application / SaaS Accounts | | |
| Accounts Used for Batch Jobs / Scheduled Tasks / Cron Jobs | | |
| Standard Accounts with Access to Sensitive Data | | |
| System Administrator | | |
| Emergency Accounts | | |
| Enterprise Admins | | |

Use a trusted tool to help automate privileged account discovery in your environment. An
automated discovery tool will give you a reality check of how many privileged accounts
you think you have versus how many truly exist. This is a critical first step in completing
your PAM Checklist.

Privileged Risk and Threat Classification


Once identified, each of your privileged accounts should be evaluated, assigned to a
risk category, and mapped to appropriate security controls. Keep in mind that not all
privileged accounts are equal; some likely carry much more risk than others. It’s
important to know which accounts have greater impact on your business if
compromised. Assessing risk enables you to prioritize which accounts to manage with
the corresponding level of privileged access security.
You may develop your own threat classification or risk ranking system to determine the
level of risks to your business operations. We have included the sample system below
as a guideline.
The "CIA Triad" (Confidentiality, Integrity, and Availability) is a framework for risk
classification that helps prioritize the level of security required. CIA is as follows:

• Confidentiality – Unauthorized access to systems, including privileged account
  compromise. The more confidential the data or the more important the systems are
  to the business, the higher the potential impact.
• Integrity – Data poisoning, including leveraging a privileged account to corrupt or
  modify data. The more sensitive the data, the higher the potential impact.
• Availability – Impact on the availability or proper functioning of services, such as
  Distributed Denial of Service (DDoS) or ransomware. This includes use of privileged
  accounts to make unauthorized changes. The more critical the services are to the
  business, the higher the potential impact.

When ranking the level and type of risk, consider the impact of a privileged account
compromise, including those accounts associated with business users, network
administrators, and services or applications. When privileged accounts are involved in a
breach, the level of risk increases exponentially, as does the response required.

| Privileged Account Type | CIA Category | Business Impact Level | Audit Level | Security Controls |
|---|---|---|---|---|
| Local Administrator | C | Medium | Event log | Password; Rotate 90 |
| Domain Admin | C, I, A | High | Event log | Password; PCI/Rotate 30 |
| Service Account | C, I, A | Medium | None | Password, No login; None |
| 3rd Party DA Account | C, I, A | High | Event log | Password; Rotate 90 |

Privileged Risk Register and Map


A helpful technique to manage privileged account risks is to create a risk register for
each type of privileged account used within your organization, and then improve your
existing security controls to the highest level possible. This is a continuous process that
automatically discovers or provisions privileged accounts and assigns each one a risk
level wherever a policy is associated with it.

Figure 1 Example of a PAM Risk Register Technique.
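
The register technique described above, as an added Python example (not taken from Delinea's checklist or tooling): it encodes the sample classification table as policy, runs an inventory through it, and lists each account's open control gaps, highest impact first. The account names, the inventory tuple layout, and the rule that an account type with no policy row is listed first as "Unclassified" are assumptions made for the illustration.

```python
from datetime import date

# Sample policy rows from the classification table above:
# account type -> (CIA category, business impact, audit level, rotation days)
POLICY = {
    "Local Administrator": ("C", "Medium", "Event log", 90),
    "Domain Admin": ("C, I, A", "High", "Event log", 30),
    "Service Account": ("C, I, A", "Medium", None, None),
    "3rd Party DA Account": ("C, I, A", "High", "Event log", 90),
}
RANK = {"Unclassified": 0, "High": 1, "Medium": 2}

# Constructed inventory standing in for automated discovery output:
# (account, type, owner, password last set, auditing enabled)
INVENTORY = [
    ("WS-014\\Administrator", "Local Administrator", "Helpdesk", date(2024, 1, 10), True),
    ("CORP\\da-jsmith", "Domain Admin", "Director of IT", date(2024, 1, 10), True),
    ("CORP\\svc-backup", "Service Account", None, date(2022, 6, 1), False),
    ("CORP\\vendor-da", "3rd Party DA Account", "CISO", date(2024, 2, 20), False),
    ("rtr01/enable", "Cisco Enable", None, date(2023, 3, 1), False),
]

def assess(name, acct_type, owner, password_set, audit_enabled, today):
    """Return one register row; an unmapped type is flagged, not skipped (assumption)."""
    if acct_type not in POLICY:
        return {"account": name, "impact": "Unclassified", "cia": None,
                "gaps": ["no policy for this account type"]}
    cia, impact, audit, rotate = POLICY[acct_type]
    gaps = []
    age = (today - password_set).days
    if rotate is None:
        gaps.append("policy defines no rotation")
    elif age > rotate:
        gaps.append(f"password {age}d old, limit {rotate}d")
    if audit is None:
        gaps.append("policy defines no audit")
    elif not audit_enabled:
        gaps.append(f"{audit} auditing not enabled")
    if not owner:
        gaps.append("no assigned owner")
    return {"account": name, "impact": impact, "cia": cia, "gaps": gaps}

def build_register(accounts, today):
    """Assess every account; highest impact first, then most gaps first."""
    rows = [assess(*acct, today) for acct in accounts]
    return sorted(rows, key=lambda r: (RANK[r["impact"]], -len(r["gaps"])))

if __name__ == "__main__":
    for row in build_register(INVENTORY, date(2024, 3, 1)):
        print(f'{row["impact"]:12} {row["account"]:24} {row["gaps"]}')
```

The Service Account row shows why the register is useful: the sample policy lists no audit level and no rotation for it, so the account surfaces with three gaps even though nothing is "overdue".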



Privileged Access Policies and Definition


Your PAM Checklist requires a standard company policy that defines what a privileged
account is and who is responsible. The definition should include why privileges are
needed, who is accountable for privileges, where they are located, and how they
should be secured. Your checklist should also provide clear ownership of privileges. For
example, some organizations might have a dedicated Identity and Access Management
(IAM) team responsible for identities, including privileges. Make sure your corporate IT
policy specifically defines privileged access and policies around privileged usage.
Identity and Access Management

• Privileged Access Management (PAM) - Secure Usage of Privileged Accounts and
  Privileged Data
• Privileged Accounts (Objects) - Secure Vaulting of Privileged Credentials
• Privileged Data (Target) - Secure Access to Privileged Data

| Definition and Policies | In Place or Planned |
|---|---|
| Are privileged access and privileged accounts clearly defined? | In Place |
| Are privileged access and privileged accounts included in your IT policy? | In Place |
| Do privileged accounts have an assigned owner? | Planned |
| Do you have a central team who manages identities? | |
| Do you have a separate policy for privileged access? | |
| Are privileged accounts part of your incident response plan? | |
| Do you have dedicated privileged accounts for incident response? | |
| Do you have a privileged access provisioning policy? | |



Privileged Usage, why and how?


Your PAM Checklist should go beyond ticking boxes to provide an understanding of
what privileged accounts are being used for. Discovering and defining privileged usage
is an important step on the path to applying the Principle of Least Privilege. Least
privilege cybersecurity is designed to eliminate overprivileged access for users,
applications, and services so you can reduce the risk of exploitation without impacting
user productivity. One mistake made by System Administrators is using privileged
accounts for day-to-day standard operations such as logging on to a system
interactively or using a Domain Admin account for a service account or automated
backup task that runs with highly privileged access. In almost all instances, once these
practices are put in place, they are quickly forgotten, leaving a potential vulnerability that
attackers could easily exploit to escalate privileges.

Audit and document what privileged accounts are being used for in your PAM Checklist.
Make sure that you go through this process carefully to identify opportunities to apply
the Principle of Least Privilege:

| Type of Privileged Account | Account Usage | Risk | Use |
|---|---|---|---|
| Domain Admin | Administrative Tasks | High | Interactive Logons |
| | Configuration Changes | | Application UI |
| | Create Users | | Application UI |
| | Modify Users | | Application UI |
| | Delete Users | | Application UI |
| Local Admin | Install Software | Medium | Remote Desktop |
| | Access Applications | | Browser |
| | Access Data | | Application UI |
| | Backup Systems and Data | | Scheduled Task |
| | Update Software | | DevOps |
| | Security Patches | | Remote Access |
| | Interactive Logon | | SSH |
| | Access Cloud Applications | | Browsers |
| | Services | | Automated |
| | Automation | | APIs |

Use this process to help identify the top risks of overprivileged access and determine if
it’s possible to remove overprivileged users and reduce those risks.

Why, Who, Where, and How


Privileged Access Management Matrix

• Why Are They Needed: Config Changes, Administrative Tasks, Create/Modify/Delete Users, Install Software, Access Data, Backup Data, Update Patches, Interactively
• Types of Privileged Accounts: Domain, Local Accounts, Root, Privileged Users, Emergency Accounts, System Admin, Service Accounts, Applications, Batch Jobs, Human/Non-Human, Standard Accounts Access to Privileged Data
• Who Uses Them: IT Admins, Security Teams, Helpdesk, 3rd Party Contractors, Application Owners, DBAs, Applications, O.S, Developers, Hardware, IoT
• Where Are They Found: Servers, Endpoints, Operating Systems, Virtual, Software, Cloud, Databases, Services, Programs
• How Are They Used: Interactive Logons, APIs, Services, Applications, Automation, DevOps, SSH, RDP, VPN, Browsers
• How Are They Secured: Passwords, 2FA, MFA, Keys, Access Workflows, Session Recordings, Launching, Behavioral Analytics
• Risks If Compromised: Malware, Financial Fraud, Ransomware, Compliance Failure, Data Breach, Data Poisoning, Insider Threats, Service/Application Downtime, Revenue/Brand Loss

Figure 2 PAM Matrix



Privileged Users, Groups and Owners


Clearly defining who uses privileged accounts and who owns each account helps your
organization ensure defined policies are applied, and risk is mitigated. As part of your
PAM Checklist make sure that privileged users, groups, and owners are clearly defined.
This will also help apply the right role and scope during a PAM solution implementation.

| Type of Privileged Account | Privileged User/Group | Privileged Owners/Business Unit |
|---|---|---|
| Domain Admin | IT Admin | Director of IT |
| | Security Team | CISO |
| | Helpdesk | Support |
| | Third-Party Contractors | Application Owners |
| | Applications | Application Owners |
| DBA/SA | Databases | Application Owners |
| | Operating Systems Admins | Director of IT |
| Local Admin | Developers | Head of Engineering |
| Built-in Accounts | Hardware | Director of IT |
| Built-in Accounts | IoT | Director of IT |

Privileges, where are they found?


Privileged accounts are everywhere in the IT environment. They give IT the building
blocks for managing vast networks of hardware and software that power our
information-driven world. Yet for most people they are invisible.
You must make sure you know where your privileged accounts reside throughout your
IT environment. While this can be done during the automated discovery process, you
should take it a step further and conduct an audit to properly identify the location of
privileges:

| Privileged Account Type | Privileged Location |
|---|---|
| | Servers |
| | Endpoints |
| | Operating Systems |
| | Virtual Environment |
| | Software A |
| | Software B |
| | Cloud Service A |
| | Cloud Service B |
| | Databases |
| | Services |
| | Application A |
Application A

Privileged Security and Audit


You will want to improve security and auditing capabilities for privileged access. Going
beyond relying on passwords to protect the critical assets and data should be a priority.
That means identifying what security controls are in place and plotting a path forward to
increase your PAM maturity by applying the optimum security controls for your
business.

| Privileged Account Type | Current Privileged Security | Planned Privileged Security |
|---|---|---|
| | Password | Behavior Analytics |
| | Two Factor Authentication | Password Rotation |
| | Multi Factor Authentication | Full Audit |
| | SSH Key | |
| | Access Workflow | |
| | Session Recording | |
| | Session Launching | |
| | Peer Review | |

The next step on your PAM Checklist:

Privileged Account Discovery Tool for Windows
Identifies signs of account misconfiguration, such as shared
accounts, aged passwords, unexpected admin accounts, and
expired accounts, that increase the likelihood of intrusion and
abuse.

Least Privilege Discovery Tool
Indicates which accounts may be overprivileged, and therefore
vulnerable to insider threats and malware attacks.

About Delinea

Delinea is a leading provider of privileged access management (PAM) solutions for the
modern, hybrid enterprise. We make privileged access more accessible by eliminating
complexity and defining the boundaries of access to reduce risk, ensure compliance,
and simplify security. Delinea empowers thousands of customers worldwide, including
over half the Fortune 100. Our customers include the world’s largest financial
institutions, intelligence agencies, and critical infrastructure companies. delinea.com
