BANNER SECURITY
Tips for Functional Data Stewards for the Technology Risk & Assurance Audit
Beth Welsh, Bursar
Georgia Regents University
DATA STEWARD ROLE
• Who serves?
• Challenges
• Future Goals/Developments
BANNER SECURITY SETUP
ROLE 1: CLASS, CLASS, CLASS, CLASS
ROLE 2: CLASS, CLASS, CLASS, CLASS
ROLE 3: CLASS, CLASS, CLASS, CLASS
The organization of Banner security is pretty simple. At the highest level are roles, which are divided into security classes.
BANNER SECURITY SETUP
Class: Object, Object, Object
Class: Object, Object, Object
Class: Object, Object, Object
The next level includes objects under each class. The class determines whether the objects within the class are maintenance or query.
CLASSES
Each class should reflect the purpose. If it is used for specific duties, it should reflect that as well.
Example:
BAN_AR_QUERY_C
BAN_NAVIGATION_QUERY_C
BAN_PERSON_QUERY_C
BAN_AR_CASHIER_SUPERVISOR
NAMING OF CLASSES
• BAN=Banner
  • This begins all classes to ensure there is no confusion of system security
• ADV=Advancement
• FIN=Finance
• FA=Financial Aid
• GEN=General
• HR=Human Resources
• STUD=Student
• AR=Accounts Receivable
• Use of the class, job role, duties
• The final two characters can designate the class as Q=query or M=maintenance
• Example: BAN_AR_DEPT_SUPR_USER_Q
• Audit rule: The appropriation of classes should fit the job function of the individual requesting security
• Audit rule: Changes in job functions must be tracked, changes in jobs or employment must be tracked
OBTAINING ACCESS TO BANNER
BANNER ACCESS FORM
• Ensure the user needs Banner access
• Completed
• Signed
• Filed Electronically
• Understandable
• Data steward
• End user
• IT Services
• Auditor
• Supervisor of end user
GRANTING ACCESS
• Beware of “I’m a backup” access
• Monitor last login dates
• Communicate regarding inactive access up front
• Document “special case” access
AUDITING
Reports, Reports, Reports
• Crystal Reports
• Employment status reports
• Terminations, Transfers, Hires
• Includes date access was granted
• Includes last login
• Includes department and supervisor
THE TRA AUDIT
• Pre-audit preparation checklist
• SOPs by area sometimes called ACP – Access Control Procedure
• SOP-How to Request Banner Security
• Periodic audits of Banner security
• Overall review of all active users' forms
• Security forms prepared for auditors, preparation of draft security request for auditors
• Pre-audit meeting to ensure there are no outstanding items, documentation is updated, sample handling review, review any leave of stewards, all emails are in central folder
THE TRA AUDIT
Auditors will:
• Request reports of active users, or they may request access to the database to pull reports of active users via SQL
• Choose sample of users from various areas with various security
• Data stewards will use the sample list to send emails, audit security, obtain supervisor verification of accurate security for auditor sample file
• Obtain network shared folder access as a way to organize/share information with auditors ensuring security and ease of use
• Audit change requests of security for end users
CHANGE REQUESTS
• Form to handle change request documentation
• Email account to handle requests and change requests for future auditing
• Changes due to class or object audit changes-implications
• Changes due to Banner releases
THANK YOU
Beth Welsh, Bursar, Georgia Regents University
706-737-1769