LOGICAL ACCESS: - PowerPoint PPT Presentation

Slides: 22
Provided by: gebk

Transcript and Presenter's Notes

1
LOGICAL ACCESS: Business Managers
Presentation for Saint Louis University
2
Agenda
  • Logical Access Background
  • Purpose of Access Control Form
  • Key Sections of Form
  • Completion & Submission of Form
  • Tips to Make the Process Work
  • Monitoring Access Rights
  • Documents
  • Q & A

3
Background
  • Logical Access is the process by which
    individuals are permitted to use computer systems
    and networks
  • SLU's goal is to strengthen logical access
    controls
  • Reduce risk of inappropriate and unauthorized
    access
  • Applies to Banner, WebFOCUS, Xtender, Workflow,
    Axiom and related databases
  • Logical Access centered upon 12 Key Controls
  • Key Controls Addressed with Access Control Form
    and Monitoring
  • LA1 - A formalized documented system for user
    access is established
  • LA2 - Full user account information is documented
    and retained
  • LA3 - Authorized approval and documentation
  • LA4 - User access is verified by Process Owners
  • LA5 & LA6 - Segregation of duties analysis
  • LA10 - Documentation and control for Terminations
  • LA11 - Monitoring Access Reviews

4
Access Control Form Purpose
  • Formal documentation of request and approval
  • Replaces email, phone, and verbal requests
  • Increases consistency in requests
  • Used for the following requests:
  • Banner, WebFOCUS, Xtender, Workflow, Axiom, and
    related databases
  • New, change, and delete user access
  • Faculty/staff, student workers, contractors,
    guest accounts
  • Location of the form:
  • http://www.slu.edu/services/HR/university_security_forms.html
  • Titled: University Access Security Request Form

5
Key Sections of Form
  • User Information
  • All users, including contractors and guests, are
    required to have SLUnet (Banner) ID prior to new
    user access request
  • Type of Request
  • Access Type and Level
  • Complete appropriate sections for data required
    (Human Resources, Business & Finance,
    Advancement, Student Financial Services, Student)
  • Statement of Approval Signature
  • Accuracy of request
  • Segregation of duties has been considered
  • User aware of University policies and procedures
  • Training has been provided (where
    required/available)

6
Completion & Submission
  • Access Type & Level: Descriptions of classes,
    forms, etc.
  • Use to determine and evaluate appropriateness of
    access rights (Segregation of Duties)
  • Description of classes, forms, etc. is currently
    under development; consult with Security Officers
    in the short term.
  • Will be posted on a weblink for easy access.
  • Statement of Approval: Authorized Approvers
  • Business Manager or above (some exceptions)
  • Directors, Associate Directors, etc.
  • Listing of authorized approvers is currently being
    developed; will be posted on a weblink for easy
    access.

7
Completion & Submission
  • Segregation of Duties - Prevents a single person
    from performing two or more incompatible
    functions. Failure to adequately segregate, or
    implement compensating controls, increases the
    risk that errors or unauthorized actions may
    occur and not be detected in a timely manner.
  • Examples of inadequate segregation: One person
    has access rights to:
  • Perform billings/invoicing, receive the
    corresponding payments, and record the
    corresponding cash receipts entries.
  • Authorize disbursements, issue corresponding
    disbursements, and record corresponding
    disbursements entries.
  • Set up a new employee, input pay rates/salary,
    and issue pay checks.

8
Completion & Submission
  • Submit forms to appropriate Security Officer
  • Access to a single department's data: submit to
    single Security Officer
  • Access to multiple departments' data: submit to
    multiple Security Officers

9
Tips to Make the Process Work!
  • Ensure completion and accuracy of form data.
    Consult with Security Officers, if unsure
  • Submit documentation of user training, if
    required. Consult with Security Officers, if
    unsure
  • Submit access requests for new users (or
    transfers) in advance of user's first day of work
  • Reply to Security Officers' request for user
    access confirmation
  • Submit access form to remove user access, at
    least 2 days prior to last day of work
  • Monitor and communicate last days for
    contractors, including guests, to Security
    Officers
  • Ensure timely notification of terminations to HR
  • Begin using the forms immediately!

