We have been tasked with categorising users based on their work and the sensitivity of the data they access/process etc during their work. We ideally want to loosely put them into "high security/risk" - where more strigent windows user policies will be applied - to protect the data they process. And "low security/risk" - where potentially more lax policies can be deployed.
We have over 6000 users - any suggestions on where to start!!??!!
Also any views on how practical it is to group users based on the data they access/process?
And any risks in having more lax policies for users who access lesser sensitive data?