Privileged Access Policy
This is a Controlled Document
In line with Vaxa's governance framework, changes to controlled documents must be approved or merged by a code owner. All contributions are welcome and encouraged.

| Version | Effective | Reviewed | Next review due |
|---|---|---|---|
| 1.0.0 | 2025-02-03 | 2025-02-03 | 2026-02-03 |
Purpose
This policy ensures that privileged access to systems, applications, and data is securely managed, controlled, and monitored. It aims to minimise security risks associated with privileged accounts, ensuring they are only granted when necessary and for a limited duration.
Scope
This policy applies to all employees, contractors, and third parties who require privileged access to Vaxa’s systems, applications, and data.
Roles & Responsibilities
| Role | Responsibility |
|---|---|
| Chief Technology Officer (CTO) | Reviews and approves privileged access requests based on necessity and security considerations. Ensures compliance with this policy. |
| Information Security Group | Implements security controls, monitors privileged access events, and manages privileged accounts. |
| System Administrators | Configure and enforce privileged access controls. Manage privileged account lifecycle, including periodic revalidation. |
| Privileged Users | Use privileged accounts strictly for administrative duties. Adhere to access controls, separation of duties, and security best practices. |
Policy Statements
Definition of Privileged Access
Privileged access is defined as access to systems, applications, and data that allows users to perform administrative or configuration tasks that could impact the security, integrity, or availability of the environment. This includes, but is not limited to, access to system settings, user account management, data manipulation, and configuration changes. It applies on servers, within applications, and across databases, cloud environments, network devices, and local machines.
Access Control & Restrictions
- Privileged accounts must be explicitly authorised and are strictly limited to what is required for users and services to undertake their duties.
- Privileged users must use separate privileged and unprivileged operating environments.
- Privileged users must be assigned a dedicated privileged account, which must be used solely for tasks requiring privileged access.
- The environment must be configured to prevent virtualisation of privileged operating environments within unprivileged ones.
- Unprivileged accounts must be prevented from logging into privileged operating environments.
- Privileged accounts (excluding local administrator accounts) must be prevented from logging into unprivileged environments.
Privileged Access Lifecycle Management
- Privileged access is automatically disabled after 12 months unless explicitly revalidated.
- Privileged access is automatically disabled after 45 days of inactivity.
- Privileged access requests are assessed individually by the CTO, who ensures appropriate restrictions and timeouts based on necessity.
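The two lifecycle thresholds above can be checked mechanically. The following is an added illustration written for this page, not Vaxa's own tooling; it assumes each privileged account record carries the date access was granted or last revalidated and the date of last use, treats "12 months" as a calendar anniversary, and evaluates constructed sample records against the policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
INACTIVITY_LIMIT = timedelta(days=45)  # policy: disabled after 45 days of inactivity

@dataclass
class PrivilegedAccount:
    name: str
    revalidated: date              # date access was granted or last explicitly revalidated
    last_activity: Optional[date]  # None if the account has never been used

def twelve_months_after(d: date) -> date:
    """Calendar anniversary of d; 29 Feb rolls to 28 Feb in a non-leap year."""
    try:
        return d.replace(year=d.year + 1)
    except ValueError:
        return d.replace(year=d.year + 1, day=28)

def disable_reasons(account: PrivilegedAccount, today: date) -> list[str]:
    """Policy clauses the account breaches on `today` (empty list means it stays enabled)."""
    reasons = []
    if today > twelve_months_after(account.revalidated):
        reasons.append("not revalidated within 12 months")
    # A never-used account is measured from the date access was granted.
    last_seen = account.last_activity or account.revalidated
    if today - last_seen > INACTIVITY_LIMIT:
        reasons.append("inactive for more than 45 days")
    return reasons

# Constructed sample data, not real Vaxa accounts.
AS_OF = date(2025, 6, 1)
SAMPLE_ACCOUNTS = [
    PrivilegedAccount("alice-adm", date(2025, 3, 1), date(2025, 5, 20)),  # compliant
    PrivilegedAccount("bob-adm", date(2024, 5, 1), date(2025, 5, 30)),    # needs revalidation
    PrivilegedAccount("carol-adm", date(2025, 1, 15), date(2025, 4, 1)),  # inactive 61 days
    PrivilegedAccount("dave-adm", date(2024, 1, 10), None),               # never used, expired
]

def audit(accounts=SAMPLE_ACCOUNTS, today=AS_OF) -> dict[str, list[str]]:
    """Map each account that must be disabled to its reasons; compliant accounts are omitted."""
    result = {}
    for account in accounts:
        reasons = disable_reasons(account, today)
        if reasons:
            result[account.name] = reasons
    return result

if __name__ == "__main__":
    for name, reasons in audit().items():
        print(f"disable {name}: {'; '.join(reasons)}")
```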
Secure Administrative Operations
- Where required, administrative activities should be conducted through jump servers. However, as a cloud-native organisation without a traditional data centre, Vaxa may go without the use of jump servers until their necessity is demonstrated or dictated by the CTO.
- Credentials for break-glass accounts, local administrator accounts, and service accounts must be long, unique, and unpredictable; their storage locations must be known only to authorised personnel and audited regularly for misuse and availability.
Logging & Monitoring
- All privileged access events must be logged, stored in a central location, and protected from unauthorised modification and deletion.
- All privileged account and group management events must be logged, stored in a central location, and protected from unauthorised modification and deletion.
Exceptions
Exceptions to this policy must be formally requested, documented, and approved by the CTO. Exceptions must include a risk assessment and mitigation strategy.
Compliance & Monitoring
The Information Security Group will:
- Regularly audit privileged access logs.
- Conduct periodic privileged account reviews to ensure adherence to lifecycle policies.
- Investigate and respond to any unauthorised privileged access attempts.
References
- Information Security Policy.
- Evaluation of Privilege Requests Procedure.
- Identity & Access Management Policy.