UCF ID: 02096 | Control Type: Actionable Reports or measurements | Status: Live
Metric guidance
Calculation: The calculation for this metric is # of systems and applications where assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges / # of IT systems and applications.
Calculation source: No authority document source of information exists. The following formula was used: the number of systems and applications that use role-based access privileges and have assigned all user and administration privileges in accordance with policies, standards, and procedures, divided by the number of systems and applications listed in the CMDB for each business unit (or the organization as a whole).
The Common Control IDs associated with this metric are as follows:
• Secure access to the operating systems of all system components. [UCF Control ID 00551]
• Restrict access to security-related CONS mode key-in groups based on the security profiles. [UCF Control ID 02190]
• Configure custom access privileges for all MAPPER files. [UCF Control ID 02194]
• Configure custom access privileges for the PSERVER configuration file. [UCF Control ID 02195]
• Configure custom access privileges for the DEPCON configuration file. [UCF Control ID 02196]
• Configure the system to allow only Administrators with permissions to change the security settings of Distributed Component Object Model (DCOM) objects. [UCF Control ID 04529]
• Ensure the development team does not have access to the production environment. [UCF Control ID 01066]
• Enable access control for objects and users on each system and ensure each system's policy states which objects and users are subject to access control. [UCF Control ID 04553]
• Implement a centralized identification and access rights management process. [UCF Control ID 00528]
• Manage and maintain user accounts according to organizationally documented policies and procedures. [UCF Control ID 00526]
• Enforce assigned authorizations for system access and separate user functionality from system management functionality. [UCF Control ID 00558]
• Ensure accounts and stored information are segregated from operating system access. [UCF Control ID 00552]
• Confirm that the hosting provider ensures that processes with access to confidential data can only be executed by an organization on its own confidential data environment. [UCF Control ID 04264]
• Comply with all policies, standards, and procedures. [UCF Control ID 00818]
Supporting and supported controls
This control directly supports:
• Establish and maintain a user and administrator privileges management metrics program. [UCF Control ID 02076]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE20.3
US Federal Security Guidance
The organization must measure and report on the percentage of systems and applications where assignment of user privileges is in compliance with the policy that specifies role-based information access privileges. [ISPE20.3, CISWG Information Security Program Elements, January 10, 2005]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
