PAM Academy › Module 2 — Crafting a PAM Strategy

Module 2: Crafting a PAM Strategy

A 2-week tool demo is not a PAM strategy. Learn how to define scope, map stakeholder requirements, select the right access control methodology, and build a business-aligned PAM programme that survives board scrutiny, vendor pressure, and audit season.

Self-study reference material
90–120 minutes
IT Directors · CISOs · Compliance
★★★★★ 4.9 · IT Directors, CISOs, Compliance Officers
PAM StrategyStakeholder MappingRBAC & SoDJoiner-Mover-LeaverCompliance
Included
Part of the PAM Best Practice Academy curriculum
Start Module 2 → ← Back to Module 1
  • 5 in-depth content sections
  • Stakeholder mapping framework
  • Access control methodology comparison
  • Joiner-Mover-Leaver process guides
  • Delegation & temporary access framework
  • 4-question knowledge check
Overview
Curriculum
Instructors
2
Module Number
5
Content Sections
90+
Minutes
4
Quiz Questions
Module 2 — Crafting a PAM Strategy
90–120 min
COMING SOON
What you will learn
Define the scope and boundaries of a PAM programme aligned to business risk
Map stakeholder requirements across CISO, IT Director, CFO, and Compliance roles
Select and apply the right access control methodology (RBAC, SoD, PoLP, JEA)
Design a Joiner-Mover-Leaver process with PAM control points at every stage
Build a delegation framework for temporary access elevation with full audit trail
Align your PAM strategy to GDPR, SOX, and PCI DSS requirements from day one
Module curriculum
1
Section 1: Defining PAM ScopeWhat to protect, who is in scope, and how to avoid the "boil the ocean" trap
Reading
2
Section 2: Stakeholder MappingCISO, IT Director, CFO, Compliance — what each stakeholder needs from PAM
Reading
3
Section 3: Access Control MethodologiesRBAC, SoD, PoLP, JEA — choosing the right model for your organisation
Reading
4
Section 4: Joiner-Mover-Leaver ProcessPAM control points at every stage of the employee lifecycle
Reading
5
Section 5: Delegation & Temporary AccessFormal delegation frameworks with time-boxing and audit trails
Reading
6
Knowledge Check4-question quiz to test your PAM strategy understanding
Quiz
Section 1: Defining PAM Scope
“A 2-week tool demo is not a PAM strategy. A strategy is built on requirements, not on what the vendor wants to sell.” — PAM Best Practice

The most common reason PAM programmes fail is not technology — it is scope creep. Organisations try to protect everything at once and end up protecting nothing properly. A PAM strategy must begin with a clear, bounded scope that prioritises the highest-risk assets first.

Scope definition answers three questions: What systems are in scope? (databases, servers, cloud, network devices, applications), Who is in scope? (human admins, service accounts, third-party vendors, contractors), and What is out of scope for now? (development environments, low-risk test systems).

Industry reality: 67% of PAM programmes that fail do so within the first 12 months. The #1 cause is undefined scope — teams attempt to vault every credential simultaneously and collapse under the operational weight.
Phase 1 Scope (Weeks 1–8)
Tier 0 assets only: domain controllers, credential vaults, backup systems, root accounts. Highest risk, highest reward.
Phase 2 Scope (Months 3–6)
Tier 1 assets: production databases, web servers, email systems, payment platforms. Core business systems.
Phase 3 Scope (Months 6–12)
Tier 2 assets: development systems, test environments, non-critical applications. Completion of full coverage.
Out of Scope (Initially)
Personal workstations, low-risk SaaS tools, read-only accounts. Revisit in Year 2 as programme matures.
Section 2: Stakeholder Mapping

PAM is not an IT project — it is a business risk programme. Every stakeholder has a different lens. Understanding what each stakeholder needs from PAM is the difference between a programme that gets funded and one that gets cancelled after the first budget review.

Stakeholder
Primary Concern
What PAM Delivers
CISO
Breach risk, incident response time, threat detection
Real-time alerting, session recording, forensic evidence in 15 min vs. 7 days
IT Director
Operational efficiency, help desk load, deployment risk
60% reduction in password reset tickets; automated provisioning; phased rollout
CFO
Cost justification, ROI, insurance premiums
3–9 month payback period; $217K/year savings; 5–10% insurance premium reduction
Compliance Officer
Audit evidence, regulatory alignment, access reviews
Automated compliance reports; quarterly access review evidence; GDPR/SOX/PCI DSS alignment
IT Operations
Day-to-day usability, workflow disruption, training burden
Self-service portal; role-based training; JIT access that does not slow operations
“The CISO wants to prevent a breach. The CFO wants to justify the spend. The IT Director wants it not to break anything. Your PAM strategy must speak all three languages simultaneously.”
Section 3: Access Control Methodologies

Choosing the wrong access control model is one of the most expensive mistakes in PAM. RBAC applied without SoD creates compliance violations. PoLP without JEA creates operational friction. The right model depends on your organisation's risk profile, regulatory requirements, and operational maturity.

