Security Manager Controls

ANALYTICS

ANALYTICS in Saviynt Security Manager provides a flexible platform for creating control reports on identities and their access for compliance, management or risk reporting. A compelling feature is the ease with which reports can be created, scheduled and pushed periodically to managers and control owners. Other valuable features include graphical representation of trends across successive runs of the controls, and actionable controls that effect the access changes needed to comply with management or audit requirements.

The following Analytics-related controls are organized by Control Type.

The following are links to more detailed pages:

All

Showing 1 control:
Control Title Control Type Risk Rating
High Privileged Access in onboarded applications

AWS

Showing 73 controls:
Control Title Control Type Risk Rating
AWS Amazon Machine Images (AMIs) shared with unknown AWS accounts without restrictions Cloud Controls High
AWS Amazon Machine Images (AMIs) using unencrypted Amazon Elastic Block Store (EBS) Cloud Controls High
AWS security credentials stored in public repositories Cloud Controls High
AWS Identity and Access Management (IAM) inline policy usage Cloud Controls Medium
AWS Identity and Access Management (IAM) with privileged access on AWS Customer Master Keys Cloud Controls, Least Privilege High
CloudFormation templates created with password violations Cloud Controls, Password controls High
Ensure the Customer Gateways Limit is not reached Cloud Controls Medium
Amazon Elastic Cloud Compute (EC2) with Termination Protection Disabled Cloud Controls Medium
Events based on DROP (Don’t Route Or Peer) IP List Cloud Controls High
Amazon Elastic Block Store (EBS) that are not encrypted and attached to an EC2 instance Cloud Controls, Data Controls High
Amazon Elastic Compute Cloud (Amazon EC2) instances associated with default Security Groups Cloud Controls High
Amazon Elastic Compute Cloud (EC2) instances setup outside of the Virtual Private Network Cloud Controls High
Amazon Elastic Compute Cloud (EC2) instances missing tags Cloud Controls Low
Amazon Elastic Compute Cloud (EC2) instances setup on dedicated tenancy Cloud Controls High
Amazon Elastic Compute Cloud (EC2) instances setup on default tenancy Cloud Controls Low
Events based on EDROP (Extended Don’t Route Or Peer) IP List Cloud Controls High
Ensure Elastic IP address Limit is not reached Cloud Controls High
Elastic Load Balancing (ELB) Certificates which are expired Cloud Controls High
Elastic Load Balancing (ELB) Certificates that will expire within 21 days Cloud Controls Low
Events based on Emerging Threats blocked IP list Cloud Controls High
Amazon Virtual Private Cloud (VPC) without any resources Cloud Controls Medium
Ensure the Expiry time for an unaccepted Virtual Private Cloud (VPC) peering connection request limit is not reached Cloud Controls Medium
Ensure VPC Flow Logs limit is not reached Cloud Controls Medium
AWS Identity and Access Management (IAM) groups with high privileged access Cloud Controls, Least Privilege High
AWS Identity and Access Management (IAM) users with high privileged access Cloud Controls, Least Privilege High
AWS Identity and Access Management (IAM) policies with High Privileges Cloud Controls, Least Privilege High
High privileged Users with non-rotated creds Identity Governance Medium
AWS Identity and Access Management (IAM) Password Policy with disabled password expiration Password controls High
AWS Identity and Access Management (IAM) Password Policy with disabled password reuse Password controls High
AWS IAM user without Multi-Factor Authentication (MFA) enabled Cloud Controls High
AWS Identity and Access Management (IAM) user not following organization’s naming standard Cloud Controls Medium
AWS Identity and Access Management (IAM) user with access to delete CloudFormation Templates Cloud Controls, Least Privilege High
IAM users with delete rights on CF templates Identity Governance High
AWS Identity and Access Management (IAM) user with non-rotated Access Keys Cloud Controls High
AWS Identity and Access Management (IAM) user with non-rotated credentials Cloud Controls High
Inactive AWS IAM Users Identity Governance Medium
AWS Identity and Access Management (IAM) High Privileged inactive users Cloud Controls High
Amazon instances/hosts setup on default tenancy Cloud Controls Low
Amazon Elastic Compute Cloud (EC2) instances setup with non-approved DNS names Cloud Controls Medium
Ensure the Internet Gateways Limit is not reached Cloud Controls Medium
AWS Key Management Service (KMS) scheduled for deletion Cloud Controls High
AWS Key Management Service (KMS) with rotation disabled Cloud Controls High
AWS accounts with no AWS Identity and Access Management (IAM) Password Policy Password controls High
Ensure the NACLs rule Limit is not reached Cloud Controls Medium
Ensure the NACLs Limit is not reached Cloud Controls Medium
Ensure the Network Address Translation (NAT) Gateways Limit is not reached Cloud Controls Medium
Amazon Redshift clusters that are unencrypted Cloud Controls, Data Controls High
AWS IAM High Privileged user without Multi-Factor Authentication (MFA) enabled Cloud Controls Medium
Ensure the Outstanding Virtual Private Cloud (VPC) peering connection requests limit is not reached Cloud Controls Medium
Amazon Relational Database Service (RDS) which are not Encrypted Cloud Controls, Data Controls High
AWS Root Accounts with API Keys Enabled Cloud Controls High
Ensure the Route Tables Limit is not reached Cloud Controls Medium
Amazon S3 Buckets without MFA Delete enabled Cloud Controls Medium
Amazon S3 Buckets with logging disabled Cloud Controls Medium
Amazon S3 Buckets with versioning disabled Cloud Controls Low
Amazon S3 Buckets having explicit Global List access via ACL Cloud Controls Medium
Amazon S3 Buckets allowing explicit Read/Write access via ACL Cloud Controls Medium
Amazon S3 Buckets with server side encryption disabled Cloud Controls High
Ensure the Security Groups limit per VPC is not reached Cloud Controls Medium
Ensure the Security Groups per network interface limit is not reached Cloud Controls Medium
Terminated users with an AWS Identity and Access Management (IAM) user account Identity Governance, IT General Controls High
Events Based on TOR (“The Onion Router”) IP List Cloud Controls High
Track the unused Elastic IP addresses in the account Cloud Controls Medium
Track the unused Elastic IP addresses in your account Cloud Controls High
Ensure the Virtual Private Gateways Limit is not reached Cloud Controls Medium
Ensure the Virtual Private Cloud (VPC) Endpoints limit is not reached Cloud Controls Medium
Ensure the VPC Limit is not reached Cloud Controls Medium
Ensure the Virtual Private Cloud (VPC) Peering Active Connections limit is not reached Cloud Controls Medium
Ensure the VPC Subnet Limit is not reached Cloud Controls Medium
Amazon Virtual Private Cloud (VPC) setup on dedicated tenancy Cloud Controls High
Amazon Virtual Private Cloud (VPC) setup on default tenancy Cloud Controls High
Ensure the Virtual Private Network (VPN) connections per region limit is not reached Cloud Controls Medium
Ensure the Virtual Private Network (VPN) Connections per Virtual Private Cloud (VPC) limit is not reached Cloud Controls Medium

