LOGICAL ACCESS:

Business Managers Presentation

FOR

Saint Louis University


Agenda

Logical Access Background

Purpose of Access Security Request Form

Key Sections of Form

Completion & Submission of Form

Tips to Make the Process Work

Monitoring Access Rights

Documents

Q & A


Background

Logical Access is the process by which individuals are permitted to use computer systems and networks

SLU’s goal is to strengthen logical access controls

Reduce risk of inappropriate and unauthorized access

Applies to Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases

Logical Access centered upon 12 Key Controls

Key Controls Addressed with Access Security Request Form and Monitoring:

LA1 - A formalized documented system for user access is established

LA2 - Full user Account information is documented and retained

LA3 - Authorized approval and documentation

LA4 - User access is verified by Process Owners

LA5 & LA6 - Segregation of duties analysis

LA10 - Documentation and control for Terminations

LA11 - Monitoring Access Reviews


Access Form: Purpose

Formal documentation of request and approval

Replaces email, phone, and verbal requests

Increases consistency in requests

Used for the following requests:

Banner, WebFOCUS, Xtender, Workflow, Axiom, and related databases

New, change, and delete user access

Faculty/staff, student workers, contractors, guest accounts

Location of the form and instructions

http://www.slu.edu/services/HR/university_security_forms.html

Titled “University Access Security Request Form”

“Security Request Form How-To Instructions”


Key Sections of Form

User Information

All users, including contractors and guests, are required to have a SLUnet (Banner) ID prior to a new user access request

Type of Request

Access Type and Level

Complete appropriate sections for data required (Human Resources, Business & Finance, Advancement, Student Financial Services, Student)

Statement of Approval & Signature

Accuracy of request

Segregation of duties has been considered

User aware of University policies and procedures

Training has been provided (where required/available)


Completion & Submission

Access Type & Level: Service Level Review Guide

Descriptions of classes, forms, etc. Use to determine and evaluate appropriateness of access rights (Segregation of Duties)

http://www.slu.edu/services/HR/university_security_forms.html

Statement of Approval: Authorized Approvers

Business Manager or above (some exceptions):

Directors, Associate Directors, etc.

Listing of authorized approvers currently being developed; will be posted on a weblink for easy access.


Completion & Submission

Segregation of Duties - Prevents a single person from performing two or more incompatible functions. Failure to adequately segregate, or implement compensating controls, increases the risk that errors or unauthorized actions may occur and not be detected in a timely manner.

Examples of inadequate segregation: One person has access rights to:

Perform billings/invoicing, receive the corresponding payments, and record the corresponding cash receipts entries.

Authorize disbursements, issue corresponding disbursements, and record corresponding disbursements entries.

Set up a new employee, input pay rates/salary, and issue pay checks.
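
Added example (not part of the original presentation): a segregation-of-duties check over a user access listing, using the three incompatible combinations named above. The class names, function labels and sample rows are constructed for illustration and are not taken from SLU's systems or its Service Level Review Guide.

```python
# Hypothetical mapping of security classes to the business functions they permit.
CLASS_FUNCTIONS = {
    "AR_BILLING": {"bill"},
    "AR_CASHIER": {"receive_payment", "record_receipt"},
    "AP_APPROVER": {"authorize_disbursement"},
    "AP_CHECKS": {"issue_disbursement", "record_disbursement"},
    "HR_HIRE": {"setup_employee"},
    "PAY_RATES": {"input_pay_rate"},
    "PAY_RUN": {"issue_paycheck"},
}

# Incompatible combinations, following the three examples on the slide.
SOD_RULES = {
    "billing-to-cash": {"bill", "receive_payment", "record_receipt"},
    "disbursement": {"authorize_disbursement", "issue_disbursement",
                     "record_disbursement"},
    "payroll": {"setup_employee", "input_pay_rate", "issue_paycheck"},
}

def find_sod_conflicts(access_rows):
    """access_rows: iterable of (user_id, class_name). Returns {user: [findings]}."""
    classes_by_user = {}
    for user, cls in access_rows:
        classes_by_user.setdefault(user, set()).add(cls)

    findings = {}
    for user, classes in sorted(classes_by_user.items()):
        # Record which classes grant each function, so the finding names them.
        granted = {}
        for cls in classes:
            for fn in CLASS_FUNCTIONS.get(cls, ()):
                granted.setdefault(fn, set()).add(cls)
        for rule, needed in SOD_RULES.items():
            if needed <= set(granted):  # user holds every function in the rule
                via = sorted(set().union(*(granted[f] for f in needed)))
                findings.setdefault(user, []).append((rule, via))
        # Classes with no known mapping cannot be evaluated; flag for manual review.
        unknown = sorted(c for c in classes if c not in CLASS_FUNCTIONS)
        if unknown:
            findings.setdefault(user, []).append(("unmapped-class", unknown))
    return findings

# Constructed sample listing (user, class).
SAMPLE = [
    ("jdoe", "AR_BILLING"), ("jdoe", "AR_CASHIER"),
    ("asmith", "AP_APPROVER"), ("asmith", "PAY_RUN"),
    ("mlee", "HR_HIRE"), ("mlee", "PAY_RATES"), ("mlee", "PAY_RUN"),
    ("mlee", "LEGACY_X"),
]

if __name__ == "__main__":
    for user, items in find_sod_conflicts(SAMPLE).items():
        print(user, items)
```

A finding lists the classes that together create the conflict, so the approver can see which one to remove or where a compensating control must be documented.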


Completion & Submission

Submit forms to appropriate Security Officer

Access to a single department’s data – submit to single Security Officer

Access to multiple departments’ data – submit to multiple Security Officers


Tips to Make the Process Work!

Ensure completion and accuracy of form data; consult with Security Officers if unsure

Submit documentation of user training, if required; consult with Security Officers if unsure

Submit access requests for new users (or transfers) in advance of user’s first day of work

Reply to Security Officers’ requests for user access confirmation

Submit access form to remove user access at least 2 days prior to last day of work

Monitor and communicate last days for contractors, including guests, to Security Officers

Ensure timely notification of terminations to HR

Begin using the forms immediately!


Monitoring

Monitoring involves reviews of reports to ensure that users have appropriate and authorized access rights. The following reports will be used:

Service Access Report

A comprehensive listing of user access rights

HR, Finance, Student, Advancement, Student Financial Aid

Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases

Review Timing: Bi-Annually

Position Change Report

Lists users who have changed positions, which may require updates to access rights

Review Timing: Weekly

Not all Business Managers need to be involved each week; depends on department activity


Monitoring

Termination Reports

Lists users who have separated from the university, but who still have access rights

Review Timing: Weekly

Security Officers will request that Business Managers confirm terminations as needed; depends on termination activity for the week, if any.

Account Inactivity Report

Lists users whose accounts have shown no activity over a specified period of time

Review Timing: Bi-Annually

Business Managers’ involvement dictated by number of inactive accounts in department


Monitoring

Service Access and Account Inactivity Reports – Review Process

QA Administrator sends email to Business Managers (BMs) notifying them of the review

BMs obtain reports; review access rights of users in their department for appropriateness; review users with inactivity

Utilize “Service Level Review Guide” to review access rights

If necessary, BMs initiate changes/removal of access rights using Access Control Form

BMs email Monitoring Review Form to QA Administrator noting review has been performed and action taken, if any.

BMs maintain documentation of review for own records

QA Administrator maintains overall documentation of reviews


Monitoring

Position Change Reports – Review Process

Security Officers obtain reports

Identify BMs to assist in reviews

Due to volume of activity, not necessary to distribute to all BMs

If necessary, BM initiates changes to access rights using Access Control Form

BM sends email reply to Security Officer noting review has been performed and action taken.

BM maintains documentation of review for own records

Security Officer forwards Monitoring Review Form to QA Administrator

QA Administrator maintains overall documentation of reviews


Monitoring

Termination Reports – Review Process

Security Officers obtain reports and verify termination status with BMs

BM sends email reply to Security Officer confirming termination status

Security Officer maintains documentation of review for own records

Security Officer forwards Monitoring Review Form to QA Administrator

QA Administrator maintains overall documentation of reviews


Monitoring

Other Notes

Service Access and Account Inactivity Reports review to be performed end of April and October.

BMs can request user access profile at any time – contact a Security Officer.

Position and Termination reports review has begun. BMs will be notified if assistance is required.

Service Level Review Guide and Monitoring Review Form located at:

http://www.slu.edu/services/HR/university_security_forms.html


Monitoring Reviews

Example: Service Access Report


Monitoring Reviews

Example: Position Change Report


Monitoring Reviews

Example: Termination Report


Key Documents

Desk Procedures

Quick Reference Guide

Access Security Request Form

Security Request Form How-To Instructions

Monitoring Reports

Service Level Review Guide

Monitoring Review Form


Thank you

Q & A

Contacts:

Security Officers – See Slide #8

or

Tim Brooks, QA Administrator: 977-7221

Thank You!

