Keep the controls that run the system away from the things ordinary users touch.
What it actually means
Administrative and management functions (admin consoles, management interfaces, server back-ends) should be kept separate from the user-facing side of a system. In practice that means admins log in with separate admin accounts and reach management functions only through dedicated management interfaces, and ordinary users cannot reach those functions at all. This limits the blast radius if a user account is compromised: the attacker gets a user, not the management plane.
Pass or fail — an assessor needs a "yes" to each
- Are administrative interfaces separated from ordinary user functionality (separate accounts, separate access paths)?
- Are management consoles restricted so standard users can't reach them?
What to have ready
- Account / role configuration showing separate admin accounts
- Network or access-control configuration restricting management interfaces
Where teams trip up
- Admins using their everyday user account to manage systems
- Management interfaces reachable from the general user network
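As an added example, not tooling from this page or its authors: the Python script below turns the two assessor questions above into checks over an account inventory and a set of firewall allow-rules for management services, flagging both trip-ups (an admin role sitting on an everyday user account, and a management service reachable from the user network). All accounts, role names, networks and rules are constructed sample data, and the role names and rule format are assumptions made for the example.

```python
"""Audit checks for 'separate user functionality from system management'.

Added illustrative example, not the page's own tooling. The two checks mirror
the assessor questions: separate admin accounts, and management interfaces
unreachable from the ordinary user network. All data below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: where ordinary users sit (user VLAN).
USER_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]
# Constructed sample: dedicated management network (admin VLAN / jump hosts).
MGMT_NETWORKS = [ipaddress.ip_network("10.250.0.0/24")]

# Assumed role names: "can manage systems" versus "ordinary user activity".
ADMIN_ROLES = {"domain-admin", "server-admin", "console-admin"}
USER_ROLES = {"email", "office-user", "web-browsing"}


@dataclass
class Account:
    name: str
    roles: set


@dataclass
class ListenerRule:
    """Firewall allow-rule for one management service (assumed format)."""
    service: str
    port: int
    allowed_from: list  # source CIDR strings


def find_mixed_use_admin_accounts(accounts):
    """Names of accounts that hold an admin role AND an ordinary-user role.

    This is the 'admin uses their everyday account' failure: a phished
    mailbox login is then also a server-admin login.
    """
    return sorted(
        a.name for a in accounts
        if a.roles & ADMIN_ROLES and a.roles & USER_ROLES
    )


def find_exposed_management_rules(rules, user_networks=USER_NETWORKS):
    """(service, offending source CIDR) pairs reachable from a user network.

    A source is offending if it overlaps any user network; 0.0.0.0/0 overlaps
    everything, so an 'allow all' rule is always flagged.
    """
    findings = []
    for rule in rules:
        for cidr in rule.allowed_from:
            src = ipaddress.ip_network(cidr, strict=False)
            for user_net in user_networks:
                if src.version == user_net.version and src.overlaps(user_net):
                    findings.append((rule.service, cidr))
                    break
    return findings


def assess(accounts, rules):
    """Answer both pass/fail questions; True means that part of the control holds."""
    mixed = find_mixed_use_admin_accounts(accounts)
    exposed = find_exposed_management_rules(rules)
    return {
        "separate_admin_accounts": not mixed,
        "management_restricted": not exposed,
        "mixed_use_accounts": mixed,
        "exposed_rules": exposed,
    }


# Constructed inventory: one clean admin pair and one mixed-use account.
SAMPLE_ACCOUNTS = [
    Account("jsmith", {"email", "office-user"}),
    Account("jsmith-adm", {"server-admin"}),
    Account("rlee", {"email", "domain-admin"}),  # trip-up: everyday + admin
]

# Constructed rules: one restricted to the admin VLAN, two exposed.
SAMPLE_RULES = [
    ListenerRule("ssh-to-servers", 22, ["10.250.0.0/24"]),
    ListenerRule("hypervisor-console", 443, ["10.250.0.0/24", "10.10.0.0/16"]),
    ListenerRule("switch-web-ui", 443, ["0.0.0.0/0"]),
]

if __name__ == "__main__":
    result = assess(SAMPLE_ACCOUNTS, SAMPLE_RULES)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it against an export of your directory roles and the allow-lists in front of each management interface; an empty `mixed_use_accounts` list and an empty `exposed_rules` list are the evidence the assessor is asking for, and each entry in those lists is a concrete item to fix.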