Azure

Showing 104 controls:
Control Title Control Type Risk Rating
Access to High privileged VMs Identity Governance, Least Privilege High
Access to Manage Azure Access Rights Data Controls, Least Privilege Critical
Access to Storage Accounts Keys Cloud Controls, Least Privilege High
Application Gateway Insecure listener Cloud Controls Medium
Application Gateway Subnet security group allowing traffic on insecure ports Cloud Controls High
Application Gateway with Logging Disabled Cloud Controls High
Application Gateway with no Health Probe Rule Cloud Controls Low
Application Gateway with single or no VM attached Cloud Controls Low
Application Gateway with WAF Disabled. Cloud Controls High
Application Gateway with WAF not in Prevention mode Cloud Controls High
Application gateways not in WAF tier Cloud Controls High
Availability sets with only 1 fault domain and 1 update domain Cloud Controls Low
Azure Storage account with Disabled Encryption Cloud Controls, Data Controls High
Blocked sign in High Privileged Users Identity Governance High
Containers with Public access on Blobs Cloud Controls Medium
Containers with Public Access on Container Cloud Controls Medium
Disks of type Reserved Cloud Controls Low
Disks that are not standard tier Cloud Controls Low
Dynamic public IP Address Default Limit Reached Cloud Controls Low
Ensure that ‘Auditing’ is set to ‘On’ Cloud Controls High
Ensure that ‘Automatic provisioning of monitoring agent’ is set to ‘On’ Cloud Controls High
Ensure that ‘Disk encryption’ is set to ‘On’ Cloud Controls, Data Controls High
Ensure that ‘JIT Network Access’ is set to ‘On’ Cloud Controls High
Ensure that multi-factor authentication is enabled for all non-privileged users Identity Governance High
Ensure that multi-factor authentication is enabled for all privileged users Identity Governance High
Ensure that no custom subscription owner roles are created Cloud Controls, Least Privilege High
Ensure that ‘Public access level’ is set to Private for blob containers Cloud Controls High
Ensure that ‘SQL auditing & Threat detection’ is set to ‘On’ Cloud Controls High
Ensure that ‘SQL Encryption’ is set to ‘On’ Cloud Controls, Data Controls High
Ensure that SQL server access is restricted from the internet Cloud Controls High
Ensure that ‘Storage Encryption’ is set to ‘On’ Cloud Controls, Data Controls High
Ensure that ‘Storage service encryption’ is set to Enabled for Blob Service Cloud Controls, Data Controls High
Ensure that ‘System updates’ is set to ‘On’ Cloud Controls High
Ensure that there are no guest users Identity Governance Medium
Ensure that ‘Threat Detection’ is set to ‘On’ Cloud Controls High
Ensure that ‘Threat’ Retention is ‘greater than 90 days’ Cloud Controls High
External accounts with owner permissions from your subscription Identity Governance Low
External accounts with read permissions on subscription Identity Governance Low
External accounts with write permissions on subscription Identity Governance Low
High privileged access to VMs Least Privilege High
High Privileged Azure Users Least Privilege High
List of classic VMs Cloud Controls Low
Load Balancer with single or no VM Attached Cloud Controls Medium
Load Balancers with no Health Probe Rule Cloud Controls Medium
LoadBalancer default Limit Reached Cloud Controls Low
Load Balancer Subnet security group allowing traffic on insecure ports Cloud Controls High
Network Security Groups with Open DNS(TCP) Cloud Controls High
Network Security Groups with Open DNS(UDP) Cloud Controls High
Network Security Groups with Open FTP Cloud Controls High
Network Security Groups with Open LDAP Cloud Controls High
Network Security Groups with Open MS SQL Cloud Controls High
Network Security Groups with Open MySQL Cloud Controls High
Network Security Groups with Open PostgreSQL Cloud Controls High
Network Security Groups with Open RDP Cloud Controls High
Network Security Groups with Open SMTP Cloud Controls High
Network Security Groups with Open SSH Cloud Controls High
Network Interface default Limit Reached Cloud Controls Low
Non-MFA High Privileged Users Cloud Controls, Least Privilege High
NSGs associated with both NIC level and Subnet level Cloud Controls Medium
NSGs with Disabled Logging Cloud Controls Medium
NSGs with Indefinite Log Retention Cloud Controls Medium
