Skip to content

Cybersecurity responsibilities: Who owns your organization’s PAM Policy Template?


Who is responsible for creating, implementing, and overseeing your organization’s Privileged Access Management Policy template? And what is at risk if no individuals or departments are named to ensure that your users and systems are in compliance with your PAM Policy?

Let’s get the easy part out of the way: if your organization has its PAM Policy clearly defined in a template, yet users are left to comply with your policy rules as they see fit, it’s likely that your cybersecurity posture is home to a significant amount of chaos—and with chaos comes great risk.

With ransomware and data breaches rapidly on the rise, no organization can afford the massive losses, both financial and otherwise, that come with a cyber attack.

So, who owns the PAM Policy template?

Organizations—even fairly small ones—must identify a person or department who will take ownership of their PAM Policy template and be responsible for seeing that the policy requirements are carried out.

In a small company

In a small company with a single central IT team, the responsibility falls to this team. The IT team owns the policy template and must ensure that all users in the company are educated in and compliant with the PAM Policy.

In medium and large organizations

The situation in medium or large organizations is more complex due to these and other variables:

  • The size and maturity of the organization.
  • The location—is it limited to one state, or many; one country, or a few; or is it a global organization?
  • The size and structure of the IT team—some organizations have defined teams for managing different IT systems from IT Operations, IT Security, IT Risk, Identity and Access Management, and Cloud, etc.
  • The compliance requirements of the organization—these are dependent on the organization’s industry and may include PCI, NIST, ISO, SOX, HIPPA, and EU GDPR.

With these variables in mind, here are some typical case scenarios for PAM Policy ownership in larger organizations:

  1. PAM is part of the larger Identity and Access Management (IAM) and Identity & Governance roles.  So, in organizations that have IAM responsibilities, the PAM Policy template usually falls under their ownership.
    It is also then likely that, within the IAM team, they have an assignment of ownership for Governance and Compliance (because PAM is commonly part of most industries’ compliance mandates and regulations). For these organizations, it is important to comply, and the PAM Policy template helps them meet those requirements.

  2. In organizations where IAM is not defined, then the ownership of the PAM Policy Template usually falls under the ownership of IT Risk and Governance, again to ensure the organization can meet the industry compliance mandates and regulations.

  3. If the organization does not have a Risk and Governance team, then the PAM Policy starts to fall under the IT Security and Risk team which is responsible for defining the IT Security Policy the PAM Policy is part of.  IT Operations and Security are responsible for ensuring the PAM Policy is deployed, enforced, and compliant.

As you can see, ownership of the PAM Policy template really depends on the organization’s structure and industry. But more often than not it falls under Governance and Compliance.

Download our free PAM Policy Template and implement best-practice security policies for your privileged account passwords.

Privileged Access Management Checklist

Need a step-by-step guide for planning your strategic journey to privileged access security?

Start with our free, customizable PAM Checklist.