Status: Live
The organization will report on the percentage of systems and applications where the assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges. [UCF ID 02096]
Metric guidance
Calculation: The calculation for this metric is # of systems and applications where the assignment of user and administration privileges is in compliance with the policy that specifies role-based information access privileges / # of IT systems and applications.
Calculation source: No authority document source of information exists. The following formula was used: the number of systems and applications that use role-based access privileges and have assigned all user and administration privileges in accordance with policies, standards, and procedures, divided by the number of systems and applications listed in the CMDB for each business unit (or the organization as a whole).
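The calculation above leaves open what "in compliance with the policy" means for a single system. The following is an added example, not part of the UCF page: it assumes a hypothetical policy expressed as role -> allowed privileges, a constructed CMDB extract in which each system records the privileges actually assigned per role, and an "ALL" roll-up key for the organization as a whole. A system is counted as compliant only when no role on it holds a privilege outside the policy (a role the policy does not define may hold nothing). The metric is then computed per business unit and overall, guarding the zero-system case.

```python
"""Added example (not from the UCF page): role-based privilege-assignment
compliance metric [UCF ID 02096] over a constructed CMDB extract.

Assumptions (hypothetical): POLICY maps role -> privileges that role may hold;
each CMDB record carries the system name, its business unit, and the
privileges actually assigned to each role on that system.
"""
from collections import defaultdict

# Hypothetical role-based access policy.
POLICY = {
    "developer": {"read", "write"},
    "operator": {"read", "restart"},
    "administrator": {"read", "write", "restart", "admin"},
}

# Constructed CMDB extract, one record per system/application.
CMDB = [
    {"system": "crm-app", "unit": "sales",
     "assignments": {"developer": {"read", "write"},
                     "administrator": {"read", "admin"}}},
    {"system": "crm-db", "unit": "sales",
     "assignments": {"developer": {"read", "write", "admin"}}},  # developer holds admin
    {"system": "hr-portal", "unit": "hr",
     "assignments": {"operator": {"read", "restart"}}},
    {"system": "hr-legacy", "unit": "hr",
     "assignments": {"contractor": {"read"}}},  # role absent from policy
    {"system": "payroll", "unit": "hr",
     "assignments": {}},  # no privileges assigned: nothing violates policy
]


def violations(policy, assignments):
    """Return sorted (role, privilege) pairs assigned outside the policy."""
    found = []
    for role, privs in assignments.items():
        allowed = policy.get(role, set())  # undefined role may hold nothing
        for priv in sorted(privs - allowed):
            found.append((role, priv))
    return found


def compliance_metric(policy, cmdb):
    """Return {unit: (compliant, total, percent)} plus an 'ALL' roll-up.

    percent is None when a unit has no systems, so the metric never divides
    by zero for a business unit with an empty CMDB slice.
    """
    counts = defaultdict(lambda: [0, 0])
    for rec in cmdb:
        compliant = not violations(policy, rec["assignments"])
        for key in (rec["unit"], "ALL"):
            counts[key][0] += int(compliant)
            counts[key][1] += 1
    result = {}
    for key, (compliant, total) in counts.items():
        percent = round(100.0 * compliant / total, 1) if total else None
        result[key] = (compliant, total, percent)
    return result


if __name__ == "__main__":
    for rec in CMDB:
        for role, priv in violations(POLICY, rec["assignments"]):
            print(f"{rec['system']}: role {role!r} holds {priv!r} outside policy")
    for unit, (ok, total, pct) in sorted(compliance_metric(POLICY, CMDB).items()):
        print(f"{unit}: {ok}/{total} compliant ({pct}%)")
```

The per-system check is what an auditor actually samples; the percentage is only a roll-up of those results. Keeping the violation list separate from the metric makes the numerator reproducible rather than a self-reported flag.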
The Common Control IDs associated with this metric are as follows:
• Operating system access management [UCF Control ID 00551]
• Restrict access to security-related CONS mode keyin groups based upon security profiles established within the organizational standard [UCF Control ID 02190]
• Set custom access privileges for all MAPPER files according to organizational standards [UCF Control ID 02194]
• If PSERVER is going to be enabled, set custom access privileges for the PSERVER configuration file according to organizational standards [UCF Control ID 02195]
• If DEPCON is going to be enabled, set custom access privileges for the DEPCON configuration file according to organizational standards [UCF Control ID 02196]
• Only Administrators should have the permissions to change the security settings of Distributed Component Object Model (DCOM) objects [UCF Control ID 04529]
• The development team must not have access to the production environment [UCF Control ID 01066]
• Ensure that access control for objects and users is enabled on each system and that each system's policy states which objects and users are subject to access control [UCF Control ID 04553]
• Central identification and access rights management [UCF Control ID 00528]
• User control of user accounts [UCF Control ID 00526]
• Application and object access and separation enforcement [UCF Control ID 00558]
• Ensure accounts (and stored information) are segregated from operating system access [UCF Control ID 00552]
• The hosting provider should have access and privileges only to its own confidential data environment [UCF Control ID 04264]
• Compliance with policies, standards, and procedures [UCF Control ID 00818]
Supporting and supported controls
This control directly supports:
• Establish and maintain a user and administrator privileges metrics management program [UCF Control ID 02076]
There are no supporting controls.
Authority documents complied with:
CISWG Information Security Program Elements, January 10, 2005, ISPE20.3
US Federal Security Guidance
The organization must measure and report on the percentage of systems and applications where assignment of user privileges is in compliance with the policy that specifies role-based information access privileges. [ISPE20.3, CISWG Information Security Program Elements, January 10, 2005]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