Production workloads with no Availability Set Cloud Controls Medium
Production Workloads without Resource Locks Cloud Controls Medium
Public IP’s which have static IP’s associated Cloud Controls Low
Scale Sets with Autoscaling Disabled. Cloud Controls Medium
Scale Sets with Over Provision set to false Cloud Controls Low
Scale Sets with Upgrade Policy mode set to Automatic Cloud Controls Medium
SQL databases not in standard tier Cloud Controls Low
SQL Azure Databases with Encryption Disabled Cloud Controls, Data Controls High
SQL Azure Threat Retention ‘greater than 90 days’ Cloud Controls Medium
SQL Azure with access open to Internet Cloud Controls High
SQL Azure with Auditing Disabled Cloud Controls High
SQL Azure with Threat Detection Disabled Cloud Controls High
Standard Disk attached to VMs (HDD) Cloud Controls Low
Static Public IP Address Default Limit Reached Cloud Controls Low
Storage accounts that are not standard tier Cloud Controls Low
Subscriptions with NSG default limit reached Cloud Controls Low
Total Azure Active Directory Groups Cloud Controls Low
Underutilized Availability Sets Cloud Controls Low
Underutilized Scale Sets Cloud Controls Low
Unencrypted Disks Cloud Controls, Data Controls High
Unused Disks Cloud Controls Low
Unused Network Security Groups Cloud Controls Low
Unused Public IP Addresses Cloud Controls Low
Unused Static Public IP Addresses Cloud Controls Low
VM Default Limit Reached Cloud Controls Medium
VM instances associated with Public IP Cloud Controls Low
VM Instances with disabled automatic updates Cloud Controls Low
VM Instances with Open DNS(TCP) Cloud Controls High
VM Instances with Open DNS(UDP) Cloud Controls High
VM Instances with Open FTP Cloud Controls High
VM Instances with Open LDAP Cloud Controls High
VM Instances with Open MS SQL Cloud Controls High
VM Instances with Open MySQL Cloud Controls High
VM Instances with Open PostgreSQL Cloud Controls High
VM Instances with Open RDP Cloud Controls High
VM Instances with Open SMTP Cloud Controls High
VM Instances with Open SSH Cloud Controls High
VM Instances with Provision VM Agent disabled Cloud Controls Low
VM Network Security Groups allowing Global Inbound traffic on All Ports Cloud Controls Medium
VM Network Security Groups allowing inbound traffic from RFC-1918 CIDRs Cloud Controls, Least Privilege Medium
VMs outside Resource Groups Cloud Controls Medium
VMs with Disabled Logging Cloud Controls Medium
Workloads without Resource Locks Cloud Controls Low

BOX

Showing 31 controls:
Control Title Control Type Risk Rating
American Express-Sensitive Files Data Controls High
Box-Collaborator permission on Folders Least Privilege Low
Box – Documents Labeled as Most Confidential Data Controls High
Box-External Collaborators having permission on Files Least Privilege High
BOX – External Users with File Edit or Delete Rights Cloud Controls Medium
Box False Positive Files Cloud Controls Medium
BOX – Folders Shared for External Collaboration Cloud Controls Medium
Box – PCI Sensitive Files Data Controls High
Box – PII Sensitive Files Data Controls High
BOX – Quarantine Access Rights Details Cloud Controls Medium
BOX – Shared Sensitive Files with No Link Expiration Cloud Controls Medium
BOX – Shared Sensitive Files without password Password controls High
BOX – Top 5 External Collaborators Cloud Controls Medium
BOX – Top 5 Sensitive Violation Documents Cloud Controls, Data Controls Medium
Box Whitelisted and False Positive files Cloud Controls Medium
Box Whitelisted Files Cloud Controls Medium
Diners Club Card-Sensitive Files Data Controls High
Discover Credit Card-Sensitive Files Data Controls High
Financial Violation Classification Data Controls Medium
Folders shared with link having access type – People with link Cloud Controls Medium
Government ID Violation Classification Data Controls Medium
JCB Credit Card-Sensitive Files Data Controls High
Mastercard-Sensitive Files Data Controls High
Quarantined Files by Saviynt Cloud Controls Medium
SSN Violation Classification Data Controls High
US Bank RTN- Sensitive Files Data Controls High
US Driving License- Sensitive Files Data Controls High
US ITIN- Sensitive Files Data Controls High
US Passport- Sensitive Files Data Controls High
US SWIFT Code- Sensitive Files Data Controls High
VISA Credit Card-Sensitive Files Data Controls High