10
Monitoring
  • Monitoring involves reviews of reports to ensure
    that users have appropriate and authorized access
    rights. The following reports will be used:
  • Service Access Report
  • A comprehensive listing of user access rights
  • HR, Finance, Student, Advancement, Student
    Financial Aid
  • Banner, WebFOCUS, Xtender, Workflow, Axiom and
    related databases
  • Review Timing: Bi-Annually
  • Position Change Report
  • Lists users who have changed positions, which may
    require updates to access rights
  • Review Timing: Weekly
  • All Business Managers' involvement is not required
    each week; depends on department activity

11
Monitoring
  • Termination Reports
  • Lists users who have separated from the
    university, but who still have access rights
  • Review Timing: Weekly
  • Security Officers will request that Business
    Managers confirm terminations as needed; depends
    on termination activity for the week, if any.
  • Account Inactivity Report
  • Lists users whose accounts have shown no activity
    over a specified period of time
  • Review Timing: Quarterly
  • Business Managers' involvement each quarter
    dictated by number of inactive accounts in
    department

12
Monitoring
  • Service Access Reports Review Process
  • QA Administrator sends email to Business Managers
    (BMs) notifying them of the review
  • BMs obtain reports and review access rights of
    users in their department for appropriateness
  • Description of classes, forms, etc., is currently
    under development.
  • If necessary, BMs initiate changes to access
    rights using Access Control Form
  • BMs send email reply to QA Administrator noting
    review has been performed and action taken, if
    any.
  • BMs maintain documentation of review for own
    records
  • QA Administrator maintains overall documentation
    of reviews

13
Monitoring
  • Position Change Reports Review Process
  • Security Officers obtain reports
  • Identify BMs to assist in reviews
  • Due to volume of activity, not necessary to
    distribute to all BMs
  • If necessary, BM initiates changes to access
    rights using Access Control Form
  • BM sends email reply to Security Officer noting
    review has been performed and action taken.
  • BM maintains documentation of review for own
    records
  • Security Officer forwards documentation of review
    to QA Administrator
  • QA Administrator maintains overall documentation
    of reviews

14
Monitoring
  • Termination Reports Review Process
  • Security Officers obtain reports and verify
    termination status with BMs
  • BM sends email reply to Security Officer
    confirming termination status
  • Security Officer maintains documentation of
    review for own records
  • Security Officer forwards documentation of review
    to QA Administrator
  • QA Administrator maintains overall documentation
    of reviews

15
Monitoring
  • Account Inactivity Reports Review Process
  • QA Administrator sends email to Business Managers
    (BMs) notifying them of the review
  • BMs obtain reports, review users with inactivity
    and determine if users' access should be removed
  • If necessary, BMs initiate removal of access
    rights using Access Control Form
  • BMs send email reply to QA Administrator noting
    review has been performed and action taken, if
    any.
  • BMs maintain documentation of review for own
    records
  • QA Administrator maintains overall documentation
    of reviews

16
Monitoring
  • Other Notes
  • Service Access Reports review to be performed end
    of April and October.
  • Will test process on limited organization units
    (ITS, HR, Business & Finance) in March.
  • BMs can request user access profile at any time;
    contact a Security Officer.
  • Position and Termination reports review has
    begun. BMs will be notified if assistance is
    required.
  • Account Inactivity Reports review date to be
    determined.

17
Monitoring Reviews
Example Service Access Report
18
Monitoring Reviews
Example Position Change Report
19
Monitoring Reviews
Example Termination Report
20
Documents
  • Draft Desk Procedures
  • For review and commenting
  • Finalize by end of March
  • Quick Reference Guide
  • Access Control Form
  • Training Presentation
  • Available via email request

21
Thank You!
  • Q & A
  • Contacts
  • Security Officers: See Slide 8
  • Tim Moser, SLU ITS 977-3059
  • Ken Gebken at 977-7295
  • Keenan McKinney, Jefferson Wells 977-2567