Subcontrol 16.9

[adammontville]

Automatically disable dormant accounts after a set period of inactivity.

Measures

M1 = # of dormant account crossing allowed time of inactivity(Model driven, data driven)
M2 = # of dormant account disabled(Model driven, data driven)

Metrics/KEI

Enforcement Quality = M2/ M1

No explicit comment.

[wmunyan]

dormant accounts / disabled-dormant accounts

[wmunyan]

Inputs:

• The list of all accounts created in the enterprise
• An organizationally defined policy indicating a "dormant threshold"; the period of inactivity after which the account is considered dormant.

Assumptions:

• The list of accounts for the enterprise includes OS-level, database, internal and external application accounts.
• Based on the account location, a query interface is assumed enabling collection of a "last activity" timestamp, such as last logon, as well as a status indicating if the account is enabled or disabled.

Operations:

• For each account, query the respective interface to collect the account's last activity.
• For each account, query the respective interface to collect the account's enabled/disabled status.
• Based on Operations 1 and 2, collect those accounts still marked as enabled but whose last activity is beyond the "dormant threshold" defined in Input 2

Measures:

• M1 = The total number of accounts
• M2 = The total number of accounts marked as enabled
• M3 = The total number of accounts collected by Operation 3

Metrics:

• Ratio of enabled dormant accounts to total = M3 / M1
• Ratio of enabled dormant accounts to accounts marked enabled = M3 / M2