GCP

Showing 7 controls:
Control Title Control Type Risk Rating
Detects accounts of type NULL Cloud Controls, Identity Governance Low
Detects all active accounts without any entitlement association Cloud Controls, Identity Governance Low
Detects orphan accounts Identity Governance Medium
Detects the accounts in child organization Cloud Controls Medium
Detects the accounts where mailbox is not setup Cloud Controls Low
Ensure that corporate login credentials are used instead of Gmail accounts Cloud Controls, Identity Governance Medium
List of accounts of type Internal Cloud Controls Low

GitHub

Showing 8 controls:
Control Title Control Type Risk Rating
Organizations with no members Cloud Controls, Identity Governance Medium
Organizations with no Repositories Cloud Controls Medium
Repositories with no members Cloud Controls, Identity Governance Medium
Teams with full access on Organizations Identity Governance High
Teams with full access on Repositories Identity Governance Medium
Unused Teams Cloud Controls Low
Users with full access on Organizations Identity Governance High
Users with full access on repositories Identity Governance High

JD Edwards

Showing 21 controls:
Control Title Control Type Risk Rating
Count of Applications by Role Least Privilege Medium
Count of Applications (programs and reports) by User Identity Governance Medium
Limit user accounts having access to super-user type functionality Least Privilege High
Monitor accounts with access to dev, test and production environments Identity Governance High
Monitor accounts with access to PCI relevant data Data Controls High
Monitor accounts with access to PHI or PII relevant data Data Controls High
Monitor all accounts with passwords older than six months Password controls High
Monitor all user accounts that have created other User IDs IT General Controls Medium
Monitor configuration of *ALL Least Privilege High
Monitor configuration of *PUBLIC Least Privilege High
Monitor delivered and super user accounts not locked or changed passwords Password controls, System Hardening High
Monitor employees with more than one user account Identity Governance High
Monitor generic user accounts – IDs not associated with an active employee Identity Governance High
Monitor password configuration to be consistent with company policy Password controls High
Monitor read-only Roles with write access Least Privilege Medium
Monitor unlocked accounts associated with terminated users Identity Governance, IT General Controls High
Monitor unlocked stale accounts with no activity for more than 3 months Least Privilege Medium
Restrict application, action, row, column, processing option, tab and exit security as appropriate Least Privilege High
Restrict Users that have access to unsecure navigation aids in Production Least Privilege High
Restrict Users that have access to Object Workbench Least Privilege High
Restrict Users that have access to Security Workbench Least Privilege High

