Privileged Access Standard

Minimum controls for creating, using and monitoring privileged access across cloud, server and network environments.

Virtus Group

Purpose

This standard defines baseline requirements for privileged access. It applies to Virtus Group personnel and approved third‑party administrators operating on behalf of clients.

Scope

References

Mandatory controls

Recommended enhancements (on request)

Roles & responsibilities

  • Service Owner: approves roles; runs quarterly reviews; owns exceptions.
  • Administrators: use PAW/jump hosts; request JIT elevation; document high‑risk changes with backout.
  • Security: monitors privileged changes; investigates anomalies; maintains this standard.

Change management

  • Privileged changes follow the CAB process where required; before/after evidence is attached to the ticket.
  • Break‑glass usage is an incident; a PIR is completed within 10 business days.
  • New privileged tools/vaults require security review prior to use.

Metrics & thresholds

  • No standing Global Administrator (target: 0)
  • Privileged assignments not reviewed within the last 90 days (target: 0)
  • Break‑glass test cadence (target: quarterly)
  • PAW adoption for admins (target: 100%)

Evidence artefacts

  • PIM configuration export and activation logs
  • LAPS policy and rotation audit
  • Vault access logs and secret rotation records
  • Quarterly privileged access review records
  • Break‑glass test report and alerting setup

Contact

security@virtusgroup.biz · compliance@virtusgroup.biz · virtusgroup.co.nz · 0800 847 887 (VIRTUS)