Welcome to NBlog, the NoticeBored blog

I may meander but I'm 'exploring', not lost

Mar 6, 2013

SMotW #47: inactive user accounts disabled

Security Metric of the Week #47:  proportion of inactive computer user accounts disabled in accordance with policy

To calculate this metric, someone first checks how many inactive user accounts there were on the systems in total, and then how many of them were disabled as they should have been according to ACME's policy during the reporting period (e.g. this calendar quarter).
Counting inactive accounts is tedious if it involves manually checking activity records maintained by the individual IT systems, but easier if the checks can be performed by running scripts on a limited number of shared/centralized network user authentication systems (such as domain servers for Windows domains), in which case this becomes a fairly straightforward and useful compliance measure.
ACME's management determined the following PRAGMATIC numbers for this metric:


P
R
A
G
M
A
T
I
C
Score
68
56
74
76
73
64
64
52
75
67%






The PRAGMATIC ratings are fairly flat across the board - in other words, the metric is neither particularly strong nor weak in any factor.  Management had some concerns about its Relevance to information security since it is such a narrow technical metric, and also about the Independence factor since those who are most likely to be measuring and reporting it have a vested interest in the metric.  On the other hand, they appreciated the fact that it is quite Genuine (readily verified or audited if needs be) and Cost-effective since ACME has a centralised system for user account management. 
Disabling computer accounts when employees leave the organization is a rather basic IT security control.  If this is not happening reliably, there are probably even more serious issues with the user administration processes, and in fact with information security controls in general - in other words, the metric could be taken as a rough indicator of ACME's overall information security status.  This boosted its Meaningfulness rating. 
Furthermore, the rate of improvement of the specific metric is also a rough indication of the extent to which ACME's managers are truly managing, controlling or influencing the organization's information security as a whole: if it takes several months of effort to get the proportion of inactive accounts disabled up from, say, 10% (dreadful) to 30% (poor), this is clearly worse than if the same improvement happens in a matter of days or weeks, or if the metric reaches 75% or more during the same period.
Talking of period, the frequency at which the metric is reported is another measurement parameter that management can adjust.  They may, for instance, ask for more frequent updates on the metric while the control is being targeted for improvement (perhaps once a month), then revert to quarterly or whatever when sufficient improvement has been made.  Another option would be to stick to quarterly reporting for senior management but track and report the status monthly or even weekly for operational managers who are actively working to improve user account administration.