Office 365

Showing 101 controls:
Control Title Control Type Risk Rating
All Users (membership) Access Least Privilege Medium
Auditlog Trimming Retention period of SharePoint Sites Cloud Controls High
Confidential Documents on Site Data Controls Medium
Count of Files and Document Libraries within Site Collection Cloud Controls Low
Count of Files and Document Libraries within Site Cloud Controls Low
Count of Files Within Document Library Cloud Controls Low
Document Libraries of a Site Collection Cloud Controls High
Document Libraries on Site Cloud Controls Low
Document Libraries with Major and Minor Versions Cloud Controls Low
Document libraries with no versioning enabled Cloud Controls Low
Documents In Site Collection Cloud Controls Medium
Documents In Sites Cloud Controls Low
Documents on SiteCollection -Dynamic Cloud Controls Medium
Documents shared publicly Cloud Controls High
Documents with Broken Inheritance and no FSO Cloud Controls Low
Documents with versions Cloud Controls, Data Controls Low
Export Control – Non-US Content – Controlled Cloud Controls, Data Controls Low
Export Control – US Content – Controlled Cloud Controls, Data Controls Medium
Files with Guest Links with Edit Permissions and No Expiration Period Cloud Controls High
FSO’s of Site Collection Cloud Controls Low
Invalid FSO for Site Collection Cloud Controls Low
Libraries with Inheritance Break Cloud Controls Low
Libraries with No Major Versioning Cloud Controls Low
List of document libraries with broken inheritance and FSO access Cloud Controls Medium
List of document libraries with broken inheritance and TSO access Cloud Controls Medium
List of external users having access to confidential documents from internal sites Cloud Controls, Data Controls High
List of external users having access to document libraries with unique permissions in internal sites Cloud Controls, Identity Governance High
List of external users having access to export controlled Non-US content from internal sites Cloud Controls High
List of external users having access to export controlled US content from internal sites Cloud Controls High
List of external users having access to restricted documents from internal sites Cloud Controls High
List of external users having access to SharePoint Sites Cloud Controls, Identity Governance High
List of external users having access to shared sites Cloud Controls High
List of external users with allowed ISI having access to Internal Sites Cloud Controls High
List of external users with blocked ISI having access to Internal Sites Cloud Controls High
List of Items on SubSite Cloud Controls Low
List of Orphaned Permissions on Sharepoint Sites Cloud Controls, Identity Governance High
List of Ownership Cloud Controls Medium
Lists with Broken Inheritance and no FSO Cloud Controls Medium
Major and Minor Version Cloud Controls Medium
O365 License Utilization Cloud Controls Low
O365 Services utilization Cloud Controls Low
One Drives with Sensitive Files Cloud Controls Low
Permission Hierarchy of Group on Sites Cloud Controls Medium
Permission Hierarchy of site and its elements Cloud Controls Low
Permission management audit report Cloud Controls Medium
Records of business type declared on a site Cloud Controls Low
Records on SiteCollection Cloud Controls Low
Records on SubSites Cloud Controls Low
Records per month Cloud Controls Medium
Restricted Documents on Site Cloud Controls Medium
Sensitive Files shared publicly Cloud Controls, Data Controls High
SharePoint Confidential Sensitive Files Cloud Controls, Data Controls High
SharePoint Diners Club Card Sensitive Files Cloud Controls High
SharePoint Discover Credit Card Sensitive Files Cloud Controls, Data Controls High
SharePoint External users list Cloud Controls, Identity Governance Low
SharePoint files with external access Cloud Controls Low
SharePoint files with guest link Cloud Controls Low
SharePoint files with guest links with Edit permissions Cloud Controls Low
SharePoint Files with Unique Permissions Cloud Controls Low
SharePoint JCB Credit Card Sensitive Files Cloud Controls, Data Controls High
SharePoint Mastercard Sensitive Files Cloud Controls, Data Controls High
SharePoint PCI Sensitive Files Cloud Controls, Data Controls High
SharePoint PII Sensitive Files Data Controls High
SharePoint Secret Sensitive Files Cloud Controls, Data Controls High
SharePoint Site Collection Owner Reports Cloud Controls Low
SharePoint Site Collections not modified for last 6 weeks Cloud Controls Low
SharePoint Site Collections with external sharing enabled Cloud Controls High
SharePoint Site Collections with guest links and edit permissions Cloud Controls High
SharePoint Sites not modified for last 6 weeks Cloud Controls Low
SharePoint Sites Shared with External Users Cloud Controls High
SharePoint Sites With Broken Inheritance Cloud Controls High
SharePoint Sites With No document libraries Cloud Controls Low
SharePoint UK Driver License Sensitive Files Cloud Controls, Data Controls Low
SharePoint UK National Insurance Number Sensitive Files Cloud Controls, Data Controls High
SharePoint US Bank RTN Sensitive Files Cloud Controls, Data Controls High
SharePoint US Drivers License Sensitive Files Cloud Controls, Data Controls High
SharePoint US ITIN Sensitive Files Cloud Controls, Data Controls High
SharePoint US Passport Sensitive Files Cloud Controls, Data Controls High
SharePoint US SSN Sensitive Files Data Controls High
SharePoint US Swift Code Sensitive Files Cloud Controls High
SharePoint VISA Credit Card Sensitive Files Cloud Controls, Data Controls High
Site Collection without PSO Cloud Controls Low
Site Collection without SSO Cloud Controls Medium
Site with broken inheritance and user permission Cloud Controls Medium
Sites with broken inheritance and no FSO Cloud Controls Low
Storage level of Site Collection Cloud Controls Low
Subsites In SiteCollection Cloud Controls Medium
Terminated users with O365 licenses Cloud Controls, Identity Governance Low
Top 5 Sensitive Documents Cloud Controls Low
Total Accounts in Office365 Cloud Controls, Identity Governance Low
Total Active Accounts in Office365 Cloud Controls, Identity Governance Low
Total Inactive accounts Identity Governance Low
Total non Records Cloud Controls Medium
Total Orphan Accounts in O365 Cloud Controls, Identity Governance Low
Total Records Cloud Controls Low
Total SharePoint Files Cloud Controls Low
Total SharePoint Groups Cloud Controls Low
Total SharePoint Lists Cloud Controls Low
Total SharePoint Site Collection Cloud Controls Low
Total SharePoint Sites Cloud Controls Low
Unrestricted Documents Cloud Controls Low

