16.10: Ensure All Accounts Have An Expiration Date

Ensure that all accounts have an expiration date that is monitored and enforced.

| Asset Type | Security Function | Implementation Groups |
|------------|-------------------|-----------------------|
| Users      | Protect           | 2, 3                  |

Dependencies

  • Sub-control 16.1: Inventory of Authentication Systems

Inputs

  1. Account Inventory

  2. Authentication System Inventory

  3. Approved Configuration(s) for ensuring that account expiration dates are automatically enforced (there may be multiple configurations that vary by type of authentication system, etc.)

  4. Optional: Maximum amount of time in the future allowed for an expiration date (example: the organization may require all accounts to have an expiration date no more than 1 year in the future so that all accounts must be re-justified every year). This time frame could be specific to certain account types (Administrator for example), or specific to certain authentication systems.

Operations

  1. For each account in the account inventory (Input 1), check to see if that account has a valid expiration date that is in the future. If the optional Input 4 was provided, also verify if that expiration date complies with any applicable additional time frame restrictions. Based on these checks, create a list (M1) of accounts with valid expiration dates, and a list (M2) of accounts with invalid expiration dates (noting why the expiration date is invalid).

  2. For each authentication system in Input 2, check to see if it is configured according to the appropriate configuration(s) from Input 3.

  3. Create a list (M3) of authentication systems that are configured correctly.

  4. Create a list (M4) of authentication systems that are not configured correctly (noting the deviations).

Measures

  • M1 = List of accounts with valid expiration dates

  • M2 = List of accounts with invalid expiration dates

  • M3 = List of authentication systems that are configured correctly

  • M4 = List of authentication systems that are not configured correctly

  • M5 = Count of accounts with valid expiration dates (count of M1)

  • M6 = Total count of accounts (count of Input 1)

  • M7 = Count of authentication systems that are configured correctly (count of M3)

  • M8 = Total count of authentication systems (count of Input 2)

Metrics

| Metric | Calculation |
|--------|-------------|
| The ratio of accounts with valid expiration dates to the total number of accounts | M5 / M6 |
| The ratio of correctly configured authentication systems to the total number of authentication systems | M7 / M8 |
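The Operations, Measures and Metrics above, carried through on a small constructed inventory. This is an added example, not part of the specification. The record layout, the `default` horizon key and the `enforce_expiry` setting are hypothetical, and treating an expiration date of today as "not in the future" is an assumption.

```python
from datetime import date, timedelta

def assess_accounts(accounts, today, max_horizon=None):
    """Operation 1: split Input 1 into M1 and M2; max_horizon is optional Input 4."""
    m1, m2, horizon = [], [], max_horizon or {}
    for acct in accounts:
        expires = acct.get("expires")
        limit = horizon.get(acct["type"], horizon.get("default"))
        if expires is None:
            m2.append((acct["name"], "no expiration date set"))
        elif expires <= today:  # assumption: a date of today is not "in the future"
            m2.append((acct["name"], "expiration date is not in the future"))
        elif limit is not None and expires > today + limit:
            m2.append((acct["name"], f"expires more than {limit.days} days out"))
        else:
            m1.append(acct["name"])
    return m1, m2

def assess_systems(systems, approved):
    """Operations 2-4: compare each system (Input 2) with its approved config (Input 3)."""
    m3, m4 = [], []
    for s in systems:
        want = approved.get(s["kind"])
        if want is None:  # no baseline to compare against counts as a deviation
            m4.append((s["name"], ["no approved configuration for this system type"]))
            continue
        devs = [f"{k}: expected {v!r}, found {s['config'].get(k)!r}"
                for k, v in want.items() if s["config"].get(k) != v]
        if devs:
            m4.append((s["name"], devs))
        else:
            m3.append(s["name"])
    return m3, m4

def ratio(part, total):  # M5 / M6 or M7 / M8; None when the inventory is empty
    return part / total if total else None

# Constructed sample data; names, types and config keys are hypothetical.
TODAY = date(2024, 1, 15)
ACCOUNTS = [{"name": "alice", "type": "user", "expires": date(2024, 9, 1)},
            {"name": "svc-backup", "type": "service", "expires": None},
            {"name": "bob", "type": "user", "expires": date(2023, 12, 31)},
            {"name": "root-admin", "type": "admin", "expires": date(2024, 12, 1)}]
HORIZON = {"default": timedelta(days=365), "admin": timedelta(days=90)}
APPROVED = {"directory": {"enforce_expiry": True}}
SYSTEMS = [{"name": "corp-dir", "kind": "directory", "config": {"enforce_expiry": True}},
           {"name": "lab-dir", "kind": "directory", "config": {"enforce_expiry": False}}]

if __name__ == "__main__":
    print(assess_accounts(ACCOUNTS, TODAY, HORIZON), assess_systems(SYSTEMS, APPROVED), sep="\n")
```

With the 90-day administrator horizon, `root-admin` lands in M2 even though its expiration date is set and in the future, which is the case Input 4 exists to catch.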