A Policy Change: Admin Rights
This year we’ve made a number of policy changes to how Lineal protects your technology, data and users – part of a programme of adjustments designed to help our clients keep their organisations secure.
One of these is a change to how we manage security permissions. In future, we’ll be stricter about how and when we allow administrator (‘admin’) privileges to be used.
What does this mean?
Put simply, we expect no end-user to use an administrator account for their routine work.
Where a user needs administration privileges as part of their official role, we expect a separate admin account to be created for this function, with some extra protections put in place.
All admin accounts should be named to indicate the owner, assigned to only one individual, authorised by management, and protected by Multi-Factor Authentication, where available.
Why are Lineal taking this step?
Admin accounts carry enhanced powers – often to install applications, access raw data or bypass safeguards – each of which represents a more significant cyber security threat where an admin account is misused or compromised.
In the event of a cyber security breach, it’s not uncommon for attackers to use a compromised admin account’s heightened privileges to move laterally, attacking other systems or users.
Reducing the number of administrator accounts, limiting how often they are used, and lowering the risk of an account breach all help to maintain strong cyber security within your organisation.
We’re also acting in line with the current requirements of the UK NCSC’s Cyber Essentials Scheme, as well as ISO 27001, CIS benchmarks and NIST 800-60.
Does my organisation need to budget for this?
No – this change will be a guiding principle for the assignment of existing/new admin privileges.
My organisation is subject to a compliance standard or framework. What do I do?
If you’re already subject to any specific controls over the distribution of administrator privileges, please contact us to discuss further, and we’ll do our best to explain how these changes support or enhance your existing controls.
What if I don’t want to do this, because of _________?
Where a client still allows a user to have local or domain administrative rights for standard duties, we’ll now require you to declare this to us in writing – as part of a disclaimer accepting liability for any adverse consequences of this decision.
We’ll also make clear that any remedial works required by us following an incident caused by this decision will be chargeable.
Who can I speak to about this?