Implementing User’s IT Security Access Control
Community College Internal Auditors. Implementing User’s IT Security Access Control. 2011 Spring Conference. Presented by: Emmie Oesterman, IT Auditor Kris Backus, Sr. IT Analyst. Background. LRCCD includes four colleges and eight education centers.


Presentation Transcript



Community College Internal Auditors

Implementing User’s IT Security Access Control

2011 Spring Conference

Presented by:

Emmie Oesterman, IT Auditor

Kris Backus, Sr. IT Analyst


Background

  • LRCCD includes four colleges and eight education centers.

  • More than 90,000 students are enrolled in our colleges.

  • LRCCD uses PeopleSoft Enterprise Resource Planning (ERP) System for:

    • Student Administration (1200+ users)

    • Financials (150+ users)

    • Human Resources (100+ users)


Findings – Internal Auditor

  • PeopleSoft security is inadequate.

    • Management made it a priority to redesign our user access and access-granting procedures.


Findings – External Auditor

Internal Control (Information Technology)

  • Our observation and testing of controls over computer systems access indicated a number of conditions including duplicated profiles for users, users with more than one role, and terminated employees still active in the financial system. While we did not identify any financial statement errors or irregularities resulting from these conditions, stronger controls are necessary.

    • Financial Statement Audit – FY07/08

    • Resolve in FY08/09 Audit
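The three conditions in the finding above can be checked mechanically. This is an added example, not the district's own review script: it reads a constructed list of ERP profiles and an HR termination list and flags duplicated profiles, users holding more than one role, and terminated employees whose profiles are still active. The record layout, role names and sample data are assumptions.

```python
# Added example: access-review checks for the three conditions the external
# auditor reported. Record layout, role names and sample data are constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Profile:
    user_id: str         # ERP login
    employee_id: str     # HR identity the profile belongs to
    active: bool         # profile still enabled in the financial system
    roles: frozenset     # roles assigned to the profile

# Constructed sample: one employee with two profiles, one multi-role user,
# and one terminated employee whose profile is still active.
PROFILES = [
    Profile("jdoe", "E100", True, frozenset({"AP_VIEW"})),
    Profile("jdoe2", "E100", True, frozenset({"AP_VIEW"})),
    Profile("asmith", "E200", True, frozenset({"AP_UPDATE", "GL_UPDATE"})),
    Profile("bgone", "E300", True, frozenset({"GL_VIEW"})),
    Profile("cleft", "E400", False, frozenset({"GL_VIEW"})),
]
TERMINATED = {"E300", "E400"}   # employee IDs from HR (constructed)

def duplicate_profiles(profiles):
    """Employees that own more than one ERP profile."""
    by_employee = defaultdict(list)
    for p in profiles:
        by_employee[p.employee_id].append(p.user_id)
    return {e: sorted(u) for e, u in by_employee.items() if len(u) > 1}

def multi_role_users(profiles):
    """Profiles holding more than one role."""
    return sorted(p.user_id for p in profiles if len(p.roles) > 1)

def terminated_but_active(profiles, terminated):
    """Active profiles whose owner HR lists as terminated."""
    return sorted(p.user_id for p in profiles
                  if p.active and p.employee_id in terminated)

def review(profiles, terminated):
    """Run all three checks; an empty value means the condition is clear."""
    return {
        "duplicate_profiles": duplicate_profiles(profiles),
        "multi_role_users": multi_role_users(profiles),
        "terminated_but_active": terminated_but_active(profiles, terminated),
    }

if __name__ == "__main__":
    for finding, hits in review(PROFILES, TERMINATED).items():
        print(f"{finding}: {hits or 'none'}")
```

Run against a real export, the terminated-but-active check is the one to schedule: it only stays clear if the HR termination feed reaches the access review on time.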


Plan

  • Student Administration

    • Highest number of users (1200+ users)

    • Greatest risks

  • Financials

    • 150+ users

  • Human Resources

    • 100+ users


The Team

  • IT Staff

  • IT Auditor

  • District/College Staff*

  • District/College Information Security Officers*

    * When needed


Goals

  • Determine the current roles and security access.

  • Develop appropriate roles and security to assure adequate security and privacy of data.


Goals (continued)

  • Provide user documents to clearly identify the access within each PeopleSoft role.

  • Develop a new business process to appropriately grant access and provide accountability.


Goal 1

Determine the current roles and security access.

  • IT ran a script to provide a detailed listing of the access within each role.

  • The team analyzed the data and determined appropriateness.

  • IT deleted any unused access.



Goal 2

Develop appropriate roles and security to assure adequate security and privacy of data.

Access Methodology

  • Data Ownership

  • Hierarchy


Goal 2

Data Ownership

  • Determine data owners.

  • Design an approval process based on data ownership.


Goal 2

Hierarchy:

  • Roles are built as a hierarchy: a higher-level role includes the access of all lower levels.

  • Example: SR Access III will include all the access from these roles:

    • Student Info View I

    • Student Info View II

    • SR Access I

    • SR Access II




Goal 3

Provide user documents to clearly identify the access within each PeopleSoft role.

  • Definitions of Roles

  • Mapping of old to new roles

  • Red Flags for Approvers

  • Notes for Approvers

  • Security Reports




Goal 4

Develop a new business process to appropriately grant access and provide accountability.

  • Request Process: determine the process where users can request access to PeopleSoft.

  • Approval Process: determine the appropriate authorized personnel for approval of access requests.

  • Granting Process: determine who will process the access requests.


Goal 4

  • Request Process:

    • Paper Form (Phase 1)

      • Form can be printed and submitted via mail or e-mail (using the e-mail address as the electronic signature)

    • Online Access Requests (Phase 2)

      • Users log onto the Security Access System (SAS) to request access.


Goal 4

  • Approval Process:

    • Authorized Signer List

      • List the authorized signers who can approve PeopleSoft access

    • Two levels of approvers

      • Level 1: View only access

      • Level 2: Update/Correction access
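The role hierarchy from Goal 2 and the two-level approval rule above, carried into code as an added example (not the district's Security Access System): the role names follow the slide's hierarchy example, while the nesting of the lower roles, which roles carry update access, and the signer list are constructed assumptions.

```python
# Added example: role hierarchy resolution and approval-level routing.
# Role names follow the presentation's hierarchy example; the nesting of the
# lower roles, UPDATE_ROLES and SIGNERS are constructed assumptions.

# Each role lists the roles whose access it includes (slide: SR Access III
# includes Student Info View I/II and SR Access I/II).
INCLUDES = {
    "Student Info View I": [],
    "Student Info View II": ["Student Info View I"],
    "SR Access I": ["Student Info View I", "Student Info View II"],
    "SR Access II": ["SR Access I"],
    "SR Access III": ["Student Info View I", "Student Info View II",
                      "SR Access I", "SR Access II"],
}
# Assumed: roles that carry update/correction rights; the rest are view only.
UPDATE_ROLES = {"SR Access I", "SR Access II", "SR Access III"}
# Assumed authorized signer list: signer -> highest approval level held.
SIGNERS = {"dean.a": 2, "staff.b": 1}

def effective_roles(role, includes=INCLUDES):
    """Every role granted by `role`, following the hierarchy transitively."""
    seen, stack = set(), [role]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        stack.extend(includes[current])   # unknown role raises KeyError
    return seen

def required_level(requested):
    """Level 2 if any effective role updates data, otherwise Level 1."""
    effective = set().union(*(effective_roles(r) for r in requested))
    return 2 if effective & UPDATE_ROLES else 1

def can_approve(signer, requested, signers=SIGNERS):
    """Signer must be on the list and hold at least the required level."""
    return signers.get(signer, 0) >= required_level(requested)

if __name__ == "__main__":
    request = ["Student Info View II", "SR Access I"]
    print("SR Access III grants:", sorted(effective_roles("SR Access III")))
    print("approval level needed:", required_level(request))
    print("staff.b may approve:", can_approve("staff.b", request))
```

Because the check resolves the hierarchy before deciding the level, a request that names only a view role but inherits an update role still routes to a Level 2 approver.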


Goal 4

PeopleSoft Authorized Signer List:

Level 1 Approvers:

Level 2 Approvers:


Goal 4

  • Granting Process:

    • Approved form submitted to DO HelpDesk for processing

    • DO HelpDesk reviews form for completeness before processing:

      • Approved by the appropriate staff

      • All required information is provided




Roll Out

The Plan:

  • Testing

  • Communication!

  • Pilot Testing (selected users)

  • Communication!

  • Training

  • Communication!


Timeline


Security Access System

  • Online Access Request

  • Automatic Approval Routing

  • Database Storage of Access Requests (for Auditing)




Security Access System

Online Request Form: Authenticate

Online Request Form: User Information/Form Selection

Online Request Form: Role(s) Selection

Online Request Form: Justification/Reason is required!

Online Request Form: Review Request

Approval: Via Email

Approval: Via Web

Granting Access


Questions/Contacts:

Emmie Oesterman, IT Auditor

[email protected]

(916) 568-3134

Kris Backus, Sr. IT Analyst

[email protected]

(916) 568-3091

