When administrative rights are breached or abused, the impact on the organization can be catastrophic. A privileged-level access agreement (PAA) is designed to heighten the awareness and accountability of users who hold administrative rights. The PAA is a formal agreement signed by an administrator acknowledging his or her responsibilities. In essence, the administrator commits to protecting these sensitive credentials and to not abusing the authority they grant. The PAA is a form of security awareness aimed specifically at administrators, and it makes explicit the personal accountability that comes with elevated access.
NOTE
The federal government uses PAAs in the defense industry; however, few organizations outside the defense industry have adopted PAA use.
The PAA is typically a one- to two-page document. It reads as a formal agreement between the administrator and the organization. The PAA generally contains the following from the administrator’s perspective:
Acknowledgment of the risk associated with elevated access in the event the credentials are breached or abused
Promise not to share the credentials entrusted to his or her care
Promise to use the access granted only for approved organization business
Promise not to attempt to “hack” or breach security
Promise to protect any output from these credentials such as reports, logs, files, and downloads
Promise to report any indication of a breach or intrusion promptly
Promise not to tamper with, modify, or remove any security controls without authorization
Promise not to install any backdoor, malicious code, or unauthorized hardware or software
Promise not to violate intellectual property rights, copyrights, or trade secrets
Promise not to access or store inflammatory material, such as pornographic or racist content
Promise not to browse data that is not directly related to assigned tasks
Promise to act in good faith and acknowledgment that violating the agreement may result in penalties under breach of contract and applicable criminal statutes
In many respects, these items are already covered by security policies and awareness training. The PAA reinforces the importance of these terms with administrators.