LA training slides Business Managers Presentation

LOGICAL ACCESS:
Business Managers Presentation
FOR
Saint Louis University
1
Agenda
• Logical Access Background
• Purpose of Access Security Request Form
• Key Sections of Form
• Completion & Submission of Form
• Tips to Make the Process Work
• Monitoring Access Rights
• Documents
• Q&A
2
Background
• Logical Access is the process by which individuals
are permitted to use computer systems and networks
• SLU’s goal is to strengthen logical access controls
– Reduce risk of inappropriate and unauthorized access
– Applies to Banner, WebFOCUS, Xtender, Workflow, Axiom
and related databases
• Logical Access centered upon 12 Key Controls
• Key Controls Addressed with Access Security
Request Form and Monitoring:
– LA1 - A formalized, documented system for user access is established
– LA2 - Full user account information is documented and retained
– LA3 - Authorized approval and documentation
– LA4 - User access is verified by Process Owners
– LA5 & LA6 - Segregation of duties analysis
– LA10 - Documentation and control for terminations
– LA11 - Monitoring access reviews
3
Access Form:
Purpose
• Formal documentation of request and
approval
– Replaces email, phone, and verbal requests
– Increases consistency in requests
• Used for the following requests:
– Banner, WebFOCUS, Xtender, Workflow, Axiom, and related
databases
– New, change, and delete user access
– Faculty/staff, student workers, contractors, guest accounts
• Location of the form and instructions
– http://www.slu.edu/services/HR/university_security_forms.html
– Titled “University Access Security Request Form”
– “Security Request Form How-To Instructions”
4
Key Sections of Form
• User Information
– All users, including contractors and guests, are required to
have SLUnet (Banner) ID prior to new user access request
• Type of Request
• Access Type and Level
– Complete appropriate sections for data required (Human
Resources, Business & Finance, Advancement, Student
Financial Services, Student)
• Statement of Approval & Signature
– Accuracy of request
– Segregation of duties has been considered
– User aware of University policies and procedures
– Training has been provided (where required/available)
5
Completion & Submission
– Access Type & Level: Service Level Review Guide
• Descriptions of classes, forms, etc. Use to determine and
evaluate appropriateness of access rights (Segregation of
Duties)
http://www.slu.edu/services/HR/university_security_forms.html
– Statement of Approval: Authorized Approvers
• Business Manager or above (some exceptions):
– Directors, Associate Directors, etc.
• Listing of authorized approvers currently being developed; will
be posted on a weblink for easy access.
6
Completion & Submission
• Segregation of Duties - Prevents a single person from
performing two or more incompatible functions. Failure to
adequately segregate, or implement compensating controls,
increases the risk that errors or unauthorized actions may occur
and not be detected in a timely manner.
Examples of inadequate segregation: One person has access
rights to:
• Perform billings/invoicing, receive the corresponding
payments, and record the corresponding cash receipts
entries.
• Authorize disbursements, issue corresponding
disbursements, and record corresponding disbursements
entries.
• Set up a new employee, input pay rates/salary, and issue pay
checks.
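The three incompatible combinations above can be checked mechanically against a listing of user access rights. The following is an added example written for this page, not a tool SLU provides; the function names and user records are constructed sample data, and the check flags a user only when they hold every function in one incompatible set.

```python
"""Segregation-of-duties check over user access rights (added example).

The conflict sets are the three incompatible combinations from the slide.
User records and function names are constructed, not SLU data.
"""
from typing import Dict, FrozenSet, List, Set

# A single user holding ALL functions in one set is an inadequate segregation.
SOD_CONFLICTS: Dict[str, FrozenSet[str]] = {
    "billing-to-cash": frozenset(
        {"perform_billing", "receive_payments", "record_cash_receipts"}),
    "disbursements": frozenset(
        {"authorize_disbursements", "issue_disbursements", "record_disbursements"}),
    "payroll": frozenset(
        {"setup_employee", "input_pay_rates", "issue_paychecks"}),
}


def find_sod_conflicts(access: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Return {user: [conflict names]} for users holding a full incompatible set."""
    findings: Dict[str, List[str]] = {}
    for user, rights in access.items():
        hits = [name for name, combo in SOD_CONFLICTS.items() if combo <= rights]
        if hits:
            findings[user] = hits
    return findings


def would_conflict(existing: Set[str], requested: Set[str]) -> List[str]:
    """Pre-approval check for an access request: conflict sets that the
    requested rights would newly complete when added to existing rights."""
    combined = existing | requested
    return [name for name, combo in SOD_CONFLICTS.items()
            if combo <= combined and not combo <= existing]


# Constructed sample: rights as they might appear on a Service Access Report.
SAMPLE_ACCESS: Dict[str, Set[str]] = {
    "jdoe": {"perform_billing", "receive_payments", "record_cash_receipts"},
    "asmith": {"perform_billing", "record_cash_receipts"},
    "bjones": {"setup_employee", "input_pay_rates", "issue_paychecks",
               "authorize_disbursements"},
}

if __name__ == "__main__":
    for user, hits in find_sod_conflicts(SAMPLE_ACCESS).items():
        print(f"{user}: inadequate segregation ({', '.join(hits)})")
    # An approver checking a new request for asmith before signing:
    print("asmith + receive_payments ->",
          would_conflict(SAMPLE_ACCESS["asmith"], {"receive_payments"}))
```

`would_conflict` is the check an approver would run before signing the Statement of Approval; `find_sod_conflicts` is the same rule applied to the whole report during a bi-annual review.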
7
Completion & Submission
Submit forms to appropriate Security Officer
• Access to a single department’s data – submit to single Security
Officer
• Access to multiple departments’ data – submit to multiple
Security Officers
Department/Unit             Security Officer   Back Up
Advancement                 Will Curran        Valerie Mangnall
Business & Finance          Lisa Zoia          Jenny Kukic
Human Resources             Nick Hebel         Derrick Weathersby
Office of Registrar         Ellen Weis         John Jaffry
Student Financial Services  John Mejaski       Tena Jones
8
Tips to Make the Process
Work!
• Ensure completion and accuracy of form data; consult with
Security Officers if unsure
• Submit documentation of user training, if required; consult
with Security Officers if unsure
• Submit access requests for new users (or transfers) in
advance of the user’s first day of work
• Reply to Security Officers’ requests for user access
confirmation
• Submit the access form to remove user access at least 2 days
prior to the user’s last day of work
• Monitor and communicate last days for contractors,
including guests, to Security Officers
• Ensure timely notification of terminations to HR
• Begin using the forms immediately!
9
Monitoring
Monitoring involves reviews of reports to ensure that users have appropriate and
authorized access rights. The following reports will be used:
• Service Access Report
– A comprehensive listing of user access rights
– HR, Finance, Student, Advancement, Student Financial Aid
– Banner, WebFOCUS, Xtender, Workflow, Axiom and related
databases
– Review Timing: Bi-Annually
• Position Change Report
– Lists users who have changed positions, which may require
updates to access rights
– Review Timing: Weekly
– Not every Business Manager is involved each week;
depends on department activity
10
Monitoring
• Termination Reports
– Lists users who have separated from the university, but who still
have access rights
– Review Timing: Weekly
– Security Officers will request that Business Managers confirm
terminations as needed; depends on termination activity for the
week, if any.
• Account Inactivity Report
– Lists users whose accounts have shown no activity over a
specified period of time
– Review Timing: Bi-Annually
– Business Managers’ involvement is dictated by the number of inactive
accounts in the department
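The Termination and Account Inactivity reports each reduce to one rule over account and HR data. The following is an added example for this page, not a report SLU produces: the account records, separation dates, field names and the 180-day inactivity window are all constructed assumptions.

```python
"""Termination and Account Inactivity report logic (added example).

Rules follow the slide: a separated user who still holds an account, and
an account with no activity over a specified period. All data below is
constructed sample data, and the 180-day window is an assumption.
"""
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed: active accounts with last sign-in date (None = never used).
ACCOUNTS: Dict[str, Dict[str, Optional[date]]] = {
    "jdoe":   {"last_activity": date(2024, 3, 28)},
    "asmith": {"last_activity": date(2023, 8, 2)},
    "bjones": {"last_activity": None},
    "clee":   {"last_activity": date(2024, 4, 1)},
}
# Constructed: HR separations, user -> separation date (future dates allowed).
SEPARATIONS: Dict[str, date] = {
    "asmith": date(2024, 2, 15),
    "clee": date(2024, 5, 1),
}


def termination_report(accounts: Dict[str, Dict[str, Optional[date]]],
                       separations: Dict[str, date], as_of: date) -> List[str]:
    """Users whose separation date has passed but who still hold an account.
    A future-dated separation is not yet a finding."""
    return sorted(u for u, sep in separations.items()
                  if sep <= as_of and u in accounts)


def inactivity_report(accounts: Dict[str, Dict[str, Optional[date]]],
                      as_of: date, max_idle_days: int = 180) -> List[str]:
    """Accounts with no activity inside the window; never-used accounts count."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(u for u, a in accounts.items()
                  if a["last_activity"] is None or a["last_activity"] < cutoff)


if __name__ == "__main__":
    today = date(2024, 4, 15)  # constructed review date
    print("Termination Report:", termination_report(ACCOUNTS, SEPARATIONS, today))
    print("Account Inactivity Report:", inactivity_report(ACCOUNTS, today))
```

Each name on the Termination Report is a candidate for a delete request on the Access Security Request Form; names on the Inactivity Report go to the Business Manager for the bi-annual review.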
11
Monitoring
Service Access and Account Inactivity Reports – Review
Process
• QA Administrator sends email to Business Managers (BMs)
notifying them of the review
• BMs obtain reports; review access rights of users in their
department for appropriateness; review users with inactivity
– Utilize “Service Level Review Guide” to review access
rights
• If necessary, BMs initiate changes/removal of access rights
using Access Control Form
• BMs email Monitoring Review Form to QA Administrator noting
review has been performed and action taken, if any.
• BMs maintain documentation of the review for their own records
• QA Administrator maintains overall documentation of reviews
12
Monitoring
Position Change Reports – Review Process
• Security Officers obtain reports
• Security Officers identify BMs to assist in reviews
– Due to the volume of activity, it is not necessary to distribute to all BMs
• If necessary, BM initiates changes to access rights using
Access Control Form
• BM sends email reply to Security Officer noting review
has been performed and action taken.
• BM maintains documentation of review for own records
• Security Officer forwards Monitoring Review form to QA
Administrator
• QA Administrator maintains overall documentation of
reviews
13
Monitoring
Termination Reports – Review Process
• Security Officers obtain reports and verify
termination status with BMs
• BM sends email reply to Security Officer
confirming termination status
• Security Officer maintains documentation of
review for own records
• Security Officer forwards Monitoring Review
Form to QA Administrator
• QA Administrator maintains overall
documentation of reviews
14
Monitoring
Other Notes
• Service Access and Account Inactivity Reports
review to be performed end of April and October.
– BMs can request user access profile at any time –
contact a Security Officer.
• Review of Position Change and Termination reports has
begun. BMs will be notified if assistance is
required.
• Service Level Review Guide and Monitoring
Review Form located at:
http://www.slu.edu/services/HR/university_security_forms.html
15
Monitoring Reviews
Example: Service Access Report
16
Monitoring Reviews
Example: Position Change Report
17
Monitoring Reviews
Example: Termination Report
18
Key Documents
• Desk Procedures
• Quick Reference Guide
• Access Security Request Form
• Security Request Form How-To Instructions
• Monitoring Reports
• Service Level Review Guide
• Monitoring Review Form
19
Thank You!
Q&A
Contacts:
Security Officers – See Slide #8
or
Tim Brooks, QA Administrator: 977-7221
20