Question:
An encompassing Security Policy objective regarding Access Control is:
- To limit access to information and information processing facilities.
As you are aware, Access Control is a fundamental prerequisite to securing information or services on information processing systems, and it is also necessary to protect physical premises containing information in all forms. The confidentiality, integrity and availability of the organisation's business information, services, and processes, together with other business assets, are at stake.
You have been hired as an external IT Auditor for a company that is growing. The company currently has a hybrid structure in place: On premise and Cloud.
With this in mind, you are to audit the Access Controls this company has developed, documented, and implemented which define user access rights based on business needs. You should also consider the classification and handling requirements of the information, services, networks, and/or applications accessed, and any legal or regulatory requirements.
Answer what access controls you as an external IT Auditor look for given this hybrid structure. You may form your own assumptions (company type, processes, regulatory environment etc.) to answer the question. If you choose to do so, please provide your assumptions before you begin answering the question.
Please list the Controls you would seek from Physical and Logical standpoints. Explain your reasoning as to why these controls are necessary in this day and age.
This is a fairly in-depth question and wants an in-depth explanation for the whole topic.
