Access and Security Representative (ASR) Training
Consulting and Support Services (CSS)
July 15, 2009

Morning Schedule
• 8:30 – 9:00 Registration
• 9:00 – 9:10 Welcome – ASR Responsibilities – John Williams
• 9:10 – 9:45 AIS Web Site Redesign – Diane Weller & Tom Harrington
• 9:45 – 10:00 Audit Requirements – Gary Grgurich
• 10:00 – 10:15 Break
• 10:15 – 12:00 FERPA, Profiles & Data Steward – Karen Schultz & Ross Brode
• 12:00 – 1:00 Lunch

Afternoon Schedule
• 1:00 – 1:30 Security Operation and Services – Jenn Stewart & Kathy Kimball
• 1:30 – 1:45 Data Warehouse Testing Review – Matt Wolfe
• 1:45 – 2:15 ASR Reference Page & Guideline – Chrissie Harter
• 2:15 – 2:30 Break
• 2:30 – 3:20 ASR Reports (eDDS, EIS & Data Warehouse), 2nd Factor Authentication – Sue Reese
• 3:20 – 3:40 Termination Process Steward – Beth Trimble & Marylou Houck
• 3:40 – 4:00 Questions

AIS Support Center Staff (814-863-2276) email@example.com
• John Ellenberger
• Chrissie Harter
• Sue Jones (Manager)
• Linda McCamley
• Sue Reese (Manager)
• Catherine (Kate) Shuey
• Byron Weston
• Matt Wolfe
ASR Responsibilities – John Williams
What's my responsibility?

ASR Responsibilities
• Human element in the application process.
• Known by users
• Personal touch
• Trusted source outside AIS.
• Responsible for a smaller, more manageable group of people.
• Facilitate data access reviews for Data Stewards

ASR Responsibilities
• Read and understand the Computer Security Policies.
• Have the user sign off on the "AIS Access Form" affirming that they have read and understand AD-20, AD-23 and ADG-01.

Computer Security Policies
• AD-20 Computer and Network Security
• AD-23 Use of Institutional Data
• ADG-01 Glossary of Computerized Data and System Terminology
• ADG-02 Computer Facility Security Guidelines
• AD-11 University Policy on Confidentiality of Student Records
• AD-35 University Archives and Record Management

AD-23 ASR Responsibilities:
• Requesting access control information (e.g., a User ID and Password), and initial basic capabilities for new system users or information associates.
• Requesting access for system users or information associates to needed production applications, both on-line and batch.
• Coordinating requests by authorized system users or information associates for access to Computerized Institutional Data for ad hoc reporting and analyses.
• Ensuring that all data accessed or received is used in accordance with University policy and agreements reached with the data stewards.

AD-23 ASR Responsibilities:
• Providing a secure means to inform users of password changes or replacement passwords that have been entrusted to the ASR.
• Coordinating access and security procedures for system users transferring to or from other positions within the University.
• Ensuring that cessation of access to University Computer and Network Resources by system users terminating employment is promptly requested.
• Reporting violations of this policy or other University data access and use policies and agreements to the appropriate computer security officer or system administrator, and to the Security Operations and Services Director.
Custodial responsibility for institutional data begins when data are accepted within the access and security representative's organization.

ASR Responsibilities
• Have the user sign off on the "AIS Access Form" affirming that they have read and understand AD-20, AD-23 and ADG-01.
• If it is known that the user has not read these policies, refuse to process the form.
• Your signature is our confirmation that the user read these policies and that you processed the form.

ASR Responsibilities
• Your signature is our confirmation that:
  • the user read the required policies
  • you processed the form
  • you are aware of the request
  • you have the necessary records
  • others in your area signed based on some criteria

ASR Responsibilities
• Report any violation of these policies beyond first-time, minor violations:
  • posting passwords on the monitor
  • permitting those under them to log on using their userid
• Assist in investigations involving your area
• Ensure that terminated employees hand in their second-factor authentication token.
• Policy HR55: Things to know when leaving University employment
AIS Web Site Redesign – Tom Harrington & Diane Weller

Redesign Goal
To make the AIS Web site easy to use

Steps Taken
• Initial Usability Testing
• Card Sorting
• Visual Redesign
• Implementation of Web Standards
• Content Migration
• Final Usability Testing

Initial Usability Testing
• Observed users completing various tasks on the old AIS Web site
• Repeatedly observed key issues:
  • Lack of organization throughout the site
  • Links grouped together too closely
  • Low visibility of main navigation
  • Inconsistent/confusing use of acronyms

Card Sorting
• A method used to help organize site content in a logical manner
• Recruited users to organize site content
• Used user feedback to help reorganize the content of the new AIS Web site
• Resulted in tabbed/dropdown navigation and reorganized content

Visual Redesign
Implemented a modern design with:
• New, professional color scheme
• New site layout with persistent sidebar
• New tabbed & dropdown navigation
• Improved typography and more white space

Web Standards
• Old site did not follow current standards
• Resulted in:
  • Outdated design and framework (deprecated code)
  • Lack of easy access for all users (not accessible)

Web Standards
• New site adheres to current standards
• Follows W3C and Section 508:
  • Semantic markup
  • Style separate from presentation
  • Alternative text when and where needed

Content Migration
• Had to move all site content from the old site to the new site
• Tried to clean up content during the migration process to reflect current Web standards
• Established standards for the new site:
  • Design standards (colors, layout, etc.)
  • Editorial standards (titles, labels, etc.)

Final Usability Testing
• Observed users completing various tasks on the new AIS Web site
• Checked on issues found during the initial usability test
• Feedback on the new site was mostly positive

Questions & Comments
firstname.lastname@example.org
Auditing & the ASR
Gary Grgurich, Manager, IT Audit
July 15, 2009

Policies and Regulations

AD20 – COMPUTER AND NETWORK SECURITY
Appropriate security shall include protection of the privacy of information, protection of information against unauthorized modification, … and protection of systems against unauthorized access. University Computer and Network Resources may be accessed or used only by individuals authorized by the University. Issuance of an account to a system user must be approved by an authorized University representative, …

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA)
Subpart D – May an Educational Agency or Institution Disclose Personally Identifiable Information From Education Records?
Sec. 99.31 Under what conditions is prior consent not required to disclose information?
(a) An educational agency or institution may disclose personally identifiable information from an education record of a student without the consent required by Sec. 99.30 if the disclosure meets one or more of the following conditions:
(1) The disclosure is to other school officials, including teachers, within the agency or institution whom the agency or institution has determined to have legitimate educational interests.

PAYMENT CARD INDUSTRY – DATA SECURITY STANDARD (PCI-DSS)
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need to know
To ensure critical data can only be accessed by authorized personnel, systems and processes must be in place to limit access based on need to know and according to job responsibilities. "Need to know" is when access rights are granted to only the least amount of data and privileges needed to perform a job.

HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
§ 164.312 Technical safeguards. A covered entity must:
(a)(1) Standard: Access control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights ….
Audit Procedures
Objective: Access Security Representatives (ASR) are properly approved and properly assign and remove access to IBIS/ISIS. Determine if ACF2 users' access is removed from the system in a timely manner and SecurID records are maintained. The TNS Contact List should have accurate information.

Audit Program (excerpts)

Access & Security Representative (ASR)
• Identify the employees designated as ASR and the alternate ASR by accessing the AIS website that displays the Access & Security Representatives.
• Use the AIS Imaging System to obtain a copy of the "Access & Security Representative (ASR) Authorization Form" for each ASR or alternate listed above.
• Discuss and evaluate the methodology the ASR uses for maintaining records for AIS mainframe users. At a minimum, the records should contain the following for each user: (1) user's name and LogonID (LID); (2) department name, location and telephone number; (3) copies of access levels and/or profiles requested and granted.
• Evaluate the method the ASR uses to distribute PSU computer security policies to users.

Access
• Test user accounts to ensure that users have been terminated on a timely basis. Also look for shared/group accounts or users with multiple accounts.
• Determine if sensitive paths identified by AIS (CIDR, IBIS, and ISIS) are being reviewed yearly and appropriate changes have been requested and made.
• Determine the SecurID status of all users identified as terminated, with access to ISIS, IBIS, TSO or ROSCOE. Ensure their SecurID has been returned.

Contact List
• Verify the accuracy of the Contact List information with the administrative contact. Confirm the IP addresses, organizations, building names, locations, contact names, e-mail addresses, and phone numbers.
Common Audit Findings
Issue x. Employee Account Maintenance
We noted the following related to user account maintenance: Our testing disclosed yy Administrative Information Services (AIS) mainframe accounts assigned to users in the College of xxxxx with the status of either retired or terminated that had not been suspended or deleted by AIS Security Office personnel. During our audit the Access and Security Representative (ASR) reviewed all active AIS accounts and determined that a total of 26 active accounts were no longer needed and took corrective action to suspend or delete the accounts (some account holders with status terminated and no other access only have an AIS account for grade entry, so their account does not need to be suspended or deleted). As a general rule, the ASR, upon notification from the system administrator and/or management, should ensure that AIS mainframe computer access rights are suspended or deleted from CA-ACF2 databases when a user's employment status changes.
Recommendations: We recommend that management:
• Periodically obtain and review a current list of users having accounts on AIS's CA-ACF2 database or the College LAN.
• Initiate action to remove user accounts for those individuals who no longer work for the College or who no longer require access to the mainframe computers or College LAN to perform their assigned tasks. At a minimum, we recommend this process be performed at the end of every semester.
• Develop a comprehensive College termination checklist that provides for suspension/cancellation of AIS system access as appropriate and notification to the ETC administrators so they can perform any needed account maintenance on the College LAN.
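The audit program's "Access" tests (terminated users still holding active accounts, shared/group accounts, users with multiple LogonIDs, SecurID tokens not returned) and the periodic account review the finding recommends are the same comparison: an export of mainframe accounts checked against the current HR roster. The script below is an added example of that review, not code from the training deck or from AIS; the account export format, the HR roster fields, the 30-day grace period, and every record in it are constructed assumptions.

```python
"""Periodic access review of the kind the audit program above describes.

Added example: compares a constructed account export against a constructed
HR roster and reports four kinds of findings:
  1. active accounts whose owner has been terminated or retired (with how
     many days have passed since their last day, so timeliness can be judged),
  2. people holding more than one LogonID,
  3. accounts whose owner is not on the HR roster (candidate shared/group accounts),
  4. departed users whose second-factor token has not been returned.
Field names, records and the grace period are assumptions, not AIS formats.
"""
from collections import defaultdict
from datetime import date

# Constructed HR roster: owner name -> (employment status, last day or None).
ROSTER = {
    "A. Adams": ("active", None),
    "B. Brown": ("terminated", date(2009, 5, 30)),
    "C. Clark": ("retired", date(2009, 6, 30)),
    "D. Davis": ("active", None),
}

# Constructed mainframe account export, one row per LogonID (LID).
ACCOUNTS = [
    {"lid": "aaa1", "owner": "A. Adams", "active": True, "token": "T-001", "token_returned": True},
    {"lid": "bbb2", "owner": "B. Brown", "active": True, "token": "T-002", "token_returned": False},
    {"lid": "ccc3", "owner": "C. Clark", "active": False, "token": "T-003", "token_returned": False},
    {"lid": "ddd4", "owner": "D. Davis", "active": True, "token": None, "token_returned": False},
    {"lid": "ddd5", "owner": "D. Davis", "active": True, "token": None, "token_returned": False},
    {"lid": "desk1", "owner": "Front Desk", "active": True, "token": None, "token_returned": False},
]

AS_OF = date(2009, 7, 15)   # review date (the training date, used as a constructed example)
GRACE_DAYS = 30             # assumption: removal later than this is "not timely"
DEPARTED = ("terminated", "retired")


def review_access(accounts, roster, as_of):
    """Return a dict of findings lists; an empty dict of lists means a clean review."""
    findings = {"stale_active": [], "multiple_lids": [], "unmapped_owner": [], "token_outstanding": []}
    lids_by_owner = defaultdict(list)

    for acct in accounts:
        owner = acct["owner"]
        lids_by_owner[owner].append(acct["lid"])

        if owner not in roster:
            # No person on the roster owns this LID: review it as a possible shared/group account.
            findings["unmapped_owner"].append(acct["lid"])
            continue

        status, last_day = roster[owner]
        departed = status in DEPARTED

        if departed and acct["active"]:
            days_since = (as_of - last_day).days
            findings["stale_active"].append((acct["lid"], days_since, days_since > GRACE_DAYS))

        if departed and acct["token"] and not acct["token_returned"]:
            # Token was issued and the holder has left: it should have been handed in.
            findings["token_outstanding"].append((acct["lid"], acct["token"]))

    for owner, lids in lids_by_owner.items():
        if len(lids) > 1:
            findings["multiple_lids"].append((owner, sorted(lids)))

    return findings


def run_review():
    """Run the review over the constructed data set."""
    return review_access(ACCOUNTS, ROSTER, AS_OF)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(f"{kind}: {items if items else 'none'}")
```

In a real review the two inputs would come from the ACF2 account export and the HR system; the checks themselves do not change. Note that the inactive account `ccc3` is not reported as stale (it was already suspended) but its token still is, which is why the token check is separate from the account-status check.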
Common Audit Findings
Issue x. ACF2 Sensitive Information
The xxxxx Campus has not conducted a review of sensitive screens/paths/functions as requested by the AIS Support Center in January of 2008. The AIS Support Center requested all ASRs to conduct a yearly review of specific IBIS, ISIS, and CIDR screens/paths/functions. The reason for the review is that these screens contain FERPA-related or other sensitive data that the user may no longer need. All ASRs were instructed to conduct the review and report back to the AIS Support Center any changes that are required, or that no changes need to be made at this time.
Recommendation: We recommend that management periodically conduct a review of all sensitive CIDR, IBIS, and ISIS paths that permit access to sensitive information, to determine whether assigned account access is appropriate. A project should be initiated to review and remove or modify access for those who do not need it based on their job responsibilities.
FERPA . . . What Every University Employee Should Know
Karen Schultz, University Registrar

What is FERPA?
• The Family Educational Rights and Privacy Act of 1974 (FERPA) affords students certain rights concerning their student educational records.

What is FERPA?
• FERPA is not a student privacy law, but rather it specifies the way we handle and protect the privacy of student records
• FERPA governs access to, and confidentiality of, student records

Student Records and FERPA
• As a recipient of federal funding, Penn State must comply fully with FERPA, which governs access to, and confidentiality of, student records.
• Penn State provides guidelines through the Confidentiality page on the Registrar Web site (www.registrar.psu.edu) and through policy AD11 (www.guru.psu.edu).

What are the Basic Rules?
• Faculty and staff members have access to student records for "legitimate educational interests" necessary to carry out their job responsibilities. Need-to-know is the basic principle.
• Student educational records are confidential and in general may not be released without written consent of the student.
• You have a responsibility to protect educational records in your possession.
• Student information should only be kept as long as it is valid and useful – otherwise destroy it responsibly (see policy AD35 in GURU)

Student Rights Relating to Educational Records
Students have a right to expect that information in their educational records (including computerized records) will be kept confidential and disclosed only with their permission or as allowed by law.
• For example:
  • Grades
  • Enrollment records
  • Schedules
  • Class lists
  • Disciplinary records
  • PSU ID and Social Security Number
  • Financial records
  • Student work study & grad asst employment and payroll information

Student Rights Relating to Educational Records
• Students also have a right to review their educational record and request amendment of any inaccurate or misleading information in the record
• Students wishing to review their educational record should contact the Registrar's Office

What are not Educational Records?
• "Sole possession" records made by faculty and staff for their own use as reference or memory aids and not shared with others
• Personal observations/experiences
• Penn State law enforcement records
• Medical and mental health records used only for treatment of the student
• Alumni records
• Peer-graded papers and exams

Directory Information
• FERPA identifies a category of information as "directory information," which institutions may (but are not required to) release without student permission
• Penn State is not subject to PA's Right to Know Law

Directory Information
Directory Information at Penn State:
• Student's name, addresses (including email), and telephone numbers
• Date and place of birth
• Current enrollment status (full- or part-time), dates of attendance, and major
• Date of graduation, degrees and awards received
• Student activities
• Most recent educational institution attended
• Weight and height of athletic team members
• Name and address of parents, guardian, spouse

Directory Information
Beware of "implicit disclosures":
• Class list containing names and email addresses
• Email to a list of students who failed the last exam
  • Always use BCC when emailing to groups
• List of names and addresses of all students who have been removed from the graduation list

Directory Information
• Students may request that their directory information be withheld by completing the "Request to Withhold Directory Information" form at www.registrar.psu.edu
• Permanent until rescinded by the student

Directory Information
Before responding to any request for directory information, first check to see if the student has requested confidentiality:
• On ISIS screen ARUSPD
• Asterisk (*) in the student's last name
• Class lists in eLion and ANGEL, and adviser screens in eLion
If the student has requested confidentiality, respond to the requestor that we have no record of the person.

Disclosure Requires Consent
• Disclosure of non-directory information from a student's educational record requires written consent
• Penn State access id and password act as an electronic signature
• Consent form available in GURU
• Consent overrides confidentiality

Disclosure Requires Consent
• "FERPA does not require that a postsecondary institution disclose information to any party except to the . . . student, even if the student has consented to the disclosure."

Disclosures Without Consent
FERPA permits the release of non-directory information from a student's educational record without student permission under certain conditions. For example:
• To school officials (including third parties under contract) with legitimate educational interests
• To comply with a judicial order or lawfully issued subpoena
• To appropriate parties in a health or safety emergency in order to protect the student or others
• To parents with proof of dependency
• To parents in cases of drug or alcohol violation when the student is under 21

Legitimate Educational Interest
• Curiosity is not a legitimate educational interest
• School officials do not have a legitimate educational interest just because they are employed by the institution

Subpoenas
• Any legal documents such as court orders or subpoenas should be sent to the Registrar's Office for processing
• FERPA requires notification to the student prior to responding to a subpoena