
Antoine Berthier



This is not a new subject and all companies are looking into this to a greater or lesser degree. The recent EU regulation for personal data security (GDPR) has shaken things up and forces all IS holders to examine their data, content, access and possible susceptibility…

Software vendors with an interest in this subject continue to develop their ready-made solutions, allowing each company to justify the purchase of a solution that fits the principles of the regulation.

Three solutions are available to you:

  • Purchase (CAPEX), for continual use, implying qualified and available personnel.
  • Annual subscription (OPEX), with similar requirements.
  • Specific but regular audit (OPEX), carried out by a qualified external provider, using the same tools and providing the right conditions for corrective action and analysis.

This third, low-cost option lets you make the most of these tools without financial investment, so that you get enough information to address any security problems discovered during the scans, even if it means making a purchase afterwards.

Governance of Information Systems can therefore be divided into three levels:

  • Systems: by analysis of security weaknesses in the OS, applications and web services
  • Data: by classifying information by its data, use or type
  • Users: by detecting standard or abnormal behaviour in relation to access to data.

We suggest you choose the Governance Audit below which is an easy and effective answer to your concerns and ensures proper configuration of access to your IS, a key element for security, but which is not always as well defined as we would like to think.


Vinoth SIVA


Needs and actions for an IS governance audit solution

Company data, whether unstructured (files, email) or structured (databases), is exploding and getting out of control. Users accumulate more and more permissions over time, and companies find themselves unable to identify and manage who has access rights to data, excessive permissions, special permissions, etc.
A governance audit provides a swift, simple and effective answer to this problem.

We interviewed Vinoth Siva, consultant in governance products for Optrium, who explained how it works.

Why should businesses need a Governance audit?

There are several scenarios which compel companies to ask us for an audit.

  • For all structures which do not have a data governance solution and within which resources have accumulated on the IS.
  • When a company wants to complete its licences for which it needs to audit the resources used on its IS.
  • During a merger or acquisition, or when the company examines its rules on compliance.

This affects all companies as soon as they create a certain volume of data, or if they have 100 or so employees.

Most of the useful resources on the IS are auditable: AD, SharePoint, messaging systems, file server...

What exactly is the service offered by Optrium for a governance audit?

Optrium offers a service for a security audit which is completed using a dedicated module made up of a portable specific solution which analyses permissions. This approach has less of an impact on the company than the purchase of a solution, especially on the budget, but also on resources.

To start the service we install a virtual machine or use a laptop pre-configured with this module, allowing us to make a complete scan of all permissions (file shares, messaging systems, SharePoint…). The module and the service are specific to the chosen environment, so the audit shows us a map of the status of rights on the related part of the IS.

What is the point of an audit like this?

Information Systems change over time and the CIO/CISO often lack a clear view of the whole IS.

The aim of the audit is to provide the necessary maps for any security risks to be rectified. As a result we can have a clear view of both the full status of current permissions and recommendations, by pointing out excessive or inadequate permissions.

This operation gives a snapshot and costs a lot less than the purchase of a complete on-site solution. If you take as an example the case of a messaging system, the report can show that everyone has access to a director’s inbox even though he thinks he has only opened it to his assistant.


Once the repair has been made, controls of access, files for consultation, errors in a company’s Active Directory can be remedied…

A user who changes role or an employee who leaves can also see their rights checked by this means. It can also reveal that sensitive data has been available to a large number of people…

Once we have restored the system, we have a view of the audited resources, controls of access, files for consultation, weaknesses in the company’s Active Directory…

This is also helpful for capacity planning so that you can check the number of licences used or manage storage space on a file server. Indeed, the audit can show the percentage of files modified over the previous 6 months and identify those which haven’t been changed, which allows administrators to store them elsewhere or to archive obsolete files.

What happens exactly during the service?

Once the installation has been done, all resources are scanned and gathered.

Optrium then drafts a report focused on the client’s needs. This will aim to modify the IS’s configuration or rectify the highlighted shortcomings. This gives a snapshot of all failures and all remediation solutions. The process takes about one week; this includes installation and treatment of metadata (report).

What are the responses from your clients about this service?

In general they appreciate the fact that the service doesn’t need any investment (operating budget only).

Some had started their own internal audit but they stopped because it is a time-consuming process when you don’t have the appropriate tool to give you a whole view.

Our teams are tuned in to clients' wishes and can be available quickly, as one and consistently as required. Happy autumn and see you soon for an audit!

© 2016 - Optrium 171 avenue George Clémenceau - 92000 Nanterre (France)

www.optrium.fr - Tél. : +33 1 55 17 35 00 - Mail : info@optrium.fr