LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Date post: 05-Jan-2016
Upload: rupert
Transcript
Page 1: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

LOGICAL ACCESS: Business Managers Presentation
FOR
Saint Louis University

Page 2: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Agenda

• Logical Access Background
• Purpose of Access Security Request Form
• Key Sections of Form
• Completion & Submission of Form
• Tips to Make the Process Work
• Monitoring Access Rights
• Documents
• Q & A

Page 3: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Background

• Logical Access is the process by which individuals are permitted to use computer systems and networks
• SLU’s goal is to strengthen logical access controls
  – Reduce risk of inappropriate and unauthorized access
  – Applies to Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases
• Logical Access centered upon 12 Key Controls
• Key Controls Addressed with Access Security Request Form and Monitoring:
  – LA1 - A formalized documented system for user access is established
  – LA2 - Full user Account information is documented and retained
  – LA3 - Authorized approval and documentation
  – LA4 - User access is verified by Process Owners
  – LA5 & LA6 - Segregation of duties analysis
  – LA10 - Documentation and control for Terminations
  – LA11 - Monitoring Access Reviews

Page 4: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Access Form: Purpose

• Formal documentation of request and approval
  – Replaces email, phone, and verbal requests
  – Increases consistency in requests
• Used for the following requests:
  – Banner, WebFOCUS, Xtender, Workflow, Axiom, and related databases
  – New, change, and delete user access
  – Faculty/staff, student workers, contractors, guest accounts
• Location of the form and instructions
  – http://www.slu.edu/services/HR/university_security_forms.html
  – Titled “University Access Security Request Form”
  – “Security Request Form How-To Instructions”

Page 5: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Key Sections of Form

• User Information
  – All users, including contractors and guests, are required to have SLUnet (Banner) ID prior to new user access request
• Type of Request
• Access Type and Level
  – Complete appropriate sections for data required (Human Resources, Business & Finance, Advancement, Student Financial Services, Student)
• Statement of Approval & Signature
  – Accuracy of request
  – Segregation of duties has been considered
  – User aware of University policies and procedures
  – Training has been provided (where required/available)

Page 6: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Completion & Submission

– Access Type & Level: Service Level Review Guide
  • Descriptions of classes, forms, etc. Use to determine and evaluate appropriateness of access rights (Segregation of Duties)
  http://www.slu.edu/services/HR/university_security_forms.html
– Statement of Approval: Authorized Approvers
  • Business Manager or above (some exceptions):
    – Directors, Associate Directors, etc.
  • Listing of authorized approvers currently being developed; will be posted on a weblink for easy access.

Page 7: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Completion & Submission

Segregation of Duties - Prevents a single person from performing two or more incompatible functions. Failure to adequately segregate, or implement compensating controls, increases the risk that errors or unauthorized actions may occur and not be detected in a timely manner.

Examples of inadequate segregation: One person has access rights to:

• Perform billings/invoicing, receive the corresponding payments, and record the corresponding cash receipts entries.
• Authorize disbursements, issue corresponding disbursements, and record corresponding disbursements entries.
• Set up a new employee, input pay rates/salary, and issue pay checks.

Page 8: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Completion & Submission

Submit forms to appropriate Security Officer
• Access to a single department’s data – submit to single Security Officer
• Access to multiple departments’ data – submit to multiple Security Officers

Department/Unit               Security Officer    Back Up
Advancement                   Will Curran         Valerie Mangnall
Business & Finance            Lisa Zoia           Jenny Kukic
Human Resources               Nick Hebel          Derrick Weathersby
Office of Registrar           Ellen Weis          John Jaffry
Student Financial Services    John Mejaski        Tena Jones

Page 9: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Tips to Make the Process Work!

• Ensure completion and accuracy of form data; consult with Security Officers, if unsure
• Submit documentation of user training, if required; consult with Security Officers, if unsure
• Submit access requests for new users (or transfers) in advance of user’s first day of work
• Reply to Security Officers’ request for user access confirmation
• Submit access form to remove user access, at least 2 days prior to last day of work
• Monitor and communicate last days for contractors, including guests, to Security Officers
• Ensure timely notification of terminations to HR
• Begin using the forms immediately!

Page 10: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring

Monitoring involves reviews of reports to ensure that users have appropriate and authorized access rights. The following reports will be used:

• Service Access Report
  – A comprehensive listing of user access rights
  – HR, Finance, Student, Advancement, Student Financial Aid
  – Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases
  – Review Timing: Bi-Annually
• Position Change Report
  – Lists users who have changed positions, which may require updates to access rights
  – Review Timing: Weekly
  – All Business Managers involvement is not required each week; depends on department activity

Page 11: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring

• Termination Reports
  – Lists users who have separated from the university, but who still have access rights
  – Review Timing: Weekly
  – Security Officers will request that Business Managers confirm terminations as needed; depends on termination activity for the week, if any.
• Account Inactivity Report
  – Lists users whose accounts have shown no activity over a specified period of time
  – Review Timing: Bi-Annually
  – Business Managers involvement dictated by number of inactive accounts in department

Page 12: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring

Service Access and Account Inactivity Reports – Review Process

• QA Administrator sends email to Business Managers (BMs) notifying them of the review
• BMs obtain reports; review access rights of users in their department for appropriateness; review users with inactivity
  – Utilize “Service Level Review Guide” to review access rights
• If necessary, BMs initiate changes/removal of access rights using Access Control Form
• BMs email Monitoring Review Form to QA Administrator noting review has been performed and action taken, if any.
• BMs maintain documentation of review for own records
• QA Administrator maintains overall documentation of reviews

Page 13: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring

Position Change Reports – Review Process

• Security Officers obtain reports
• Identifies BMs to assist in reviews
  – Due to volume of activity, not necessary to distribute to all BMs
• If necessary, BM initiates changes to access rights using Access Control Form
• BM sends email reply to Security Officer noting review has been performed and action taken.
• BM maintains documentation of review for own records
• Security Officer forwards Monitoring Review Form to QA Administrator
• QA Administrator maintains overall documentation of reviews

Page 14: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring

Termination Reports – Review Process

• Security Officers obtain reports and verify termination status with BMs
• BM sends email reply to Security Officer confirming termination status
• Security Officer maintains documentation of review for own records
• Security Officer forwards Monitoring Review Form to QA Administrator
• QA Administrator maintains overall documentation of reviews

Page 15: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring

Other Notes

• Service Access and Account Inactivity Reports review to be performed end of April and October.
  – BMs can request user access profile at any time – contact a Security Officer.
• Position and Termination reports review has begun. BMs will be notified if assistance is required.
• Service Level Review Guide and Monitoring Review Form located at: http://www.slu.edu/services/HR/university_security_forms.html

Page 16: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring Reviews

Example: Service Access Report

Page 17: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring Reviews

Example: Position Change Report

Page 18: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Monitoring Reviews

Example: Termination Report

Page 19: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Key Documents

• Desk Procedures
• Quick Reference Guide
• Access Security Request Form
• Security Request Form How-To Instructions
• Monitoring Reports
• Service Level Review Guide
• Monitoring Review Form

Page 20: LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

Thank You!

Q & A

Contacts:

Security Officers – See Slide #8

or

Tim Brooks, QA Administrator: 977-7221

