Implementing User’s IT Security Access Control

Community College Internal Auditors
2011 Spring Conference

Presented by:

Emmie Oesterman, IT Auditor

Kris Backus, Sr. IT Analyst

Background

• LRCCD includes four colleges and eight education centers.

• More than 90,000 students are enrolled in our colleges

• LRCCD uses PeopleSoft Enterprise Resource Planning (ERP) System for:

• Student Administration (1200+ users)
• Financials (150+ users)
• Human Resources (100+ users)

Findings – Internal Auditor

• PeopleSoft security is inadequate.
• Management made it a priority to redesign our user’s access and granting procedures.

Findings – External Auditor

• Our observation and testing of controls over computer systems access indicated a number of conditions including duplicated profiles for users, users with more than one role, and terminated employees still active in the financial system. While we did not identify any financial statement errors or irregularities resulting from these conditions, stronger controls are necessary.

• Financial Statement Audit – FY07/08
• Resolve in FY08/09 Audit

Internal Control (Information Technology)

Plan

• Student Administration: highest number of users (1200+ users), greatest risks
• Financials: 150+ users
• Human Resources: 100+ users

The Team

• IT Staff

• IT Auditor

• District/College Staff*

• District/College Information Security Officers*

* When needed

Goals

1. Determine the current roles and security access.

2. Develop appropriate roles and security to assure adequate security and privacy of data.

Goals (continued)

3. Provide user documents to clearly identify the access within each PeopleSoft role.

4. Develop new business process to appropriately grant access and provide accountability.

Goal 1
Determine the current roles and security access.

• IT ran a script to provide a detailed listing of the access within each role.
• The team analyzed the data and determined appropriateness.
• IT deleted any unused access.
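As an added example (not the LRCCD script, which the slides do not show), here is how a practitioner could produce the Goal 1 listing of access within each role from PeopleSoft's security tables. It uses a throwaway in-memory SQLite copy of three of those tables (PSROLEUSER, PSROLECLASS, PSAUTHITEM) with a reduced column set and constructed rows; the table and column names follow PeopleSoft's security model, while the operator IDs, roles, permission lists and pages are assumptions. It also flags the two kinds of unused access the team would delete: roles nobody holds and permission lists attached to no role.

```python
import sqlite3
from collections import defaultdict

# Constructed rows modelled on three PeopleSoft security tables, reduced to
# the columns this review needs. Operator IDs, roles, permission lists and
# pages are assumptions for this example, not LRCCD data.
SAMPLE_PSROLEUSER = [                      # (ROLEUSER, ROLENAME): who holds which role
    ("ASMITH", "SR Access II"),
    ("BJONES", "SR Access III"),
    ("CLEE", "Student Info View I"),
]
SAMPLE_PSROLECLASS = [                     # (ROLENAME, CLASSID): role -> permission list
    ("Student Info View I", "SR_VIEW_1"),
    ("SR Access II", "SR_UPD_2"),
    ("SR Access III", "SR_UPD_3"),
    ("SR Old Legacy", "SR_LEGACY"),        # role nobody holds any more
]
SAMPLE_PSAUTHITEM = [                      # (CLASSID, MENUNAME, PNLITEMNAME, DISPLAYONLY)
    ("SR_VIEW_1", "MANAGE_STUDENT_RECORDS", "STUDENT_BIO", 1),
    ("SR_UPD_2", "MANAGE_STUDENT_RECORDS", "STUDENT_BIO", 0),
    ("SR_UPD_2", "MANAGE_STUDENT_RECORDS", "ENROLLMENT", 0),
    ("SR_UPD_3", "MANAGE_STUDENT_RECORDS", "GRADE_CHANGE", 0),
    ("SR_LEGACY", "MANAGE_STUDENT_RECORDS", "GRADE_CHANGE", 0),
    ("SR_ORPHAN", "MANAGE_STUDENT_RECORDS", "SSN_VIEW", 1),   # permission list in no role
]

def build_db():
    """In-memory stand-in for the security tables, loaded with the sample rows."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE PSROLEUSER  (ROLEUSER TEXT, ROLENAME TEXT);
        CREATE TABLE PSROLECLASS (ROLENAME TEXT, CLASSID TEXT);
        CREATE TABLE PSAUTHITEM  (CLASSID TEXT, MENUNAME TEXT,
                                  PNLITEMNAME TEXT, DISPLAYONLY INTEGER);
    """)
    con.executemany("INSERT INTO PSROLEUSER VALUES (?, ?)", SAMPLE_PSROLEUSER)
    con.executemany("INSERT INTO PSROLECLASS VALUES (?, ?)", SAMPLE_PSROLECLASS)
    con.executemany("INSERT INTO PSAUTHITEM VALUES (?, ?, ?, ?)", SAMPLE_PSAUTHITEM)
    return con

def access_by_role(con):
    """Goal 1 listing: role -> [(menu, page, 'view' | 'update')], via its permission lists."""
    rows = con.execute("""
        SELECT rc.ROLENAME, ai.MENUNAME, ai.PNLITEMNAME, ai.DISPLAYONLY
        FROM PSROLECLASS rc
        JOIN PSAUTHITEM ai ON ai.CLASSID = rc.CLASSID
        ORDER BY rc.ROLENAME, ai.MENUNAME, ai.PNLITEMNAME
    """)
    listing = defaultdict(list)
    for role, menu, page, display_only in rows:
        listing[role].append((menu, page, "view" if display_only else "update"))
    return dict(listing)

def users_with_update_access(con, page):
    """Reviewers' question for a sensitive page: who can change it, not just see it?"""
    rows = con.execute("""
        SELECT DISTINCT ru.ROLEUSER
        FROM PSROLEUSER ru
        JOIN PSROLECLASS rc ON rc.ROLENAME = ru.ROLENAME
        JOIN PSAUTHITEM ai ON ai.CLASSID = rc.CLASSID
        WHERE ai.PNLITEMNAME = ? AND ai.DISPLAYONLY = 0
        ORDER BY ru.ROLEUSER
    """, (page,))
    return [user for (user,) in rows]

def unused_access(con):
    """Deletion candidates: roles held by nobody and permission lists attached to no role."""
    roles = con.execute("""
        SELECT ROLENAME FROM PSROLECLASS
        EXCEPT SELECT ROLENAME FROM PSROLEUSER
    """).fetchall()
    permlists = con.execute("""
        SELECT DISTINCT CLASSID FROM PSAUTHITEM
        EXCEPT SELECT CLASSID FROM PSROLECLASS
    """).fetchall()
    return {
        "roles_without_users": sorted(r for (r,) in roles),
        "permlists_without_roles": sorted(c for (c,) in permlists),
    }

if __name__ == "__main__":
    db = build_db()
    for role, items in access_by_role(db).items():
        print(role)
        for menu, page, mode in items:
            print(f"    {menu}.{page}: {mode}")
    print("unused:", unused_access(db))
```

Against a real PeopleSoft database the same three joins run unchanged; the DISPLAYONLY flag is what separates a view-only role from one that can correct records, which is the distinction the Level 1 / Level 2 approval split later in this presentation depends on.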

Goal 2
Develop appropriate roles and security to assure adequate security and privacy of data.

Access Methodology:
• Data Ownership
• Hierarchy

Goal 2: Data Ownership
• Determine data owners.
• Design an approval process based on data ownership.

Example: PeopleSoft Student Administration System

Data Type                        Owner
Student Records/Personal Info    Student Services
Student Financials               Administration
Curriculum                       Instruction

Goal 2: Hierarchy

Example (Student Records roles by position):

Position            Role
A/R Supervisor      SR Supervisor Access
A/R Lead            SR Access III
A/R Clerk           SR Access II
A/R Student Help    SR Access I
Non A/R Staff       Student Info View I or II

• Roles are created on a hierarchy system. Higher level access will include the access of all lower levels.
• Example: SR Access III will include all the access from these roles: Student Info View I, Student Info View II, SR Access I, SR Access II.
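The hierarchy above and the external auditor's findings, as an added example that is not from the presentation: the role chain follows the SR Access slide; the link from Student Info View II down to View I, the per-role page sets, and the sample user and HR rows are constructed for this example. effective_access flattens the chain the way the slide describes (SR Access III carries everything below it), minimal_roles shows which of a user's roles are redundant under that design, and review_assignments reports the three conditions the external auditor listed: duplicated profiles, users with more than one role, and terminated employees still active.

```python
from collections import defaultdict

# Role hierarchy from the Goal 2 slide: each role names the role directly
# below it, and a higher-level role includes the access of every lower level.
# The slide does not say whether Student Info View II includes View I; that
# link is an assumption made here.
SR_HIERARCHY = {
    "Student Info View I": None,
    "Student Info View II": "Student Info View I",
    "SR Access I": "Student Info View II",
    "SR Access II": "SR Access I",
    "SR Access III": "SR Access II",
    "SR Supervisor Access": "SR Access III",
}

# Access granted directly by each role. Constructed for this example; the
# real page contents of the LRCCD roles are not on the page.
DIRECT_ACCESS = {
    "Student Info View I": {"view:student_bio"},
    "Student Info View II": {"view:student_contact"},
    "SR Access I": {"update:student_contact"},
    "SR Access II": {"update:enrollment"},
    "SR Access III": {"update:grade_change"},
    "SR Supervisor Access": {"update:residency_override"},
}

# Constructed user/role assignments (OPRID, EMPLID, ROLENAME) and HR status
# (EMPLID -> 'A' active / 'T' terminated), seeded with one of each finding.
SAMPLE_ASSIGNMENTS = [
    ("ASMITH", "E1001", "SR Access II"),
    ("ASMITH", "E1001", "Student Info View I"),   # redundant: included in SR Access II
    ("BJONES", "E1002", "SR Access III"),
    ("BJONES2", "E1002", "SR Access I"),          # second profile for the same person
    ("CLEE", "E1003", "Student Info View II"),    # employee terminated in HR
]
SAMPLE_HR_STATUS = {"E1001": "A", "E1002": "A", "E1003": "T"}

def chain(role):
    """Roles from `role` down to the bottom of its hierarchy, highest first."""
    out = []
    while role is not None:
        out.append(role)
        role = SR_HIERARCHY[role]
    return out

def effective_access(role):
    """Everything a holder of `role` can do, including inherited lower levels."""
    return set().union(*(DIRECT_ACCESS[r] for r in chain(role)))

def minimal_roles(roles):
    """Drop roles already implied by a higher role the same user holds."""
    roles = set(roles)
    return sorted(r for r in roles if not any(r in chain(h)[1:] for h in roles))

def review_assignments(assignments, hr_status):
    """Report the conditions the external auditor found, as (kind, subject, detail)."""
    roles_by_oprid = defaultdict(set)
    oprids_by_emplid = defaultdict(set)
    for oprid, emplid, role in assignments:
        roles_by_oprid[oprid].add(role)
        oprids_by_emplid[emplid].add(oprid)
    findings = []
    for emplid, oprids in sorted(oprids_by_emplid.items()):
        if hr_status.get(emplid) == "T":
            findings.append(("terminated_still_active", emplid, sorted(oprids)))
        if len(oprids) > 1:
            findings.append(("duplicate_profile", emplid, sorted(oprids)))
    for oprid, roles in sorted(roles_by_oprid.items()):
        if len(roles) > 1:
            # detail = the roles that would remain once the redundant ones are removed
            findings.append(("multiple_roles", oprid, minimal_roles(roles)))
    return findings

def run_review():
    return review_assignments(SAMPLE_ASSIGNMENTS, SAMPLE_HR_STATUS)

if __name__ == "__main__":
    for finding in run_review():
        print(finding)
```

The terminated-employee check is only as current as the HR feed it compares against; the presentation's later move of Human Resources onto the same process is what closes that loop.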

Goal 3

Provide user documents to clearly identify the access within each PeopleSoft role.

• Definitions of Roles

• Mapping of old to new roles

• Red Flags for Approvers

• Notes for Approvers

• Security Reports


Goal 4
Develop new business process to appropriately grant access and provide accountability.

• Request Process: Determine the process where users can request access to PeopleSoft.
• Approval Process: Determine the appropriate authorized personnel for approval of access requests.
• Granting Process: Determine who will process the access requests.

Goal 4: Request Process
• Paper Form (Phase 1): the form can be printed and submitted via mail or e-mail (using the e-mail address as the electronic signature).
• Online Access Requests (Phase 2): users log onto the Security Access System (SAS) to request access.

Goal 4: Approval Process
• Authorized Signer List: lists the authorized signers who can approve PeopleSoft access.
• Two levels of approvers:
  • Level 1: View only access
  • Level 2: Update/Correction access

Goal 4: PeopleSoft Authorized Signer List (screenshot)

Goal 4: Level 1 Approvers (Data Owners)
Level 1 reviews the form to ensure that the data access requested is appropriate, i.e. the access is necessary to perform the employee's job function without permitting access to sensitive or confidential data unnecessary to that job function.

Goal 4: PS Access Request Form workflow (reconstructed from the flowchart slides)

1. The department manager/supervisor requests access for the employee via the PS Access Request Form.
2. Level 1 Approvers (Data Owners) review the form for appropriateness. Approved by Level 1?
   • Yes, and only view access is requested: go to step 4.
   • Yes, but the access allows updates: Level 2 approval is needed; go to step 3.
3. Level 2 Approvers review the access form for appropriateness. Approved by Level 2?
   • Yes: go to step 4.
   • No: the form goes back to the Level 1 Approvers (Data Owners).
4. Granting Process: the approved form is submitted to the DO HelpDesk for processing. The DO HelpDesk reviews the form for completeness before processing:
   • approved by the appropriate staff
   • all required information is provided
   Form is complete?
   • Yes: the DO Help Desk grants access, notifies the user and IT staff, and files the PS access request form. End.
   • No: the form goes back to the Level 1 Approvers (Data Owners).

Roll Out

• Testing

• Communication!

• Pilot Testing (selected users)

• Communication!

• Training

• Communication!

The Plan: Timeline (Nov 2008 to Aug 2010)

• 8/28: Begin project to redesign PS Security Access Control, Student Administration (SA)
• 5/14: Begin project to redesign PS Security Access Control, Financials (FS)
• 1/7: Begin project to redesign PS Security Access Control, Human Resources (HR)
• 9/15: PeopleSoft Security Access Control completed & SAS Go Live!
• Sep - Oct: Pilot Testing
• Nov - Dec: Training
• 12/1: SA and FS users must use the new process!
• 5/30: SA Conversion completed.
• 12/22: FS Conversion completed.

Security Access System

• Online Access Request

• Automatic Approval Routing

• Database Storage of Access Requests (for Auditing)
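The two-level approval routing that the SAS automates, as an added example (not the SAS code, which the slides show only as screenshots). Role names and data owners are from the Goal 2 slides; which data type each role belongs to, the "SF Access I" role, the signer IDs, and the self-approval check are assumptions for this example. It enforces the flowchart's order (Level 2 signs only after Level 1), the "Justification/Reason is required" rule from the online form, the authorized signer list, and keeps the per-request log that the database storage bullet exists for.

```python
from dataclasses import dataclass, field

# Role catalogue: data type each role touches and whether it allows updates.
# Role names come from the Goal 2 slides; view-vs-update follows the naming
# there (Student Info View = view only, SR Access = update). Which data type
# each role belongs to, and the "SF Access I" role, are assumptions.
ROLE_CATALOGUE = {
    "Student Info View I": ("Student Records/Personal Info", False),
    "Student Info View II": ("Student Records/Personal Info", False),
    "SR Access I": ("Student Records/Personal Info", True),
    "SR Access II": ("Student Records/Personal Info", True),
    "SR Access III": ("Student Records/Personal Info", True),
    "SR Supervisor Access": ("Student Records/Personal Info", True),
    "SF Access I": ("Student Financials", True),
}
# Data owners from the Goal 2 slide.
DATA_OWNERS = {
    "Student Records/Personal Info": "Student Services",
    "Student Financials": "Administration",
    "Curriculum": "Instruction",
}
# Authorized signer list, (owning office, level) -> signer IDs. Constructed.
AUTHORIZED_SIGNERS = {
    ("Student Services", 1): {"l1.studentservices"},
    ("Student Services", 2): {"l2.studentservices"},
    ("Administration", 1): {"l1.admin"},
    ("Administration", 2): {"l2.admin"},
}

@dataclass
class AccessRequest:
    requester: str                      # manager/supervisor submitting the form
    employee: str                       # user who will receive the roles
    roles: list
    justification: str
    approvals: list = field(default_factory=list)   # (approver, office, level)
    log: list = field(default_factory=list)         # audit trail of every decision

def required_approvals(roles):
    """Level 1 (data owner) for every role; Level 2 as well for update roles."""
    needed = set()
    for role in roles:
        data_type, allows_update = ROLE_CATALOGUE[role]
        office = DATA_OWNERS[data_type]
        needed.add((office, 1))
        if allows_update:
            needed.add((office, 2))
    return sorted(needed)

def completeness_problems(req):
    """Help desk check: a form with no reason or with unknown roles is incomplete."""
    problems = []
    if not req.justification.strip():
        problems.append("justification/reason is required")
    problems += [f"unknown role: {r}" for r in req.roles if r not in ROLE_CATALOGUE]
    return problems

def approve(req, approver, office, level):
    """Record one signature. Returns a status string; only 'approved' counts."""
    have = {(o, l) for _, o, l in req.approvals}
    if approver in (req.requester, req.employee):
        status = "self_approval"             # added check; not stated on the page
    elif approver not in AUTHORIZED_SIGNERS.get((office, level), set()):
        status = "not_authorized_signer"
    elif level == 2 and (office, 1) not in have:
        status = "level1_required_first"     # flowchart: Level 2 reviews after Level 1
    else:
        status = "approved"
        req.approvals.append((approver, office, level))
    req.log.append((status, approver, office, level))
    return status

def outstanding(req):
    """Signatures still missing for the roles on the form."""
    have = {(o, l) for _, o, l in req.approvals}
    return [x for x in required_approvals(req.roles) if x not in have]

def ready_to_grant(req):
    """Help desk grants only a complete form carrying every required signature."""
    return not completeness_problems(req) and not outstanding(req)

if __name__ == "__main__":
    req = AccessRequest("mgr.ar", "emp.clerk", ["SR Access II"], "A/R clerk updates enrollment holds")
    print("needs:", required_approvals(req.roles))
    print(approve(req, "l1.studentservices", "Student Services", 1))
    print(approve(req, "l2.studentservices", "Student Services", 2))
    print("ready:", ready_to_grant(req), "log:", req.log)
```

The signer list only means something if the approver is who the system thinks they are: the SAS's Authenticate step is what makes a web approval an accountable signature, whereas the Phase 1 e-mail address used as a signature can be spoofed by anyone who can send mail.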

Security Access System screenshots:
• Online Request Form: Authenticate
• Online Request Form: User Information/Form Selection
• Online Request Form: Role(s) Selection
• Online Request Form: Justification/Reason is required!
• Online Request Form: Review Request
• Approval: Via Email
• Approval: Via Web
• Granting Access

Questions/Contacts:

Emmie Oesterman, IT Auditor
[email protected]
(916) 568-3134

Kris Backus, Sr. IT Analyst
[email protected]
(916) 568-3091

