Privileged Access Management (PAM)
Domain 5 — Protection of Information Assets
Definition
Privileged Access Management (PAM) refers to the security controls and processes that govern access to administrative or elevated accounts. PAM solutions typically include password vaulting, session recording, just-in-time access provisioning, and credential rotation. IS auditors evaluate PAM by reviewing who has privileged access, how credentials are stored, whether session activity is logged, and whether privileged access is reviewed periodically.
Real-World Audit Scenario
I audited a technology company where 47 employees had domain admin rights, including three interns. The "administrator" password was shared via a text message and had not been changed in 18 months. There was no system for granting temporary elevated access — everyone used the same all-powerful account for everything from installing software to creating user accounts. When I demonstrated that I could log into the domain controller using the shared admin password from a guest Wi-Fi network, the CEO finally approved a PAM solution.
Common Exam Trap
PAM questions often describe a scenario where an organisation has strong user access controls but weak privileged access controls. The correct answer is typically "implement a privileged access management solution with password rotation and session monitoring" — not "remove all privileged accounts."