16.12: Monitor Attempts to Access Deactivated Accounts

Monitor attempts to access deactivated accounts through audit logging.

Asset Type: Users

Security Function: Detect

Implementation Groups: 2, 3

Dependencies

  • Sub-control 2.1: Maintain Inventory of Authorized Software

  • Sub-control 16.1: Inventory of Authentication Systems

Inputs

  1. Authentication System Inventory

  2. Approved configuration(s) for logging attempts to access deactivated accounts

  3. Approved configuration(s) for alerting on attempts to access deactivated accounts

Note: There may be multiple configurations for Inputs 2 and 3 to account for various groups/types of authentication systems.

Operations

  1. For each authentication system in Input 1, select the appropriate approved configuration from Input 2 and from Input 3 in turn, and check whether that authentication system’s actual configuration complies with each. Record this information as M1: a list of authentication systems, each annotated as compliant or non-compliant with the appropriate approved configuration from each of the two inputs (Input 2 and Input 3).

  2. For Input 2, and for Input 3, generate a count of compliant authentication systems from M1 and record these as M2 and M3 respectively.

  3. Count the number of authentication systems that are compliant with both inputs and record this as M4.

Measures

  • M1 = List of authentication systems with each entry labeled with compliance or non-compliance for both Input 2 and Input 3

  • M2 = Count of compliant authentication systems based on Input 2 configurations

  • M3 = Count of compliant authentication systems based on Input 3 configurations

  • M4 = Count of authentication systems that are compliant with configurations from both inputs

  • M5 = Total count of authentication systems from Input 1

Metrics

Logging Coverage

Metric

The ratio of authentication systems configured to log attempts to access deactivated
accounts to the total number of authentication systems.

Calculation

M2 / M5

Alerting Coverage

Metric

The ratio of authentication systems configured to alert on attempts to access deactivated
accounts to the total number of authentication systems.

Calculation

M3 / M5

Full Coverage

Metric

The ratio of authentication systems configured to both log and alert on attempts to
access deactivated accounts to the total number of authentication systems.

Calculation

M4 / M5
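The Operations and Metrics above, worked through as an added example (not part of the original specification). The system names, group names and setting keys are hypothetical and the data is constructed; the sketch assumes a system whose group has no approved configuration counts as non-compliant, and that the ratios are undefined when the inventory is empty.

```python
from fractions import Fraction

# Constructed sample data; names, groups and setting keys are hypothetical.
INVENTORY = [  # Input 1
    {"name": "ad-dc01", "group": "directory"},
    {"name": "vpn-gw", "group": "radius"},
    {"name": "sso-idp", "group": "saml"},
    {"name": "legacy-ldap", "group": "unmapped"},  # no approved config exists
]
APPROVED_LOGGING = {  # Input 2: one approved configuration per group
    "directory": {"log_disabled_logon": True},
    "radius": {"log_reject_disabled": True},
    "saml": {"audit_disabled_user": True},
}
ALERT = {"alert_on_disabled_logon": True}
APPROVED_ALERTING = {g: ALERT for g in ("directory", "radius", "saml")}  # Input 3
ACTUAL = {  # settings collected from each system
    "ad-dc01": {"log_disabled_logon": True, "alert_on_disabled_logon": True},
    "vpn-gw": {"log_reject_disabled": True, "alert_on_disabled_logon": False},
    "sso-idp": {"audit_disabled_user": False, "alert_on_disabled_logon": True},
}

def complies(actual, approved):
    """True when every approved setting is present with the approved value."""
    if approved is None:  # assumption: no approved config means non-compliant
        return False
    return all(actual.get(key) == value for key, value in approved.items())

def assess(inventory, approved_logging, approved_alerting, actual):
    m1 = []  # Operation 1: annotate each system against Input 2 and Input 3
    for system in inventory:
        cfg = actual.get(system["name"], {})  # nothing collected: empty config
        m1.append({
            "name": system["name"],
            "logging": complies(cfg, approved_logging.get(system["group"])),
            "alerting": complies(cfg, approved_alerting.get(system["group"])),
        })
    m2 = sum(e["logging"] for e in m1)                    # Operation 2
    m3 = sum(e["alerting"] for e in m1)                   # Operation 2
    m4 = sum(e["logging"] and e["alerting"] for e in m1)  # Operation 3
    m5 = len(inventory)

    def ratio(count):
        return Fraction(count, m5) if m5 else None  # empty inventory: undefined

    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4, "M5": m5,
            "logging_coverage": ratio(m2), "alerting_coverage": ratio(m3),
            "full_coverage": ratio(m4)}
```

Note that M4 can be lower than both M2 and M3: here two systems log and two alert, but only one does both.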