Under GLBA, HIPAA, PCI, SOX, and FFIEC, an organization must be able to prove that it has control over privileged users, knows who holds master passwords, and tracks these users’ activity.
Recommendations:
Do not use shared privileged accounts such as root or admin.
Do not use hard-coded privileged accounts.
Avoid using privileged accounts such as root for installation and
configuration; use sudo to gain privileges instead.
Do not use shared privileged accounts (admin or root) to log in
remotely through SSH to any node. Disable login for privileged
accounts:
PermitRootLogin no
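
One way to verify the setting above, as an added example that is not part of the original page: a shell audit that reports the global PermitRootLogin value in an sshd_config file and flags Match blocks that re-enable root login. The function names and sample files are assumptions made for illustration, and the samples are constructed.

```shell
#!/bin/sh
# Added example: audit an sshd_config file for PermitRootLogin.
# Does not follow Include directives; on a live host, `sshd -T` prints the
# fully resolved configuration.

# audit_root_login FILE: prints "match_override=<line>:<value>" for every
# Match-block setting other than "no", then "global=<value>".
audit_root_login() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                    # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)       # trim whitespace
        if (line == "") next
        split(line, f, /[ \t=]+/)               # "Key value" or "Key=value"
        key = tolower(f[1]); val = tolower(f[2])
        gsub(/"/, "", val)
        if (key == "match") { in_match = 1; next }
        if (key != "permitrootlogin") next
        if (in_match) { if (val != "no") printf "match_override=%d:%s\n", NR, val }
        else if (global == "") global = val     # sshd keeps the first value
    }
    END {
        if (global == "") global = "prohibit-password"  # OpenSSH default when unset
        print "global=" global
    }' "$1"
}

# root_login_disabled FILE: succeeds only if root login is "no" everywhere.
root_login_disabled() {
    [ "$(audit_root_login "$1")" = "global=no" ]
}

# Constructed sample files (not taken from any real host).
write_samples() {
    printf '%s\n' '# hardened' 'PermitRootLogin no' 'PermitRootLogin yes' > "$1/good.conf"
    printf '%s\n' 'permitrootlogin=no' 'Match Address 10.0.0.0/8' \
        '    PermitRootLogin yes' > "$1/override.conf"
    printf '%s\n' '#PermitRootLogin no' 'PasswordAuthentication no' > "$1/unset.conf"
}

SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for f in good override unset; do
    echo "== $f.conf"; audit_root_login "$SAMPLES/$f.conf"
done
```

A commented-out directive counts as unset, so the OpenSSH default applies, and a later Match block can still allow root login even when the global value is no.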