PoLP — Principle of Least Privilege
Every user gets the minimum access required to do their job — nothing more. The foundation of every PAM programme. Reduces blast radius from any single compromised account.
RBAC — Role-Based Access Control
Access is assigned by role, not by individual. DBA role gets database access; sysadmin role gets server access. Scalable and auditable — essential for organisations with 50+ privileged users.
SoD — Segregation of Duties
No single person can authorise AND execute a critical function. Prevents fraud, insider threats, and compliance violations. A direct SOX requirement.
JEA — Just Enough Administration
Users get only the specific commands/actions they need — not full admin rights. A DBA can run SELECT queries but not DROP DATABASE. Surgical precision reduces insider threat risk by 80%+.
Two-Person Integrity (TPI)
Critical actions require two authorised people simultaneously. Used for financial transactions, production deployments, and data deletion. Prevents single-point insider threat.
JIT — Just-In-Time Access
Access is provisioned on-demand and auto-expires after a set period. No standing admin access = zero insider threat risk from dormant credentials. The gold standard for privileged access.
Compliance alignment: SoD is a direct SOX requirement. PoLP is mandated by GDPR’s data minimisation principle. JIT satisfies NIST AC-2 and PCI DSS Requirement 7. Choosing the right model is not just best practice — it is regulatory compliance.
Section 4: Joiner-Mover-Leaver Process
“The most dangerous moment in privileged access is not when a hacker attacks — it is when an employee leaves and their credentials are not revoked within 24 hours.”

The Joiner-Mover-Leaver (JML) process is the operational backbone of any PAM programme. Without a formal JML process, organisations accumulate stale, orphaned, and over-privileged accounts that become the primary attack surface.

JML Stage
PAM Control Points
Compliance Link
Joiner (New Employee)
Access provisioned on Day 1 only for stated role; MFA enrolled; probation = limited access; automatic expiry if probation fails
GDPR “purpose limitation” — access only for stated job function
Mover (Role Change)
Previous access revoked within 24 hours; new role follows SoD rules; overlap period access review; change documented in audit trail
SOX change control; audit trail of all transitions
Leaver (Termination)
Vault password changed immediately; MFA reset; session recording continues until final logout; access audit report before closeout
GDPR “data minimisation” — access ends when employment ends
Industry benchmark: Standard role provisioning should complete in under 1 business day. Leaver deprovisioning should complete within 2 hours of termination notice — not 2 weeks. Every hour of delay is an open door.
Section 5: Delegation & Temporary Access

Delegation is the process by which a user temporarily grants their access rights to another user for a specific, time-bounded purpose. Without a formal delegation framework, organisations rely on shared passwords and informal email approvals — both compliance violations and security risks.

Manager Vacation
Manager delegates approval authority to deputy for 5 days
PAM control: Formal request → time-boxed approval → auto-expiry on return date → full audit trail of all approvals made under delegation
Emergency Access
On-call engineer needs production database access at 2 AM
PAM control: JIT request → manager approves via mobile → 4-hour access window → session recorded → auto-revoked at expiry
Vendor Access
Third-party vendor needs server access for maintenance window
PAM control: Scoped access (specific server only) → time-limited (maintenance window only) → session recorded → access removed immediately after window
Audit Support
External auditor needs read-only access to compliance logs
PAM control: Read-only role provisioned → specific systems only → audit period only → all access logged and reported to compliance team
Knowledge Check
Q1: What is the primary purpose of Segregation of Duties (SoD)?
A) Prevent any one person from authorising AND executing critical functions ✓
B) Reduce the number of privileged users
C) Speed up approval processes
D) Make audits easier
Q2: True or False: RBAC means everyone gets access to everything, then controls are applied per action.
False ✓ — RBAC assigns access by role; users only get what their role requires
Q3: Which stakeholder is MOST concerned with operational efficiency metrics?
A) CISO
B) IT Director ✓
C) CFO
D) Compliance Officer
Q4: In a Joiner process, when should privileged access be provisioned?
A) Before the employee’s first day
B) On the first day, only for the necessary role ✓
C) At the end of probation
D) When the employee requests it
Requirements
Completion of Module 1: Foundational Pillars of PAM (recommended)
Basic understanding of IT administration or security concepts
Target audience: IT Directors, CISOs, Compliance Officers, Business Stakeholders
No vendor-specific tool knowledge required — this is methodology-first
Your instructors
NK
Nabeel Khaliq
IAM & Privileged Access Management SME · Founder, PAM Best Practice Ltd
Practitioner with deep hands-on experience implementing PAM across enterprise environments. Founder of PAM Best Practice Academy, a UK-registered education and community hub for PAM professionals. Arsenal and Middlesbrough fan.
AR
Adrian Russo
IAM & Privileged Access Management Architect
Senior PAM architect with extensive experience designing and deploying large-scale CyberArk and BeyondTrust implementations across enterprise environments globally. Keen cyclist.
ID
Iftikar Din
Manufacturing-focused Cyber Security Engineer
Cyber security engineer specialising in industrial and manufacturing environments. Brings real-world operational technology (OT) security perspective to PAM implementation. Middlesbrough fan who loves gardening.
Your progress
Module 2 — Crafting a PAM Strategy
Not started0%
Module breakdown
Defining PAM ScopeSection 1
Stakeholder MappingSection 2
Access Control MethodologiesSection 3
Joiner-Mover-LeaverSection 4
Delegation & Temp AccessSection 5
Knowledge Check4 questions
Up next
Module 3 — Discovery & Assessment
Conduct a complete privileged account discovery, classify accounts by risk tier, and assess your PAM maturity
PAM Community
Join our network of PAM practitioners, mentors and industry partners across the UK.