Yoetz.ai Team May 14, 2026 6 min read

Why Security Group Audits Are Now a Compliance Requirement

A single unconstrained security group on a compensation domain triggers a SOX finding, a GDPR Art. 5 finding, an ISO 27001 A.9 finding, and a PCI-DSS Req 7 finding — all from the same configuration item. Here is why a security group audit is now a compliance requirement, not a nice-to-have.

1. The four-framework intersection

SOX §404 requires least-privilege access to financial data. GDPR Art. 5 requires data minimisation. ISO 27001 A.9 requires access control proportional to risk. PCI-DSS Req 7 requires need-to-know restriction. An unconstrained security group violates all four with the same misconfiguration.

2. Why annual audits don't work

Tenants change daily. Annual audits see a snapshot. The compliance violation that exists for nine of twelve months does not appear in the annual report. Continuous monitoring is the only way to catch it.

3. What 'continuous' means in practice

Quarterly automated scans, plus a scan triggered by every R1/R2 release and every major business process change. Evidence retained for the auditor.
