🔐 Security Training — Delinea Platform

Building an internal security policy that holds.

A practical, framework-aligned guide to governing Delinea Platform usage — from role definition to audit-ready controls.

Contents
  01 Admin Roles
  02 Session & Password
  03 Change Approval
  04 SOC 2 / ISO 27001
  05 Policy Template
  06 Knowledge Check

Modules: 6 (progressive learning path)
Est. duration: 45 min, self-paced
Frameworks: SOC 2 + ISO 27001 control mapping
Deliverable: policy draft, ready to customise
💡 Learning objective: By the end of this guide you'll have defined role assignments, configured baseline controls, understood your audit posture, and produced a draft security policy you can adapt for your organisation.
Module 01

Admin Roles & Responsibilities

Delinea's role-based access model separates duties across three administrative tiers. Assigning the right role to the right person is the foundation of your governance posture.

Owner (Platform Owner)
Ultimate authority over the platform. Should map to a named exec or security leadership role.
  • 👑 Full platform configuration access
  • 👥 Create / remove Admin and Auditor accounts
  • 🏗️ Define global password & session policies
  • 💳 Manage licensing and integrations
  • 🗝️ Emergency break-glass account holder
  • 🔔 Approve all Tier-1 change requests

Admin (Platform Administrator)
Day-to-day operational control. Typically assigned to senior IAM or PAM engineers.
  • 🔧 Manage vaults, secrets, and connections
  • 👤 Onboard / offboard end-users and groups
  • 📋 Apply and test session-recording policies
  • 🔗 Configure connectors and target systems
  • 📊 View (not export) audit logs
  • 🚨 Respond to and escalate alerts

Auditor (Security Auditor)
Read-only oversight and evidence collection. Ideal for compliance officers or external auditors.
  • 🔍 Read access to all audit logs and reports
  • 📤 Export audit evidence for compliance reviews
  • 📹 Review session recordings (read-only)
  • 📊 Generate compliance dashboards
  • 🚫 No ability to modify any configuration
  • 🚫 No access to secret values

⚠️ Principle of least privilege: Restrict Owner accounts to at most 2 named individuals. Admin roles should require MFA. Auditor accounts must never be shared. Review role assignments quarterly.
// Permissions Matrix (✔ = full, ~ = partial/scoped; cells that did not survive extraction are left blank)

Capability                  | Owner     | Admin    | Auditor
----------------------------|-----------|----------|---------
Global policy configuration | ✔ Full    |          |
User & role management      | ✔ All     | ~ Tier 2 |
Secret vault management     |           |          |
View secret values          |           | ~ Scoped |
Session recording playback  |           |          | Read
Audit log access            |           | ~ View   | ✔ Export
Approve change requests     | Tier 1+2  | Tier 2   |
Platform licensing          |           |          |
Module 02

Session-Timeout & Password Complexity

Baseline security settings form the backbone of your hardening posture. The recommended configurations and the rationale behind each value are summarised below.

⏱️ Session Timeout Controls

Idle session timeout: NIST SP 800-53 AC-12 recommends ≤ 15 minutes for privileged sessions. Shorter values reduce risk exposure.

Absolute session limit: Even active privileged sessions should terminate and require re-authentication after a hard ceiling.

Audit log retention: SOC 2 CC7.2 & ISO 27001 A.12.4.1 require log retention sufficient for security investigations (min. 90 days).

🔑 Password Complexity Policy

Minimum length: NIST SP 800-63B and CIS Benchmark recommend ≥ 14 characters for privileged accounts. 16+ is best practice.

Complexity options:
  • Require uppercase & lowercase
  • Require at least one number
  • Require special character
  • Block previously used passwords
  • Enforce breach-check via HaveIBeenPwned
  • Allow passphrases (3+ words)

📱 MFA Requirements
  • Owner accounts: MFA Required
  • Admin accounts: MFA Required
  • Auditor accounts: MFA Required
  • End-user accounts: MFA Recommended
  • Break-glass accounts: TOTP + Hardware Key

🔒 FIDO2/WebAuthn preferred. SMS-based MFA should be disabled for all privileged accounts due to SIM-swap risk.

🔐 Account Lockout Policy

Lockout threshold: Lower values reduce brute-force windows but increase helpdesk burden. A threshold of 5 failed attempts is the industry consensus.

  • Lockout duration: 30 minutes
  • Admin unlock required after: 3 lockouts / 24 hrs
  • Alert on successive failures: Enabled (SIEM)
  • Password expiry: Disabled*

*NIST SP 800-63B recommends removing periodic expiry in favour of breach detection.
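The Module 02 baseline as a checkable configuration. This is an added example, not Delinea's own tooling: the dictionary keys (session, password, mfa, lockout and their sub-keys) are names assumed for the illustration, not Delinea Platform API fields, and the two sample configurations are constructed. It reports every deviation from the recommended values with a severity and the framework reference quoted in the text, so a weak tenant configuration and a hardened one can be compared side by side.

```python
"""Baseline-control check for the Module 02 settings (added example, not Delinea code).
Configuration keys are assumed names for this illustration, not Delinea API fields."""
from dataclasses import dataclass

PRIVILEGED_ROLES = ("owner", "admin", "auditor")

# Thresholds as stated in the training text above.
MAX_IDLE_TIMEOUT_MIN = 15            # NIST SP 800-53 AC-12 guidance quoted above
MIN_LOG_RETENTION_DAYS = 90          # SOC 2 CC7.2 / ISO 27001 A.12.4.1
MIN_PASSWORD_LENGTH = 14             # NIST SP 800-63B / CIS floor quoted above
BEST_PRACTICE_PASSWORD_LENGTH = 16
MAX_LOCKOUT_THRESHOLD = 5            # failed attempts
MIN_LOCKOUT_DURATION_MIN = 30
DISALLOWED_PRIVILEGED_MFA = {"sms"}  # SIM-swap risk


@dataclass(frozen=True)
class Finding:
    severity: str   # "high", "medium" or "low"
    control: str    # reference in the training text the check traces back to
    message: str


def check_baseline(cfg: dict) -> list:
    """Return every deviation of cfg from the Module 02 baseline (empty list = compliant)."""
    findings = []

    def add(severity, control, message):
        findings.append(Finding(severity, control, message))

    session = cfg.get("session", {})
    idle = session.get("idle_timeout_minutes")
    if idle is None or idle > MAX_IDLE_TIMEOUT_MIN:
        add("high", "NIST SP 800-53 AC-12", f"idle timeout {idle} min exceeds the {MAX_IDLE_TIMEOUT_MIN} min ceiling")
    if not session.get("absolute_limit_minutes"):
        add("high", "NIST SP 800-53 AC-12", "no absolute session limit configured")
    retention = session.get("log_retention_days", 0)
    if retention < MIN_LOG_RETENTION_DAYS:
        add("medium", "SOC 2 CC7.2 / ISO 27001 A.12.4.1", f"audit log retention {retention} days is below {MIN_LOG_RETENTION_DAYS}")

    pw = cfg.get("password", {})
    length = pw.get("min_length", 0)
    if length < MIN_PASSWORD_LENGTH:
        add("high", "NIST SP 800-63B", f"minimum password length {length} is below {MIN_PASSWORD_LENGTH}")
    elif length < BEST_PRACTICE_PASSWORD_LENGTH:
        add("low", "NIST SP 800-63B", f"minimum length {length} meets the floor; {BEST_PRACTICE_PASSWORD_LENGTH}+ is best practice")
    if not pw.get("block_reuse", False):
        add("medium", "Password policy", "previously used passwords are not blocked")
    if not pw.get("breach_check", False):
        add("medium", "Password policy", "breach-check against known-compromised passwords is off")
    if pw.get("expiry_days"):
        add("low", "NIST SP 800-63B", "periodic password expiry is enabled; prefer breach-driven resets")

    mfa = cfg.get("mfa", {})
    for role in PRIVILEGED_ROLES:
        role_cfg = mfa.get(role, {})
        if not role_cfg.get("required", False):
            add("high", "MFA requirements", f"MFA is not required for {role} accounts")
            continue
        weak = DISALLOWED_PRIVILEGED_MFA & set(role_cfg.get("methods", []))
        if weak:
            add("high", "MFA requirements", f"{role} accounts allow {sorted(weak)} MFA, which must be disabled (SIM-swap risk)")

    lockout = cfg.get("lockout", {})
    threshold = lockout.get("threshold")
    if threshold is None or threshold > MAX_LOCKOUT_THRESHOLD:
        add("medium", "Account lockout", f"lockout threshold {threshold} exceeds {MAX_LOCKOUT_THRESHOLD} failed attempts")
    if lockout.get("duration_minutes", 0) < MIN_LOCKOUT_DURATION_MIN:
        add("low", "Account lockout", f"lockout duration is below {MIN_LOCKOUT_DURATION_MIN} minutes")
    if not lockout.get("alert_siem", False):
        add("medium", "Account lockout", "successive failures are not alerted to the SIEM")
    return findings


# Constructed sample configurations (not taken from any real tenant).
WEAK_CONFIG = {
    "session": {"idle_timeout_minutes": 60, "absolute_limit_minutes": None, "log_retention_days": 30},
    "password": {"min_length": 8, "block_reuse": False, "breach_check": False, "expiry_days": 90},
    "mfa": {"owner": {"required": True, "methods": ["sms", "totp"]},
            "admin": {"required": False, "methods": []},
            "auditor": {"required": True, "methods": ["totp"]}},
    "lockout": {"threshold": 10, "duration_minutes": 5, "alert_siem": False},
}
HARDENED_CONFIG = {
    "session": {"idle_timeout_minutes": 15, "absolute_limit_minutes": 480, "log_retention_days": 365},
    "password": {"min_length": 16, "block_reuse": True, "breach_check": True, "expiry_days": 0},
    "mfa": {role: {"required": True, "methods": ["fido2"]} for role in PRIVILEGED_ROLES},
    "lockout": {"threshold": 5, "duration_minutes": 30, "alert_siem": True},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = check_baseline(cfg)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print(f"  [{f.severity:6}] {f.control}: {f.message}")
```

Running the script lists twelve findings for the weak configuration (five of them high) and none for the hardened one; a configuration that sets the minimum length to exactly 14 passes with a single low-severity note that 16+ is best practice.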

Module 03

Change-Approval Process

Every modification to platform settings introduces risk. A structured change-approval workflow ensures accountability, traceability, and rollback capability.

Tier Classification
  • Tier 1 — Critical: Owner + 2nd approver
  • Tier 2 — Standard: Admin approval
  • Tier 3 — Routine: Self-service + log

Tier 1 examples: global password policy changes, integration of new identity providers, break-glass procedures, licence modifications.
Tier 2 examples: vault creation, new target connections, session policy updates.
Tier 3 examples: individual user onboarding, secret rotation for existing entries.

Change Freeze Periods
  • Audit preparation window: Freeze — 2 wks prior
  • Emergency changes: Owner override + PIR
  • Rollback window: 72 hours
  • CAB cadence: Weekly / Thursday

📋 All Tier 1 & 2 changes must reference a ticket in your ITSM (ServiceNow, Jira, etc.) and the ticket must be attached to the Delinea change log.

// Approval Workflow — Tier 1 Change

1. Change Request Submission
Requester documents the proposed change, business justification, rollback plan, and expected impact. Submitted via ITSM and tagged to the Delinea change category.
Role: 👤 Requester (any Admin)

2. Risk Assessment
Security team evaluates the change against CIS Benchmarks and the current risk register. Impact on SOC 2 / ISO 27001 controls is noted. CAB review is triggered for high-risk items.
Role: 🛡️ Security Lead / CISO

3. Dual Approval
Tier 1 changes require sign-off from the Platform Owner and one additional approver (CISO or a designated peer). Approvals are recorded with timestamps and MFA-authenticated.
Role: 👑 Owner + 🛡️ CISO

4. Scheduled Implementation
Change implemented in a maintenance window (outside business hours). Implemented by the requester with one additional Admin present. Session is recorded in Delinea.
Role: 🔧 Admin (pair)

5. Verification & Evidence
Post-implementation verification confirms expected behaviour. Screenshots, audit log entries, and test results are attached to the ITSM ticket before closure.
Role: 🔍 Auditor review

6. Post-Implementation Review (PIR)
Within 72 hours, the Owner reviews the change outcome. Any deviation or unexpected impact triggers an incident and potential rollback. PIR findings feed back into the risk register.
Role: 👑 Owner + 📊 Auditor
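The tier classification and dual-approval rules of this module, encoded as a check a CAB tool could run before a change is scheduled. This is an added example, not Delinea's own code: the change-type keys, the role names and the ChangeRequest fields are assumptions made for the illustration, and the sample request is constructed. The check enforces the rules stated above: only MFA-authenticated approvals count, Tier 1 needs the Platform Owner plus a second, distinct approver, Tier 2 needs Admin approval, Tier 1 and 2 must carry an ITSM ticket, non-emergency changes are refused inside the two-week pre-audit freeze, and an emergency change must carry an Owner override and a scheduled PIR. Change types the table does not know are treated as Tier 1 rather than routine.

```python
"""Tier classification and approval check for the Module 03 workflow (added example,
not Delinea code). Change-type keys, role names and request fields are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Tier assignment taken from the Tier 1/2/3 examples in the training text.
TIER_BY_CHANGE_TYPE = {
    "global_password_policy": 1, "identity_provider_integration": 1,
    "break_glass_procedure": 1, "licence_modification": 1,
    "vault_creation": 2, "target_connection": 2, "session_policy_update": 2,
    "user_onboarding": 3, "secret_rotation": 3,
}
SECOND_APPROVER_ROLES = {"ciso", "designated_peer"}
AUDIT_FREEZE_WINDOW = timedelta(weeks=2)   # "Freeze, 2 wks prior" to the audit
SAMPLE_TIME = datetime(2024, 3, 14, 22, 0)  # constructed maintenance-window timestamp


@dataclass(frozen=True)
class Approval:
    approver: str        # named individual
    role: str            # "owner", "admin", "ciso" or "designated_peer"
    mfa_verified: bool   # only MFA-authenticated approvals count
    timestamp: datetime


@dataclass
class ChangeRequest:
    change_type: str
    requester: str
    scheduled_for: datetime
    itsm_ticket: Optional[str] = None
    approvals: list = field(default_factory=list)
    emergency: bool = False
    owner_override: bool = False
    pir_scheduled: bool = False


@dataclass
class Decision:
    tier: int
    approved: bool
    reasons: list        # empty when approved


def classify(change_type: str) -> int:
    """Unknown change types default to Tier 1 so nothing slips through as routine."""
    return TIER_BY_CHANGE_TYPE.get(change_type, 1)


def evaluate(req: ChangeRequest, next_audit: Optional[datetime] = None) -> Decision:
    """Apply the tiered approval, ticketing and freeze rules; approved only if no reason remains."""
    tier = classify(req.change_type)
    reasons = []

    valid = [a for a in req.approvals if a.mfa_verified]
    for a in req.approvals:
        if not a.mfa_verified:
            reasons.append(f"approval by {a.approver} was not MFA-authenticated")

    if tier <= 2 and not req.itsm_ticket:
        reasons.append(f"Tier {tier} change must reference an ITSM ticket")

    if tier == 1:
        owners = {a.approver for a in valid if a.role == "owner"}
        seconds = {a.approver for a in valid if a.role in SECOND_APPROVER_ROLES}
        if not owners:
            reasons.append("Tier 1 requires Platform Owner sign-off")
        if not (seconds - owners):   # the second approver must be a different person
            reasons.append("Tier 1 requires a second, distinct approver (CISO or designated peer)")
    elif tier == 2 and not any(a.role in ("admin", "owner") for a in valid):
        reasons.append("Tier 2 requires Admin approval")
    # Tier 3 is self-service; the platform's own audit log entry is the only record needed.

    if req.emergency:
        if not (req.owner_override and req.pir_scheduled):
            reasons.append("emergency change needs an Owner override and a scheduled PIR")
    elif next_audit is not None and next_audit - AUDIT_FREEZE_WINDOW <= req.scheduled_for <= next_audit:
        reasons.append("scheduled inside the pre-audit change freeze")

    return Decision(tier, not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample: a Tier 1 change carrying only the Owner's approval is refused.
    req = ChangeRequest("global_password_policy", "eng.alice", SAMPLE_TIME, "CHG-1002",
                        [Approval("owner.bob", "owner", True, SAMPLE_TIME)])
    print(evaluate(req))
```

The same-person case is worth noting: an Owner who also signs as "ciso" under the same name does not satisfy dual approval, because the check compares approver identities, not roles.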
Module 04

Governance & Audit Framework Mapping

Understanding how Delinea Platform controls map to SOC 2 Trust Service Criteria and ISO 27001 Annex A controls is essential for audit readiness. Use these mappings to gather evidence and identify gaps.

SOC 2 Trust Service Criteria

Criteria | Control Requirement | Delinea Feature | Coverage
---------|---------------------|-----------------|---------
CC6.1 | Logical Access Controls: restrict access to information assets based on authorisation | Role-based access (Owner / Admin / Auditor), vault permissions, MFA enforcement | Covered
CC6.2 | User Registration & De-provisioning: timely provisioning and removal of user credentials | Admin-controlled user lifecycle, AD/LDAP sync, automated de-provisioning workflows | Covered
CC6.3 | Access Review: periodic review and certification of access rights | Auditor role exports, access review reports; quarterly cadence required by policy | Partial
CC6.7 | Transmission Integrity: protect information in transit | TLS 1.2+ enforced for all sessions; certificate pinning for privileged access proxy | Covered
CC7.2 | System Monitoring: monitor system components for anomalies | Session recording, real-time alerting, SIEM integration (Splunk / Sentinel) | Covered
CC8.1 | Change Management: authorise, design, develop, and implement changes | Tiered change-approval workflow + audit log with timestamps & MFA-authenticated approvals | Covered
A1.2 | Availability Monitoring: monitor capacity and availability | Health dashboards; integrate Delinea status into your monitoring platform | Partial

ISO 27001 Annex A

Control Ref | Control Name & Requirement | Delinea Feature | Coverage
------------|----------------------------|-----------------|---------
A.5.15 | Access Control Policy: formal access control policy based on business and security requirements | Role-based model (Owner/Admin/Auditor) implements need-to-know and least privilege | Covered
A.5.16 | Identity Management: manage full lifecycle of identities | Centralised identity store with SSO integration, automated provisioning & de-provisioning | Covered
A.5.18 | Access Rights: provision, review, modify, and remove access rights | Vault-scoped permissions, quarterly access review process (requires Auditor export) | Partial
A.8.2 | Privileged Access Rights: restrict and manage privileged access rights | PAM workflows, just-in-time access, session isolation, dual-control for Tier-1 changes | Covered
A.8.15 | Logging: produce, store, protect and analyse logs | Immutable audit logs, configurable retention (≥90 days), SIEM forwarding, Auditor export | Covered
A.8.16 | Monitoring Activities: monitor networks, systems and applications for anomalous behaviour | Behavioural analytics, session keystroke logging, anomaly alerts & SIEM integration | Covered
A.8.32 | Change Management: manage changes to information processing facilities | Tiered change workflow with CAB, ITSM integration, rollback procedures | Covered

NIST SP 800-53

Control ID | Control & Description | Delinea Feature | Coverage
-----------|-----------------------|-----------------|---------
AC-2 | Account Management: manage system accounts including establishing types, conditions and lifecycle | Centralised account lifecycle, role-based provisioning, automated disablement workflows | Covered
AC-6 | Least Privilege: employ least privilege principle for all account types | Scoped vault permissions, time-limited JIT access, break-glass controls | Covered
AC-12 | Session Termination: automatically terminate sessions after defined conditions | Configurable idle timeout (recommended: 15 min) and absolute session ceiling | Covered
AU-2 | Audit Events: identify events requiring auditing and coordinate with other organisations | Pre-built audit event taxonomy; customisable alerting thresholds in SIEM | Partial
IA-5 | Authenticator Management: manage information system authenticators | Password complexity policy engine, MFA enforcement, FIDO2 support, breach-check integration | Covered
CM-3 | Configuration Change Control: determine types of changes that require approval and document changes | Tiered change-approval workflow, dual-control for Tier-1, immutable change audit log | Covered

📌 Partial controls require compensating measures. Items marked "Partial" typically require you to supplement Delinea's built-in features with documented procedural controls — such as a formal quarterly access review SOP or external availability monitoring integration.
Module 05

Draft Security Policy Template

Complete the blank fields in the template below to produce a customised Delinea Platform security policy for your organisation. All fields are editable, and the completed document can be copied or downloaded.

📄 delinea-security-policy.md — DRAFT

Delinea Platform — Information Security Policy
  Organisation: ________
  Version: ________
  Effective Date: ________
  Policy Owner: ________
  Review Cycle: ________

1. Purpose & Scope
This policy establishes the security requirements governing the use, administration, and governance of the Delinea Privileged Access Management (PAM) platform within [organisation name]. It applies to all employees, contractors, and third-party vendors with access to Delinea.
  Scope exclusions: ________

2. Role Assignments
  Platform Owner(s): ________
  Platform Administrator(s): ________
  Auditor(s): ________
  Break-Glass Account Custodian: ________
Role assignments must be reviewed quarterly. Any changes to Owner assignments require dual approval per the change-approval process defined in Section 4.

3. Baseline Security Controls
  Idle Session Timeout: ________
  Absolute Session Limit: ________
  Min. Password Length: ________
  MFA Requirement: ________
  Audit Log Retention: ________
  Account Lockout Threshold: ________

4. Change Management
All Tier-1 (critical) changes to Delinea Platform configuration require prior approval from the Platform Owner and one secondary approver. Tier-2 changes require Admin approval. All changes must be logged in [ITSM system] and referenced in Delinea's audit log.
  ITSM System: ________
  Change Advisory Board (CAB) cadence: ________

5. Compliance & Audit Alignment
This policy is designed to satisfy the following frameworks:
  Applicable Frameworks: ________
  Additional organisational requirements: ________

6. Policy Violations & Exceptions
Violations of this policy must be reported to [security team contact / email] within 24 hours of discovery. Exceptions may be granted by the Platform Owner for a maximum period of 90 days and must be documented in the risk register.
  Security team contact: ________
Module 06

Knowledge Check

Test your understanding of Delinea Platform security governance. Each question is followed by its answer key.

1. According to the principle of least privilege, the Platform Owner role should be assigned to a maximum of how many individuals?
   Answer: Two individuals — a primary owner and a named backup — balances continuity with access restriction. Sole custodianship creates a single point of failure; broader distribution weakens accountability.

2. Which MFA method should be disabled for all privileged accounts due to SIM-swap risk?
   Answer: SMS-based MFA is vulnerable to SIM-swap attacks. FIDO2/WebAuthn is the preferred standard for privileged accounts. TOTP and push notifications are acceptable alternatives where hardware keys aren't possible.

3. A security engineer wants to create a new vault for the DevOps team. Under the tiered change model, which tier does this fall into and who must approve it?
   Answer: Vault creation is a Tier 2 (Standard) change — significant enough to require Admin approval and an ITSM ticket, but not a critical platform-wide change requiring Owner involvement.

4. Which SOC 2 Trust Service Criteria maps most directly to Delinea's session recording and real-time alerting capabilities?
   Answer: CC7.2 covers monitoring system components for anomalies — session recording, keystroke logging, and SIEM forwarding all satisfy this criterion's evidence requirements.

5. Per NIST SP 800-63B guidance (reflected in this training), when should periodic password expiry be enforced?
   Answer: NIST SP 800-63B explicitly recommends removing routine password expiry in favour of breach-detection-driven resets. Forced rotation leads to predictable patterns (Password1 → Password2) and weakens security without improving it.