KuppingerCole Report
Advisory Note
By Mike Small

KRIs and KPI for Access Governance

This report provides selected Key Risk Indicators (KRI) for the area of Access Governance. These indicators are easy to measure and provide organizations with a quick overview of the relevant risks and how these are changing. The indicators can be combined into a risk scorecard which then can be used in IT management and corporate management.
Contact: sm@kuppingercole.com

1 Executive Summary

The report provides selected Key Risk Indicators (KRI) for the area of Access Governance. These indicators are easy to measure and provide organizatio ...


2 Highlights

  • The report provides selected Key Risk Indicators (KRI) for the area of Access Governance. These indicators are easy to measure and provide organizat ...

3 Why work with KRIs and KPIs?

To manage IT services effectively requires a set of measures against which performance can be judged.

There are several types of metrics: key goal ...


3.1 The value of KRIs and KPIs

There are several obvious ways in which the use of KRIs/KPIs offers value. From KuppingerCole's perspective, the four most important ones are:

  • Re ...

4 The Top KRIs/KPIs for Access Governance

To enable organizations to start using Risk based Access Governance quickly this report identifies the top KRIs/KPIs for the areas of IAM and Access G ...


4.1 Classification of Applications and Information

You can’t protect what you don’t know you have. The first step towards access governance is to classify the data held by the organization. This ...


4.1.1 Information Classification

You can’t protect what you don’t know you have. The first step towards access governance is to classify the data held by the organization. This ...


4.1.2 Risk classification of applications

We strongly recommend building a list of all applications used within an organization and a risk classification of these applications. The risk classi ...


4.2 Identity Lifecycle Management

This covers KPIs for all the processes concerned with managing the complete lifecycle of the electronic identities of individuals with access to systems, ...


4.2.1 Employee Screening

It is essential that employees and other people who have access to organizational systems, applications and data are vetted. Potential employees ...


4.2.2 Orphan accounts

These are user accounts in systems which are not associated with a specific known person or entity.

Related ISO/IEC 27001 Controls A.9.2.1 U ...

4.2.3 Digital identities per physical person

Related ISO/IEC 27001 Controls A.9.2.6 Removal or Adjustment of Access Rights
Indicator: Average number of Digital identities per ...

4.2.4 Systems included in Identity Lifecycle Management

Related ISO/IEC 27001 Controls: A.9.2.1 User registration and de-registration; A.9.2.2 User access provisioning; A.9.2.4 Management of secret a ...

4.2.5 Time taken for changes to identities and access

Related ISO/IEC 27001 Controls: A.9.2.1 User registration and de-registration; A.9.2.2 User access provisioning
Indicator: Average ...

4.2.6 Delegated administration

Related ISO/IEC 27001 Controls: A.9.2.3 Management of privileged access rights
Indicator: Systems with controlled levels of delegated administration ...

4.3 Access Management - Authentication

The explosion in the ways that people can connect to the systems using mobile devices and the internet has increased the risks of impersonation, and c ...


4.3.1 Users which use one authentication system

Related ISO/IEC 27001 Controls A.9.4 System and application access control
Indicator: Percentage of users which are authenticated ...

4.3.2 Applications with integration to one authentication system

Related ISO/IEC 27001 Controls A.9.4 System and application access control
Indicator: Percentage of applications which authentica ...

4.3.3 Portals/portlets with no/own authentication

...
Related ISO/IEC 27001 Controls: A.9.4 System and application access control; A.9.4.2 Secure log-on procedures; A.9.4.3 Password management system

4.3.4 Application Directories

...
Related ISO/IEC 27001 Controls: A.9.4 System and application access control; A.9.4.2 Secure log-on procedures; A.9.4.3 Password management system

4.3.5 Single Sign-On reach

...
Related ISO/IEC 27001 Controls: A.9.4 System and application access control; A.9.4.2 Secure log-on procedures; A.9.4.3 Password management system

4.3.6 Deployment of strong authentication

Related ISO/IEC 27001 Controls: A.9.4 System and application access control; A.9.4.2 Secure log-on procedures
Indicator: Percentage ...

4.3.7 Authentication strength

Related ISO/IEC 27001 Controls: A.9.4 System and application access control; A.9.4.2 Secure log-on procedures
Indicator: Strength of ...

4.3.8 Federation support

...
Related ISO/IEC 27001 Controls: A.9.4 System and application access control; A.9.4.2 Secure log-on procedures; A.13.2 Information transfer

4.4 Access Management – Allocation and Review

Access to information, applications, and systems should be controlled based on business requirements. Access rights should be assigned in a timely ma ...


4.4.1 Role Management reach

Related ISO/IEC 27001 Controls: A.9.1 Business requirements of access control; A.9.4 System and application access control; A.9.4.1 Informatio ...

4.4.2 Entitlement Management

Related ISO/IEC 27001 Controls: A.9.1 Business requirements of access control; A.9.4 System and application access control; A.9.4.1 Informatio ...

4.4.3 Number of Business Roles

Related ISO/IEC 27001 Controls: A.9.1 Business requirements of access control; A.9.4 System and application access control
Indicat ...

4.4.4 Completeness of Segregation of Duties

Related ISO/IEC 27001 Controls: A.6.1.2 Segregation of duties; A.9.1 Business requirements of access control; A.9.4 System and application acces ...

4.4.5 Completeness of Attestation of Entitlements

Related ISO/IEC 27001 Controls: A.9.1 Business requirements of access control; A.9.2.5 Review of user access rights
Indicator: Proport ...

4.4.6 Authorization and Cloud Services

Related ISO/IEC 27001 Controls: A.9.1 Business requirements of access control; A.9.4 System and application access control; A.13.2 Informatio ...

4.5 Privileged Access Management

Managing privileged user access is an important objective of identity and access governance. These privileged accounts represent a potential risk bec ...


4.5.1 Privileged Accounts

Related ISO/IEC 27001 Controls: A.9.2.3 Management of privileged access rights; A.9.4.4 Use of privileged utility programs
Indicator: Percentage of un ...

4.6 Identity and Access Monitoring

Identity and access governance depends upon being able to monitor performance against specified controls. This monitoring requires trustworthy logs o ...


4.6.1 Auditing according to guidelines

Related ISO/IEC 27001 Controls: A.9 Access control; A.12.4 Logging and monitoring; A.12.7 Information systems audit considerations
Indic ...

4.6.2 Signed audit logs

Related ISO/IEC 27001 Controls: A.12.4 Logging and monitoring; A.12.4.2 Protection of log information
Indicator: Percentage of audit l ...

4.6.3 Centralized Auditing

Related ISO/IEC 27001 Controls: A.12.4 Logging and monitoring; A.12.4.1 Event logging; A.12.4.3 Administrator and operator logs
Indicator ...

4.6.4 Authentication failures

Related ISO/IEC 27001 Controls: A.12.4 Logging and monitoring; A.12.4.1 Event logging; A.9.4 System and application access control
Indica ...

4.6.5 Fraud attempts detected

Related ISO/IEC 27001 Controls: A.14.1 Security requirements of information systems; A.12.4 Logging and monitoring
Indicator: Number ...

4.6.6 Segregation of audit

...
Related ISO/IEC 27001 Controls: A.6.1.2 Segregation of duties; A.12.4 Logging and monitoring; A.12.7 Information systems audit considerations

4.7 ISO/IEC 27001 Controls Mapped to KPIs

ISO/IEC 27001 is a widely accepted standard for information security. The KPIs specified in this report help to demonstrate progress towards implemen ...

ISO Control   KPI     KPI Name
A.6.1.2       4.4.4   Completeness of Segregation of Duties Controls
              4.6.6   Segregation of audit
A.7.1         4. ...

5 Recommendations

To realize the benefits described in the previous chapters it is recommended that IT organizations move to using KRIs and KPIs for access governance. ...


5.1 Organizational aspects

There are several standardized frameworks for IT management available; examples include ISO/IEC 20000, ITIL and COBIT 5. So, there are already availab ...


5.2 Risk based access governance processes

Using the approach described in 5.1, the initial phase of a risk based access governance should adopt lean processes.

  • Collection: How can the info ...

5.3 The choice of KRIs and KPIs

There are three golden rules for choosing the appropriate KRIs/KPIs, these are:

  1. Choose valid indicators: Indicators should be capable of being direct ...

5.4 Base KPIs and KRIs on business goals

The KPIs and KRIs must be based on business goals.

For example, if a strategic goal of an organization is to comply with the EU GDPR (General Data ...

In terms of access governance this means that:

  • The organization must be able to identify which data it holds is within the scope of this regulatio ...

5.5 Scorecard Approach

KuppingerCole strongly recommends building a scorecard for the KRIs. That scorecard could be divided into the following segments:

The scorecard could then include four pieces of information per KRI:

  • Current value
  • Change (either absolute or relative)
  • Direction of change
  • I ...
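As an added example (not part of the KuppingerCole report), the following Python computes two of the indicators listed earlier from a constructed HR roster and account inventory and then builds the per-KRI scorecard entries described in this section: the orphan account KRI of 4.2.2, the digital identities per physical person KRI of 4.2.3, and the current value, change and direction of change columns of 5.5. All systems, people, account names and previous-period values are made up; the `leaver_accounts` check and the `worsening` flag are this example's own additions, not indicators defined by the report.

```python
"""Worked KRI computation for access governance (added example).

Constructed sample data: an HR roster and account inventories exported
from three systems. All names, identifiers and previous-period values
are invented for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Account:
    system: str
    name: str
    owner: Optional[str]  # HR person id the account is linked to, or None


# Constructed HR roster: person id -> employment status
HR_ROSTER: Dict[str, str] = {
    "p001": "active",
    "p002": "active",
    "p003": "active",
    "p004": "terminated",
}

# Constructed account inventory collected from three systems
ACCOUNTS: List[Account] = [
    Account("AD", "alice", "p001"),
    Account("AD", "bob", "p002"),
    Account("AD", "svc_backup", None),    # no owner recorded
    Account("SAP", "ALICE", "p001"),
    Account("SAP", "CAROL", "p003"),
    Account("SAP", "TEMP01", "p999"),     # owner id unknown to HR
    Account("Linux", "alice", "p001"),
    Account("Linux", "dave", "p004"),     # owner has left the company
    Account("Linux", "oldadmin", None),   # no owner recorded
]


def orphan_accounts(accounts: List[Account], roster: Dict[str, str]) -> List[Account]:
    """Accounts not associated with a known person (section 4.2.2)."""
    return [a for a in accounts if a.owner is None or a.owner not in roster]


def leaver_accounts(accounts: List[Account], roster: Dict[str, str]) -> List[Account]:
    """Accounts whose owner is known but no longer active.
    Assumption of this example: leavers' accounts are reported separately
    from orphans because they point at the de-provisioning process (A.9.2.6)."""
    return [a for a in accounts if a.owner in roster and roster[a.owner] != "active"]


def orphan_ratio(accounts: List[Account], roster: Dict[str, str]) -> float:
    """KRI: percentage of all accounts that are orphans."""
    return 100.0 * len(orphan_accounts(accounts, roster)) / len(accounts)


def identities_per_person(accounts: List[Account], roster: Dict[str, str]) -> float:
    """KRI (section 4.2.3): average number of accounts per active person."""
    active = [p for p, status in roster.items() if status == "active"]
    owned = [a for a in accounts if a.owner in active]
    return len(owned) / len(active)


def scorecard_row(name: str, current: float, previous: float, higher_is_worse: bool = True) -> dict:
    """Scorecard entry (section 5.5): current value, absolute and relative
    change, direction of change. 'worsening' is this example's own addition:
    the direction read against whether a higher value means more risk."""
    change = current - previous
    if abs(change) < 1e-9:
        direction = "flat"
    else:
        direction = "up" if change > 0 else "down"
    relative = (change / previous * 100.0) if previous else None
    worsening = (direction == "up") == higher_is_worse if direction != "flat" else False
    return {
        "kri": name,
        "current": round(current, 2),
        "change_abs": round(change, 2),
        "change_rel_pct": None if relative is None else round(relative, 1),
        "direction": direction,
        "worsening": worsening,
    }


if __name__ == "__main__":
    # Previous-period values (40.0 % and 1.5) are constructed for illustration.
    rows = [
        scorecard_row("orphan_accounts_pct", orphan_ratio(ACCOUNTS, HR_ROSTER), 40.0),
        scorecard_row("identities_per_person", identities_per_person(ACCOUNTS, HR_ROSTER), 1.5),
    ]
    for row in rows:
        print(row)
    # Accounts an access reviewer would be asked to attest or remove
    for acct in orphan_accounts(ACCOUNTS, HR_ROSTER) + leaver_accounts(ACCOUNTS, HR_ROSTER):
        print("review:", acct.system, acct.name, acct.owner)
```

The denominator choice matters for comparability: `orphan_ratio` is computed over all accounts so that systems of different size can be compared, while `identities_per_person` is computed over all active people, not only those who already hold an account, so that people who should have accounts but do not still pull the average down and show up in the lifecycle KPIs of 4.2.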

Copyright

©2019 KuppingerCole Analysts AG, all rights reserved. Reproduction and distribution of this publication in any form is forbidden without prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaims all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole does not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks™ or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole Analysts, founded in 2004, is a global analyst company headquartered in Europe focusing on Information Security and Identity and Access Management (IAM). KuppingerCole stands for expertise, thought leadership, outstanding practical relevance, and a vendor-neutral view on the information security market segments, covering all relevant aspects like: Identity and Access Management (IAM), Governance & Auditing Tools, Cloud and Virtualization Security, Information Protection, Mobile as well as Software Security, System and Network Security, Security Monitoring, Analytics & Reporting, Governance, and Organization & Policies.

For further information, please contact clients@kuppingercole.com.
