Thoughts on Access Control

There are several layers of Access Control that need to be audited. These are some of the questions that need to be asked when auditing access.

Physical: 

  • Which groups or individuals have access to sensitive locations or equipment in the organization being audited?

Operating System/Network Access to network resources: 

  • Who has access to file shares or network resources on the network?  I.E. does the Marketing Department really need access to the Sales Team’s reports folder?
  • What kinds of privileges do individuals or groups have in these shares – Read, Write, Execute?
  • Are these privileges appropriate?

Access to Enterprise Resource Planning systems:

  • Which groups or individuals have access to each ERP module?
  • Is this access appropriate?

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>