The level of access to sensitive data given to privileged users is often the highest any employees have had in the history of business. It is the equivalent of having the locksmith solely hold the keys to the safe, and then requiring them to come and maintain it at any time they wish, alone and unassisted. Whilst such access is necessary, it is most commonly managed on an ad hoc basis or not managed at all and, despite claims to pay heed to regulations, requirements with regard to privileged users are often overlooked.

This report should be of interest to anyone concerned with ensuring that the availability of their IT systems is not impacted by the inadvertent or malicious actions of privileged users, that the use of privileged user accounts is policed and that such accounts cannot be easily compromised by outsiders. It should also be of interest to those with responsibility for ensuring that their organisations’ use of IT would satisfy the demands of regulators and, indeed, anyone concerned about the safe keeping of their personal data that businesses are storing ever more of.