Privileged Password Management

Run this privileged password management checklist when a staff member requests temporary access to restricted data.
Introduction to Privileged Password Management:
Record the details of the involved staff
Enter the reason for the password change
Approval: Authorizing the password change
Provide a clear copy of the password to the requesting staff
Confirm access was successful and is now no longer needed
Generate a new password
Store the privileged account password securely
Notify the authorizer that the password has been used and reset
Related Checklists:

Introduction to Privileged Password Management:

This Process Street privileged password management process is engineered to provide protected access to sensitive data in a controlled and monitored manner. 

When there is sufficient reason for a staff member to have access to sensitive data they request access and the process begins. The risk manager, or other person running this process, then verifies their request for access to the data. 

The password for the account is given to the requesting staff member and they utilize the information as necessary. Once the access is no longer needed, the risk manager creates a new password for the information and stores it securely for future need. 

This process aims to adhere to the highest standards of security in managing this information. However, you can adapt and edit this template to fit your specific needs and purposes by adding it to your Process Street account. 

Having a strong privileged password management process in place is a vital part of securing your data. This is important for company performance, fighting brand damage, and providing safety for your clients or end users. Sufficient levels of security can often be required by law depending on the nature of the data you have stored and the industry your organization operates within. 

There are two areas of risk when assessing password security:

  1. Technical risk
  2. Human risk

This process recommends using strong and well-constructed passwords to fight the technical risk, while also working on the basis that your sensitive data is stored separately from your main body of information.

These are both ways to reduce technical risk, and further steps are covered by other processes within this IT security process pack.

However, the most common problem within security systems is often not technical, but human. These human errors don’t always need to be malicious to cause serious harm. Intentional leaks or defrauding of companies and other organizations do occur by people within those organizations, but they are not a highly common occurrence. 

As the rest of the processes in this pack also demonstrate, the danger is presented by both technical and human risks operating together. A staff member utilizing a weak password across their personal and work accounts while also having access to all company data is a failure on both fronts. This is where vulnerabilities can very easily appear. 

This process tries to make sure there are accountable steps in place for accessing sensitive data, and that by running the process we create a log of who had access, when they had access, and who authorized that access.

Within the Process Street platform, each process run from a template creates an entry in the template overview section. This means that all data entered into the form fields of this checklist will automatically be stored for future reference. 

You can back up this data by downloading it periodically as a CSV file if you wish to maintain independent logs.

Password management is a crucial part of running a large organization and is the cornerstone of security policy.

If you think we’re overstating it, you think only idiots use “password”, or you think tech-savvy people are generally not going to create risks for you or your company…

Take a look at the password of four-star general and former CIA and NSA director General Michael Hayden:

Former CIA and NSA Director General Michael Hayden tweets his password

Record the details of the involved staff

Use the form fields below to record who is involved in the request and authorization process.

Enter the reason for the password change

The password change could be triggered by an employee requesting access or could be changed as part of a regular updating process.

Use the form fields to record the relevant information.

The information you record will be seen by the person authorizing the password change in the next task, as it’s an approval task.

Additionally, the authorizer will be automatically assigned to the approval task if you wrote their email in the appropriate form field in task #2.

If the password is changed due to a normal cycle of refreshing passwords, enter the date of the next due password change below.

Approval: Authorizing the password change

Will be submitted for approval:

  • Enter the reason for the password change

Provide a clear copy of the password to the requesting staff

For the most sensitive data, it is recommended that you use an offline method of storing and communicating the password – one which can be destroyed afterward. One method is to store a password upon creation in a secure location like a sealed envelope in a safe.

If you’re working in a remote team, or do not have the resources to achieve this, you can use secure online channels.   

Hand one of the envelopes to the requesting member of staff. Once they have confirmed that the password worked correctly, the previously stored passwords for that purpose can be disposed of.

Do not send the password to the member of staff over unsecured networks.

You can use encrypted communication services like Signal to send more sensitive materials, if necessary. Strong encrypted messaging services provide a reasonably high level of security for these purposes. 

Confirm access was successful and is now no longer needed

Confirm with the staff member how long they require access and follow up with them to check their needs have been met and the password is no longer needed. 

Record your notes in the form field below.

Generate a new password

You can use password generators found online or create your own password in adherence with company password policy.

You can watch the video below for advice on creating strong passwords:

How to Create a Strong Password
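
A local alternative to an online generator, as an added example that is not part of the original checklist: it draws from the operating system's CSPRNG and leaves out look-alike characters, since the storage step has the password written on a paper note. The 20-character length, the symbol set and the four required character classes are assumptions standing in for your company password policy.

```python
import math
import secrets
import string

# Look-alike characters are excluded because the checklist has the password
# written on a paper note and typed back in by a person.
AMBIGUOUS = set("O0oIl1|`'\"")


def _pool(chars):
    return "".join(c for c in chars if c not in AMBIGUOUS)


# Assumed policy: one character from each of these classes is required.
CLASSES = {
    "lower": _pool(string.ascii_lowercase),
    "upper": _pool(string.ascii_uppercase),
    "digit": _pool(string.digits),
    "symbol": _pool("!#$%&*+-=?@^_"),
}
ALPHABET = "".join(CLASSES.values())


def generate_password(length=20):
    """Return a random password that contains every character class."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        # secrets uses the OS CSPRNG; the random module is not suitable here.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry on a miss instead of forcing classes into fixed positions,
        # which would make some positions predictable.
        if all(any(c in pool for c in candidate) for pool in CLASSES.values()):
            return candidate


def entropy_bits(length=20):
    """Upper bound on entropy in bits: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


def grouped(password, size=4):
    """Blocks of `size` for the written note; the spaces are not typed."""
    return " ".join(password[i:i + size] for i in range(0, len(password), size))


if __name__ == "__main__":
    new_password = generate_password()
    print(grouped(new_password))
    print(f"about {entropy_bits():.0f} bits of entropy")
```

Run it on the machine of the person resetting the account so the new password never passes through a third-party website.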

Store the privileged account password securely

How you store the new password depends on company policy. 

One recommended route is to have a clearly written note of the password placed into a sealed envelope on its own and stored in a safe. Include a duplicate of the password in a separate envelope to be stored alongside.

Make a further copy in another sealed envelope to be stored in an offsite backup storage, if applicable.

Label these envelopes with the purpose and date.

Notify the authorizer that the password has been used and reset

Use the email widget with variables below to notify the authorizer that the password has been used and changed successfully. 

