High risk users

We have been tasked with categorising users based on their work and the sensitivity of the data they access/process etc during their work. We ideally want to loosely put them into "high security/risk" - where more strigent windows user policies will be applied - to protect the data they process. And "low security/risk" - where potentially more lax policies can be deployed.

We have over 6000 users - any suggestions on where to start!!??!!

Also any views on how practical it is to group users based on the data they access/process?

And any risks in having more lax policies for users who access lesser sensitive data?

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.


I would start by defining which data is highly secure and which is not so much. Once you understand which data is the most sensitive, you can determine which users are accessing it.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
You should consider all your users high risk, and treat everybody with the same brush.  The ironic thing is that us Administrators are a higher risk than users, because we have access to do all sorts of things.  We had a policy at one of the places I worked where All users are restricted the same, and power users - like Developers or IT staff had a different set of restrictions, but they were still not administrators on their machines nor on the domain.  In order to do management, they RDP'd to servers and logged on with their own "administrative account" to do administration.  A bit of a PITA, but it worked.  Each time I wanted to install something on my machine, UAC prompted me, and I used my administrative credentials to do it.

By having one security policy and applying it to everybody, people can't accuse you of being hypocritical, by having a different policy.  There can also be no favoritism cards played.
pma111Author Commented:
Im struggling to get my head around (especially for user policies)

what would constiture a lower security policy for low risk users and what would constitute a high risk policy for high risk users?

When the main driver is to protect the data they access / process as part of their jobs?
Simple Misconfiguration =Network Vulnerability

In this technical webinar, AlgoSec will present several examples of common misconfigurations; including a basic device change, business application connectivity changes, and data center migrations. Learn best practices to protect your business from attack.

pma111Author Commented:
And if you could share any specific adminstrator "user" level policies in terms of best practice for data security that would be very interesting to hear.
pma111Author Commented:
And categories.

From I see it - there is

a) access to data on shares
b) access to data remotely via citrix/VPN
c) taking data away - i.e. saving locally / emailing offsite/ taking via USB

Any more data security elements?
pma111Author Commented:
@aquatone - do you have any parameters for ranking data sensitivity?
pma111Author Commented:
And removing applications from the issue - aside from shares & databases - where else could "sensitive data" reside?
Randy DownsOWNERCommented:
Maybe this will help. It's excerpts from a book.

How does computer system security provide protection? There are four primary methods:

System Access Controls.
Ensuring that unauthorized users don't get into the system, and by encouraging (and sometimes forcing) authorized users to be security-conscious–for example, by changing their passwords on a regular basis. The system also protects password data and keeps track of who's doing what in the system, especially if what they're doing is security-related (e.g., logging in, trying to open a file, using special privileges).

The section "System Access: Logging Into Your System" introduces the basics of system access controls. Chapter 6, Inside the Orange Book, describes the Orange Book accountability requirements, which specify the system access controls defined for different levels of secure systems. In particular, see the section entitled "Accountability Requirements" in that chapter.

Data Access Controls.
Monitoring who can access what data, and for what purpose. Your system might support discretionary access controls; with these, you determine whether other people can read or change your data. Your system might also support mandatory access controls; with these, the system determines access rules based on the security levels of the people, the files, and the other objects in your system.

"Data Access: Protecting Your Data" introduces the basics of data access controls. In Chapter 6, the section entitled "Security Policy Requirements" describes the Orange Book security policy requirements, which specify the data access controls defined for different levels of secure systems.

System and Security Administration.
Performing the offline procedures that make or break a secure system–by clearly delineating system administrator responsibilities, by training users appropriately, and by monitoring users to make sure that security policies are observed. This category also involves more global security management; for example, figuring out what security threats face your system and what it will cost to protect against them.

Chapter 5, System Security Planning and Administration, introduces the basics of system security planning and administration. In Chapter 6, the section entitled "Assurance Requirements" describes the Orange Book system administration requirements defined for different levels of secure systems.

System Design.
Taking advantage of basic hardware and software security characteristics; for example, using a system architecture that's able to segment memory, thus isolating privileged processes from nonprivileged processes.

Although a detailed discussion of secure system design is outside the province of this book, the section "System Architecture" in Chapter 6 describes briefly the major Orange Book design requirements for different levels of secure systems.
I would rank sensitive according to how many should know it.

HR information, proprietary work-product, computer/network administrator-specific documentation, data in-process and not cleared for general release. The finalities depend on the type of business you are in.

If I were writing software for a business the source code for the various software products would be considered sensitive. How compartmentalized is your organization's personnel/project division?

You should also categorize your company sensitive information based on file types, for example office documents, database files, pdf documents or ... There are separate tools available for each file type.
You may also take a look at available Right Management Services like:

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.