ID | OM-IND-0013 |
|---|
Process | Line Manager Recertifications (Process - IAM) |
|---|
Indicator | Revocations per Line Manager |
|---|
Version | 1.1 5
| Status |
|---|
| colour | BlueGreen |
|---|
| title | Ready for peer reviewreviewED |
|---|
|
|
|---|
Formula | Given that: is the set of all line managers in the organization is the subset of line managers that have not completed their recertification is the subset of line managers that have completed their recertification and revoked 0 access rights is the access right revocation threshold above which revocations are considered abnormally high is the subset of line managers that have completed their recertification and revoked between 1 and access rights inclusive is the subset of line managers that have completed their recertification and revoked more than access rights are exclusive subsets is the set cardinality function
The indicator is composed of the following series: No Recert Recert 0 Recert Normal Recert High |
|---|
Parameters | We recommend to initially set and adapt it if necessary. | Benchmarking | This indicator is adequate for benchmarking given comparable recertification scopes and value. |
|---|
Rationale | The objective of this indicator is to measure the effectiveness of the LM Recertification process, that is to say how tightly line managers control discretionary access rights and roles. No Recert shows the ratio of line managers who failed to complete their recertification duty. This must be maintained as low as possible. Recert 0 shows the ratio of line managers who completed their recertification duty but revoked 0 access rights. Two distinct causes may explain this result: 1) access rights were optimal and did not require any change or 2) the line manager ticked the boxes without due care. Further inquiry may be required to distinguish between the two. Recert Normal shows the ratio of line managers who completed their recertification duty and revoked a number of access rights that is within expectations. Recert Highshows the ratio of line managers who completed their recertification duty and revoked an abnormally high number of access rights. A one time high may be caused by changes in the organization. But if the situation persists, this may reflect an inefficient setup where line managers must continuously adapt access rights. A root cause may be that RBAC is not implemented or improperly implemented. |
|---|
Benchmarking | This indicator is adequate for benchmarking given comparable recertification campaign scopes, campaign frequency and parameter value. |
|---|
Stakeholders | |
|---|
Scopes | This indicator may be specialized for different scopes . See Revocation Automation (Process - IAM) for typical scopes. | Negative Effects | In certain circumstances, the economical benefits of automation may be unjustifiable (e.g.: when processing low volumes of IAM artifacts on non-sensitive IT systems). Pursuing this indicator blindly could lead to economical waste. Poorly implemented automation may lead to new risks, e.g. silent automation errors leading to a false sense of security, automation mechanisms that are vulnerable to compromission or lead to denial of servicedepending on recertification campaigns. Typical scopes are: |
|---|
Negative Effects | Measuring the number of revocations is only a proxy to assess the level of engagement of line managers. This indicator should be used with critical distance and complemented with other information sources to get a genuine picture of what’s going on. For instance, surveying line managers may provide rich feedback to improve the process efficiency and effectiveness. The subset of access rights and roles that are discretionarily managed by line managers may be limited. Access rights and roles managed by other authorities may thus constitute a blind spot if the focus is only put on line managers.
|
|---|
Data Sources | |
|---|
Typical Frequency | Same frequency than recertification campaigns. Often quarterly, half-yearly or annually. |
|---|
See Also | |
|---|