Versions Compared

Chart: Revocation Automation Level
Scope: [ADD SCOPE HERE]
Stacked bar chart by month; y axis: # of IT Systems; x axis: Time; series colours #11AD39, #F26234.

Month         Automated   Manual
31/1/2020            50      200
29/2/2020            55      198
31/3/2020            52      195
30/4/2020            60      210
31/5/2020            70      202
30/6/2020           100      173
31/7/2020           108      150
31/8/2020           107      151
30/9/2020           117      140
31/10/2020          127      115
30/11/2020          147       97
31/12/2020          150  (missing)
This indicator is adequate for benchmarking given comparable scopes

ID

OM-IND-0013

Process

Line Manager Recertifications (Process - IAM)

Indicator

LM Recertification: Revocations per Line Manager

Version

1.0 5

Status

Reviewed

Formula

Given that:

  • is the set of all line managers in the organization

  • is the subset of line managers that have not completed their recertification

  • is the subset of line managers that have completed their recertification and revoked 0 access rights

  • is the access right revocation threshold above which revocations are considered abnormally high

  • is the subset of line managers that have completed their recertification and revoked between 1 and access rights inclusive

  • is the subset of line managers that have completed their recertification and revoked more than access rights

  • are exclusive subsets

  • is the set cardinality function

The indicator is composed of the following series:

No Recert

Recert 0

Recert Normal

Recert High

Benchmarking

Parameters

We recommend to initially set and adapt it if necessary.
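As an added worked example (not code from the original indicator page), the following Python computes the four series from constructed campaign records and checks that the subsets are exclusive and exhaustive; since the formula's symbols are not reproduced here, the record fields and the parameter name `threshold` are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction

@dataclass(frozen=True)
class LineManagerRecert:
    """One line manager's outcome in a recertification campaign (constructed record)."""
    manager: str
    completed: bool   # recertification completed?
    revocations: int  # access rights revoked; only meaningful when completed

def indicator_series(records, threshold):
    """Return the four exclusive series as ratios of all line managers in scope.
    threshold: revocations above this count are abnormally high (name assumed)."""
    if threshold < 1:
        raise ValueError("threshold must be at least 1")
    total = len(records)
    if total == 0:
        raise ValueError("no line managers in scope")
    if len({r.manager for r in records}) != total:
        raise ValueError("expected exactly one record per line manager")
    no_recert = sum(1 for r in records if not r.completed)
    recert_0 = sum(1 for r in records if r.completed and r.revocations == 0)
    recert_normal = sum(1 for r in records
                        if r.completed and 1 <= r.revocations <= threshold)
    recert_high = sum(1 for r in records if r.completed and r.revocations > threshold)
    # Exclusive and exhaustive: every line manager lands in exactly one subset.
    assert no_recert + recert_0 + recert_normal + recert_high == total
    return {
        "No Recert": Fraction(no_recert, total),
        "Recert 0": Fraction(recert_0, total),
        "Recert Normal": Fraction(recert_normal, total),
        "Recert High": Fraction(recert_high, total),
    }

# Constructed sample campaign of 8 line managers with the threshold set to 5.
SAMPLE_THRESHOLD = 5
SAMPLE = [
    LineManagerRecert("lm01", False, 0),
    LineManagerRecert("lm02", True, 0),
    LineManagerRecert("lm03", True, 0),
    LineManagerRecert("lm04", True, 1),
    LineManagerRecert("lm05", True, 5),   # exactly at the threshold: still Normal
    LineManagerRecert("lm06", True, 3),
    LineManagerRecert("lm07", True, 6),   # above the threshold: High
    LineManagerRecert("lm08", True, 12),
]

if __name__ == "__main__":
    for name, ratio in indicator_series(SAMPLE, SAMPLE_THRESHOLD).items():
        print(f"{name:14s} {float(ratio):.3f}")
```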

Rationale

The objective of this indicator is to measure the effectiveness of the LM Recertification process, that is to say how tightly line managers control discretionary access rights and roles.

No Recert shows the ratio of line managers who failed to complete their recertification duty. This must be maintained as low as possible.

Recert 0 shows the ratio of line managers who completed their recertification duty but revoked 0 access rights. Two distinct causes may explain this result: 1) access rights were optimal and did not require any change or 2) the line manager ticked the boxes without due care. Further inquiry may be required to distinguish between the two.

Recert Normal shows the ratio of line managers who completed their recertification duty and revoked a number of access rights that is within expectations.

Recert High shows the ratio of line managers who completed their recertification duty and revoked an abnormally high number of access rights. A one-time high may be caused by changes in the organization. But if the situation persists, this may reflect an inefficient setup where line managers must continuously adapt access rights. A root cause may be that RBAC is not implemented or improperly implemented.

Stakeholders

  • IAM Manager

  • CISO

  • IT Risk Managers

Benchmarking

This indicator is adequate for benchmarking given comparable recertification campaign scopes, campaign frequency and parameter value.


Scopes

This indicator may be specialized for different scopes. See Revocation Automation (Process - IAM) for typical scopes.

Negative Effects

  • In certain circumstances, the economic benefits of automation may be unjustifiable (e.g. when processing low volumes of IAM artifacts on non-sensitive IT systems). Pursuing this indicator blindly could lead to economic waste.

  • Poorly implemented automation may lead to new risks, e.g. silent automation errors leading to a false sense of security, or automation mechanisms that are vulnerable to compromise or lead to denial of service.

Data Sources

  • IT System inventory

  • CMDB

  • IAM software platform

Typical Frequency

Monthly

See Also

Sample Visual Representation

If the number of automated systems is out of proportion with the number of unautomated systems, we recommend using a broken Y axis rather than a logarithmic scale, which would be misleading.

Scopes

This indicator may be specialized for different scopes depending on recertification campaigns. Typical scopes are:

  • Business applications

  • Sensitive business applications

Negative Effects

  • Measuring the number of revocations is only a proxy for assessing the level of engagement of line managers. This indicator should be used with critical distance and complemented with other information sources to get a genuine picture of what's going on. For instance, surveying line managers may provide rich feedback to improve the process efficiency and effectiveness.

  • The subset of access rights and roles that are discretionarily managed by line managers may be limited. Access rights and roles managed by other authorities may thus constitute a blind spot if the focus is put only on line managers.

Data Sources

  • IAM System

Typical Frequency

Same frequency as recertification campaigns: often quarterly, half-yearly or annually.

See Also