The Privileged-Level Access Agreement (PAA)

When administrative rights are breached or abused, the impact can be catastrophic to the organization. A privileged-level access agreement (PAA) is designed to heighten the awareness and accountability of those users who have administrative rights. The PAA is a formal agreement signed by an administrator acknowledging his or her responsibilities. The agreement basically says the administrator will protect these sensitive credentials and not abuse his or her authority. The PAA is an enhanced form of security awareness specifically for administrators.

NOTE

The federal government uses PAAs in the defense industry; however, few organizations outside the defense industry have adopted PAA use.

The PAA is typically a one- to two-page document. It reads as a formal agreement between the administrator and the organization. The PAA generally contains the following from the administrator’s perspective:

• Acknowledgment of the risk associated with elevated access in the event the credentials are breached or abused
• Promise not to share the credentials entrusted to his or her care
• Promise to use the access granted only for approved organization business
• Promise not to attempt to “hack” or breach security
• Promise to protect any output from these credentials such as reports, logs, files, and downloads
• Promise to report any indication of a breach or intrusion promptly
• Promise not to tamper with, modify, or remove any security controls without authorization
• Promise not to install any backdoor, malicious code, or unauthorized hardware or software
• Promise not to violate intellectual property rights, copyrights, or trade secrets
• Promise not to access or store inflammatory material, such as pornographic or racist content
• Promise not to browse data that is not directly related to assigned tasks
• Promise to act in good faith and be subjected to penalties under breach of contract and criminal statutes

In many respects, these items are already covered by security policies and awareness training. The PAA reinforces the importance of these terms with administrators.