Collecting Metrics 2.9 & 2.10
Privileged User Review, Adjustments, & Termination
1. Identify the users and their accounts from Metric 2.5.
2. For each user and their privileged network accounts:
   • Was the privileged access added in the last 12 months? If so, it should have been reviewed prior to adding. Look for evidence of this.
   • If the access existed prior to the 12-month period, was an access review performed and completed for this user's access (typically called an access certification or recertification) within the past 12 months?
3. If the answer to either of the above was yes across all of the user's privileged network accounts, include the user in the count and record the value for Metric 2.9.

1. If the result for Metric 2.9 was 0 (no reviews performed), record 0 for Metric 2.10. If there were results for 2.9, continue through these steps.
2. Work with the ISSO to gather the documentation (digital or physical) supporting the access review process for the privileged network accounts.
3. Identify the users (account owners) from 2.9 who, at the time of review, were users with privileged accounts.
4. Of the users who have been reviewed, determine whose account access was indicated as inappropriate or no longer needed.
5. Count the number of users identified in Step 4 who had their access removed or changed as a result of this review.
Step 2 Tip
Information System Security Officers (ISSOs) are required to review privileged accounts periodically. Work with the ISSO responsible for the network accounts to validate that the access was reviewed in the appropriate timeframe, and that the consequent actions were taken.
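The two counting procedures above, as an added worked example that is not part of this guide and is not any agency's collection tooling. It assumes a hypothetical per-account record (fields such as `granted_on`, `reviewed_before_grant`, `last_recertified`, `flagged_inappropriate` and `access_changed` are constructed for the example), reads "the last 12 months" as a 365-day window ending on the collection date, and applies the per-account rule so that a user is counted for Metric 2.9 only when every one of their privileged network accounts passes one of the two questions. The sample users are constructed to show each outcome: a recent grant with pre-add review evidence, a recertified long-standing account, a user with one unreviewed recent account, a stale recertification, and a flagged account whose access was not actually changed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Hypothetical record shapes; a real collection would populate these from the
# ISSO's access-certification documentation and the account inventory (Metric 2.5).
@dataclass
class PrivilegedAccount:
    account_id: str
    granted_on: date                       # when privileged access was added
    reviewed_before_grant: bool            # evidence the access was reviewed prior to adding
    last_recertified: Optional[date]       # most recent completed access certification
    flagged_inappropriate: bool = False    # review marked access inappropriate / no longer needed
    access_changed: bool = False           # access removed or changed as a result of that review

@dataclass
class User:
    user_id: str
    accounts: List[PrivilegedAccount]

def account_reviewed(acct: PrivilegedAccount, as_of: date, window_days: int = 365) -> bool:
    """Answer the two Step 2 questions for one account (assumption: 12 months = 365 days)."""
    window_start = as_of - timedelta(days=window_days)
    if acct.granted_on >= window_start:
        # Added within the window: it should have been reviewed prior to adding.
        return acct.reviewed_before_grant
    # Existed before the window: a certification must have completed within the window.
    return acct.last_recertified is not None and acct.last_recertified >= window_start

def metric_2_9_users(users: List[User], as_of: date) -> List[str]:
    """Users for whom every privileged network account passed one of the two questions."""
    return [
        u.user_id
        for u in users
        if u.accounts and all(account_reviewed(a, as_of) for a in u.accounts)
    ]

def metric_2_10_users(users: List[User], reviewed_ids: List[str]) -> List[str]:
    """Of the reviewed users (2.9), those whose flagged access was removed or changed."""
    by_id = {u.user_id: u for u in users}
    result = []
    for uid in reviewed_ids:
        flagged = [a for a in by_id[uid].accounts if a.flagged_inappropriate]
        # Step 4 identifies flagged users; Step 5 counts those where action was taken.
        if flagged and any(a.access_changed for a in flagged):
            result.append(uid)
    return result

def collect_metrics(users: List[User], as_of: date) -> Dict[str, int]:
    reviewed = metric_2_9_users(users, as_of)
    if not reviewed:
        # Metric 2.10 Step 1: no reviews performed means 2.10 is recorded as 0.
        return {"2.9": 0, "2.10": 0}
    return {"2.9": len(reviewed), "2.10": len(metric_2_10_users(users, reviewed))}

# Constructed sample data (not real accounts). Collection date is 30 Sep 2024.
AS_OF = date(2024, 9, 30)
SAMPLE_USERS = [
    # Added within the window with evidence of review before adding: counts for 2.9.
    User("alice", [PrivilegedAccount("adm-alice", date(2024, 3, 1), True, None)]),
    # Long-standing account recertified in the window, flagged and changed: 2.9 and 2.10.
    User("bob", [PrivilegedAccount("adm-bob", date(2021, 1, 15), False, date(2024, 5, 10),
                                   flagged_inappropriate=True, access_changed=True)]),
    # One account is fine, the other was added recently with no pre-add review: excluded.
    User("carol", [PrivilegedAccount("adm-carol1", date(2020, 4, 2), False, date(2024, 2, 1)),
                   PrivilegedAccount("adm-carol2", date(2024, 6, 1), False, None)]),
    # Last certification is older than the window: excluded.
    User("dave", [PrivilegedAccount("adm-dave", date(2019, 7, 9), False, date(2023, 1, 1))]),
    # Reviewed and flagged, but access was never actually changed: 2.9 only.
    User("erin", [PrivilegedAccount("adm-erin", date(2018, 11, 20), False, date(2024, 8, 15),
                                    flagged_inappropriate=True, access_changed=False)]),
]

if __name__ == "__main__":
    print(metric_2_9_users(SAMPLE_USERS, AS_OF))
    print(collect_metrics(SAMPLE_USERS, AS_OF))
```

The "all accounts must pass" rule is the strict reading of Step 3; if an agency's guidance treats a user as reviewed when any one account was certified, change `all(...)` to `any(...)` in `metric_2_9_users`. Erin's case is the one worth checking in the ISSO's records: a review that flags access but produces no change does not contribute to Metric 2.10.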