There are several layers of Access Control that need to be audited. These are some of the questions that need to be asked when auditing access.
Physical access:
- Which groups or individuals have access to sensitive locations or equipment in the organization being audited?
Operating System/Network Access to network resources:
- Who has access to file shares or network resources on the network? E.g., does the Marketing Department really need access to the Sales Team’s reports folder?
- What kinds of privileges do individuals or groups have in these shares – Read, Write, Execute?
- Are these privileges appropriate?
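As an added example (not part of the original text), the three file-share questions above can be turned into a repeatable check: compare an exported list of share permissions with the access the business has approved and flag every grant that falls outside it. The share paths, group names and the semicolon-separated export format are constructed for the example.

```python
"""Compare an observed file-share ACL export with an approved-access policy.
Share paths, group names and the ';'-separated export format are constructed for this example."""
from dataclasses import dataclass

@dataclass(frozen=True)
class AclEntry:
    share: str             # UNC path of the share or folder
    principal: str         # group or user granted access
    rights: frozenset      # subset of {"Read", "Write", "Execute"}

def parse_export(text):
    """Parse lines of the form '<share>;<principal>;<Right>,<Right>' (constructed format)."""
    entries = []
    for line in text.strip().splitlines():
        share, principal, rights = (field.strip() for field in line.split(";"))
        entries.append(AclEntry(share, principal, frozenset(r for r in rights.split(",") if r)))
    return entries

# Approved access per share: principal -> rights signed off by the data owner; unlisted = not approved.
POLICY = {
    r"\\fs01\Sales\Reports": {
        "Sales-Team": frozenset({"Read", "Write"}),
        "Sales-Managers": frozenset({"Read", "Write", "Execute"}),
    },
    r"\\fs01\Marketing": {"Marketing": frozenset({"Read", "Write"})},
}

def audit(entries, policy):
    """Return (share, principal, issue, rights) for every grant the policy does not cover."""
    findings = []
    for e in entries:
        allowed = policy.get(e.share, {}).get(e.principal, frozenset())
        if not allowed:
            findings.append((e.share, e.principal, "no approved access", sorted(e.rights)))
        elif e.rights - allowed:
            findings.append((e.share, e.principal, "excess rights", sorted(e.rights - allowed)))
    return findings

# Constructed ACL export, as a share-permission report might be dumped for review.
OBSERVED_EXPORT = r"""
\\fs01\Sales\Reports;Sales-Team;Read,Write
\\fs01\Sales\Reports;Marketing;Read
\\fs01\Sales\Reports;Sales-Managers;Read,Write,Execute
\\fs01\Marketing;Marketing;Read,Write,Execute
\\fs01\Marketing;Everyone;Read
"""

if __name__ == "__main__":
    for share, who, issue, rights in audit(parse_export(OBSERVED_EXPORT), POLICY):
        print(f"{share}  {who:15} {issue}: {', '.join(rights)}")
```

Each finding answers the "is this appropriate?" question with a concrete owner to confirm or revoke; broad principals such as Everyone surface automatically because they never appear in the approved policy.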
Access to Enterprise Resource Planning systems:
- Which groups or individuals have access to each ERP module?
- Is this access appropriate?