Small business, big audit


Hello

 

We recently had an audit from one of our clients. Some of the actions they wish us to implement regarding Access Control principles are as follows.

 

Customer is required to develop controls/procedures/policies in place to demonstrate:

 

  1. that access is segregated to ensure conflicting roles are not provided to the same user
  2. evidence that an individual cannot authorise their own access, evidence that user account administrators who create, modify or revoke a user account are not permitted to be involved in the authorisation process
  3. evidence that approval of user access, set up of user access, and monitoring of access violations/violation attempts are fully segregated
  4. evidence that the individuals with privileged user access do not perform their own privileged user access monitoring
  5. evidence that the individual responsible for setting up users, access, passwords or software changes must not have access to process their own access
  6. evidence that the individual responsible for recording transactions must not have access to approve the transactions.

The above would not be a problem in a large organisation, but we have 5 employees with access to the system. I am the global admin and administer the environment as well as working normally.

 

The other people in the office are not that tech savvy, so how would we address the above points?

 

Regards

 

Jim

 

1 Reply

What they are asking for is overkill, in my opinion. My recommendation would be to keep everything open/read-only access for internal users. For specific content, allow contribute/full control. This would reduce your administration. For private content, your users can use their OneDrive accounts. Keep it off the intranet. @Ormesherg