
Implementing User’s IT Security Access Control

Community College Internal Auditors. Implementing User’s IT Security Access Control. 2011 Spring Conference. Presented by: Emmie Oesterman, IT Auditor Kris Backus, Sr. IT Analyst. Background. LRCCD includes four colleges and eight education centers.


Presentation Transcript


  1. Community College Internal Auditors
  Implementing User’s IT Security Access Control
  2011 Spring Conference
  Presented by: Emmie Oesterman, IT Auditor; Kris Backus, Sr. IT Analyst

  2. Background
  • LRCCD includes four colleges and eight education centers.
  • More than 90,000 students are enrolled in our colleges.
  • LRCCD uses the PeopleSoft Enterprise Resource Planning (ERP) System for:
    • Student Administration (1200+ users)
    • Financials (150+ users)
    • Human Resources (100+ users)

  3. Findings – Internal Auditor
  • PeopleSoft security is inadequate.
  • Management made it a priority to redesign our user access and granting procedures.

  4. Findings – External Auditor
  Internal Control (Information Technology)
  • Our observation and testing of controls over computer systems access indicated a number of conditions, including duplicated profiles for users, users with more than one role, and terminated employees still active in the financial system. While we did not identify any financial statement errors or irregularities resulting from these conditions, stronger controls are necessary.
  • Financial Statement Audit – FY07/08
  • Resolve in FY08/09 Audit
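The three conditions the external auditor lists are exactly what a periodic access review should surface automatically. The script below is an added illustration written for this page, not the district's or the auditors' code: it reconciles a constructed profile export against a constructed HR status feed and role grant table, and flags duplicate profiles, profiles holding more than one role, and unlocked profiles whose owner is not an active employee (including the case where HR has no record at all). The table layouts and all identifiers are constructed assumptions, not PeopleSoft's own schema.

```python
"""Access-review checks for the three conditions named in the external
audit finding. Added example; every record below is constructed and the
column layout is an assumption, not the real PeopleSoft tables."""
from collections import defaultdict

# Constructed HR feed: employee id -> (name, employment status)
HR_STATUS = {
    "E001": ("Alice Ng", "ACTIVE"),
    "E002": ("Bob Ruiz", "TERMINATED"),
    "E003": ("Cara Oduya", "ACTIVE"),
    "E004": ("Dan Kim", "ACTIVE"),
    "E005": ("Eve Old", "TERMINATED"),
}

# Constructed financial-system profile export:
# (profile id, employee id, display name, account locked?)
PROFILES = [
    ("ANG",     "E001", "Alice Ng",      False),
    ("BRUIZ",   "E002", "Bob Ruiz",      False),  # terminated, still unlocked
    ("CODUYA",  "E003", "Cara Oduya",    False),
    ("CODUYA2", "E003", "Cara Oduya",    False),  # second profile, same person
    ("DKIM",    "E004", "Dan Kim",       False),
    ("EOLD",    "E005", "Eve Old",       True),   # terminated and locked: fine
    ("GHOST",   "E999", "Ghost Account", False),  # no HR record at all
]

# Constructed role grants: profile id -> set of roles
ROLE_GRANTS = {
    "ANG": {"AP_VIEW"},
    "BRUIZ": {"AP_UPDATE"},
    "CODUYA": {"GL_VIEW"},
    "CODUYA2": {"GL_UPDATE"},
    "DKIM": {"AP_VIEW", "AP_UPDATE"},
    "GHOST": {"AP_VIEW"},
}


def duplicated_profiles(profiles):
    """Employees that map to more than one unlocked profile."""
    by_emp = defaultdict(list)
    for profile_id, emp_id, _name, locked in profiles:
        if not locked:
            by_emp[emp_id].append(profile_id)
    return {emp: sorted(p) for emp, p in by_emp.items() if len(p) > 1}


def multi_role_profiles(grants):
    """Profiles holding more than one role (the auditor's second condition)."""
    return {p: sorted(r) for p, r in grants.items() if len(r) > 1}


def terminated_still_active(profiles, hr_status):
    """Unlocked profiles whose owner is not an ACTIVE employee in HR.
    A missing HR record is reported as UNKNOWN rather than assumed active."""
    out = []
    for profile_id, emp_id, _name, locked in profiles:
        status = hr_status.get(emp_id, ("", "UNKNOWN"))[1]
        if not locked and status != "ACTIVE":
            out.append((profile_id, emp_id, status))
    return sorted(out)


def access_review(profiles, grants, hr_status):
    """One report with all three findings, ready to hand to the reviewer."""
    return {
        "duplicated_profiles": duplicated_profiles(profiles),
        "multiple_roles": multi_role_profiles(grants),
        "terminated_active": terminated_still_active(profiles, hr_status),
    }


if __name__ == "__main__":
    for finding, rows in access_review(PROFILES, ROLE_GRANTS, HR_STATUS).items():
        print(finding, rows)
```

Running it on the constructed data reports one duplicated profile pair, one multi-role profile, and two unlocked profiles that should not be (one terminated, one with no HR record). The HR feed is treated as the source of truth for employment status, which is what makes the terminated-employee check possible at all; if the ERP is the only source consulted, that condition cannot be detected.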

  5. Plan
  • Student Administration
    • Highest number of users (1200+ users)
    • Greatest risks
  • Financials
    • 150+ users
  • Human Resources
    • 100+ users

  6. The Team
  • IT Staff
  • IT Auditor
  • District/College Staff*
  • District/College Information Security Officers*
  * When needed

  7. Goals
  • Determine the current roles and security access.
  • Develop appropriate roles and security to assure adequate security and privacy of data.

  8. Goals (continued)
  • Provide user documents to clearly identify the access within each PeopleSoft role.
  • Develop a new business process to appropriately grant access and provide accountability.

  9. Goal 1
  Determine the current roles and security access.
  • IT ran a script to provide a detailed listing of the access within each role.
  • The team analyzed the data and determined appropriateness.
  • IT deleted any unused access.

  10. Goal 1

  11. Goal 1

  12. Goal 2
  Develop appropriate roles and security to assure adequate security and privacy of data.
  Access Methodology
  • Data Ownership
  • Hierarchy

  13. Goal 2
  Data Ownership
  • Determine data owners.
  • Design an approval process based on data ownership.
  Example:

  14. Goal 2
  Hierarchy:
  • Roles are created on a hierarchical system. Higher-level access includes the access of all lower levels.
  • Example: SR Access III includes all the access from these roles:
    • Student Info View I
    • Student Info View II
    • SR Access I
    • SR Access II
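A hierarchy like this is easy to state and easy to get subtly wrong once roles are nested several levels deep, so it helps to see it resolved in code. The example below is added for this page and is not the district's script: it models the five role names from the slide as a chain in which each role includes the one below it (the slide only says SR Access III includes the other four; the exact ordering and the permission names are constructed assumptions), computes each role's effective access transitively (the "detailed listing of access within each role" from Goal 1), refuses to loop on a cyclic hierarchy, picks the lowest role that covers a requested set of permissions, and points out redundant role assignments, which is one way a user ends up "with more than one role".

```python
"""Hierarchical role model: a higher-level role inherits everything granted
to the roles beneath it. Added example; role names come from the slide,
the permission names and the linear chain are constructed assumptions."""

# role -> roles it directly includes (constructed chain)
INCLUDES = {
    "Student Info View I": [],
    "Student Info View II": ["Student Info View I"],
    "SR Access I": ["Student Info View II"],
    "SR Access II": ["SR Access I"],
    "SR Access III": ["SR Access II"],
}

# permissions granted directly at each level (constructed)
DIRECT = {
    "Student Info View I": {"view:student_bio"},
    "Student Info View II": {"view:enrollment", "view:grades"},
    "SR Access I": {"update:enrollment"},
    "SR Access II": {"update:grades"},
    "SR Access III": {"correct:grades", "update:residency"},
}


def effective_access(role, includes=INCLUDES, direct=DIRECT, _path=None):
    """Union of a role's own permissions and those of every role it
    includes, transitively. A cycle raises ValueError instead of recursing
    forever; diamonds (two parents sharing a child) are allowed."""
    _path = set() if _path is None else _path
    if role in _path:
        raise ValueError(f"cycle in role hierarchy at {role!r}")
    _path.add(role)
    perms = set(direct.get(role, ()))
    for child in includes.get(role, ()):
        perms |= effective_access(child, includes, direct, _path)
    _path.discard(role)
    return perms


def access_listing(includes=INCLUDES, direct=DIRECT):
    """The per-role listing the team reviewed under Goal 1."""
    return {r: sorted(effective_access(r, includes, direct)) for r in includes}


def lowest_role_for(wanted, includes=INCLUDES, direct=DIRECT):
    """Least-privilege pick: the role with the smallest effective access that
    still covers every permission in `wanted`, or None if no single role does."""
    ordered = sorted(includes, key=lambda r: len(effective_access(r, includes, direct)))
    for r in ordered:
        if set(wanted) <= effective_access(r, includes, direct):
            return r
    return None


def redundant_roles(assigned, includes=INCLUDES, direct=DIRECT):
    """Roles in `assigned` whose access is already covered by another
    assigned role. With a strict hierarchy these add nothing and should be
    dropped so each user carries one role."""
    eff = {r: effective_access(r, includes, direct) for r in assigned}
    return sorted(r for r in assigned
                  if any(o != r and eff[r] <= eff[o] for o in assigned))


if __name__ == "__main__":
    for role, perms in access_listing().items():
        print(f"{role}: {', '.join(perms)}")
    print("lowest role for view:enrollment + update:grades ->",
          lowest_role_for({"view:enrollment", "update:grades"}))
    print("redundant:", redundant_roles(["SR Access III", "Student Info View I"]))
```

With the constructed chain, SR Access III resolves to all seven permissions, a request for enrollment viewing plus grade updates maps to SR Access II rather than III, and a user holding both SR Access III and Student Info View I is flagged as carrying a redundant role. The cycle guard matters because a hierarchy is usually maintained by hand in a table, and a single mis-entered parent can otherwise hang the listing script.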

  15. Goal 2

  16. Goal 3
  Provide user documents to clearly identify the access within each PeopleSoft role.
  • Definitions of Roles
  • Mapping of old to new roles
  • Red Flags for Approvers
  • Notes for Approvers
  • Security Reports

  17. Goal 3 Definitions of Roles

  18. Goal 3 Mapping of old to new roles

  19. Goal 3 Red Flags for Approvers

  20. Goal 3 Notes for Approvers

  21. Goal 3 Security Reports

  22. Goal 4
  Develop a new business process to appropriately grant access and provide accountability.
  • Request Process
    • Determine the process by which users can request access to PeopleSoft.
  • Approval Process
    • Determine the appropriate authorized personnel for approval of access requests.
  • Granting Process
    • Determine who will process the access requests.

  23. Goal 4
  • Request Process:
    • Paper Form (Phase 1)
      • Form can be printed and submitted via mail or e-mail (using the e-mail address as the electronic signature)
    • Online Access Requests (Phase 2)
      • Users log onto the Security Access System (SAS) to request access.

  24. Goal 4
  • Approval Process:
    • Authorized Signer List
      • Lists the authorized signers who can approve PeopleSoft access
    • Two levels of approvers
      • Level 1: View-only access
      • Level 2: Update/Correction access

  25. Goal 4 PeopleSoft Authorized Signer List:

  26. Goal 4 Level 1 Approvers:

  27. Goal 4 Level 1 Approvers:

  28. Goal 4 Level 2 Approvers:

  29. Goal 4
  • Granting Process:
    • Approved form submitted to the DO HelpDesk for processing
    • DO HelpDesk reviews the form for completeness before processing:
      • Approved by the appropriate staff
      • All required information is provided
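The approval and granting steps on slides 24 and 29 together describe a small routing rule plus a gate: a request goes to a Level 1 signer when it asks only for view access and to a Level 2 signer as soon as any requested role carries update or correction rights, and the HelpDesk refuses to process a form that is incomplete or signed by someone who is not on the authorized signer list for that level. The code below is an added example of that logic, not the district's Security Access System; the role-to-level mapping, the signer list, the form field names and the e-mail addresses are all constructed. It also reflects the later slide's rule that a justification is required.

```python
"""Approval routing and HelpDesk completeness check modelled on the Goal 4
process. Added example; role levels, signer list, field names and addresses
are constructed assumptions."""
from dataclasses import dataclass

# Constructed: which roles carry update/correction (Level 2) access
ROLE_LEVEL = {
    "Student Info View I": 1,
    "Student Info View II": 1,
    "SR Access I": 2,
    "SR Access II": 2,
    "SR Access III": 2,
}

# Constructed authorized signer list: address -> highest level they may approve
AUTHORIZED_SIGNERS = {
    "dean.records@example.edu": 2,
    "lead.clerk@example.edu": 1,
}

# Every field the HelpDesk expects to see filled in (justification is required)
REQUIRED_FIELDS = ("requester", "employee_id", "department", "roles", "justification")


@dataclass
class AccessRequest:
    requester: str
    employee_id: str
    department: str
    roles: list
    justification: str
    approver: str = ""  # e-mail address used as the electronic signature (Phase 1)


def required_level(roles, role_level=ROLE_LEVEL):
    """Level 2 if any requested role grants update/correction access, else
    Level 1. A role not in the table is treated as Level 2 so an unknown
    role can never be approved by a view-only signer."""
    return max((role_level.get(r, 2) for r in roles), default=1)


def completeness_problems(req, signers=AUTHORIZED_SIGNERS):
    """The HelpDesk review: all required information present, and the
    approver authorized for the level this request needs. Returns a list of
    problems; an empty list means the form can be processed."""
    problems = []
    for name in REQUIRED_FIELDS:
        value = getattr(req, name)
        if not value or (isinstance(value, str) and not value.strip()):
            problems.append(f"missing {name}")
    need = required_level(req.roles)
    have = signers.get(req.approver.strip().lower())
    if have is None:
        problems.append("approver not on authorized signer list")
    elif have < need:
        problems.append(f"approver is Level {have} but request needs Level {need}")
    return problems


def route_and_check(req):
    """Automatic routing decision plus the completeness verdict, in one record
    suitable for storing with the request for later audit."""
    return {"route_to_level": required_level(req.roles),
            "problems": completeness_problems(req)}


if __name__ == "__main__":
    demo = AccessRequest("Bob Ruiz", "E002", "Records",
                         ["Student Info View I", "SR Access II"],
                         "Posts grade changes for the Records office",
                         "lead.clerk@example.edu")
    print(route_and_check(demo))
```

In the demo, a request that mixes a view role with SR Access II is routed to Level 2, and because the signature on the form is a Level 1 clerk the HelpDesk check reports it rather than granting it. Treating unknown roles as Level 2 is the conservative default: a typo in a role name then causes an escalation, never a silent downgrade to view-only approval.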

  30. Goal 4

  31. Roll Out
  The Plan:
  • Testing
  • Communication!
  • Pilot Testing (selected users)
  • Communication!
  • Training
  • Communication!

  32. Timeline

  33. Security Access System
  • Online Access Request
  • Automatic Approval Routing
  • Database Storage of Access Requests (for Auditing)

  34. Security Access System

  35. Security Access System Online Request Form: Authenticate

  36. Security Access System Online Request Form: User Information/Form Selection

  37. Security Access System Online Request Form: User Information/Form Selection

  38. Security Access System Online Request Form: Role(s) Selection

  39. Security Access System Online Request Form: Justification/Reason is required!

  40. Security Access System Online Request Form: Review Request

  41. Security Access System Online Request Form: Review Request

  42. Security Access System Approval: Via Email

  43. Security Access System Approval: Via Email

  44. Security Access System Approval: Via Email

  45. Security Access System Approval: Via Web

  46. Security Access System Approval: Via Web

  47. Security Access System Approval: Via Web

  48. Security Access System Approval: Via Web

  49. Security Access System Granting Access

  50. Security Access System Granting Access
