When performing IT audits, you will hear the term Principle of Least Privilege thrown around quite a bit, but how many auditors new to IT audit actually understand what it implies within an IT environment? From my experience, not many.

The place I see the term surface most often is firewall assessments, but the same principle applies to every area of IT management, physical security included.

What is the Principle of Least Privilege and Why Do Auditors Care?

Paraphrasing Wikipedia: the Principle of Least Privilege dictates that every abstraction layer (application, operating system, firmware, hardware) and every module (process, user, program) should have access only to the data and resources necessary to fulfil its business need, and nothing more. The practical test is not whether an access right is harmless, but whether the job cannot be done without it.

In an information systems audit this principle is relevant in every area of review. For example:

Focus area and control examples:

Physical Security:
  1. Access to data centers, backup media and server space is restricted to data center personnel only.

Network Security:
  1. Administrative access to firewalls, VPNs and other network devices is restricted to appropriate individuals based on job description and function.
  2. Firewalls are configured with a default "Deny All" rule, so that any traffic not explicitly permitted is blocked.

Logical Access:
  1. Administrative access to the backup applications is restricted to appropriate individuals.
  2. Access to recall backup tapes is restricted to appropriate individuals based on job function.
  3. Data is classified based on its sensitivity, value and criticality to the company, in accordance with the Information Security Policy.
  4. Roles are defined to manage and determine the level of access to company resources and data.

IT Administration:
  1. Segregation of duties exists between production support personnel and developers based on their job responsibilities. System access is configured so that only production support personnel can deploy application changes to production; developers cannot update production code, data or application configuration for any production application.
  2. On a monthly basis, the appropriate managers review a report of employee operating system administrative accounts to validate that access remains commensurate with job responsibilities. Exceptions are documented and resolved.
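As an added example (not code from the original article), the following Python script performs the kind of review described under IT Administration: it reconciles each account's actual privileges against the entitlements its role permits, flags excess privileges and segregation-of-duties conflicts between development and production deployment rights, and groups the findings by the manager who must document and resolve them. The role model, privilege names and accounts are constructed sample data, not pulled from any real system.

```python
"""Least-privilege access review (added example with constructed data).

Reconciles the privileges each account actually holds against the
entitlements its role is allowed, flags anything in excess, and checks
for segregation-of-duties conflicts such as a developer holding
production deployment rights. Findings are grouped by manager so that
each manager sees only the exceptions they are responsible for resolving.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical role model: role -> privileges that role may hold.
ROLE_ENTITLEMENTS = {
    "developer": {"dev_deploy", "dev_db_read"},
    "production_support": {"prod_deploy", "prod_config_write", "prod_db_read"},
    "dba": {"prod_db_read", "prod_db_write"},
    "backup_operator": {"backup_app_admin", "tape_recall"},
}

# Segregation-of-duties rules: an account holding any privilege from the
# left set must not also hold any privilege from the right set.
SOD_CONFLICTS = [
    ({"dev_deploy"}, {"prod_deploy", "prod_config_write"}),
]


@dataclass(frozen=True)
class Account:
    user: str
    role: str
    privileges: frozenset
    manager: str


# Constructed sample of the "current state" an auditor would extract from the system.
SAMPLE_ACCOUNTS = [
    Account("alice", "developer", frozenset({"dev_deploy", "dev_db_read"}), "bob"),
    Account("carol", "developer", frozenset({"dev_deploy", "prod_deploy"}), "bob"),
    Account("dave", "production_support", frozenset({"prod_deploy", "prod_config_write"}), "grace"),
    Account("erin", "backup_operator", frozenset({"backup_app_admin", "tape_recall", "prod_db_write"}), "grace"),
    Account("frank", "contractor", frozenset({"prod_db_read"}), "grace"),
]


def review(accounts, role_entitlements=ROLE_ENTITLEMENTS, sod_conflicts=SOD_CONFLICTS):
    """Return a list of finding dicts, one per exception, in account order."""
    exceptions = []
    for acct in accounts:
        allowed = role_entitlements.get(acct.role)
        if allowed is None:
            # An account whose role is not in the model cannot be justified at all.
            exceptions.append({"user": acct.user, "manager": acct.manager,
                               "type": "unknown_role", "detail": acct.role})
            continue
        excess = acct.privileges - allowed
        if excess:
            exceptions.append({"user": acct.user, "manager": acct.manager,
                               "type": "excess_privilege", "detail": sorted(excess)})
        for left, right in sod_conflicts:
            held_left = acct.privileges & left
            held_right = acct.privileges & right
            if held_left and held_right:
                exceptions.append({"user": acct.user, "manager": acct.manager,
                                   "type": "sod_conflict",
                                   "detail": sorted(held_left | held_right)})
    return exceptions


def report_by_manager(exceptions):
    """Group findings by the manager who must document and resolve them."""
    grouped = defaultdict(list)
    for exc in exceptions:
        grouped[exc["manager"]].append(exc)
    return dict(grouped)


if __name__ == "__main__":
    for manager, findings in sorted(report_by_manager(review(SAMPLE_ACCOUNTS)).items()):
        print(f"Manager {manager}:")
        for f in findings:
            print(f"  {f['user']:<6} {f['type']:<17} {f['detail']}")
```

Note that the script checks excess privileges and segregation of duties as two separate findings: an account can pass the role check and still violate a SoD rule if the role model itself was defined too generously, which is exactly the case a reviewer wants surfaced rather than hidden.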


Surveys attribute 40 to 80% of IT security incidents to insiders, often an employee who was granted more access to systems and data than the job requires. This is where IT auditors and security engineers can make a difference: by helping companies put appropriate access controls in place and confirming that those controls operate as intended. Security is not only about hacking and viruses.