6.6: Establish and Maintain an Inventory of Authentication and Authorization Systems
Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Users | Identify | 2, 3 |
Dependencies
Safeguard 1.1: Establish and Maintain Detailed Enterprise Asset Inventory
Safeguard 2.1: Establish and Maintain a Software Inventory
Inputs
1. GV23: Authentication and Authorization System Inventory
2. GV5: Authorized software inventory
3. Date of last update to the authentication and authorization system inventory
Operations
1. Check if the enterprise maintains a GV23 Authentication and Authorization System Inventory of all on-site and remote service providers
   - If the inventory exists, M1 = 1
   - If the inventory does not exist or is not provided, M1 = 0
2. Use GV5 to identify and enumerate authorized authentication and authorization systems within the enterprise
3. Use the output of Operation 2 to compare to the existing inventory GV23
   - Identify and enumerate systems that are authorized and currently in the inventory (M2)
   - Identify and enumerate systems that are authorized and not currently in the inventory (M3)
   - Identify and enumerate systems that are not authorized but listed in the current inventory (M4)
4. Compare the date of Input 3 to the current date and capture timeframe in months (M6)
Measures
M1 = Output of Operation 1
M2 = Count of authorized and properly inventoried systems
M3 = Count of authorized but not properly inventoried systems
M4 = Count of unauthorized but inventoried systems
M5 = Count of systems in the current inventory GV23
M6 = Timeframe since last update of inventory
Metrics
If M1 is 0, this safeguard receives a failing score. The other metrics don’t apply.
If M6 is greater than twelve months, then this safeguard is measured at a 0 and receives a failing score. The other metrics don’t apply.
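The operations, measures and the two failing conditions above, worked through on constructed data. This is an added example, not part of the CIS specification: the function names and sample system names are hypothetical, GV5 is assumed to be already filtered to authentication and authorization systems, systems are assumed to match by case-insensitive name, and M6 is assumed to mean whole months elapsed.

```python
from datetime import date

def _norm(names):
    # Assumption: systems are matched by trimmed, case-insensitive name.
    return {n.strip().lower() for n in names}

def months_between(last_update, today):
    """Whole months elapsed from last_update to today (assumed reading of M6)."""
    months = (today.year - last_update.year) * 12 + (today.month - last_update.month)
    if today.day < last_update.day:
        months -= 1  # the current month has not completed yet
    return max(months, 0)

def measure_6_6(gv23, gv5_auth_systems, last_update, today):
    """Compute M1..M6 and the failing condition for Safeguard 6.6.

    gv23: inventoried system names, or None when no inventory exists/was provided.
    gv5_auth_systems: authorized authentication/authorization systems from GV5.
    """
    if gv23 is None:
        # Operation 1: M1 = 0, failing score, the other measures do not apply.
        return {"M1": 0, "failing": True}
    inventory, authorized = _norm(gv23), _norm(gv5_auth_systems)
    result = {
        "M1": 1,
        "M2": len(authorized & inventory),   # authorized and inventoried
        "M3": len(authorized - inventory),   # authorized, missing from GV23
        "M4": len(inventory - authorized),   # inventoried, not authorized
        "M5": len(inventory),                # size of the current GV23
        "M6": months_between(last_update, today),
        # Keep the names as well as the counts so the gaps can be followed up.
        "missing": sorted(authorized - inventory),
        "unauthorized": sorted(inventory - authorized),
    }
    result["failing"] = result["M6"] > 12   # inventory older than twelve months
    return result

# Constructed sample inputs (hypothetical system names).
GV23 = ["corp-ad", "SSO-IdP", "legacy-radius ", "cloud-iam"]
GV5_AUTH = ["corp-ad", "sso-idp", "cloud-iam", "secrets-vault"]

if __name__ == "__main__":
    print(measure_6_6(GV23, GV5_AUTH, date(2023, 1, 15), date(2024, 1, 20)))
```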