User Security Audit Based on Role Risk Level

Has anyone implemented a user security audit review based on roles/permission lists being assigned a risk level?

If so, how did you define your risk levels?

For each risk level how often do you complete an audit of users with that role/permission list?  (Monthly, Qtrly or Yearly)

Hi Keith.

Haven't implemented a user security audit review based on role/permission lists being assigned a risk level as such, but have been involved in a related exercise. Hence you could :

1. Get the customer to categorize and classify their data within PeopleSoft (ie. sensitive or non sensitive).  Refer to PeopleSoft HCM 9.2 - Personally Identifiable and Sensitive Data (Doc ID 2313438.1) as an example..

2. Following the above, assist the Customer in assigning a risk rating across the various data categories & system access..eg Updating employee Bank Account information would be a High risk. Access to Query Manager would be a High risk etc

3. Using the above information and with reference to PeopleSoft Permission lists & page navigation, generate a User Role Security matrix and assign a default risk rating across all system access.

4. Distribute the spreadsheet as part of your internal security assessment for SME review and update to validate system / data access is appropriate.

5. Any changes would need to follow standard internal user provisioning change control procedures

My current customer is looking to conduct a security assessment twice per year (once mandatory) for Financials  just prior to their yearly external audit.

Cheers Michael