16.7: Establish Process for Revoking Access
Establish and follow an automated process for revoking system access by disabling accounts immediately upon termination or change of responsibilities of an employee or contractor. Disabling these accounts, instead of deleting accounts, allows preservation of audit trails.
| Asset Type | Security Function | Implementation Groups |
|---|---|---|
| Users | Protect | 2, 3 |
Dependencies
Sub-control 16.6: Maintain an Inventory of Accounts
Inputs
1. The inventory of employee accounts
2. A given time period for analysis
Operations
1. For each employee who was terminated or whose responsibilities changed within the Input 2 time period, enumerate that employee's accounts (a given employee may have a number of accounts)
Measures
M1 = List of employee accounts collected by Operation 1
M2 = Count of M1
M3 = List of employee accounts disabled within the Input 2 time period
M4 = Count of M3
Metrics
Enforcement Quality
| Metric | Calculation |
|---|---|
| The ratio of employee accounts that have been terminated/revoked within the acceptable timeframe. | |
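The measurement procedure above (Operation 1 and measures M1 through M4), worked as an added example that is not part of the CIS document: it runs over a constructed HR event feed and account inventory, assumes the metric is calculated as M4 / M2 (the page leaves the calculation blank), and treats the "acceptable timeframe" as a `max_days` parameter so that accounts disabled late or still enabled are surfaced as findings.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the CIS page): HR events and the
# account inventory that sub-control 16.6 requires as Input 1.
HR_EVENTS = [  # (employee_id, event_date, event)
    ("e100", "2024-03-01", "terminated"),
    ("e200", "2024-03-10", "role_change"),
    ("e300", "2024-01-15", "terminated"),  # outside the analysis window
]
ACCOUNTS = [  # (account, employee_id, enabled, disabled_on or None)
    ("alice.ad", "e100", False, "2024-03-01"),
    ("alice.vpn", "e100", False, "2024-03-09"),  # disabled, but late
    ("alice.svc", "e100", True, None),          # still enabled
    ("bob.ad", "e200", False, "2024-03-10"),
    ("carol.ad", "e300", False, "2024-01-15"),
]


def measure_revocation(hr_events, accounts, window_start, window_end, max_days):
    """Return M1..M4, the assumed M4 / M2 ratio, and the accounts still to act on.

    window_start/window_end are Input 2 (ISO dates); max_days is the assumed
    acceptable timeframe between the HR event and the account being disabled.
    """
    start = datetime.fromisoformat(window_start)
    end = datetime.fromisoformat(window_end)
    # Operation 1: employees terminated or changed within the Input 2 period.
    affected = {}
    for emp, date, _event in hr_events:
        event_date = datetime.fromisoformat(date)
        if start <= event_date <= end:
            affected[emp] = event_date
    # M1: every account belonging to an affected employee; M2 = count.
    m1 = [acct for acct, emp, _, _ in accounts if emp in affected]
    # M3: those accounts disabled within max_days of the HR event; M4 = count.
    m3 = []
    for acct, emp, enabled, disabled_on in accounts:
        if emp not in affected or enabled or disabled_on is None:
            continue
        lag = datetime.fromisoformat(disabled_on) - affected[emp]
        if lag <= timedelta(days=max_days):
            m3.append(acct)
    m2, m4 = len(m1), len(m3)
    ratio = m4 / m2 if m2 else 1.0  # nothing to revoke counts as fully enforced
    outstanding = [acct for acct in m1 if acct not in m3]  # findings to chase
    return {"M1": m1, "M2": m2, "M3": m3, "M4": m4,
            "ratio": ratio, "outstanding": outstanding}


if __name__ == "__main__":
    print(measure_revocation(HR_EVENTS, ACCOUNTS, "2024-03-01", "2024-03-31", 1))
```

Because accounts are disabled rather than deleted, the `disabled_on` timestamp can be taken from the account's own audit trail, which is exactly what the control's "disable, don't delete" guidance preserves.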