Community College Internal Auditors
2011 Spring Conference
Implementing User’s IT
Security Access Control
Presented by:
Emmie Oesterman, IT Auditor
Kris Backus, Sr. IT Analyst
Background
• LRCCD includes four colleges and
eight education centers.
• More than 90,000 students are
enrolled in our colleges
• LRCCD uses PeopleSoft Enterprise
Resource Planning (ERP) System
for:
• Student Administration (1200+ users)
• Financials (150+ users)
• Human Resources (100+ users)
Findings – Internal Auditor
•
PeopleSoft security is inadequate.
•
Management made it a priority to
redesign our user’s access and granting
procedures.
Findings – External Auditor
Internal Control (Information Technology)
• Our observation and testing of controls
over computer systems access indicated a
number of conditions including duplicated
profiles for users, users with more than one
role, and terminated employees still active
in the financial system. While we did not
identify any financial statement errors or
irregularities resulting from these
conditions, stronger controls are
necessary.
• Financial Statement Audit – FY07/08
• Resolve in FY08/09 Audit
Plan
•
Student Administration
•
•
•
Financials
•
•
Highest number of users (1200+ users)
Greatest risks
150+ users
Human Resources
•
100+ users
The Team
•
•
•
•
IT Staff
IT Auditor
District/College Staff*
District/College Information Security
Officers*
* When needed
Goals
1. Determine the current roles and
security access.
2. Develop appropriate roles and
security to assure adequate security
and privacy of data.
Goals (continued)
3. Provide user documents to clearly
identify the access within each
PeopleSoft role.
4. Develop new business process to
appropriately grant access and
provide accountability.
Goal 1
Determine the current roles and security
access.
• IT ran a script to provide detailed
listing of access within each role.
• The team analyzed the data and
determined appropriateness.
• IT deleted any unused access.
Goal 1
Goal 1
Goal 2
Develop appropriate roles and security to assure
adequate security and privacy of data.
Access Methodology
 Data Ownership
 Hierarchy
Goal 2
Data Ownership
• Determine data owners
• Design an approval process based on data
ownership.
Example:
PeopleSoft Student Administration System
Data Type
Owner
Student Records/Personal Info
Student Services
Student Financials
Administration
Curriculum
Instruction
Goal 2
Hierarchy:
• Roles are created on a
hierarchy system. Higher
level access will include
the access of all lower
levels.
• Example
– SR Access III will include all
the access from these roles:
» Student Info View I
» Student Info View II
» SR Access I
» SR Access II
A/R Supervisor
SR Supervisor Access
A/R Lead
SR Access III
A/R Clerk
SR Access II
A/R Student Help
SR Access I
Non A/R Staff
Student Info View I or II
Goal 2
Goal 3
Provide user documents to clearly identify the
access within each PeopleSoft role.
• Definitions of Roles
• Mapping of old to new roles
• Red Flags for Approvers
• Notes for Approvers
• Security Reports
Goal 3
Definitions of Roles
Goal 3
Mapping of old to new roles
Goal 3
Red Flags for Approvers
Goal 3
Notes for Approvers
Goal 3
Security Reports
Goal 4
Develop new business process to appropriately
grant access and provide accountability.
Request Process
Determine the process where users can request
access to PeopleSoft.
Approval Process
Determine the appropriate authorized personnel
for approval of access requests.
Granting Process
Determine who will process the access requests.
Goal 4
• Request Process:
– Paper Form (Phase 1)
• Form can be printed and submitted via mail or e-mail
(using email address as the electronic signature)
– Online Access Requests (Phase 2)
• Users log onto the Security Access System (SAS) to
request access.
Goal 4
• Approval Process:
– Authorized Signer List
• List the authorized signers who can approve
PeopleSoft access
– Two level of approvers
• Level 1: View only access
• Level 2: Update/Correction access
Goal 4
PeopleSoft Authorized Signer List:
Goal 4
Level 1 Approvers:
Level 1 Approvers
(Data Owners)
PS Access
Request Form
Level 1 reviews the form to ensure
that data access requested are
appropriate. I.e. access is
necessary to perform their job
function without permitting access
to sensitive or confidential data
unnecessary to their job function.
Goal 4
Level 1 Approvers:
Level 1
Approvers
(Data Owners)
Approved by
Level 1
Level 2 reviews
access form for
appropriateness
ss
cce
w a nly
vie ted o
s,
Ye ues
re q
Depart. Manager/
Supervisor requests access
for employee via the PS
Access Request Form
Yes
Level 2 approval is
needed for access
that allows updates.
DO HelpDesk
reviews form for
completeness.
Goal 4
Level 2 Approvers:
Level 2 reviews
access form for
appropriateness
Approved by
Level 2
No
Level 1
Approvers
(Data Owners)
yes
DO HelpDesk
reviews form for
completeness.
Goal 4
• Granting Process:
– Approved form submitted to DO
HelpDesk for processing
– DO HelpDesk reviews form for
completeness before processing
• Approved by the appropriate staff
• All required information is provided
Goal 4
DO HelpDesk
reviews form for
completeness.
Form is
complete?
yes
DO Help Desk grants access,
notifies users, IT staff, and files PS
access request form
No
Level 1
Approvers
(Data Owners)
End
Roll Out
The Plan:
•
•
•
•
•
•
Testing
Communication!
Pilot Testing (selected users)
Communication!
Training
Communication!
Timeline
8/28
Begin project
to redesign
PS Security
Access Control
Student
Administration (SA)
5/14
Begin project
to redesign
PS Security
Access Control
Financials (FS)
12/1
SA and FS users
Must use new process!
12/22
FS Conversion
Completed.
9/15
PeopleSoft Security
Access Control
Completed &
5/30
SA Conversion SAS Go Live!
Sep - Oct
Pilot Testing
Nov - Dec
Training
Nov 2008
Feb 2009
May 2009
Aug 2009
Nov 2009
1/7
Begin project
to redesign
PS Security
Access Control
Human Resources (HR)
Completed.
Feb 2010
May 2010
Aug 2010
Security Access System
• Online Access Request
• Automatic Approval Routing
• Database Storage of Access
Requests (for Auditing)
Security Access System
Security Access System
Online Request Form: Authenticate
Security Access System
Online Request Form: User Information/Form Selection
Security Access System
Online Request Form: User Information/Form Selection
Security Access System
Online Request Form: Role(s) Selection
Security Access System
Online Request Form: Justification/Reason is required!
Security Access System
Online Request Form: Review Request
Security Access System
Online Request Form: Review Request
Security Access System
Approval: Via Email
Security Access System
Approval: Via Email
Security Access System
Approval: Via Email
Security Access System
Approval: Via Web
Security Access System
Approval: Via Web
Security Access System
Approval: Via Web
Security Access System
Approval: Via Web
Security Access System
Granting Access
Security Access System
Granting Access
Security Access System
Granting Access
Questions/Contacts:
Emmie Oesterman, IT Auditor
[email protected]
(916) 568 – 3134
Kris Backus, Sr. IT Analyst
[email protected]
(916) 568 - 3091
Download

Implementing Security Access Control