
Security Controls, Explained: Admin Access

Control of the Week #6: Administrative Access

This week’s control is administrative access. Jose Costa (CISO at Tugboat Logic), Harpreet Shergill (Senior Manager, IS Risk & Compliance at Tugboat Logic), and Chika Nwajagu (Senior Security Analyst at Tugboat Logic) explain why administrative access is important and how to implement this control.

Why this control is important

“AC3.9 – Administrative/Privilege Access: Access to a generic administrator or privileged accounts on the databases and servers supporting the application is restricted to authorized personnel based on a role-based access scheme.”

To keep up with previous analogies, this control deals with the people who have the master keys to your organization’s data, systems, and other assets. Auditors especially focus on administrator accounts and question the appropriateness of such accounts.

Admin accounts have the potential to do the most damage if they’re in the hands of those who shouldn’t have access, or are unqualified to use those accounts. Admins typically have the power to grant access to other individuals, which means the risk to your data increases greatly if accounts aren’t carefully monitored.

How to implement this control for your audits

At risk of stating the obvious, admin account access should be granted to users based on their position in the organization. More specifically, you should only give access to those with roles that require it (typically limited to IT teams and specific administrators). And, make sure monitoring is in place to determine who’s allowed to access the data, who used the accounts, who logged in, and that each authorized user has a unique account (shared accounts open up additional risk faster than a can of Goya beans!).

In short, these accounts should be monitored periodically to verify:

  • Who has access to these accounts
  • What type of access they have
  • What activities are performed through such access

TL;DR: Privileged accounts should only be given to authorized people. Privileged accounts include:

  • Domain admin accounts
  • Emergency accounts
  • Database accounts
  • Server root accounts
  • Service accounts
  • Application accounts

Last, but certainly not least, think about:

  • Password management tools – a great way to use technology as a means to control access (check out our recommendations)
  • Conducting an access review – auditors like to see you do this periodically
  • Avoiding automatic or hard-coded access to things such as APIs
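The periodic monitoring described above (who has access, what type, what they did) and the access review auditors expect can be scripted against an exported account inventory and login records. The following is an added example, not code from Tugboat Logic; the inventory, approved roles and login records are constructed sample data, and the dormancy window of 90 days is an assumed review period.

```python
"""Periodic privileged-access review (added example): checks a constructed
privileged-account inventory against approved roles and recent login records."""
from datetime import datetime, timedelta

# Constructed sample inventory; names, roles and account kinds are hypothetical.
PRIVILEGED_ACCOUNTS = [
    {"account": "alice.adm",  "owner": "alice", "role": "IT Admin", "kind": "domain admin"},
    {"account": "bob.adm",    "owner": "bob",   "role": "Sales",    "kind": "domain admin"},
    {"account": "dba_shared", "owner": None,    "role": "DBA",      "kind": "database"},
    {"account": "root",       "owner": "carol", "role": "IT Admin", "kind": "server root"},
    {"account": "svc_backup", "owner": "carol", "role": "IT Admin", "kind": "service"},
]
APPROVED_ROLES = {"IT Admin", "DBA"}   # roles whose holders may hold admin access

# Constructed sample login records (timestamp, account), as exported from an auth log.
LOGINS = [
    ("2024-05-01 09:12", "alice.adm"),
    ("2024-05-02 22:40", "bob.adm"),
    ("2024-05-03 11:05", "dba_shared"),
    ("2024-05-04 03:30", "temp.adm"),    # account that is not in the inventory
]

def review(accounts, logins, approved_roles, now, dormant_days=90):
    """Return findings keyed by check name; `now` is a YYYY-MM-DD review date."""
    inventory = {a["account"] for a in accounts}
    last_login = {}
    for stamp, acct in logins:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M")
        last_login[acct] = max(last_login.get(acct, when), when)
    cutoff = datetime.strptime(now, "%Y-%m-%d") - timedelta(days=dormant_days)
    findings = {
        # Holder's role is not one that requires privileged access.
        "unauthorized_role": [a["account"] for a in accounts if a["role"] not in approved_roles],
        # No single accountable owner: a shared/generic account.
        "shared_account": [a["account"] for a in accounts if a["owner"] is None],
        # Privileged account unused in the review window; candidate for removal.
        "dormant": [a["account"] for a in accounts
                    if last_login.get(a["account"], datetime.min) < cutoff],
        # Privileged login by an account nobody has inventoried.
        "unknown_login": list(set(last_login) - inventory),
    }
    return {check: sorted(accts) for check, accts in findings.items()}

if __name__ == "__main__":
    for check, accts in review(PRIVILEGED_ACCOUNTS, LOGINS, APPROVED_ROLES, "2024-06-01").items():
        print(f"{check}: {accts or 'none'}")
```

Each non-empty finding is an item for the access review: a role change, a shared account to split into unique ones, a dormant account to disable, or a login that needs an explanation.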