Oracle EBS

Showing 51 controls:
Control Title Control Type Risk Rating
Brute force attack on the app/DB IT General Controls High
Count of Functions by Responsibility IT General Controls Medium
Count of Functions by User Identity Governance Medium
Count of Responsibilities by User Identity Governance Medium
Database accounts have appropriate access Identity Governance High
Limit access to SQL forms Least Privilege High
Limit user accounts having access to super-user type functionality Least Privilege High
Logging of unsuccessful login attempts IT General Controls High
Monitor access of Oracle Forms for under utilization IT General Controls Medium
Monitor accounts assigned delivered EBS roles or responsibilities Least Privilege High
Monitor accounts with access to AZN Menus Least Privilege High
Monitor accounts with access to PCI relevant data Data Controls High
Monitor accounts with access to PHI or PII relevant data Data Controls High
Monitor accounts with no logins and no password changes Identity Governance Medium
Monitor accounts with password configuration not consistent with policy Password controls High
Monitor active Responsibilities with menu and function exclusions IT General Controls Low
Monitor all delivered accounts, generic accounts and super user accounts with recent password changes IT General Controls High
Monitor all user accounts that have created other User IDs Identity Governance Medium
Monitor Audit SYS operations being turned off IT General Controls High
Monitor Audit Trail being turned off IT General Controls High
Monitor authentication configuration updates to the database IT General Controls High
Monitor configuration tables being audited Configuration controls High
Monitor delivered and super user accounts not locked or end dated System Hardening High
Monitor direct database logins to EBS schema database accounts IT General Controls High
Monitor employees with more than one user account Identity Governance High
Monitor generic user accounts – IDs not associated with an active employee IT General Controls High
Monitor GL Journal Sources Configuration controls High
Monitor new database accounts created IT General Controls High
Monitor non end-dated Responsibilities not assigned to any user accounts IT General Controls Low
Monitor of users with access to Order Entry Administrator Least Privilege High
Monitor Page Access Tracking being turned off IT General Controls High
Monitor password configuration Password controls High
Monitor read-only Responsibilities with write access Least Privilege Medium
Monitor Request Groups with access to sensitive data Data Controls High
Monitor Sign-On Audit being turned off IT General Controls High
Monitor unlocked or non end-dated accounts associated with terminated users IT General Controls High
Monitor unlocked stale accounts with no activity for more than 3 months Identity Governance Medium
Monitor updates to AOL tables under Audit Trail IT General Controls High
Monitor User SYSADMIN logins IT General Controls High
Monitor Users that can modify configuration settings Configuration controls High
Monitor users with access to Approvals Management Administrator Least Privilege High
Monitor users with access to Cash Management Setup Least Privilege High
Monitor users with access to Payments Setup Administrator Least Privilege High
Monitor users with access to Trading Community Architecture Least Privilege High
Monitor users with access to Workflow Administrator Least Privilege High
Monitor users with future end-dated responsibilities Identity Governance Medium
Monitor users with future end dates Identity Governance Medium
Password hashing has been implemented on Oracle DBs Password controls High
Restrict DB accounts with no corresponding application account IT General Controls High
Restrict Users that can develop concurrent programs Least Privilege High
Restrict Users with access to modify audit and logging Least Privilege High

PeopleSoft

Showing 35 controls:
Control Title Control Type Risk Rating
Count of non-Display Only pages by Permission List Least Privilege Medium
Count of Permission Lists by User Identity Governance Medium
Limit access to critical PeopleSoft menus and pages Least Privilege High
Limit user accounts having access to super-user type functionality Least Privilege High
Logging of unsuccessful login attempts IT General Controls High
Monitor access of PeopleSoft pages for under utilization Least Privilege Medium
Monitor accounts assigned delivered PeopleSoft roles or permission lists Least Privilege High
Monitor accounts whose password never expires Password controls High
Monitor accounts with access to PCI relevant data Data Controls High
Monitor accounts with access to PHI or PII relevant data Data Controls High
Monitor accounts with high number of duplicate passwords Password controls Medium
Monitor all accounts created by PS INSTALL or SYSADMIN System Hardening High
Monitor all accounts with passwords older than six months Password controls High
Monitor all user accounts that have created other User IDs IT General Controls Medium
Monitor delivered and super user accounts not locked System Hardening High
Monitor employees with more than one user account Identity Governance High
Monitor failed login password configuration Password controls High
Monitor generic user accounts – IDs not associated with an active employee Identity Governance High
Monitor objects in PeopleSoft to ensure they are controlled by an object group IT General Controls
Monitor querying capabilities of users Least Privilege Medium
Monitor read-only Roles and Permission Lists with write access Least Privilege Medium
Monitor unlocked accounts associated with terminated users Identity Governance, IT General Controls High
Monitor unlocked stale accounts with no activity for more than 3 months Identity Governance Medium
Monitor user primary permission lists and row security class Least Privilege High
Monitor users or roles with access to ALLPNLS or ALLPAGES and *PNLS Permission Lists Least Privilege High
Monitor users with access to Cash Management Setup Least Privilege High
Monitor users with access to delivered PeopleTools roles Least Privilege High
Monitor users with access to Payments Setup Least Privilege High
Monitor users with the ability to add or update vendors in their User Preferences settings Least Privilege High
Monitor users with the ability to post journal entries in their user preferences settings Least Privilege High
Restrict Users that have access to development tools in Production Least Privilege High
Restrict Users that have access to integration tools in Production Least Privilege High
Restrict Users that have access to reporting and analysis tools in Production Least Privilege High
Restrict Users that have access to the Maintain Security menu Least Privilege High
Restrict Users that have access to Utilities in Production Least Privilege High

