Community College Internal Auditors

Implementing User’s IT Security Access Control

2011 Spring Conference

Presented by:

Emmie Oesterman, IT Auditor

Kris Backus, Sr. IT Analyst

Background
  • LRCCD includes four colleges and eight education centers.
  • More than 90,000 students are enrolled in our colleges.
  • LRCCD uses PeopleSoft Enterprise Resource Planning (ERP) System for:
      • Student Administration (1200+ users)
      • Financials (150+ users)
      • Human Resources (100+ users)
Findings – Internal Auditor
  • PeopleSoft security is inadequate.
      • Management made it a priority to redesign our user access and access-granting procedures.
Findings – External Auditor

Internal Control (Information Technology)

  • Our observation and testing of controls over computer systems access indicated a number of conditions including duplicated profiles for users, users with more than one role, and terminated employees still active in the financial system. While we did not identify any financial statement errors or irregularities resulting from these conditions, stronger controls are necessary.
      • Financial Statement Audit – FY07/08
      • Resolve in FY08/09 Audit
Plan
  • Student Administration
      • Highest number of users (1200+ users)
      • Greatest risks
  • Financials
      • 150+ users
  • Human Resources
      • 100+ users
The Team
  • IT Staff
  • IT Auditor
  • District/College Staff*
  • District/College Information Security Officers*

* When needed

Goals
  • Determine the current roles and security access.
  • Develop appropriate roles and security to assure adequate security and privacy of data.
Goals (continued)
  • Provide user documents to clearly identify the access within each PeopleSoft role.
  • Develop new business process to appropriately grant access and provide accountability.
Goal 1

Determine the current roles and security access.

  • IT ran a script to provide detailed listing of access within each role.
  • The team analyzed the data and determined appropriateness.
  • IT deleted any unused access.
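The three steps above (list the access within each role, review it, remove what is unused) are the same review that surfaced the external auditor's conditions: duplicated profiles, users holding more than one role, and terminated employees still active. The following is an added example of such a review script; it is not the district's script, and every user, employee id, role and permission name in it is constructed rather than taken from the LRCCD PeopleSoft configuration.

```python
"""Access-review checks over a constructed PeopleSoft-style user/role extract.

Added example, not the district's own script. All data below is constructed.
"""
from collections import defaultdict

# Constructed HR roster: employee id -> employment status.
HR_ROSTER = {
    "E100": "active",
    "E101": "active",
    "E102": "terminated",
    "E103": "active",
}

# Constructed user profiles: user id -> employee id, lock state, assigned roles.
USER_PROFILES = {
    "jdoe":   {"emplid": "E100", "locked": False, "roles": ["SR Access I"]},
    "jdoe2":  {"emplid": "E100", "locked": False, "roles": ["Student Info View II"]},  # second profile for E100
    "asmith": {"emplid": "E101", "locked": False, "roles": ["SR Access II", "Student Info View I"]},
    "bjones": {"emplid": "E102", "locked": False, "roles": ["SR Access III"]},  # terminated, still unlocked
    "clee":   {"emplid": "E103", "locked": True,  "roles": ["SR Access I"]},
}

# Constructed "detailed listing of access within each role" (role -> permissions).
ROLE_PERMISSIONS = {
    "Student Info View I":  {"STDNT_BIO:view"},
    "Student Info View II": {"STDNT_BIO:view", "STDNT_ENRL:view"},
    "SR Access I":          {"STDNT_ENRL:update"},
    "SR Access II":         {"STDNT_ENRL:update", "STDNT_GRADE:update"},
    "SR Access III":        {"STDNT_GRADE:correct"},
    "Legacy Report Role":   {"RPT_OLD:run"},  # assigned to nobody
}


def terminated_but_active(profiles, roster):
    """User ids whose employee is terminated in HR but whose profile is not locked."""
    return sorted(u for u, p in profiles.items()
                  if roster.get(p["emplid"]) == "terminated" and not p["locked"])


def duplicate_profiles(profiles):
    """Employee ids that own more than one user profile, with those profiles."""
    by_emplid = defaultdict(list)
    for u, p in profiles.items():
        by_emplid[p["emplid"]].append(u)
    return {e: sorted(us) for e, us in by_emplid.items() if len(us) > 1}


def multi_role_users(profiles):
    """User ids holding more than one role."""
    return sorted(u for u, p in profiles.items() if len(p["roles"]) > 1)


def unused_roles(profiles, role_permissions):
    """Roles assigned to no user: candidates for deletion."""
    assigned = {r for p in profiles.values() for r in p["roles"]}
    return sorted(set(role_permissions) - assigned)


def effective_permissions(user, profiles, role_permissions):
    """Union of the permissions of every role the user holds."""
    perms = set()
    for r in profiles[user]["roles"]:
        perms |= role_permissions[r]
    return perms


def run_review(profiles=USER_PROFILES, roster=HR_ROSTER, role_permissions=ROLE_PERMISSIONS):
    """Run all checks and return the findings as one dict."""
    return {
        "terminated_but_active": terminated_but_active(profiles, roster),
        "duplicate_profiles": duplicate_profiles(profiles),
        "multi_role_users": multi_role_users(profiles),
        "unused_roles": unused_roles(profiles, role_permissions),
    }


if __name__ == "__main__":
    for finding, value in run_review().items():
        print(f"{finding}: {value}")
```

The HR roster is the authoritative source for employment status; the check compares it against the application's own user table rather than trusting a "terminated" flag inside the application, which is what lets a departed employee's unlocked profile stand out.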
Goal 2

Develop appropriate roles and security to assure adequate security and privacy of data.

Access Methodology

  • Data Ownership
  • Hierarchy
Goal 2

Data Ownership

  • Determine data owners
  • Design an approval process based on data ownership.

Example:

Goal 2

Hierarchy:

  • Roles are organized in a hierarchy: a higher-level role includes all the access of the roles below it.
  • Example
    • SR Access III will include all the access from these roles:
      • Student Info View I
      • Student Info View II
      • SR Access I
      • SR Access II
Goal 3

Provide user documents to clearly identify the access within each PeopleSoft role.

  • Definitions of Roles
  • Mapping of old to new roles
  • Red Flags for Approvers
  • Notes for Approvers
  • Security Reports
Goal 3

Definitions of Roles

Goal 3
  • Mapping of old to new roles
Goal 3

Red Flags for Approvers

Goal 3

Notes for Approvers

Goal 3

Security Reports

Goal 4

Develop new business process to appropriately grant access and provide accountability.

  • Request Process
      • Determine the process where users can request access to PeopleSoft.
  • Approval Process
      • Determine the appropriate authorized personnel for approval of access requests.
  • Granting Process
      • Determine who will process the access requests.
Goal 4
  • Request Process:
    • Paper Form (Phase 1)
      • Form can be printed and submitted via mail or e-mail (using email address as the electronic signature)
    • Online Access Requests (Phase 2)
      • Users log onto the Security Access System (SAS) to request access.
Goal 4
  • Approval Process:
    • Authorized Signer List
      • List the authorized signers who can approve PeopleSoft access
    • Two levels of approvers
      • Level 1: View only access
      • Level 2: Update/Correction access
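The role hierarchy from Goal 2 and the two approval levels above fit together: to route a request, expand each requested role to everything it includes, then send it to a Level 2 approver if any of that access is update/correction, otherwise to Level 1. The following added example implements that (it is not the district's Security Access System). The slides only state that SR Access III includes Student Info View I and II and SR Access I and II; the linear chain below that produces that result, and the view/update classification of each role, are assumptions.

```python
"""Hierarchical role expansion and two-level approval routing.

Added example, not the district's Security Access System. The role chain and
the view/update classification are assumptions consistent with the slides.
"""

# Constructed hierarchy: role -> roles it directly includes (assumed linear chain).
ROLE_INCLUDES = {
    "Student Info View I":  [],
    "Student Info View II": ["Student Info View I"],
    "SR Access I":          ["Student Info View II"],
    "SR Access II":         ["SR Access I"],
    "SR Access III":        ["SR Access II"],
}

# Assumed classification: "view" needs a Level 1 approver, "update" needs Level 2.
ROLE_ACCESS_TYPE = {
    "Student Info View I":  "view",
    "Student Info View II": "view",
    "SR Access I":          "update",
    "SR Access II":         "update",
    "SR Access III":        "update",
}


def expand_role(role, includes=ROLE_INCLUDES):
    """Every role whose access `role` carries (itself excluded). Rejects cycles."""
    seen, stack = set(), list(includes[role])
    while stack:
        r = stack.pop()
        if r == role:
            raise ValueError(f"cycle in role hierarchy at {role!r}")
        if r in seen:
            continue
        seen.add(r)
        stack.extend(includes[r])
    return seen


def all_access(roles, includes=ROLE_INCLUDES):
    """Requested or held roles plus everything they include."""
    covered = set(roles)
    for r in roles:
        covered |= expand_role(r, includes)
    return covered


def approval_level(requested_roles, includes=ROLE_INCLUDES, access_type=ROLE_ACCESS_TYPE):
    """1 if the request is view-only after expansion, 2 if any update/correction access is involved."""
    covered = all_access(requested_roles, includes)
    return 2 if any(access_type[r] == "update" for r in covered) else 1


def redundant_requests(current_roles, requested_roles, includes=ROLE_INCLUDES):
    """Requested roles already covered by a role the user holds (a red flag for the approver)."""
    held = all_access(current_roles, includes)
    return sorted(r for r in requested_roles if r in held)


def route_request(current_roles, requested_roles):
    """Approval level plus any red flags, for one access request."""
    return {
        "approval_level": approval_level(requested_roles),
        "redundant": redundant_requests(current_roles, requested_roles),
    }


if __name__ == "__main__":
    print(sorted(expand_role("SR Access III")))
    print(route_request(current_roles=["SR Access III"],
                        requested_roles=["SR Access I", "Student Info View I"]))
```

Because the routing decision is computed from the expanded access rather than from the name of the role requested, a request for a role that looks like "view" but includes an update role still goes to a Level 2 approver.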
Goal 4

PeopleSoft Authorized Signer List:

Goal 4

Level 1 Approvers:

Goal 4

Level 2 Approvers:

Goal 4
  • Granting Process:
    • Approved form submitted to DO HelpDesk for processing
    • DO HelpDesk reviews form for completeness before processing
      • Approved by the appropriate staff
      • All required information is provided
Roll Out

The Plan:

  • Testing
  • Communication!
  • Pilot Testing (selected users)
  • Communication!
  • Training
  • Communication!
Security Access System
  • Online Access Request
  • Automatic Approval Routing
  • Database Storage of Access Requests (for Auditing)
Security Access System

Online Request Form: Authenticate

Security Access System

Online Request Form: User Information/Form Selection

Security Access System

Online Request Form: Role(s) Selection

Security Access System

Online Request Form: Justification/Reason is required!

Security Access System

Online Request Form: Review Request

Security Access System

Approval: Via Email

Security Access System

Approval: Via Web

Security Access System

Granting Access

Questions/Contacts:

Emmie Oesterman, IT Auditor

[email protected]

(916) 568-3134

Kris Backus, Sr. IT Analyst

[email protected]

(916) 568-3091
