elans
Active Member
Our company does periodic security reviews of each individual role. Our auditors are looking to enhance the processing and have us conform to a more robust and efficient security review process. The problem is, we don't know where to start with the change. Our current review process is as follows...
- Pick a role to review
- CNC Print out users in that role, P00950 output, and menu items assigned
- Review the details by our System Coordinator
- Assign the role to a "DEMO" user and log in, review what User/Role is allowed to complete
- Report on any needed changes verbally (no sign-off)
- CNC Implement the security changes where needed (sign-off)
- Move on to the next role.
Our auditors want us to up the volume and frequency of our reviews. Essentially, reviewing all roles every year. We are trying to find a good process that supports that frequency and add any steps that could help us satisfy the audits. From the above listing, does anyone do anything else differently? More efficiently? Or do you have a strict process as implemented by another party such as a SOX or HIPAA auditor? All answers are helpful! Thanks!