SAP

Showing 66 controls:
Control Title Control Type Risk Rating
Monitor dialog users with the number of authorization objects Least Privilege Medium
Enabler Roles (Organizational access) with transactions Least Privilege High
Monitor the complete list of Account_Creators IT General Controls High
Monitor account creators without accounts created by system delivered high privileged accounts (SAP*, CUAREMOTE, etc.) IT General Controls Critical
Monitor accounts having access to Sensitive Data Screens (e.g. BOM) critical transactions Least Privilege High
Monitor accounts that cannot change their password Password controls Medium
Monitor accounts with access to PCI relevant data Data Controls High
Monitor accounts with access to PHI or PII relevant data Data Controls High
Monitor all accounts for which password never expires Password controls Medium
Monitor Critical transactions_usage counts Least Privilege High
Monitor critical transactions usage, role assignment, and role_user assignment Least Privilege High
Monitor users locked for more than 6 months and not deleted Identity Governance Medium
Monitor purchase orders with three way match not activated Process controls High
Monitor Roles with selected authorization objects (), Fields(), Values() Least Privilege Medium
Monitor roles with manually inserted authorizations to replace or append to suggested standard Least Privilege Medium
Monitor roles with manually inserted authorizations to replace or append to suggested standard authorizations Least Privilege Medium
Monitor Roles with * (or pseudo wildcards) Least Privilege Medium
Monitor Roles with * (or pseudo wildcards) Least Privilege Medium
Monitor Roles with * (or pseudo wildcards) that give complete or excessive access Least Privilege Medium
Monitor Roles with organizational access such as postings to legal entities Least Privilege Medium
Monitor Roles with the number of unused transactions Least Privilege Medium
Monitor Roles with their count of unused transactions Least Privilege High
Monitor Roles with wildcard (*) value which provides all levels of access for activity (i.e. create/change/delete etc.) Least Privilege Medium
Monitor S2P or R2R roles and accounts with usage Least Privilege High
Monitor Source to Pay (S2P or R2R) roles with their child roles or transactions Least Privilege High
Monitor transactions associated with more than one role Least Privilege Medium
Monitor Transactions not used in the last () days Least Privilege Medium
Monitor transactions with their security status Least Privilege Medium
Monitor unused transactions with their associated Roles Least Privilege Medium
Monitor usage for System (BASIS) Administration transactions IT General Controls Critical
Monitor users and user groups that can process asset write-offs Least Privilege High
Monitor users and user groups that can create customer master records Least Privilege High
Monitor users and user groups that can create material master records Least Privilege High
Monitor users and user groups that can create Vendor master records Least Privilege High
Monitor users and user groups that can perform security administration activities – Role Maintenance Least Privilege High
Monitor users and user groups that can perform security administration activities – user master maintenance Least Privilege High
Monitor users and user groups that can post depreciation Least Privilege High
Monitor users and user groups that can process payments to vendors Least Privilege High
Monitor users and user groups that can process returns/refunds Least Privilege High
Monitor users and user groups that can process Sales Orders Least Privilege High
Monitor users and user groups that can create asset master records Least Privilege High
Monitor users and user groups that perform invoice processing (from Vendors) Least Privilege High
Monitor users and user groups with access to significant financial reporting transactions/financial statements Least Privilege High
Monitor users by their positions/titles with Process (OTC/STP/FIN etc.) roles assignment Least Privilege High
Review users created by SAP* (System delivered super user account) IT General Controls Critical
Monitor users not in selected user group () having access to transactions () with change/update ability Least Privilege High
Monitor users and user groups that approve invoices Least Privilege High
Monitor users that approve purchase orders Least Privilege High
Monitor users that can post journal entries Least Privilege High
Monitor users that cannot change their passwords IT General Controls Medium
Monitor users and user groups that create Bank master data Least Privilege High
Monitor users and user groups that can perform treasury operations Least Privilege High
Monitor users that process purchase orders Least Privilege High
Monitor users who are assigned SAP Standard template Roles Least Privilege High
Monitor users with ability to open and close posting periods Process controls High
Monitor users with access to high risk SOX critical transactions Least Privilege High
Monitor users with access to program maintenance and ABAP workbench Least Privilege Critical
Monitor users with access to system administration transactions Least Privilege Critical
Monitor users with change permissions in critical authorization objects such as S_PROGRAM, S_DEVELOP, S_TABU_DIS, S_TABU_CLI, S_BTCH_JOB, S_BTCH_ADM Least Privilege Critical
Monitor and limit users with initial passwords that are active and unlocked IT General Controls High
Monitor users with no login information in user master table (USR02) IT General Controls High
Monitor users with no logins and no password changes IT General Controls High
Monitor users with Passwords older than 6 months IT General Controls High
Monitor users with Security Maintenance transactions Least Privilege Critical
Review read only roles with write/execute/change access Least Privilege High
Usage history for transaction/s () and or user/s () Least Privilege High

