Security and Compliance

Security and compliance are interconnected in important ways. What happens if you have a policy, but you cannot assure compliance? There is no automated enforcement mechanism. You cannot be sure if policy is followed or not.

To gain a deeper appreciation for the relationship between security and compliance, consider the following scenario:

In an organization, managers are allowed to add users to Active Directory groups, which potentially grant them access to sensitive data on file shares. There are security policies and regulations that state that this access must be reviewed quarterly to ensure that only approved people have access to certain types of sensitive data. Sometimes, when people change jobs, their access may not be removed properly, so controls need to be put in place to demonstrate that the organization is doing a good job of meeting security and regulatory requirements.

Access requirements can change frequently, and at a large organization this can become very difficult to manage. When an employee moves from one job to another in the same organization, someone must change their level of access to certain resources. A manager should approve this change, and there should be quarterly metrics that show how managers are reviewing access levels for employees, and modifying access, as needed.

For this Discussion, in two hundred and fifty to four hundred words, addressing the following:

For the given scenario, recommend two policies that you would create for managers approving new access and for monitoring that access. In recommending these policies, make sure they are appropriate for the employees and are in accordance with the organizational policy for approving and monitoring access. Discuss the artifacts you would generate, as a part of these policies, to demonstrate compliance.