- 2 Posts
- 250 Views
Has anyone implemented a user security audit review based on roles/permission lists being assigned a risk level?
If so, how did you define your risk levels?
For each risk level how often do you complete an audit of users with that role/permission list? (Monthly, Qtrly or Yearly)
Haven't implemented a user security audit review based on role/permission lists being assigned a risk level as such, but have been involved in a related exercise. Hence you could :
1. Get the customer to categorize and classify their data within PeopleSoft (ie. sensitive or non sensitive). Refer to PeopleSoft HCM 9.2 - Personally Identifiable and Sensitive Data (Doc ID 2313438.1) as an example..
2. Following the above, assist the Customer in assigning a risk rating across the various data categories & system access..eg Updating employee Bank Account information would be a High risk. Access to Query Manager would be a High risk etc
3. Using the above information and with reference to PeopleSoft Permission lists & page navigation, generate a User Role Security matrix and assign a default risk rating across all system access.
4. Distribute the spreadsheet as part of your internal security assessment for SME review and update to validate system / data access is appropriate.
5. Any changes would need to follow standard internal user provisioning change control procedures
My current customer is looking to conduct a security assessment twice per year (once mandatory) for Financials just prior to their yearly external audit.