5.5: Establish and Maintain an Inventory of Service Accounts
Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
Asset Type | Security Function | Implementation Groups
---|---|---
Users | Identify | 2, 3
Dependencies
Safeguard 6.6: Establish and Maintain an Inventory of Authentication and Authorization Systems
Inputs
1. GV23: Authentication and Authorization System Inventory
2. Inventory of service accounts
3. Date of last review of the inventory of service accounts
Operations
1. Check if the enterprise maintains an inventory of service accounts (Input 2)
   - If the inventory exists, M1 = 1
   - If the inventory does not exist, M1 = 0
2. Using the inventory of accounts (Input 2), determine if the inventory captures the following elements: department owner, review date, and purpose
   - Each element is assigned a value of 1 if it exists and 0 if it does not. Total the number of elements that exist. (M3)
3. Using Input 2, check each account for the elements: department owner, review date, and purpose
   - Identify and enumerate accounts with all elements (M4)
   - Identify and enumerate accounts missing or with incomplete elements (M5)
4. Use GV23 to identify authentication systems or other software that manages service accounts
5. Using the output of Operation 4, enumerate all current service accounts throughout the enterprise (M6)
6. Compare the output of Operation 5 with Input 2
   - Identify and enumerate accounts that are supposed to be active/enabled (M7)
   - Identify and enumerate accounts that are supposed to be disabled/removed (M8)
7. Compare the current date to the date provided in Input 3 and enumerate the timeframe in months (M9)
Measures
M1 = Does the account inventory exist (Output of Operation 1)
M2 = Count of accounts in Input 2
M3 = Count of elements provided in inventory
M4 = Count of accounts in inventory with complete information
M5 = Count of accounts in inventory with missing or incomplete information
M6 = Count of current service accounts identified through Operation 5
M7 = Count of authorized accounts
M8 = Count of unauthorized accounts
M9 = Timeframe of last update in months
Metrics
If M1 is 0, this safeguard receives a failing score and other metrics don’t apply. If M9 is greater than three, this safeguard is measured at a 0 and receives a failing score. The other metrics don’t apply.
Completeness of Inventory

Metric | Calculation
---|---
The percentage of minimum elements included in the inventory. |
The percentage of accounts with complete information. |

Accuracy of Inventory

Metric | Calculation
---|---
The percentage of accurately listed accounts in the inventory. |
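The following script walks the Operations, Measures and Metrics above end to end over a small constructed data set. It is an added example, not part of the CIS Controls text: the account names, owners, review dates, the set of "current" accounts enumerated from the GV23 systems, and the `evaluate` helper are all constructed for illustration. Because the Calculation cells above are left blank, the ratios used for the three percentages (M3 over the three required elements, M4 over M2, and M7 over M6) are assumptions chosen to match each metric's wording.

```python
"""Worked measurement of CIS Safeguard 5.5 over constructed sample data.

Added example, not CIS Controls code. Every account, owner, date and the
set of currently existing accounts below is constructed; the ratio used for
each metric is an assumption noted where it appears.
"""
from datetime import date

# The three minimum elements the safeguard requires for each inventory entry
REQUIRED_ELEMENTS = ("department_owner", "review_date", "purpose")

# Input 2: inventory of service accounts (constructed sample)
INVENTORY = [
    {"account": "svc-backup", "department_owner": "IT Ops",
     "review_date": "2024-02-10", "purpose": "Nightly file backups"},
    {"account": "svc-ci", "department_owner": "Engineering",
     "review_date": "2024-02-12", "purpose": "CI pipeline runner"},
    {"account": "svc-legacy", "department_owner": "",          # owner missing
     "review_date": "2023-06-30", "purpose": "Unknown"},
    {"account": "svc-report", "department_owner": "Finance",
     "review_date": None, "purpose": "Scheduled reports"},     # review date missing
]

# Output of Operation 5: service accounts that exist right now, as enumerated
# from the authentication systems identified through GV23 (constructed sample)
CURRENT_ACCOUNTS = {"svc-backup", "svc-ci", "svc-legacy", "svc-orphan"}

# Input 3: date the inventory was last reviewed (constructed)
LAST_REVIEW = date(2024, 3, 1)


def months_between(earlier, later):
    """Whole months elapsed from `earlier` to `later` (used for M9)."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    if later.day < earlier.day:
        months -= 1
    return months


def compute_measures(inventory, current_accounts, last_review, today):
    """Return M1..M9 as defined in the Measures section."""
    m1 = 1 if inventory is not None else 0            # Operation 1
    if m1 == 0:
        return {"M1": 0}                               # nothing else applies
    m2 = len(inventory)
    # Operation 2: an element is captured when every record carries the field
    m3 = sum(1 for e in REQUIRED_ELEMENTS if all(e in a for a in inventory))
    # Operation 3: complete means every required element is present and non-empty
    complete = [a for a in inventory
                if all(a.get(e) not in (None, "") for e in REQUIRED_ELEMENTS)]
    m4 = len(complete)
    m5 = m2 - m4
    # Operations 5 and 6: reconcile what exists against what is inventoried
    inventoried = {a["account"] for a in inventory}
    m6 = len(current_accounts)
    m7 = len(current_accounts & inventoried)          # authorized: inventoried and present
    m8 = len(current_accounts - inventoried)          # unauthorized: present but not inventoried
    m9 = months_between(last_review, today)           # Operation 7
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5,
            "M6": m6, "M7": m7, "M8": m8, "M9": m9}


def score(m):
    """Apply the gating rule, then express the three metrics as percentages.

    The ratios below are assumptions matching each metric's wording; the
    CIS text leaves the Calculation cells blank.
    """
    if m["M1"] == 0 or m["M9"] > 3:                   # no inventory, or review older than a quarter
        return {"passing": False, "score": 0}
    return {
        "passing": True,
        "elements_pct": 100.0 * m["M3"] / len(REQUIRED_ELEMENTS),
        "complete_accounts_pct": 100.0 * m["M4"] / m["M2"] if m["M2"] else 0.0,
        "accurate_accounts_pct": 100.0 * m["M7"] / m["M6"] if m["M6"] else 0.0,
        "unauthorized_accounts": m["M8"],              # M8 is the list a reviewer acts on
    }


def evaluate(today_iso):
    """Hypothetical convenience wrapper: run the whole procedure as of a given date."""
    measures = compute_measures(INVENTORY, CURRENT_ACCOUNTS, LAST_REVIEW,
                                date.fromisoformat(today_iso))
    return measures, score(measures)


if __name__ == "__main__":
    print(evaluate("2024-05-20"))   # review is 2 months old: gate passes, metrics computed
    print(evaluate("2024-08-15"))   # same inventory, review now 5 months old: failing score
```

Running the block as of 2024-05-20 yields M4 = 2 and M5 = 2 (two entries lack an owner or a review date), M7 = 3 and M8 = 1 (`svc-orphan` exists in the directory but is not inventoried), and M9 = 2, so the gate passes. Re-running as of 2024-08-15 pushes M9 to 5 and the safeguard scores 0 regardless of the other measures, which is the quarterly review requirement enforced mechanically.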