
    User Security Audit Based on Role Risk Level

    Has anyone implemented a user security audit review based on roles/permission lists being assigned a risk level?

    If so, how did you define your risk levels?

    For each risk level, how often do you complete an audit of users with that role/permission list? (Monthly, Quarterly or Yearly)

    Hi Keith.

    Haven't implemented a user security audit review based on role/permission lists being assigned a risk level as such, but have been involved in a related exercise. Hence you could:

    1. Get the customer to categorize and classify their data within PeopleSoft (i.e. sensitive or non-sensitive). Refer to PeopleSoft HCM 9.2 - Personally Identifiable and Sensitive Data (Doc ID 2313438.1) as an example.

    2. Following the above, assist the Customer in assigning a risk rating across the various data categories & system access, e.g. updating employee Bank Account information would be a High risk. Access to Query Manager would be a High risk, etc.

    3. Using the above information and with reference to PeopleSoft Permission lists & page navigation, generate a User Role Security matrix and assign a default risk rating across all system access.

    4. Distribute the spreadsheet as part of your internal security assessment for SME review and update to validate system / data access is appropriate.

    5. Any changes would need to follow standard internal user provisioning change control procedures.

    My current customer is looking to conduct a security assessment twice per year (once mandatory) for Financials just prior to their yearly external audit.

    Cheers Michael
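
Step 3 of the reply above as an added example, not code from either poster: it joins users to roles to permission lists and attaches the agreed rating, flagging any permission list that has not been rated yet. PSROLEUSER and PSROLECLASS follow the PeopleTools security tables (only the columns needed here); the PERMLIST_RISK table, the role and permission list names, the LOW rating and all rows are constructed for illustration, with only the two High ratings taken from the reply.

```python
import sqlite3

# Constructed sample data. PSROLEUSER / PSROLECLASS mirror the PeopleTools
# security tables; PERMLIST_RISK is a hypothetical table holding the ratings
# agreed with the data owners in step 2.
SCHEMA = """
CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT);
CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
CREATE TABLE PERMLIST_RISK (CLASSID TEXT PRIMARY KEY, ACCESS_DESCR TEXT, RISK TEXT);
INSERT INTO PSROLEUSER VALUES
  ('JSMITH','PAYROLL_ADMIN'), ('JSMITH','EMPLOYEE_SELF_SVC'), ('MLEE','REPORT_WRITER'),
  ('TNGUYEN','EMPLOYEE_SELF_SVC'), ('TNGUYEN','NEW_CUSTOM_ROLE');
INSERT INTO PSROLECLASS VALUES
  ('PAYROLL_ADMIN','PL_BANK_ACCT_UPD'), ('EMPLOYEE_SELF_SVC','PL_SELF_SVC'),
  ('REPORT_WRITER','PL_QUERY_MGR'), ('NEW_CUSTOM_ROLE','PL_CUSTOM');
INSERT INTO PERMLIST_RISK VALUES
  ('PL_BANK_ACCT_UPD','Update employee bank account','HIGH'),
  ('PL_QUERY_MGR','Query Manager','HIGH'),
  ('PL_SELF_SVC','View own profile','LOW');
"""

# One row per user/role/permission list. A permission list nobody has rated
# yet is reported as UNRATED rather than silently dropped from the review.
MATRIX_SQL = """
SELECT ru.ROLEUSER, ru.ROLENAME, rc.CLASSID, COALESCE(r.RISK, 'UNRATED') AS RISK
FROM PSROLEUSER ru
JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
LEFT JOIN PERMLIST_RISK r ON r.CLASSID = rc.CLASSID
ORDER BY ru.ROLEUSER, ru.ROLENAME, rc.CLASSID
"""

RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "UNRATED": 4}  # unrated sorts on top

def build_matrix():
    """Return the user/role/permission-list matrix with a rating per row."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db.execute(MATRIX_SQL).fetchall()

def highest_risk_per_user(matrix):
    """Collapse the matrix to each user's worst rating for SME triage."""
    worst = {}
    for user, _role, _classid, risk in matrix:
        if RANK[risk] > RANK.get(worst.get(user), 0):
            worst[user] = risk
    return worst

if __name__ == "__main__":
    print(highest_risk_per_user(build_matrix()))
```

The rows from `build_matrix()` are what would go into the spreadsheet distributed for SME review in step 4.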

     
