
Kevin Savoy, MBA, CPA, CISA, CISSP Director of Information Technology Audits



Presentation Transcript


  1. The World of Access Controls Kevin Savoy, MBA, CPA, CISA, CISSP Director of Information Technology Audits

  2. Risk Business Risk “The potential that a given threat will exploit vulnerabilities of an asset to cause a loss or damage to an asset.”

  3. Controls • Controls “The policies, practices and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected”

  4. Layers Where IT Controls Exist • Application (this is where YOU come in) • Database (Oracle DBA level) • Operating System (Unix, Windows) • Network (routers, firewalls, switches)

  5. Application Controls • Program Integrity (change control) • Edit Checks • Data Reconciliations • ACCESS CONTROLS

  6. Most Intrusions • Statistics continue to show that most unauthorized access to data is from within an organization. • You would not know this fact from the press that hackers receive. • Therefore your responsibility over ACCESS CONTROLS within applications (Finance, Student System, HR and other supporting systems) is critical.

  7. Access Controls • Consist of two parts: • Authentication (is the user who they claim to be?) • Authorization (what can they do once they “are in”?)

  8. Authorization • YOU are the gatekeeper to UVA data. • Should be based on the “least amount of access needed to perform a job function” (least privilege). • Should not allow a user to hold conflicting access (separation of duties). For instance, a user should not be allowed to both record and approve payments without oversight. • The person granting access should be knowledgeable of the individual’s need for data access (personal knowledge at the lowest levels; trust of supervisors at the higher levels of approval).

  9. Authorization • Users should not be able to build up access as they move to different departments, thus all access should be terminated and reapplied for. • User access should be reviewed periodically to determine if it is still needed. A standard approach should be taken AND documented. • Access should be removed immediately upon termination or change of position except within the same department.
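The rules on slides 7 through 9, as an added worked example that is not part of the presentation: a small authorization model in which access is granted per job function (least privilege), a request is refused as a whole if the user's resulting access would contain a conflicting pair (separation of duties), a move to a different department revokes everything so access cannot accumulate, and a periodic review flags grants that are overdue for re-certification. The job names, entitlements, conflict pairs, approvers and dates are constructed for illustration and do not describe any UVA system.

```python
"""Added example, not from the presentation: an authorization model that
enforces least privilege, separation of duties, revoke-on-transfer and
periodic review. Job functions, entitlements and conflict pairs below are
constructed for illustration."""
from dataclasses import dataclass, field
from datetime import date


# Hypothetical job functions and the entitlements each one actually needs.
JOB_ENTITLEMENTS = {
    "ap_clerk": {"record_payment", "view_vendor"},
    "ap_approver": {"approve_payment", "view_vendor"},
    "hr_analyst": {"view_employee", "edit_employee"},
}

# Entitlement pairs that must never be held by one person (separation of duties).
SOD_CONFLICTS = {
    frozenset({"record_payment", "approve_payment"}),
    frozenset({"edit_employee", "approve_payment"}),
}

REVIEW_INTERVAL_DAYS = 90  # how long a grant may go without re-certification


class SoDViolation(Exception):
    """Raised when a request would give one user conflicting access."""


@dataclass
class Grant:
    entitlement: str
    department: str      # department the grant was approved for
    approved_by: str     # approver who knew the business need
    reviewed_on: date    # last time an approver re-certified the need


@dataclass
class User:
    name: str
    department: str
    grants: list = field(default_factory=list)

    def entitlements(self) -> set:
        return {g.entitlement for g in self.grants}


def sod_violations(entitlements: set) -> set:
    """Return every conflict pair fully contained in the entitlement set."""
    return {pair for pair in SOD_CONFLICTS if pair <= entitlements}


def grant_job(user: User, job: str, approved_by: str, today: date) -> set:
    """Grant exactly the entitlements a job function needs and nothing extra.
    The check runs on the user's full resulting access, so a request that is
    clean on its own but conflicts with what the user already holds is refused
    as a whole. Returns the entitlements newly added."""
    needed = JOB_ENTITLEMENTS[job]
    conflicts = sod_violations(user.entitlements() | needed)
    if conflicts:
        raise SoDViolation(f"{user.name}: {job} would combine {sorted(map(sorted, conflicts))}")
    new = needed - user.entitlements()
    for e in new:
        user.grants.append(Grant(e, user.department, approved_by, today))
    return new


def change_position(user: User, new_department: str) -> set:
    """Access does not follow a user into a new department: all grants are
    revoked and must be re-requested. A move within the same department
    keeps them. Returns what was revoked."""
    if new_department == user.department:
        return set()
    revoked = user.entitlements()
    user.grants.clear()
    user.department = new_department
    return revoked


def terminate(user: User) -> set:
    """Termination removes everything immediately."""
    revoked = user.entitlements()
    user.grants.clear()
    return revoked


def review(user: User, today: date) -> list:
    """Periodic access review: flag grants overdue for re-certification or
    approved for a department the user has since left."""
    return [
        g for g in user.grants
        if (today - g.reviewed_on).days > REVIEW_INTERVAL_DAYS
        or g.department != user.department
    ]


def demo() -> dict:
    """Walk one constructed user through the lifecycle; returns the outcomes."""
    out = {}
    alice = User("alice", "Finance")
    grant_job(alice, "ap_clerk", "finance_manager", date(2024, 1, 15))
    try:  # clerk already records payments; approving them too is a conflict
        grant_job(alice, "ap_approver", "finance_manager", date(2024, 2, 1))
        out["sod_blocked"] = False
    except SoDViolation:
        out["sod_blocked"] = True
    out["after_refusal"] = alice.entitlements()  # unchanged by the failed request
    out["revoked_on_transfer"] = change_position(alice, "HR")
    out["after_transfer"] = alice.entitlements()
    grant_job(alice, "hr_analyst", "hr_director", date(2024, 3, 1))
    out["stale_at_75_days"] = [g.entitlement for g in review(alice, date(2024, 5, 15))]
    out["stale_at_122_days"] = sorted(g.entitlement for g in review(alice, date(2024, 7, 1)))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The conflict check is evaluated against the user's whole resulting entitlement set rather than the requested job alone, because the accumulation problem on slide 9 is exactly the case where each individual grant looked harmless to its approver.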

  10. ESHARP… • Audit was involved and believes automating access requests should make your job easier and more secure. • Audit will continue to spot check Access Control procedures, validity of access granted, and approvals during regular audits.

  11. Questions??? • Kevin Savoy - savoy@virginia.edu
