
Management Review and Approval

There are two types of managers to distinguish when discussing account management: system account managers (such as the employees responsible for creating email accounts) and the employee's actual manager (the person he or she reports to). The employee's manager must provide formal approval for account creation as part of the account creation process, and must also notify the system account managers when the employee's role changes, when the employee leaves the organization, and so on.

Let's assume an organization's policy requires an employee's manager to notify the system account managers within 24 hours of a change to that employee's status. Note that there is no industry-wide best practice for this duration: it is an organization-defined value that should come out of each organization's risk analysis. NIST Special Publication 800-53r5 (control AC-2, Account Management) leaves the time period to the organization and requires that, within it, account managers be notified when accounts are no longer required, when users are terminated or transferred, and when system usage or need-to-know changes for an individual [5]. In this example, each of those notifications would have to occur within 24 hours.

Key Performance and Risk Indicators

Key Performance Indicators (KPIs) and Key Risk Indicators (KRIs) are widely used business terms that also apply to information security. In the information security world, KPIs are used to measure performance, most often availability, while (as the name implies) KRIs are used to measure risk.

KPI examples include system uptime, bandwidth and latency, number of emails sent and received, and concurrent users. KRI examples include vulnerability scanning findings, counts of unpatched and legacy systems, use of single-factor authentication, and antivirus events. Fig. 7.1 shows an example KRI tracking system updates, vulnerabilities, user identification, and automated logout.
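The following is an added example, not code from the book, showing how the account management policy from the previous section and the KRIs listed above can be computed from inventory data. The 24-hour notification window comes from the text; the 30-day patch SLA, the record layouts, and the account and host records are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed, hypothetical records: these are not from the book.

@dataclass
class Account:
    user: str
    enabled: bool
    mfa: bool
    hr_event: Optional[str]           # "terminated", "transferred", or None
    hr_event_at: Optional[datetime]   # when the manager's notification clock started
    actioned_at: Optional[datetime]   # when account managers disabled/re-provisioned it

@dataclass
class Host:
    name: str
    last_patched: datetime
    legacy: bool

POLICY_WINDOW = timedelta(hours=24)  # organization-defined value from the text's example
PATCH_SLA = timedelta(days=30)       # assumed patch SLA for this example

def overdue_accounts(accounts, now):
    """Users whose HR event was not acted on within POLICY_WINDOW.

    An account is overdue if it has an HR event and either nothing has been
    done past the deadline, or the action came after the deadline.
    """
    overdue = []
    for a in accounts:
        if a.hr_event is None:
            continue
        deadline = a.hr_event_at + POLICY_WINDOW
        if a.actioned_at is None:
            if now > deadline:          # still untouched and the window has closed
                overdue.append(a.user)
        elif a.actioned_at > deadline:  # handled, but late
            overdue.append(a.user)
    return overdue

def _pct(numerator, denominator):
    """Percentage that tolerates an empty population (returns 0.0)."""
    return round(100.0 * numerator / denominator, 1) if denominator else 0.0

def kris(accounts, hosts, now):
    """Key risk indicators over the current account and host inventory."""
    enabled = [a for a in accounts if a.enabled]
    single_factor = sum(1 for a in enabled if not a.mfa)
    unpatched = sum(1 for h in hosts if now - h.last_patched > PATCH_SLA)
    return {
        "single_factor_pct": _pct(single_factor, len(enabled)),
        "unpatched_pct": _pct(unpatched, len(hosts)),
        "legacy_hosts": sum(1 for h in hosts if h.legacy),
        "deprovisioning_overdue": len(overdue_accounts(accounts, now)),
    }

NOW = datetime(2024, 3, 11, 9, 0)

SAMPLE_ACCOUNTS = [
    Account("alice", True, True, None, None, None),
    # terminated, never disabled: overdue
    Account("bob", True, False, "terminated", datetime(2024, 3, 8, 9, 0), None),
    # transferred and re-provisioned within 24h: fine
    Account("carol", True, True, "transferred", datetime(2024, 3, 9, 8, 0), datetime(2024, 3, 9, 20, 0)),
    # terminated and disabled, but two hours late: overdue
    Account("dave", False, False, "terminated", datetime(2024, 3, 9, 14, 0), datetime(2024, 3, 10, 16, 0)),
    # terminated 13 hours ago: clock still running, not overdue
    Account("erin", True, True, "terminated", datetime(2024, 3, 10, 20, 0), None),
]

SAMPLE_HOSTS = [
    Host("web01", datetime(2024, 3, 1), False),
    Host("db01", datetime(2024, 1, 15), False),       # past the 30-day SLA
    Host("hr-legacy", datetime(2023, 6, 1), True),    # legacy and unpatched
    Host("vpn01", datetime(2024, 2, 20), False),
]

if __name__ == "__main__":
    print("overdue:", overdue_accounts(SAMPLE_ACCOUNTS, NOW))
    for name, value in kris(SAMPLE_ACCOUNTS, SAMPLE_HOSTS, NOW).items():
        print(f"{name}: {value}")
```

Note that `erin` is not flagged even though she has left: the 24-hour window has not closed yet, so the report only raises accounts where the policy has actually been missed, and `dave` is flagged although the account is now disabled, because the action came after the deadline. Both behaviours are what a reviewer of the KRI would want to see separated.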

Fig. 7.1 Key risk indicators. Source: https://www.researchgate.net/publication/283329102_THE_INFORMATION_CONFIDENTIALITY_AND_CYBER_SECURITY_IN_MEDICAL_INSTITUTIONS.
Image by: Sabau-Popa, Claudia Diana; Bradea, Ioana-Alexandra; Bolos, Marcel; Delcea, Camelia.
Image under permission of Creative Commons Attribution-NoDerivatives 4.0 International (CC BY-ND 4.0).