Open adammontville opened 5 years ago
Internal notes/discussion (not to be included in the spec):
1) The proposal below is a configuration check, which differs from the suggestions above. I think this Sub-Control is similar to 4.9 in nature.
2) This proposal (and 4.9) are endpoint-based (plus many of our other proposals). Do we need to take Cloud-based environments into account more? Or, should we think about Cloud more for future versions of CAS - maybe 1.1?
3) Two wording clarifications to consider (that's why I'm tagging this with Controls team):
a) does "deactivated" include deleted accounts?
b) is "monitor" equivalent to "alert on" (like in 4.9)?
Inputs
1) Endpoint inventory
2) Approved configuration(s) for logging attempts to access deactivated accounts
3) Approved configuration(s) for alerting on attempts to access deactivated accounts

Note: there may be multiple configurations for Inputs 2 and 3 to account for various groups/types of endpoints.

Operations
1) For each endpoint in Input 1, select the appropriate approved configuration from Inputs 2 and 3 in turn for that endpoint and check to see if that endpoint's actual configuration complies with the approved configuration for each Input. Record this information as M1 - a list of endpoints annotated with whether that endpoint is compliant or non-compliant with the appropriate approved configuration from each of the two inputs (Input 2 and Input 3).
2) For Input 2, and for Input 3, generate a count of compliant endpoints from M1 and record these as M2 and M3 respectively.
3) Count the number of endpoints that are compliant with both inputs and record this as M4.

Measures
M1: List of endpoints with each endpoint entry labeled with compliance or non-compliance for both Input 2 and Input 3
M2: Number of compliant endpoints based on Input 2 configurations
M3: Number of compliant endpoints based on Input 3 configurations
M4: Number of endpoints that are compliant with configurations from both inputs
M5: Total number of endpoints from Input 1

Metrics
Ratio of compliance with Input 2: M2 / M5
Ratio of compliance with Input 3: M3 / M5
Ratio of combined compliance with both inputs: M4 / M5
On second thought, I'm wondering if 16.12 (and 4.9) should be more authentication system based, rather than endpoint based. Thoughts?
Internal Note (not to be included in spec): This is a reworked version to be authentication system focused. Please let me know if you agree with this approach. If so, we should consider updating 4.9 in a similar manner. Please also see the internal notes on the proposal above... I think the authentication system focus makes it a little more cloud compliant too.
Inputs
1) Authentication System Inventory
2) Approved configuration(s) for logging attempts to access deactivated accounts
3) Approved configuration(s) for alerting on attempts to access deactivated accounts

Note: there may be multiple configurations for Inputs 2 and 3 to account for various groups/types of authentication systems.

Operations
1) For each authentication system in Input 1, select the appropriate approved configuration from Inputs 2 and 3 in turn for that endpoint and check to see if that authentication system's actual configuration complies with the approved configuration for each Input. Record this information as M1 - a list of authentication systems annotated with whether that authentication system is compliant or non-compliant with the appropriate approved configuration from each of the two inputs (Input 2 and Input 3).
2) For Input 2, and for Input 3, generate a count of compliant authentication systems from M1 and record these as M2 and M3 respectively.
3) Count the number of authentication systems that are compliant with both inputs and record this as M4.

Measures
M1: List of authentication systems with each endpoint entry labeled with compliance or non-compliance for both Input 2 and Input 3
M2: Number of compliant authentication systems based on Input 2 configurations
M3: Number of compliant authentication systems based on Input 3 configurations
M4: Number of authentication systems that are compliant with configurations from both inputs
M5: Total number of authentication systems from Input 1

Metrics
Ratio of compliance with Input 2: M2 / M5
Ratio of compliance with Input 3: M3 / M5
Ratio of combined compliance with both inputs: M4 / M5
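Added worked example (not from the issue or the CAS project) that runs the reworked Operations over a constructed Input 1 and derives M1 through M5 and the three ratios; the system types, system names and configuration keys are assumptions made for illustration, and a system with no approved configuration for its type is treated as non-compliant.

```python
# Added example, not part of the CAS issue: computes M1-M5 and the metric ratios of
# the reworked proposal. System types, names and config keys are constructed.

# Inputs 2 and 3: one approved configuration per system type/group.
APPROVED_LOGGING = {   # Input 2
    "ad":  {"audit_logon_failures": True, "log_disabled_account_logon": True},
    "idp": {"signin_logs": "all", "log_disabled_user_signin": True},
}
APPROVED_ALERTING = {  # Input 3
    "ad":  {"alert_disabled_account_logon": True},
    "idp": {"alert_disabled_user_signin": True},
}

def complies(actual, approved):
    """Every approved setting present with its value; no approved config -> non-compliant."""
    return approved is not None and all(actual.get(k) == v for k, v in approved.items())

def m1(inventory):
    """M1: each authentication system annotated per Input 2 and Input 3 (Operation 1)."""
    return [{"name": s["name"],
             "logging": complies(s["config"], APPROVED_LOGGING.get(s["type"])),
             "alerting": complies(s["config"], APPROVED_ALERTING.get(s["type"]))}
            for s in inventory]

def measures(inventory):
    """M2-M5 derived from M1 (Operations 2 and 3 plus the Input 1 total)."""
    rows = m1(inventory)
    return {"M1": rows,
            "M2": sum(r["logging"] for r in rows),
            "M3": sum(r["alerting"] for r in rows),
            "M4": sum(r["logging"] and r["alerting"] for r in rows),
            "M5": len(rows)}

def metrics(m):
    """The three ratios; None when Input 1 is empty (M5 = 0 would divide by zero)."""
    if m["M5"] == 0:
        return {"input2": None, "input3": None, "both": None}
    return {"input2": m["M2"] / m["M5"], "input3": m["M3"] / m["M5"], "both": m["M4"] / m["M5"]}

# Constructed Input 1: inventory with each system's actual configuration.
INVENTORY = [
    {"name": "corp-dc01", "type": "ad", "config": {"audit_logon_failures": True,
        "log_disabled_account_logon": True, "alert_disabled_account_logon": True}},
    {"name": "corp-dc02", "type": "ad", "config": {"audit_logon_failures": True,
        "log_disabled_account_logon": True}},                  # logs, no alert
    {"name": "cloud-idp", "type": "idp", "config": {"signin_logs": "failures",
        "log_disabled_user_signin": True, "alert_disabled_user_signin": True}},
    {"name": "legacy-ldap", "type": "ldap", "config": {}},     # no approved config
]
```

With this inventory the result is M2 = 2, M3 = 2, M4 = 1, M5 = 4, so the combined ratio (0.25) is lower than either single-input ratio (0.5), which is the gap M4 is meant to expose.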
Monitor attempts to access deactivated accounts through audit logging.
Measures
Metrics/KEI
Credentials used don't matter. Logging these attempts is made in most benchmarks. Enumerate deactivated accounts, enumerate denied access requests, find subset of denials related to deactivated accounts.