Privileged access management and access rights lifecycle
Primary statement
Access rights — particularly privileged access — operate under: least-privilege role-based design; segregation of duties (SoD) enforcement with conflict detection; joiner-mover-leaver (JML) workflow integrated with HR providing time-to-disable within 24 hours of departure; quarterly access reviews with documented sign-off by line manager and system owner; multi-factor authentication mandatory for all administrative access and remote access; privileged access management (PAM) with session recording for high-privilege roles; periodic re-certification of privileged roles.
Audit-fatigue payoff
A single access governance programme — JML workflow + PAM platform + quarterly access reviews + MFA enforcement — satisfies access-control questions across all 13 frameworks. SEBI CSCRF PR.7 + RBI ITGRCA IAM provisions + ISO 27001 A.8.2/A.5.18 align tightly. The auditor's typical 5–7 distinct tests across frameworks collapse to: one PAM platform demo, one access review report, one JML walkthrough, one MFA scan. Done well, this is one of the most-consolidated audit-fatigue payoffs in the catalog.
Strictness matrix
Scope
Access rights to information and other associated assets shall be provisioned, reviewed, modified, and removed in accordance with the access control policy. Scope: ALL access — user, administrative, system, service-account, third-party, customer-facing. No category is exempt.
Ceiling source: iso27001:A.5.18
Rationale: ISO 27001 A.5.18 is the broadest scope formulation. Other frameworks address subsets (SEBI CSCRF PR.7 focuses on privileged; RBI on banking-specific access). The ISO scope is the superset under which all others fit.
Threshold
PAM is mandatory for privileged roles (system administrators, DBAs, root, network admins, security admins) AND for high-impact business roles (treasury, payment, SWIFT operators). Session recording is mandatory for high-privilege roles. MFA is mandatory for all administrative access AND remote access AND customer-facing authentication.
Ceiling source: sebi_cscrf:CSCRF.PR.7
Rationale: SEBI CSCRF PR.7 carries the strictest threshold: PAM and session recording mandatory (not recommended). The scope of "privileged" extends beyond IT roles into high-impact business roles, which is broader than other frameworks.
Method
Method: (1) documented Access Management Framework governing JML lifecycle (joiner-mover-leaver); (2) role-based access control (RBAC) with explicit role catalogue; (3) segregation of duties enforced with documented conflict matrix; (4) privileged access with additional controls — PAM platform with just-in-time elevation, session recording per SEBI CSCRF PR.7 + RBI CSF PR.3; (5) MFA across all administrative + remote + customer-facing flows per SEBI CSCRF PR.6; (6) HR integration so role changes flow to access changes.
Ceiling source: rbi_itgrca:ITGRCA.RM.6
Rationale: RBI ITGRCA RM.6 specifies the holistic Access Management Framework — JML, RBAC, SoD, privileged access, quarterly review — in a single control. Other cluster members (SEBI PR.7 PAM, RBI PR.3 PAM, SEBI PR.6 MFA) contribute specific elements; ITGRCA RM.6 is the integrated specification.
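Method items (2) and (3) above call for a role catalogue plus a documented conflict matrix with detection. As an added illustration (not code from this catalogue entry or from any of the cited frameworks), the script below runs both a detective check (which identities already hold conflicting role pairs) and a preventive check (would granting one more role create a conflict), which is the hook a JML workflow would call before provisioning. Role names, user ids and the conflict pairs are constructed sample data.

```python
"""Segregation-of-duties (SoD) conflict detection over an RBAC role catalogue.

Added illustration; not code from the source catalogue or any named framework.
Every role, user id and conflict pair below is constructed sample data.
"""
from itertools import combinations

# Constructed SoD conflict matrix: each frozenset is a pair of roles that one
# identity must never hold at the same time (initiate + approve, etc.).
SOD_CONFLICTS = {
    frozenset({"payment_initiator", "payment_approver"}),
    frozenset({"vendor_master_edit", "payment_initiator"}),
    frozenset({"db_admin", "security_admin"}),
}

# Constructed effective assignments: user id -> set of roles actually held
# (direct grants plus group-derived roles, already flattened).
ASSIGNMENTS = {
    "u1001": {"payment_initiator", "report_viewer"},
    "u1002": {"payment_initiator", "payment_approver"},
    "u1003": {"db_admin", "security_admin", "report_viewer"},
    "svc_batch": {"vendor_master_edit"},
}


def sod_conflicts(assignments, conflicts):
    """Detective check: return sorted (user, role_a, role_b) for every
    conflicting pair that a single identity currently holds."""
    findings = []
    for user, roles in assignments.items():
        # Every unordered pair of held roles is tested against the matrix.
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in conflicts:
                findings.append((user, a, b))
    return sorted(findings)


def blocking_roles(assignments, conflicts, user, new_role):
    """Preventive check used at provisioning time: the roles already held by
    `user` that would conflict with `new_role`. Empty list means the grant is
    clean from an SoD standpoint."""
    held = assignments.get(user, set())
    return sorted(r for r in held if frozenset({r, new_role}) in conflicts)


if __name__ == "__main__":
    for user, a, b in sod_conflicts(ASSIGNMENTS, SOD_CONFLICTS):
        print(f"SoD conflict: {user} holds both {a} and {b}")
    blockers = blocking_roles(ASSIGNMENTS, SOD_CONFLICTS, "u1001", "payment_approver")
    print(f"grant payment_approver to u1001 blocked by: {blockers}")
```

The detective output is the "detection evidence" an auditor asks for alongside the conflict matrix (Evidence item 4); the preventive function is what turns the matrix into an enforced control rather than a document.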
Frequency
Quarterly access reviews — explicit minimum cadence in RBI ITGRCA RM.6 (other frameworks vary from semi-annual to annual). JML operational cadence: joiner same-day on start; leaver disable within 24 hours; mover re-approval within 5 business days. Privileged role re-certification: annual with formal Board / CISO sign-off.
Ceiling source: rbi_itgrca:ITGRCA.RM.6
Rationale: RBI ITGRCA RM.6 is the only cluster member explicitly stating "at least quarterly" access reviews. This is the strictest periodic cadence and the audit-defensible reference.
Evidence
Required evidence per RBI ITGRCA RM.6: (1) Access Management Framework document; (2) JML workflow documentation; (3) RBAC role catalogue; (4) SoD conflict matrix with detection evidence; (5) quarterly access review records with revocations actioned; (6) privileged access register. Additional cluster evidence: (7) PAM session recordings sample per SEBI PR.7; (8) MFA enforcement scan per SEBI PR.6 across all in-scope access flows.
Ceiling source: rbi_itgrca:ITGRCA.RM.6
Rationale: RBI ITGRCA RM.6 evidence list is the most comprehensive single-control evidence set. Augmented by SEBI PR.7 and PR.6 specifics, this is the audit-defensible evidence package across the cluster.
Auditor test pattern
Step 1: Inspect the RBAC role catalogue; verify roles are designed for least-privilege (not "admin can do everything"). Step 2: Sample 3 recent joiners and 3 recent leavers; trace each through the JML workflow. For leavers, verify time-to-disable ≤ 24 hours and verify access disabled in ALL systems (not just primary). Step 3: Inspect the last quarterly access review; verify sign-off coverage; sample 3 access approvals and verify the underlying business justification is current. Step 4: Inspect the PAM platform; verify session recordings for at least one high-privilege session; verify privileged admins cannot bypass PAM via direct RDP/SSH. Step 5: Run MFA enforcement scan; identify any administrative or remote access path without MFA.
Common findings
Common 2024–26 findings: (1) Leaver access disabled in primary system but retained in legacy systems (LDAP/AD updated but Salesforce/Oracle/legacy mainframe not); (2) PAM deployed but admins bypass it via direct SSH/RDP — the PAM platform sits unused; (3) Quarterly access reviews performed but same accounts repeatedly approved as "still needed" without justification; (4) Service accounts with passwords unchanged for years; (5) MFA enforced for the SSO portal but legacy applications accept username/password directly; (6) JML workflow exists but is manual — HR change does not trigger automated access change; (7) Privileged role re-certification not performed annually.
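Auditor Step 2 (trace each leaver, verify time-to-disable ≤ 24 hours in ALL systems) and common finding (1) (disabled in AD but retained in legacy systems) are the same check seen from two sides. As an added example, not code from this catalogue entry, the script below joins a constructed HR leaver feed against constructed per-system account exports and reports, per system, whether the account is still active or was disabled late against the 24-hour threshold the entry states. The export shape (system -> employee id -> disable timestamp or None) is an assumption about how such extracts would be normalised.

```python
"""Leaver trace across every in-scope system against a 24-hour disable threshold.

Added illustration; not code from the source catalogue. The HR feed and the
system exports are constructed sample data, and their field layout is an
assumed normalisation of real extracts.
"""
from datetime import datetime, timedelta

MAX_DISABLE_DELAY = timedelta(hours=24)  # leaver threshold stated in the entry

# Constructed HR leaver feed: employee id -> departure timestamp (UTC).
HR_LEAVERS = {
    "e001": datetime(2025, 3, 3, 17, 0),
    "e002": datetime(2025, 3, 5, 17, 0),
}

# Constructed account exports: system -> employee id -> disable timestamp,
# or None when the account is still enabled in that system.
SYSTEM_EXPORTS = {
    "active_directory": {"e001": datetime(2025, 3, 3, 18, 30),
                         "e002": datetime(2025, 3, 6, 9, 0)},
    "crm":              {"e001": datetime(2025, 3, 3, 18, 30),
                         "e002": None},
    "legacy_mainframe": {"e001": None,
                         "e002": datetime(2025, 3, 9, 10, 0)},
}


def trace_leavers(hr_leavers, system_exports, max_delay=MAX_DISABLE_DELAY):
    """Return sorted findings (employee, system, status, delay_hours).

    status is "STILL_ACTIVE" (delay_hours None) when the account was never
    disabled, or "LATE" when it was disabled more than max_delay after the
    HR departure time. Systems where the leaver has no account are skipped;
    systems that disabled within the threshold produce no finding."""
    findings = []
    for emp, departed in hr_leavers.items():
        for system, accounts in system_exports.items():
            if emp not in accounts:
                continue
            disabled_at = accounts[emp]
            if disabled_at is None:
                findings.append((emp, system, "STILL_ACTIVE", None))
                continue
            delay = disabled_at - departed
            if delay > max_delay:
                hours = round(delay.total_seconds() / 3600, 1)
                findings.append((emp, system, "LATE", hours))
    return sorted(findings)


def leavers_clean(hr_leavers, system_exports, max_delay=MAX_DISABLE_DELAY):
    """Employee ids with no finding in any system: the sample the auditor can
    accept as passing Step 2."""
    flagged = {f[0] for f in trace_leavers(hr_leavers, system_exports, max_delay)}
    return sorted(e for e in hr_leavers if e not in flagged)


if __name__ == "__main__":
    for emp, system, status, hours in trace_leavers(HR_LEAVERS, SYSTEM_EXPORTS):
        extra = "" if hours is None else f" ({hours} h after departure)"
        print(f"{emp} in {system}: {status}{extra}")
    print("clean leavers:", leavers_clean(HR_LEAVERS, SYSTEM_EXPORTS))
```

In the constructed data both leavers are disabled in Active Directory on time, yet neither passes: one is still live on the mainframe, the other is still live in the CRM and was disabled on the mainframe days late. That is exactly the primary-system-only pattern of finding (1), and the per-system view is what an auditor needs to see rather than a single "disabled in AD" confirmation.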