Slide 1: LOGICAL ACCESS: Business Managers Presentation for Saint Louis University

Slide 2: Agenda
• Logical Access Background
• Purpose of Access Security Request Form
• Key Sections of Form
• Completion & Submission of Form
• Tips to Make the Process Work
• Monitoring Access Rights
• Documents
• Q&A

Slide 3: Background
• Logical Access is the process by which individuals are permitted to use computer systems and networks
• SLU's goal is to strengthen logical access controls
  – Reduce the risk of inappropriate and unauthorized access
  – Applies to Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases
• Logical Access is centered upon 12 Key Controls
• Key Controls addressed with the Access Security Request Form and Monitoring:
  – LA1 - A formalized, documented system for user access is established
  – LA2 - Full user account information is documented and retained
  – LA3 - Authorized approval and documentation
  – LA4 - User access is verified by Process Owners
  – LA5 & LA6 - Segregation of duties analysis
  – LA10 - Documentation and control for terminations
  – LA11 - Monitoring access reviews

Slide 4: Access Form: Purpose
• Formal documentation of request and approval
  – Replaces email, phone, and verbal requests
  – Increases consistency in requests
• Used for the following requests:
  – Banner, WebFOCUS, Xtender, Workflow, Axiom, and related databases
  – New, change, and delete user access
  – Faculty/staff, student workers, contractors, guest accounts
• Location of the form and instructions
  – http://www.slu.edu/services/HR/university_security_forms.html
  – Titled "University Access Security Request Form"
  – "Security Request Form How-To Instructions"

Slide 5: Key Sections of Form
• User Information
  – All users, including contractors and guests, are required to have a SLUnet (Banner) ID prior to a new user access request
• Type of Request
• Access Type and Level
  – Complete the appropriate sections for the data required (Human Resources, Business & Finance, Advancement, Student Financial Services, Student)
• Statement of Approval & Signature
  – Accuracy of request
  – Segregation of duties has been considered
  – User aware of University policies and procedures
  – Training has been provided (where required/available)

Slide 6: Completion & Submission
– Access Type & Level: Service Level Review Guide
  • Descriptions of classes, forms, etc. Use it to determine and evaluate the appropriateness of access rights (Segregation of Duties)
  • http://www.slu.edu/services/HR/university_security_forms.html
– Statement of Approval: Authorized Approvers
  • Business Manager or above (some exceptions): Directors, Associate Directors, etc.
  • A listing of authorized approvers is currently being developed; it will be posted on a weblink for easy access.

Slide 7: Completion & Submission: Segregation of Duties
Segregation of Duties prevents a single person from performing two or more incompatible functions. Failure to adequately segregate duties, or to implement compensating controls, increases the risk that errors or unauthorized actions may occur and not be detected in a timely manner.
Examples of inadequate segregation: one person has access rights to:
• Perform billings/invoicing, receive the corresponding payments, and record the corresponding cash receipts entries.
• Authorize disbursements, issue the corresponding disbursements, and record the corresponding disbursement entries.
• Set up a new employee, input pay rates/salary, and issue pay checks.

Slide 8: Completion & Submission: Submit forms to the appropriate Security Officer
• Access to a single department's data: submit to a single Security Officer
• Access to multiple departments' data: submit to multiple Security Officers

Department/Unit              Security Officer   Back Up
Advancement                  Will Curran        Valerie Mangnall
Business & Finance           Lisa Zoia          Jenny Kukic
Human Resources              Nick Hebel         Derrick Weathersby
Office of Registrar          Ellen Weis         John Jaffry
Student Financial Services   John Mejaski       Tena Jones

Slide 9: Tips to Make the Process Work!
• Ensure completion and accuracy of form data; consult with Security Officers if unsure
• Submit documentation of user training, if required; consult with Security Officers if unsure
• Submit access requests for new users (or transfers) in advance of the user's first day of work
• Reply to Security Officers' requests for user access confirmation
• Submit the access form to remove user access at least 2 days prior to the last day of work
• Monitor and communicate last days for contractors, including guests, to Security Officers
• Ensure timely notification of terminations to HR
• Begin using the forms immediately!

Slide 10: Monitoring
Monitoring involves reviews of reports to ensure that users have appropriate and authorized access rights. The following reports will be used:
• Service Access Report
  – A comprehensive listing of user access rights
  – HR, Finance, Student, Advancement, Student Financial Aid
  – Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases
  – Review Timing: Bi-Annually
• Position Change Report
  – Lists users who have changed positions, which may require updates to access rights
  – Review Timing: Weekly
  – Not all Business Managers are involved each week; it depends on department activity

Slide 11: Monitoring
• Termination Reports
  – Lists users who have separated from the university but who still have access rights
  – Review Timing: Weekly
  – Security Officers will request that Business Managers confirm terminations as needed; this depends on the termination activity for the week, if any.
• Account Inactivity Report
  – Lists users whose accounts have shown no activity over a specified period of time
  – Review Timing: Bi-Annually
  – Business Manager involvement is dictated by the number of inactive accounts in the department

Slide 12: Monitoring: Service Access and Account Inactivity Reports – Review Process
• QA Administrator sends an email to Business Managers (BMs) notifying them of the review
• BMs obtain the reports; review the access rights of users in their department for appropriateness; review users with inactivity
  – Utilize the "Service Level Review Guide" to review access rights
• If necessary, BMs initiate changes/removal of access rights using the Access Control Form
• BMs email the Monitoring Review Form to the QA Administrator noting that the review has been performed and any action taken
• BMs maintain documentation of the review for their own records
• QA Administrator maintains overall documentation of reviews

Slide 13: Monitoring: Position Change Reports – Review Process
• Security Officers obtain the reports
• Security Officer identifies BMs to assist in reviews
  – Due to the volume of activity, it is not necessary to distribute the reports to all BMs
• If necessary, the BM initiates changes to access rights using the Access Control Form
• BM sends an email reply to the Security Officer noting that the review has been performed and any action taken
• BM maintains documentation of the review for own records
• Security Officer forwards the Monitoring Review Form to the QA Administrator
• QA Administrator maintains overall documentation of reviews

Slide 14: Monitoring: Termination Reports – Review Process
• Security Officers obtain the reports and verify termination status with BMs
• BM sends an email reply to the Security Officer confirming termination status
• Security Officer maintains documentation of the review for own records
• Security Officer forwards the Monitoring Review Form to the QA Administrator
• QA Administrator maintains overall documentation of reviews

Slide 15: Monitoring: Other Notes
• The Service Access and Account Inactivity Reports review is to be performed at the end of April and October.
  – BMs can request a user access profile at any time; contact a Security Officer.
• Position and Termination report reviews have begun. BMs will be notified if assistance is required.
• The Service Level Review Guide and Monitoring Review Form are located at: http://www.slu.edu/services/HR/university_security_forms.html

Slide 16: Monitoring Reviews Example: Service Access Report
(Screenshot of a sample Service Access Report; the image is not reproduced in the text.)

Slide 17: Monitoring Reviews Example: Position Change Report
(Screenshot of a sample Position Change Report; the image is not reproduced in the text.)

Slide 18: Monitoring Reviews Example: Termination Report
(Screenshot of a sample Termination Report; the image is not reproduced in the text.)

Slide 19: Key Documents
• Desk Procedures
• Quick Reference Guide
• Access Security Request Form
• Security Request Form How-To Instructions
• Monitoring Reports
• Service Level Review Guide
• Monitoring Review Form

Slide 20: Thank You! Q&A
Contacts: Security Officers (see Slide #8) or Tim Brooks, QA Administrator: 977-7221
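The checks behind slides 7 and 11, as an added example that is not SLU's code or part of the original deck: the three incompatible-function sets from the segregation-of-duties slide are applied to each user's rights, and the Termination Report and Account Inactivity Report conditions are applied alongside them. The function names, the access-right labels, the 180-day inactivity window and the sample users are all assumptions; the real reports and the Service Level Review Guide use their own codes.

```python
# Added example (not SLU's code): the slide 7 segregation-of-duties check and the
# slide 11 termination / inactivity conditions, run over constructed sample data.
# Function names, access-right labels and sample users are assumptions.
from datetime import date

# Incompatible function sets from slide 7; a user holding every right in a set is flagged.
SOD_CONFLICTS = {
    "billing/receipts": {"perform_billing", "receive_payments", "record_cash_receipts"},
    "disbursements": {"authorize_disbursement", "issue_disbursement", "record_disbursement"},
    "payroll": {"setup_employee", "input_pay_rate", "issue_paycheck"},
}

def sod_conflicts(rights):
    """Names of the conflict sets fully covered by one user's rights."""
    return [name for name, funcs in SOD_CONFLICTS.items() if funcs <= set(rights)]

def review_access(access_report, terminated, last_activity, as_of, inactive_days=180):
    """access_report: {slunet_id: set of rights} (Service Access Report);
    terminated: ids separated per HR; last_activity: {slunet_id: date}.
    Returns the findings a Business Manager would act on, by finding type."""
    findings = {"sod": [], "terminated_with_access": [], "inactive": []}
    for uid, rights in sorted(access_report.items()):
        for conflict in sod_conflicts(rights):
            findings["sod"].append((uid, conflict))
        if uid in terminated and rights:  # Termination Report: separated, still has access
            findings["terminated_with_access"].append(uid)
        last = last_activity.get(uid)  # Account Inactivity Report: no activity in the window
        if last is None or (as_of - last).days > inactive_days:
            findings["inactive"].append(uid)
    return findings

# Constructed sample data (not real SLU users or reports).
SAMPLE_ACCESS = {
    "jdoe1": {"perform_billing", "receive_payments", "record_cash_receipts"},
    "asmith": {"setup_employee", "input_pay_rate"},  # two of three: no conflict
    "bwong": {"authorize_disbursement", "issue_disbursement", "record_disbursement",
              "setup_employee", "input_pay_rate", "issue_paycheck"},
    "cleft": {"view_student_records"},  # separated from the university, access never removed
}
SAMPLE_TERMINATED = {"cleft"}
SAMPLE_ACTIVITY = {"jdoe1": date(2023, 10, 1), "asmith": date(2023, 9, 15),
                   "bwong": date(2023, 3, 1), "cleft": date(2023, 9, 30)}
AS_OF = date(2023, 10, 31)

def sample_review():
    return review_access(SAMPLE_ACCESS, SAMPLE_TERMINATED, SAMPLE_ACTIVITY, AS_OF)

if __name__ == "__main__":
    for kind, items in sample_review().items():
        print(kind, items)
```

A user with only two of the three rights in a set (asmith above) is not flagged, which is the judgement the Service Level Review Guide is meant to support when a form requests the third.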