I’ve written before about how some periodic reviews give management far less assurance than they think they are getting.
My previous post focused mostly on server access. In this post, I want to look at normal user access.
For example, let’s assume your company has a policy that all access must be granted through Active Directory groups. In other words, IDs are placed in groups, and groups are granted rights on assets; an ID should never be granted rights on an asset directly.
Assume the control you are testing states that user access is reviewed annually.
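Before trusting an annual review, it is worth testing the policy itself, because an access review that only looks at group names never sees an ID that was granted rights directly. The following Python script is an added example for this post, not the author's code: it parses an icacls-style ACL export for an asset, looks each principal up in a (constructed) table of AD object classes, and reports every entry that is a user or an unknown principal rather than a group. The share name, group names and user IDs are hypothetical, and the directory lookup stands in for what you would pull from AD with Get-ADObject or an LDAP query.

```python
"""Check an asset's ACL against a 'groups only' access policy.

Added example, not the original post's code. The ACL export and the
principal-to-object-class table below are constructed sample data.
"""

# Constructed: principal -> AD object class, as an auditor would export
# from AD (e.g. Get-ADObject) before running the test.
DIRECTORY = {
    r"CORP\FIN-Share-RW": "group",
    r"CORP\FIN-Share-RO": "group",
    r"CORP\Domain Admins": "group",
    r"CORP\jsmith": "user",
    r"CORP\svc-backup": "user",
}

# Constructed: icacls-style output for one share. The first line carries
# the path followed by the first ACE; continuation lines are indented.
ACL_EXPORT = r"""\\fileserver\finance CORP\FIN-Share-RW:(OI)(CI)(M)
                     CORP\FIN-Share-RO:(OI)(CI)(RX)
                     CORP\jsmith:(OI)(CI)(F)
                     CORP\Domain Admins:(OI)(CI)(F)
                     CORP\svc-backup:(OI)(CI)(RX)
"""


def parse_acl_export(text):
    """Return a list of (asset, principal, rights) from icacls-style text.

    Assumes the asset path contains no spaces (true for the sample above);
    a real export with spaces in paths would need a stricter split.
    """
    entries = []
    asset = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw.startswith(" "):
            # First line of a new asset: "<path> <principal>:<rights>"
            asset, _, line = line.partition(" ")
        principal, _, rights = line.partition(":")
        entries.append((asset, principal.strip(), rights.strip()))
    return entries


def direct_user_grants(entries, directory):
    """Flag every ACE whose principal is not a group.

    Unknown principals are flagged too: an orphaned SID or a principal from
    an unlisted domain is exactly what a group-name-only review would miss.
    """
    findings = []
    for asset, principal, rights in entries:
        kind = directory.get(principal, "unknown")
        if kind != "group":
            findings.append((asset, principal, kind, rights))
    return findings


if __name__ == "__main__":
    for asset, principal, kind, rights in direct_user_grants(
        parse_acl_export(ACL_EXPORT), DIRECTORY
    ):
        print(f"{asset}: {principal} ({kind}) granted {rights} directly")
```

On the sample data the script reports CORP\jsmith and CORP\svc-backup as direct grants. Run the same check against every in-scope share before the review, and the reviewers' sign-off then covers the IDs that the group listing alone would hide.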
2010 Mid-Year Review: Most Popular Posts
Top 5 Posts
Here are the top 5 posts from January through June 2010. If you missed one of these posts, you might want to check it out.
Teach Yourself ACL
This post about Audit Command Language (ACL) software gets twice as many hits as any other post. If you want to know why this bothers me, see the January 2010 review.
PWC Resignation Letter
The popularity of this one really surprised me. But then again, it’s funny, sad, and really hits home if you’re an auditor (or a recovering one).
Top 10 Pay-Boosting Tech Certifications
I added some comments to the list published by Dice and described how the CISSP has affected my salary.
Filed under Audit, Blogging, Security
Tagged as blog, comments, most popular, review