- Even at an enormous firm, the number of privileged IDs with access to high-risk data should be short enough for a busy executive to personally review
- It is both feasible and reasonable for senior executives to personally review this information and record that they have done so
- Anyone can expect this kind of review may be taking place in any major organization handling high-risk data, although it is not as universal as it should be

Think about point #1 above and ask yourself if you would have a short list for your CIO/CISO to review at your company. I agree that the list should be extremely short and it should be reviewed by your management chain on a regular basis. As the author states, these reviews are not as universal as they should be. How about at your company?