Skip to end of banner
Go to start of banner

LM Recertification: Revocations per LM (Indicator - IAM)

Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 8 Next »

Process

Line Manager Recertifications (Process - IAM)

Indicator

LM Recertification: Revocations per LM

Version

1.0 READY FOR PEER REVIEW

Formula

Given that:

  • is the set of all line managers in the organization

  • is the subset of line managers that have not completed their recertification

  • is the subset of line managers that have completed their recertification and revoked 0 access rights

  • is the access right revocation threshold above which revocations are considered abnormally high

  • is the subset of line managers that have completed their recertification and revoked between 1 and access rights inclusive

  • is the subset of line managers that have completed their recertification and revoked more than access rights

  • are exclusive subsets

  • is the set cardinality function

The indicator is composed of the following series:

No Recert

Recert 0

Recert Normal

Recert High

Parameters

We recommend to initially set and adapt it if necessary.

Benchmarking

This indicator is adequate for benchmarking given comparable recertification scopes and value.

Rationale

The objective of this indicator is to measure the effectiveness of the LM Recertification process.

No Recert shows the ratio of line managers who failed to complete their recertification duty. This must be maintained as low as possible.

Recert 0 shows the ratio of line managers who completed their recertification duty but revoked 0 access rights. Two distinct causes may explain this result: 1) access rights were optimal and did not require any change or 2) the line manager ticked the boxes without due care. Further inquiry may be required to distinguish between the two.

Recert Normal shows the ratio of line managers who completed their recertification duty and revoked a number of access rights that is within expectations.

Recert High shows the ratio of line managers who completed their recertification duty and revoked an abnormally high number of access rights. A one time high may be caused by changes in the organization. But if the situation persists, this may reflect an inefficient setup where line managers must continuously adapt access rights. A root cause may be that RBAC is not implemented or improperly implemented.

Stakeholders

Scopes

This indicator may be specialized for different scopes. See Revocation Automation (Process - IAM) for typical scopes.

Negative Effects

  • In certain circumstances, the economical benefits of automation may be unjustifiable (e.g.: when processing low volumes of IAM artifacts on non-sensitive IT systems). Pursuing this indicator blindly could lead to economical waste.

  • Poorly implemented automation may lead to new risks, e.g. silent automation errors leading to a false sense of security, automation mechanisms that are vulnerable to compromission or lead to denial of service.

Data Sources

  • IAM System

Typical Frequency

Same frequency than recertification campaigns. Often quarterly, half-yearly or annually.

See Also

  • No labels

Follow us on LinkedIn | Discuss on Slack | Support us with Patreon | Sign-up for a free membership.

This wiki is owned by Open Measure, a non-profit association. The original content we publish is licensed under a Creative Commons Attribution 4.0 International License.