LOGICAL ACCESS: - PowerPoint PPT Presentation

Slides: 21
Provided by: gebk
Tags: access | logical | axiom


Transcript and Presenter's Notes

Title: LOGICAL ACCESS:


1
LOGICAL ACCESS Business Managers
Presentation FOR Saint Louis University
2
Agenda
  • Logical Access Background
  • Purpose of Access Security Request Form
  • Key Sections of Form
  • Completion & Submission of Form
  • Tips to Make the Process Work
  • Monitoring Access Rights
  • Documents
  • Q & A

3
Background
  • Logical Access is the process by which
    individuals are permitted to use computer systems
    and networks
  • SLU's goal is to strengthen logical access
    controls
  • Reduce risk of inappropriate and unauthorized
    access
  • Applies to Banner, WebFOCUS, Xtender, Workflow,
    Axiom and related databases
  • Logical Access centered upon 12 Key Controls
  • Key Controls Addressed with Access Security
    Request Form and Monitoring:
    • LA1 - A formalized documented system for user
      access is established
    • LA2 - Full user account information is documented
      and retained
    • LA3 - Authorized approval and documentation
    • LA4 - User access is verified by Process Owners
    • LA5 & LA6 - Segregation of duties analysis
    • LA10 - Documentation and control for Terminations
    • LA11 - Monitoring Access Reviews

4
Access Form Purpose
  • Formal documentation of request and approval
  • Replaces email, phone, and verbal requests
  • Increases consistency in requests
  • Used for the following requests:
    • Banner, WebFOCUS, Xtender, Workflow, Axiom, and
      related databases
    • New, change, and delete user access
    • Faculty/staff, student workers, contractors,
      guest accounts
  • Location of the form and instructions:
    • http://www.slu.edu/services/HR/university_security_forms.html
    • Titled: University Access Security Request Form
    • Security Request Form How-To Instructions

5
Key Sections of Form
  • User Information
    • All users, including contractors and guests, are
      required to have SLUnet (Banner) ID prior to new
      user access request
  • Type of Request
  • Access Type and Level
    • Complete appropriate sections for data required
      (Human Resources, Business & Finance,
      Advancement, Student Financial Services, Student)
  • Statement of Approval & Signature
    • Accuracy of request
    • Segregation of duties has been considered
    • User aware of University policies and procedures
    • Training has been provided (where
      required/available)

6
Completion & Submission
  • Access Type & Level: Service Level Review Guide
    • Descriptions of classes, forms, etc. Use to
      determine and evaluate appropriateness of access
      rights (Segregation of Duties)
    • http://www.slu.edu/services/HR/university_security_forms.html
  • Statement of Approval: Authorized Approvers
    • Business Manager or above (some exceptions)
    • Directors, Associate Directors, etc.
    • Listing of authorized approvers is currently being
      developed and will be posted on a weblink for easy
      access.

7
Completion & Submission
  • Segregation of Duties - Prevents a single person
    from performing two or more incompatible
    functions. Failure to adequately segregate, or
    implement compensating controls, increases the
    risk that errors or unauthorized actions may
    occur and not be detected in a timely manner.
  • Examples of inadequate segregation: One person
    has access rights to:
    • Perform billings/invoicing, receive the
      corresponding payments, and record the
      corresponding cash receipts entries.
    • Authorize disbursements, issue corresponding
      disbursements, and record corresponding
      disbursements entries.
    • Set up a new employee, input pay rates/salary,
      and issue pay checks.

8
Completion & Submission
  • Submit forms to appropriate Security Officer
    • Access to a single department's data: submit to
      single Security Officer
    • Access to multiple departments' data: submit to
      multiple Security Officers

9
Tips to Make the Process Work!
  • Ensure completion and accuracy of form data.
    Consult with Security Officers, if unsure
  • Submit documentation of user training, if
    required. Consult with Security Officers, if
    unsure
  • Submit access requests for new users (or
    transfers) in advance of user's first day of work
  • Reply to Security Officers' request for user
    access confirmation
  • Submit access form to remove user access at
    least 2 days prior to last day of work
  • Monitor and communicate last days for
    contractors, including guests, to Security
    Officers
  • Ensure timely notification of terminations to HR
  • Begin using the forms immediately!

10
Monitoring
  • Monitoring involves reviews of reports to ensure
    that users have appropriate and authorized access
    rights. The following reports will be used:
  • Service Access Report
    • A comprehensive listing of user access rights
    • HR, Finance, Student, Advancement, Student
      Financial Aid
    • Banner, WebFOCUS, Xtender, Workflow, Axiom and
      related databases
    • Review Timing: Bi-Annually
  • Position Change Report
    • Lists users who have changed positions, which may
      require updates to access rights
    • Review Timing: Weekly
    • All Business Managers' involvement is not required
      each week; depends on department activity

11
Monitoring
  • Termination Reports
    • Lists users who have separated from the
      university, but who still have access rights
    • Review Timing: Weekly
    • Security Officers will request that Business
      Managers confirm terminations as needed; depends
      on termination activity for the week, if any.
  • Account Inactivity Report
    • Lists users whose accounts have shown no activity
      over a specified period of time
    • Review Timing: Bi-Annually
    • Business Managers' involvement dictated by number
      of inactive accounts in department

12
Monitoring
  • Service Access and Account Inactivity Reports:
    Review Process
    • QA Administrator sends email to Business Managers
      (BMs) notifying them of the review
    • BMs obtain reports; review access rights of users
      in their department for appropriateness; review
      users with inactivity
    • Utilize Service Level Review Guide to review
      access rights
    • If necessary, BMs initiate changes/removal of
      access rights using Access Control Form
    • BMs email Monitoring Review Form to QA
      Administrator noting review has been performed
      and action taken, if any.
    • BMs maintain documentation of review for own
      records
    • QA Administrator maintains overall documentation
      of reviews

13
Monitoring
  • Position Change Reports: Review Process
    • Security Officers obtain reports
    • Identify BMs to assist in reviews
    • Due to volume of activity, not necessary to
      distribute to all BMs
    • If necessary, BM initiates changes to access
      rights using Access Control Form
    • BM sends email reply to Security Officer noting
      review has been performed and action taken.
    • BM maintains documentation of review for own
      records
    • Security Officer forwards Monitoring Review Form
      to QA Administrator
    • QA Administrator maintains overall documentation
      of reviews

14
Monitoring
  • Termination Reports: Review Process
    • Security Officers obtain reports and verify
      termination status with BMs
    • BM sends email reply to Security Officer
      confirming termination status
    • Security Officer maintains documentation of
      review for own records
    • Security Officer forwards Monitoring Review Form
      to QA Administrator
    • QA Administrator maintains overall documentation
      of reviews

15
Monitoring
  • Other Notes
    • Service Access and Account Inactivity Reports
      review to be performed end of April and October.
    • BMs can request user access profile at any time;
      contact a Security Officer.
    • Position and Termination reports review has
      begun. BMs will be notified if assistance is
      required.
    • Service Level Review Guide and Monitoring Review
      Form located at:
      http://www.slu.edu/services/HR/university_security_forms.html

16
Monitoring Reviews
Example Service Access Report
17
Monitoring Reviews
Example Position Change Report
18
Monitoring Reviews
Example Termination Report
19
Key Documents
  • Desk Procedures
  • Quick Reference Guide
  • Access Security Request Form
  • Security Request Form How-To Instructions
  • Monitoring Reports
  • Service Level Review Guide
  • Monitoring Review Form

20
Thank You!
  • Q & A
  • Contacts
  • Security Officers: See Slide 8
  • or
  • Tim Brooks, QA Administrator 977-7221