LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

1. LOGICAL ACCESS: Business Managers Presentation FOR Saint Louis University

2. Logical Access Background Purpose of Access Security Request Form Key Sections of Form Completion & Submission of Form Tips to Make the Process Work Monitoring Access Rights Documents Q & A Agenda

3. Logical Access is the process by which individuals are permitted to use computer systems and networks SLU’s goal is to strengthen logical access controls Reduce risk of inappropriate and unauthorized access Applies to Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases Logical Access centered upon 12 Key Controls Key Controls Addressed with Access Security Request Form and Monitoring: LA1- A formalized documented system for user access is established LA2- Full user Account information is documented and retained LA3- Authorized approval and documentation LA4- User access is verified by Process Owners LA5 & LA6 - Segregation of duties analysis LA10 Documentation and control for Terminations LA11 Monitoring Access Reviews Background

4. Formal documentation of request and approval Replaces email, phone, and verbal requests Increases consistency in requests Used for the following requests: Banner, WebFOCUS, Xtender, Workflow, Axiom, and related databases New, change, and delete user access Faculty/staff, student workers, contractors, guest accounts Location of the form and instructions http://www.slu.edu/services/HR/university_security_forms.html Titled “University Access Security Request Form” “Security Request Form How-To Instructions” Access Form: Purpose

5. User Information All users, including contractors and guests, are required to have SLUnet (Banner) ID prior to new user access request Type of Request Access Type and Level Complete appropriate sections for data required (Human Resources, Business & Finance, Advancement, Student Financial Services, Student) Statement of Approval & Signature Accuracy of request Segregation of duties has been considered User aware of University policies and procedures Training has been provided (where required/available) Key Sections of Form

6. Access Type & Level: Service Level Review Guide Descriptions of classes, forms, etc. Use to determine and evaluate appropriateness of access rights (Segregation of Duties) http://www.slu.edu/services/HR/university_security_forms.html Statement of Approval: Authorized Approvers Business Manager or above (some exceptions): Directors, Associate Directors, etc Listing of authorized approvers currently being developed; will be posted on a weblink for easy access. Completion & Submission

7. Segregation of Duties - Prevents a single person from performing two or more incompatible functions. Failure to adequately segregate, or implement compensating controls, increases the risk that errors or unauthorized actions may occur and not be detected in a timely manner. Examples of inadequate segregation: One person has access rights to: Perform billings/invoicing, receive the corresponding payments, and record the corresponding cash receipts entries. Authorize disbursements, issue corresponding disbursements, and record corresponding disbursements entries. Set up a new employee, input pay rates/salary, and issue pay checks. Completion & Submission

8. Submit forms to appropriate Security Officer Access to a single department’s data – submit to single Security Officer Access to multiple departments’ data – submit to multiple Security Officers Completion & Submission

9. Ensure completion and accuracy of form data; Consult with Security Officers, if unsure Submit documentation of user training, if required; Consult with Security Officers, if unsure Submit access requests for new users (or transfers) in advance of user’s first day of work Reply to Security Officers request for user access confirmation Submit access form to remove user access, at least 2 days prior to last day of work Monitor and communicate last days for contractors, including guests, to Security Officers Ensure timely notification of terminations to HR Begin using the forms immediately! Tips to Make the Process Work!

10. Monitoring involves reviews of reports to ensure that users have appropriate and authorized access rights. The following reports will be used: Service Access Report A comprehensive listing of user access rights HR, Finance, Student, Advancement, Student Financial Aid Banner, WebFOCUS, Xtender, Workflow, Axiom and related databases Review Timing: Bi-Annually Position Change Report Lists users who have changed positions, which may require updates to access rights Review Timing: Weekly All Business Managers involvement is not required each week; depends on department activity Monitoring

11. Termination Reports Lists users who have separated from the university, but who still have access rights Review Timing: Weekly Security Officers will request that Business Managers confirm terminations as needed; depends on termination activity for the week, if any. Account Inactivity Report Lists users whose accounts have shown no activity over a specified period of time Review Timing: Bi-Annually Business Managers involvement dictated by number of inactive accounts in department Monitoring

12. Service Access and Account Inactivity Reports – Review Process QA Administrator sends email to Business Managers (BMs) notifying them of the review BMs obtain reports; review access rights of users in their department for appropriateness; review users with inactivity Utilize “Service Level Review Guide” to review access rights If necessary, BMs initiate changes/removal of access rights using Access Control Form BMs email Monitoring Review Form to QA Administrator noting review has been performed and action taken, if any. BMs maintains documentation of review for own records QA Administrator maintains overall documentation of reviews Monitoring

13. Position Change Reports – Review Process Security Officers obtain reports Identifies BMs to assist in reviews Due to volume of activity, not necessary to distribute to all BMs If necessary, BM initiates changes to access rights using Access Control Form BM sends email reply to Security Officer noting review has been performed and action taken. BM maintains documentation of review for own records Security Officer forwards Monitoring Review form to QA Administrator QA Administrator maintains overall documentation of reviews Monitoring

14. Termination Reports – Review Process Security Officers obtain reports and verifies termination status with BMs BM sends email reply to Security Officer confirming termination status Security Officer maintains documentation of review for own records Security Officer forwards Monitoring Review Form to QA Administrator QA Administrator maintains overall documentation of reviews Monitoring

15. Other Notes Service Access and Account Inactivity Reports review to be performed end of April and October. BMs can request user access profile at any time – contact a Security Officer. Position and Termination reports review has begun. BMs will be notified if assistance is required. Service Level Review Guide and Monitoring Review Form located at: http://www.slu.edu/services/HR/university_security_forms.html Monitoring

16. Monitoring Reviews Example: Service Access Report

17. Monitoring Reviews Example: Position Change Report

18. Monitoring Reviews Example: Termination Report

19. Desk Procedures Quick Reference Guide Access Security Request Form Security Request Form How-To Instructions Monitoring Reports Service Level Review Guide Monitoring Review Form Key Documents

20. Q & A Contacts: Security Officers – See Slide #8 or Tim Brooks, QA Administrator: 977-7221 Thank You!