GRCWatch
Sign inStart free trial

AC.L2-3.1.7: Prevent and Audit Privileged Function Execution

Privileged functions are high-risk attack vectors that require strict access controls and comprehensive auditing. AC.L2-3.1.7 mandates that your organization prevent non-privileged users from executing administrative or system-level functions while maintaining detailed audit trails of all privileged activity. This control is foundational to preventing lateral movement and unauthorized system changes.

What this means

This control requires two core capabilities: (1) technical enforcement preventing non-privileged users from accessing or executing privileged functions, and (2) complete audit logging of every privileged function execution. Privileged functions include administrative tasks, system configuration changes, security policy modifications, and access to sensitive data stores. The audit trail must be tamper-proof and retained per your organization's logging policy.

How to comply

  1. 1.Identify all privileged functions across systems, applications, and infrastructure
  2. 2.Implement role-based access control (RBAC) to restrict privileged function execution to authorized users only
  3. 3.Enable and configure audit logging for all privileged function attempts—both successful and failed
  4. 4.Configure centralized log collection to aggregate privileged function audit records from all sources
  5. 5.Establish log retention policies aligned with your compliance requirements (typically 1+ years)
  6. 6.Implement log integrity controls to prevent tampering or deletion of audit records
  7. 7.Monitor and alert on suspicious privileged function execution patterns
  8. 8.Conduct periodic reviews of privileged function access logs to identify unauthorized attempts

Evidence auditors look for

  • Role definitions and RBAC policies limiting privileged functions to authorized personnel
  • Access control lists (ACLs) or group policies restricting administrative account usage
  • Audit logs showing successful and failed privileged function execution attempts with timestamps
  • Centralized logging configuration (e.g., syslog, Windows Event Forwarding, cloud audit logs)
  • Log retention policies and evidence of adherence to retention schedules
  • Screenshots of privileged function execution audit trails with user identity and action details
  • Monitoring alerts configured for unusual privileged function activity
  • Privileged access management (PAM) solution configurations or session recording outputs

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automatically discovers and monitors privileged function execution across your infrastructure, aggregates audit logs from all sources, and provides pre-built dashboards showing privileged access patterns—eliminating manual log review and reducing audit preparation time.

See how GRCWatch handles this control automatically

Start free trial

Related controls

AC.L2-3.1.1 — Authorized AccessAC.L2-3.1.2 — Least PrivilegeAU.L2-3.3.1 — Audit LoggingAU.L2-3.3.3 — Audit Log Protection