You will need to work with the Functional Area Managers and Auditors to identify the following items:
• Identify Sensitive Data Fields - Data fields on a page or table that are regarded as PII (Personally Identifiable Information) or PCI (Payment Card Industry) data, e.g. Social Security Number, Bank Account #, Credit Card #.
• Identify Restricted Pages - Pages that don’t necessarily contain PII or PCI data but provide functionality that should be restricted to selected authorized users, e.g. Security and System Setup Pages, Check Printing.
• Define Segregation of Duty controls - You can use previous audit reports to determine the SOD controls that are relevant to your organization. Internal or External auditors should also be able to provide a list of controls.