SAP HANA

Showing 61 controls:
Control Title Control Type Risk Rating
Enabler Roles (Organizational access) with transactions Least Privilege High
Monitor account creators without accounts created by system delivered high privileged accounts (SAP*, CUAREMOTE, etc.) IT General Controls Critical
Monitor accounts having access to Sensitive Data Screens (e.g. BOM) critical transactions Least Privilege High
Monitor accounts that cannot change their password Password controls Medium
Monitor all accounts for which password never expires Password controls Medium
Monitor and limit users with initial passwords that are active and unlocked IT General Controls, Password controls High
Monitor Critical transactions_usage counts Least Privilege High
Monitor critical transactions usage, role assignment, and role_user assignment Least Privilege High
Monitor dialog users with the number of authorization objects Least Privilege Medium
Monitor locked users for more than 6 months that are not deleted Identity Governance High
Monitor purchase orders with three way match not activated Process controls High
Monitor roles with manually inserted authorizations to replace or append to suggested standard authorizations Least Privilege Medium
Monitor Roles with * (or pseudo wildcards) that give complete or excessive access Least Privilege Medium
Monitor Roles with organizational access such as postings to legal entities Least Privilege Medium
Monitor Roles with selected authorization objects (), Fields(), Values() Least Privilege Medium
Monitor Roles with the number of unused transactions Least Privilege Medium
Monitor Roles with their count of unused transactions Least Privilege High
Monitor Roles with wildcard (*) value which provides all levels of access for activity (i.e. create/change/delete etc.) Least Privilege Medium
Monitor S2P or R2R roles and accounts with usage Least Privilege High
Monitor Source to Pay (S2P or R2R) roles with their child roles or transactions Least Privilege High
Monitor the complete list of Account_Creators IT General Controls High
Monitor transactions associated with more than one role Least Privilege Medium
Monitor Transactions not used in the last () days Least Privilege Medium
Monitor transactions with their security status Least Privilege Medium
Monitor unused transactions with their associated Roles Least Privilege Medium
Monitor usage for System (BASIS) Administration transactions IT General Controls Critical
Monitor users and user groups that approve invoices Least Privilege High
Monitor users and user groups that can process asset write-offs Least Privilege High
Monitor users and user groups that can create asset master records Least Privilege High
Monitor users and user groups that can create customer master records Least Privilege High
Monitor users and user groups that can create material master records Least Privilege High
Monitor users and user groups that can create Vendor master records Least Privilege High
Monitor users and user groups that can perform security administration activities – Role Maintenance Least Privilege High
Monitor users and user groups that can perform security administration activities – user master maintenance Least Privilege High
Monitor users and user groups that can perform treasury operations Least Privilege High
Monitor users and user groups that can post depreciation Least Privilege High
Monitor users and user groups that can process payments to vendors Least Privilege High
Monitor users and user groups that can process returns/refunds Least Privilege High
Monitor users and user groups that can process Sales Orders Least Privilege High
Monitor users and user groups that create Bank master data Least Privilege High
Monitor users and user groups that perform invoice processing (from Vendors) Least Privilege High
Monitor users and user groups with access to significant financial reporting transactions/financial statements Least Privilege High
Monitor users by their positions/titles with Process (OTC/STP/FIN etc.) roles assignment Least Privilege High
Monitor users not in selected user group () having access to transactions () with change/update ability Least Privilege High
Monitor users that approve purchase orders Least Privilege High
Monitor users that can post journal entries Process controls High
Monitor users that cannot change their passwords IT General Controls, Password controls Medium
Monitor users that process purchase orders Least Privilege High
Monitor users who are assigned SAP Standard template Roles Least Privilege High
Monitor users with ability to open and close posting periods Process controls High
Monitor users with access to high risk SOX critical transactions Least Privilege High
Monitor users with access to program maintenance and ABAP workbench Least Privilege Critical
Monitor users with access to system administration transactions Least Privilege Critical
Monitor users with change permissions in critical authorization objects such as S_PROGRAM, S_DEVELOP, S_TABU_DIS, S_TABU_CLI, S_BTCH_JOB, S_BTCH_ADM Least Privilege Critical
Monitor users with no login information in user master table (USR02) IT General Controls High
Monitor users with no logins and no password changes IT General Controls, Password controls High
Monitor users with Passwords older than 6 months IT General Controls, Password controls High
Monitor users with Security Maintenance transactions Least Privilege Critical
Review read only roles with write/execute/change access Identity Governance High
Review users created by SAP* (System delivered super user account) IT General Controls Critical
Usage history for transaction/s () and or user/s () Least Privilege High