Access and Security Representative ASR Training - PowerPoint PPT Presentation
Provided by: aisIt
Slides: 185

Transcript and Presenter's Notes
1
Access and Security Representative (ASR) Training
  • John Williams
  • Administrative Information Services (AIS)
  • October 30, 2006

2
ASR Training
  • AIS Support Center Staff: John Ellenberger,
    Chrissie Harter, Sue Jones (Manager), Linda
    McCamley, Sue Reese, Colleen Shives, Byron
    Weston, Matt Wolfe

3
INDEX
  • ASR Responsibilities
  • ASR Guidelines and Forms
  • ASR Web Page - Guidelines and Forms - Contact
    Listings - Documentation - Paths and
    Profiles - Requesting Access
  • Privacy Office
  • Internal Auditing
  • ASR Reports
  • Imaging
  • Security Office
  • Data Warehouse
  • FIT
  • Password Requirements
  • SecurID Tokens

4
ASR Responsibilities
  • What's my responsibility?

5
ASR Responsibilities
  • Human element in the application process.
  • Known by users
  • Personal touch
  • Trusted source outside AIS.
  • Responsible for a smaller/more manageable group
    of people.

6
ASR Responsibilities
7
ASR Responsibilities
  • Read and Understand Computer Security Policies.
  • Have user sign-off on the AIS Access Form affirming
    that they read and understand AD-20, AD-23 and ADG-01.

8
Computer Security Policies
  • AD-20 Computer and Network Security
  • AD-23 Use of Institutional Data
  • ADG-01 Glossary of Computerized Data and System
    Terminology
  • ADG-02 Computer Facility Security Guidelines
  • AD-11 University Policy on Confidentiality of
    Student Records
  • AD-35 University Archives and Record Management

9
AD-23 ASR Responsibilities
  • Requesting access control information (e.g., a
    User ID and Password), and initial basic
    capabilities for new system users or information
    associates.
  • Requesting access for system users or information
    associates to needed production applications,
    both on-line and batch.
  • Coordinating requests by authorized system users
    or information associates for access to
    Computerized Institutional Data for ad hoc
    reporting and analyses.
  • Ensuring that all data accessed or received is
    used in accordance with University policy and
    agreements reached with the data stewards.

10
AD-23 ASR Responsibilities
  • Providing a secure means to inform users of
    password changes or replacement passwords that
    have been entrusted to the ASR.
  • Coordinating access and security procedures for
    system users transferring to or from other
    positions within the University.
  • Ensuring that cessation of access to University
    Computer and Network Resources by system users
    terminating employment is promptly requested.
  • Reporting violations of this policy or other
    University data access and use policies and
    agreements to the appropriate computer security
    officer or system administrator, and to the
    Security Operations and Services Director.
    Custodial responsibility for institutional data
    begins when data are accepted within the access
    and security representative's organization.

11
AIS Access Request Flow Diagram
(Diagram only; approvers shown: Budget Executive, HR
Representative, Financial Officer, Campus Registrar.)
12
ASR Responsibilities
  • Have user sign-off on the AIS Access Form affirming
    that they read and understand AD-20, AD-23 and
    ADG-01.
  • If it is known that the user has not read these
    policies, refuse to process the form.
  • Your signature is our confirmation that the user
    read these policies and that you processed the
    form.

13
ASR Responsibilities
  • Your signature is our confirmation that
  • the user read the required policies
  • you processed the form
  • you are aware of the request
  • you have the necessary records
  • others in your area signed based on some criteria

14
ASR Responsibilities
  • Report any violation of these policies beyond
    first-time, minor violations, such as:
    • posting passwords on the monitor
    • permitting those under them to log on using
      their userid
  • Assist in investigations involving your area
  • Ensure that terminated employees hand in their
    SecurID token.
  • Policy HR55: THINGS TO KNOW WHEN LEAVING
    UNIVERSITY EMPLOYMENT

15
ASR Guidelines and Forms (Chrissie Harter)
16
Guidelines for ASRs Requesting AIS Access
  • Use the current AIS Access Request Form located
    at http://ais.its.psu.edu/asr/index.html under
    Forms. (When printing the form, please duplex
    rather than sending two pages.)
  • Requests will be processed within 10 business
    days. You will receive an email when the request
    has been processed. If requested access requires
    additional approval, you will receive a second
    email once all access has been approved and
    given. (Note - additional data steward approval
    may require extra time.)
  • ASR must ensure that all information required on
    the form is complete, including the following:
    • UserID and PSU ID
    • Campus, College or Administrative Unit and
      Department
    • ISIS/IBIS Profile needs to be provided
    • Path Access (Update/Read-only) needs to be
      indicated
  • Verify that all required signatures are on the
    form before sending to AIS Security. If this
    information is not filled in it could delay the
    processing of the request.

17
ASR Guidelines (continued)
  • If a user needs access to two different profiles
    from two different areas we cannot combine the
    two profiles. Both profiles will exist and the
    user will need to call the AIS Support Center to
    request that they be attached to the profile that
    they currently need.
  • Access to eDDS and Data Warehouse is not
    requested on the AIS Access Form (however we do
    need a signed form if the user has no other AIS
    access). A signed AIS Access Form is required for
    all data so there is a record of policy
    acknowledgement. Instructions for requesting
    access to these and other applications can be
    found at the following link under Requesting
    Access: http://ais.its.psu.edu/access/index.html
  • Faxes will be treated like any other form and we
    still need the original form due to imaging. All
    requests including faxes will be processed in the
    order that they are received by the Security
    Office.
  • Email requests should be sent to the AIS Support
    Center via ais-support@psu.edu (not individual
    personnel; this ensures that the request is
    logged into our database and processed in a
    timely manner).
  • When an employee has terminated or moved to
    another area you must notify the AIS Security
    Office immediately to have their access
    suspended/removed.

18
ASR Guidelines (continued)
  • When a SecurID Token is required for AIS Access,
    it can be assigned at any time by calling the AIS
    Support Center at 814-863-2276 or by sending an
    email to ais-support@psu.edu with the serial
    number and userid (a token is not needed for
    eDDS, DW and EIS access). An AIS Access Form can
    be sent for processing prior to having a SecurID
    Token.
  • AIS passwords must be a minimum of six and a
    maximum of eight letters/numbers. They cannot be
    the current or previous 3 passwords, cannot
    contain triple repeating letters or numbers,
    cannot be your userid (if the userid is six
    characters) and must contain at least one number.
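
As an added example (not part of the AIS training material), the checker below applies the password rules listed on this slide so an ASR or support-center script can tell a user which rule a proposed password breaks before it is submitted. The userid and password history are constructed sample values; comparisons are case-insensitive and "triple repeating" is read as the same character three times in a row, both of which are assumptions this example makes because the slide does not say.

```python
import re

# Constructed sample data for this example (not real AIS accounts).
SAMPLE_USERID = "abc123"
# Password history, oldest first; the last entry is the current password.
SAMPLE_HISTORY = ["oldpw01", "oldpw02", "oldpw03", "curpw04"]

TRIPLE_REPEAT = re.compile(r"(.)\1\1")  # same character three times in a row


def check_ais_password(candidate, userid, history):
    """Apply the AIS password rules from the ASR training slide.

    Returns a list of rule violations; an empty list means the candidate
    is acceptable. Comparisons are case-insensitive, an assumption made
    here because the slide does not say whether case matters.
    """
    problems = []
    lowered = candidate.lower()

    # Rule: minimum of six and maximum of eight letters/numbers.
    if not 6 <= len(candidate) <= 8:
        problems.append("length must be 6 to 8 characters")
    if not (candidate.isascii() and candidate.isalnum()):
        problems.append("only letters and numbers are allowed")

    # Rule: must contain at least one number.
    if not any(ch.isdigit() for ch in candidate):
        problems.append("must contain at least one number")

    # Rule: cannot contain triple repeating letters or numbers
    # (read here as the same character three times in a row).
    if TRIPLE_REPEAT.search(lowered):
        problems.append("cannot contain triple repeating letters or numbers")

    # Rule: cannot be your userid (the slide limits this to six-character userids).
    if len(userid) == 6 and lowered == userid.lower():
        problems.append("cannot be your userid")

    # Rule: cannot be the current or previous 3 passwords, i.e. the last
    # four entries of the history.
    recent = {p.lower() for p in history[-4:]}
    if lowered in recent:
        problems.append("cannot be the current or previous 3 passwords")

    return problems


def is_acceptable(candidate, userid=SAMPLE_USERID, history=SAMPLE_HISTORY):
    """Convenience wrapper: True when no rule is violated."""
    return not check_ais_password(candidate, userid, history)


if __name__ == "__main__":
    for pw in ["newpw05", "abc123", "curpw04", "aaa1", "password", "pass-w1"]:
        result = check_ais_password(pw, SAMPLE_USERID, SAMPLE_HISTORY)
        print(f"{pw!r}: {'OK' if not result else '; '.join(result)}")
```

The checker reports every violated rule rather than stopping at the first, which is what a user needs to pick a compliant replacement in one try. It implements only what the slide states: the userid rule, as written, applies to six-character userids only, and only the current password plus the previous three are excluded, so an older password becomes reusable once it falls out of that window.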

19
http://ais.its.psu.edu/asr/index.html
20
Security Forms
  • AIS Access Form (under construction)
    http://ais.its.psu.edu/access/access_accounts_documentation.html
  • ASR Access Checklist
  • ASR Authorization Card
    http://ais.its.psu.edu/asr/asrcard.html
  • Trusted Network Certification Form
    http://ais.its.psu.edu/security/trusted_network_form.html

21
AIS ACCESS FORM
  • Following is a sample of the updated AIS Access
    Form. This form is available to fill and print at
    http://ais.its.psu.edu/access/access_accounts_documentation.html
  • The text in red needs to be completed by the
    user and ASR. If this information is not filled
    in it could delay the processing of the request.

22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
http://ais.its.psu.edu/asr/asrcard.html
26
http://ais.its.psu.edu/security/trusted_network_form.html
27
ASR Web Page: Contact Listings and Documentation
(Colleen Shives)
28
http://ais.its.psu.edu/
29
http://ais.its.psu.edu/asr/index.html
30
CONTACT LISTINGS
  • Access and Security Representatives
    http://ais.its.psu.edu/access/replist.html
  • Data Stewards
    http://ais.its.psu.edu/access/steward.html
  • Financial Officers
    http://www.controller.psu.edu/Divisions/FinancialOfficers/staffcontact.html
  • Human Resource Representatives
    http://www.ohr.psu.edu/HRRepList.cfm

31
http://ais.its.psu.edu/asr/index.html
32
http://ais.its.psu.edu/access/replist.html
33
http://ais.its.psu.edu/asr/index.html
34
http://ais.its.psu.edu/access/steward.html
35
http://ais.its.psu.edu/asr/index.html
36
http://www.controller.psu.edu/Divisions/FinancialOfficers/staffcontact.html
37
http://ais.its.psu.edu/asr/index.html
38
http://www.ohr.psu.edu/HRRepList.cfm
39
DOCUMENTATION
  • University Policies for Computer and Data
    Security
    http://ais.its.psu.edu/security/univpol.html
  • ISIS Screens and Procedures for the Registrar
    Subsystem
    http://www.registrar.psu.edu/staff/isis/screens_and_procedures_index.html
  • ISIS Documentation (NCRR)
    http://ais.its.psu.edu/isis/media/NCRRDOC.pdf
  • IBIS Documentation
    http://ais.its.psu.edu/ibis/ibis_documentation.html
  • SecurID Tokens
    http://ais.its.psu.edu/access/securid.html
  • Net-Pass and the Net-Pass Activity Table
    http://ais.its.psu.edu/access/netpass.html

40
http://ais.its.psu.edu/asr/index.html
41
http://ais.its.psu.edu/security/univpol.html
42
http://ais.its.psu.edu/asr/index.html
43
http://www.registrar.psu.edu/staff/isis/screens_and_procedures_index.html
44
http://www.registrar.psu.edu/staff/isis/registrar_isis_screens.html
45
(No Transcript)
46
http://ais.its.psu.edu/asr/index.html
47
http://ais.its.psu.edu/isis/isisdoc.html
48
http://ais.its.psu.edu/isis/media/NCRRDOC.pdf
49
http://ais.its.psu.edu/asr/index.html
50
http://ais.its.psu.edu/ibis/ibis_documentation.html
51
http://ais.its.psu.edu/ibis/alphabetical_listing.html
52
(No Transcript)
53
(No Transcript)
54
http://ais.its.psu.edu/asr/index.html
55
http://ais.its.psu.edu/access/netpass.html
56
(No Transcript)
57
UNASSIGNED NET-PASS ACTIVITY TABLE
58
NET-PASS ACTIVITY TABLE WITH APPLICATION ACCESS
ENTERED
59
SAVING THE NET-PASS ACTIVITY TABLE ENTRIES
60
REQUESTING AIS SYSTEMS ACCESS (Sue Reese)
61
http://ais.its.psu.edu/
62
http://ais.its.psu.edu/access/hours_avail.html
63
http://ais.its.psu.edu/
64
http://ais.its.psu.edu/asr/index.html
65
ADIS: ALUMNI DEVELOPMENT INFORMATION SYSTEM
ADIS is an application that provides inquiry and
update access to a database containing
information on alumni and donors, alumni
memberships, biographical data, prospect
tracking, gift and pledge data, and WPSX
memberships.
66
http://ais.its.psu.edu/adis/adis_access.html
67
ADIS: ALUMNI DEVELOPMENT INFORMATION SYSTEM
  • Need to request DCOM to use the ADIS Web Site
  • All access needs to be approved through the
    Office of University Development
  • A SecurID Token is needed
  • http://ais.its.psu.edu/adis/adis_access.html

68
AIMS: Account Information Management System
  • AIMS is a Web-based system designed to allow
    faculty members access to the financial status of
    their sponsored project accounts.

69
http://ais.its.psu.edu/aims/aimsaccess.html
70
AIMS: Account Information Management System
  • All users are given the AIMS function assigned to
    their IBIS profile
  • No request is needed by the ASR; access is
    automatically granted via the IBIS account
    creation process
  • Users with AIMS access will not appear in your
    ASR profiles
  • http://ais.its.psu.edu/aims/aimsaccess.html

71
CIDR: CENTRAL ID REPOSITORY FUNCTION ACCESS
  • CIDR is the University's Central ID Repository.
    It contains information about a person such as
    the PSU ID, Digital IDs Access or Friends of
    Penn State (FPS) accounts, SSN and additional
    biographical data like birth month and day that
    can be used for matching records. 

72
http://ais.its.psu.edu/access/central_id.html
73
CIDR: CENTRAL ID REPOSITORY FUNCTION ACCESS
  • All requests for the functions below must be
    submitted by your Access and Security
    Representative (ASR) to the Administrative
    Support Center (ais-support@psu.edu) via
    electronic mail or on the AIS Access Form
  • CIDR functions can only be used by University
    employees and where noted require a SecurID token
    to be used
  • There are some CIDR functions that require
    additional Data Steward approval
  • http://ais.its.psu.edu/access/central_id.html

74
DATA WAREHOUSE ACCESS
  • Penn State's Data Warehouse provides users with
    easy, flexible and widely-available ad hoc access
    to institutional data for analytical and
    reporting purposes. With more than two dozen
    databases available, it is the source for
    information on students, employees, classroom
    facilities, applicants and financial transactions.

75
http://ais.its.psu.edu/data_warehouse/dw_request_access.html
76
(No Transcript)
77
http://ais.its.psu.edu/data_warehouse/dw_request_access.html
78
http://ais.its.psu.edu/data_warehouse/isis.html
79
DATA WAREHOUSE ACCESS
  • If a user does not already have an AIS Account,
    the ASR will need to fill out an AIS Access form
  • If the user already has an AIS Account, the ASR
    will need to go to this website
    http://ais.its.psu.edu/data_warehouse/dw_request_access.html
    and click on the Data area that is needed. This
    will give you the Data Steward's email address
    and an example of how the Data Steward wants the
    request.
  • Once the request is completed, an email is sent
    to the user and the ASR telling them that the
    access request has been completed. If this is a
    new Data Warehouse user they will be instructed
    to call Colleen Shives at 814-863-8168 or the
    AIS Support Center at 814-863-2276 to get the
    password; we cannot email the password.

80
eDDS: eDOCUMENT DISTRIBUTION SYSTEM
  • eDDS is a tool that enables the user to access
    and view reports via the Web.

81
http://ais.its.psu.edu/edds/access.html
82
(No Transcript)
83
(No Transcript)
84
eDDS: eDOCUMENT DISTRIBUTION SYSTEM
  • If a user does not already have an AIS Account,
    the ASR will need to fill out an AIS Access form
  • If the user already has an AIS Account, the ASR
    will need to go to this website
    http://ais.its.psu.edu/edds/access.html and click
    on the Report Steward of the report being
    requested
  • The Report Steward will approve the request and
    send it to AIS Support via e-mail
  • If a user is requesting access to ITS Online
    Billing Statement, the user will need to submit
    the request (as long as the user already has an
    AIS Account); all other eDDS access needs to be
    requested by the ASR
  • Once the request is completed, an email is sent
    to the Report Steward and the user telling them
    that it's been completed. The password is the
    same as your Access password

85
EIS: ENTERPRISE INFORMATION SYSTEM
  • EIS is your tool for answering questions about
    enrollments, admissions and other related
    University information.

86
http://ais.its.psu.edu/eis/eis_request_access.html
87
EIS: ENTERPRISE INFORMATION SYSTEM
  • EIS access must be requested by the ASR for the
    initial access
  • If a user does not already have an AIS Account,
    the ASR will need to fill out an AIS Access Form
  • EIS Access can be requested via email to
    ais-support@psu.edu or on the AIS Access Form
  • Additional access must be made by the Data
    Steward
  • If EIS is the only access the user has they will
    not show up on the ASR profiles

88
eISIS: Electronic Integrated Student Information
System
  • eISIS provides Penn State faculty and/or staff
    with a Web site for applications using a Web
    interface. These applications contain data on
    students who are currently taking, or have
    previously taken courses at any of the campuses.

89
http://ais.its.psu.edu/eisis/prerequisites.html
90
https://eisis.psu.edu/isapi/eisis.dll/submit
91
eISIS: Electronic Integrated Student Information
System
  • The ASR can request the functions on the AIS
    Access form.
  • eISIS function will be assigned to their ISIS
    security profile.
  • A SecurID Token is needed.

92
FIT: FINANCIAL INFORMATION TOOL
  • FIT is a client/server tool for budget
    administrators and others who need to perform
    management functions for one account or one cost
    center with IBIS Financial data.

93
http://ais.its.psu.edu/fit/fit_request_access.html
94
FIT: FINANCIAL INFORMATION TOOL
  • ASR must request access to ISTR
  • ISTR is available on the following profiles:
    • EASY
    • FO
    • Budget Exec
    • OHR

95
IBIS: INTEGRATED BUSINESS INFORMATION SYSTEM
  • IBIS is the electronic business system used at
    Penn State. It is comprised of a variety of
    business applications and systems that provide
    you with financial and human resource
    information.

96
http://ais.its.psu.edu/ibis/ibis_request_access.html
97
http://ais.its.psu.edu/asr/index.html
98
http://ais.its.psu.edu/access/ibispath.html
99
(No Transcript)
100
IBIS: INTEGRATED BUSINESS INFORMATION SYSTEM
  • The ASR will need to fill out an AIS Access form
    for IBIS (CCOM) Access
  • If requesting Salary or OHR paths, the form must
    have the Financial Officer's, Budget Executive's
    or Human Resource Representative's signature
  • Provide the mnemonic, FO Number and/or OHR Number
    and the profile that is needed for the user
    requesting access
  • http://ais.its.psu.edu/ibis/ibis_request_access.html

101
ISIS: INTEGRATED STUDENT INFORMATION SYSTEM
  • ISIS is the centralized student system that
    manages the records for all Penn State students
    graduate and undergraduate, credit and
    non-credit, at all Penn State locations.

102
http://ais.its.psu.edu/isis/isis_access.html
103
ISIS: INTEGRATED STUDENT INFORMATION SYSTEM
  • The ASR will need to fill out an AIS Access form
    for ISIS (ACOM/BCOM) Access
  • Userids beginning with A-J are on ACOM
  • Userids beginning with K-Z are on BCOM
  • Requesting Registrar screens from a Campus needs
    the Registrar's signature
  • http://ais.its.psu.edu/isis/isis_access.html

104
PROCESSING AIS REQUESTS
  • The ASR completes the AIS Access form, sends it
    to AIS at 24 Shields.
  • We process as much of the request as we can
    before additional approvals (if needed) are
    received.
  • We notify the ASR via email with the userid,
    password and what access was given to the user.
  • Depending on what access was requested, we may
    need to send the form out to the Data Stewards
    for ISIS and IBIS requests. This could take weeks
    depending on how many Data Stewards need to
    approve the form. There could be up to 10
    different Data Stewards when requesting access to
    an ISIS profile.
  • Once the form has all the approvals, we notify
    the ASR via email saying that the AIS Access that
    was requested has been completed.
  • Copies of the completed form will no longer be
    sent to the ASR. All forms will be scanned and
    then the ASR will be able to look at the form on
    the AIS Imaging System.

105
AIS Access Request Flow Diagram
(Diagram only; approvers shown: Budget Executive, HR
Representative, Financial Officer, Campus Registrar.)
106
SECURID TOKENS/PASSWORDS FOR SYSTEMS AND SERVICES
107
Risk Management and Privacy
  • David J. Lindstrom, CIPP/G
  • Chief Privacy Officer
  • Penn State University

108
Penn State Privacy Office
  • Mission:
  • The mission of the Privacy Office is to serve as
    a central resource for issues of privacy among
    affected university units and to provide
    leadership in the development of programs and
    practices to meet relevant privacy requirements
    and standards.

109
Privacy Office Functional Areas
  • Compliance Resource (HIPAA, FERPA, GLBA, etc.)
  • Privacy liaison between all PSU units
  • Administer all PSU privacy policies
  • Privacy and security risk assessment and
    remediation
  • Administer a university-wide complaint and
    incident response system

110
Risk Approach
  • The use of personal and institutional information
    creates risk
  • Essential to our business processes and service
    to our customers
  • Some risks are insurable others are not
  • People can manage both kinds of risk

111
Privacy Legislation
  • Increasing number of bills introduced
  • Some current laws
  • HIPAA (Health Insurance Portability and
    Accountability Act of 1996)
  • Gramm-Leach-Bliley Act (GLBA)
  • Family Education Rights and Privacy Act (FERPA)
  • Telephone Consumer Protection Act
  • CAN SPAM Act of 2003
  • Fair and Accurate Credit Transactions Act of 2003
    (FACT Act)

112
Passed PA Legislation
  • PA Senate Bill 712
  • Effective June 2006
  • Personal Information is defined as name, linked
    with
  • Social Security Number,
  • Drivers License,
  • Financial Account Numbers, or
  • Credit/debit card number

113
PA Senate Bill 712
  • Need to know where covered information is stored
  • Need to know how to get in touch with data
    subjects
  • Need a plan to respond to data breach
  • Similar statutes exist in more than 20 states

114
SB 712 Requirements
  • If it is believed that personal information
    was or is reasonably believed to have been
    accessed and acquired by an unauthorized person
    they must be notified of the breach. The
    notification of breach may be in the form of any
    of the following
  • Written notice to the last known home address for
    the individual.
  • Telephone notice if it can be reasonably expected
    that the individual will receive it.
  • Email notice if a valid email is known.

115
SB 712 Requirements
  • Substitute notices may be allowed if
  • The cost of providing notice would exceed
    $100,000.
  • Or if the number of individuals exceeds 175,000
  • Or if sufficient contact information is not
    available.
  • Substitute notice includes all of the following
  • Email notice to the individuals.
  • Conspicuous posting of the notice on the entity's
    website.
  • Notification to the statewide media.

116
Substitute Notice?
117
Student Information
  • Student educational records
  • Covers just about any record a college or
    university maintains on a student
  • Scattered throughout the institution
  • Anyone who has access to these records should be
    affected by the Family Educational Rights and
    Privacy Act (FERPA)

118
FERPA
  • Department of Education enforcement can
    withhold federal funds
  • Policy guidance, actual letters to school
    districts, colleges and universities are on line
  • http://www.ed.gov/policy/gen/guid/fpco/hottopics/ht-10-09-02a.html

119
Higher Education is a Business
  • We all sell things
  • We take cash
  • Sometimes we take checks
  • We ALWAYS take credit cards

120
PCI-VISA Standards
  • Payment Card Industry (PCI) Data Security
    Standard/Cardholder Information Security Program
    (CISP). Not a law.
  • Merchant and service provider requirement for
    those that store, process or transmit data
  • Other card companies have endorsed the VISA
    standard single approach

121
CISP Standards
  • Build and maintain a secure network
  • Protect cardholder data
  • Maintain a vulnerability management program
  • Implement strong access control measures
  • Monitor and test networks
  • Maintain an information security policy

122
Where's the PCI CISP Data?
123
What happens if we make a mistake?
  • All departments and networks could be affected.
  • Security requirements would rise for all units.
  • Credit card transaction disruption is likely.
  • Fines, up to $250,000, are not uncommon
  • http://usa.visa.com/business/business_resources/

124
Identity Theft
Greeley, Colo.: ID Theft Feared from Missing Hard
Drive
Some University of Northern Colorado employees are
switching bank accounts to thwart identity theft
after a college computer hard drive containing
Social Security and bank account numbers for
nearly 16,000 employees disappeared. Officials are
unsure whether the hard drive was misplaced or
stolen.
125
Penn State's Motivation for SSN Use Change
  • Stanford University May 2005
  • Purdue University (3rd time) May 2005
  • George Mason University January 2005
  • University of Georgia January 2004
  • New York University December 2003
  • University of Texas at Austin March 2003
  • State of California May 2002
  • Arizona State University June 2002
  • Akron Health Insurer March 2002

126
PSU SSN Conversion Project
127
SSN Conversion Resources
  • http://ais.its.psu.edu/SSN/
  • http://guru.psu.edu/policies/AD19.html
128
UT Austin Hit Again
  • Posted on Mon, Apr. 24, 2006
  • Hacker got more than 100,000 Social Security
    numbers
  • JIM VERTUNO
  • Associated Press
  • AUSTIN - Whoever hacked into the computer system
    at the University of Texas at Austin's business
    school obtained the names and Social Security
    numbers of 106,000 people, including all faculty
    and staff, most students and about half the
    alumni, a UT official said Monday.

129
Surplus and Salvage Issues
  • CALGARY (CP) - A privacy complaint involving the
    resale of a computer has prompted Staples
    Business Depot to develop a formal policy to
    ensure all hard drives are wiped clean before
    they are put back on store shelves.

130
This Week
  • Operator of 12 hospitals informs of lost data
  • CD contained personal data for more than a
    quarter-million patients
  • Updated 4:40 p.m. ET Oct 24, 2006
  • INDIANAPOLIS - The operator of 12 hospitals in
    Indiana and Illinois is notifying more than a
    quarter-million patients that compact discs
    containing their Social Security numbers and
    other personal information were lost for three
    days over the summer.
  • The Sisters of St. Francis Health Services,
    which operates 10 hospitals in Indiana and two in
    Illinois, said in the warning letter that an
    employee of a medical billing contractor copied
    the data onto several CDs in July and placed them
    in a new computer bag to work from home.

131
True PSU Stories
  • Don't place confidential material in a blue bag
    and leave it in the hall, unsecured.
  • Don't place confidential material in a clear
    plastic garbage bag and leave it outside for a
    few days.
  • Don't take confidential information home, no
    matter how secure you think you can keep it.

132
True Stories Continued
  • Don't store confidential material on unsecured
    computers
  • Don't store confidential material on unsecured
    media (e.g., flash drives)
  • Don't give data access to a third party without
    appropriate contract protections in place

133
Data Categorization
  • Re-evaluating all categories of data needing
    protection (public, non-public, confidential,
    secret, top secret, cryptographic???)

134
Penn State's AD 35
  • University Confidential Records: records which
    have the highest level of confidentiality
    attached to them and which may only be used by a
    limited number of people in the originating
    office.
  • University Restricted Records: records having a
    high level of confidentiality attached to them
    and where access is limited to the staffs of a
    small number of offices. Examples include
    individual salary and wage data, individual
    personnel files, development gift records,
    non-directory student information, and fiscal
    records at the budget and fund level.
  • University Official Records: records which are
    available to University faculty or staff members
    (usually within the unit), but are not made
    available to the public. Generally speaking, the
    bulk of University records fall into this
    category.
  • University Vital Records: records essential to
    the continued functioning or reconstitution of
    the University during and after an emergency,
    and also those records essential to protecting
    the rights and interests of the University and
    the individuals directly affected by its
    activities.

135
Penn State Privacy Activities
  • Centralized used computer sales and salvage
  • Blue Bag Program central shredding resource
  • Privacy breach incident response plan (team
    approach including key units and personnel)
  • Information Privacy and Security Improvement
    Program

136
Project Phases
  • The primary focus of Phase I is to meet the
    requirements of PCI DSS.
  • Work with consultant to make the eCommerce site and
    the Bursar's office compliant with PCI DSS
  • Develop Reference Architecture Documents to be
    used as the base template or list of
    requirements for departments using eCommerce.

137
Phase II
  • Address internal policy requirements and other
    statutory compliance obligations
  • Individual department or unit-based improvements
    achieved in Phase I will need to be expanded to
    other units of the university.

138
Project Team
  • Staff to be assigned on a full-time basis
  • Manager
  • Technical expertise
  • Support
  • Project directed jointly by Senior Director for
    Security Operations and Services and Privacy
    Officer

139
Expectation of Privacy
140
Questions
David J. Lindstrom, CIPP/G, Chief Privacy Officer
Penn State University, 227 West Beaver Avenue,
Suite 103, State College, PA 16801
814-863-3049 (Privacy Office)
814-865-7211 (Direct to my desk)
814-865-4029 (Fax)
privacy@psu.edu
141
  • IT Audit
  • ASR Meeting
  • Gary Grgurich
  • October 30, 2006

142
Internal Audit
  • Nine Auditors
  • Director
  • IT and Financial Audit Managers
  • IT staff (3)
  • Financial staff (3)
  • Report to the Corporate Controller
  • Meet regularly with the members of the Board of
    Trustees

143
College Campus Audits
  • Colleges and Campuses are selected for audit on a
    rotating basis
  • Unless some area of risk is identified
  • Dean/Chancellor are notified in advance
  • Audit consists of Financial, Operational and IT
    components
  • Primary contacts are Dean/Chancellor, Financial
    Officer, ASR and IT Manager

144
IT Audit Process
  • Questionnaire to IT Manager in advance
  • Basic information on IT staffing, infrastructure
    and controls
  • E-mail to ASR in advance
  • User authorization and SecurID assignment
    procedures
  • Exit meeting to discuss issues
  • Report with management responses

145
What is Reviewed
  • Documentation/Policy
  • Staffing
  • Network Administration
  • Logical Security
  • Physical Security
  • Backup and Recovery
  • System Monitoring

146
Some Areas of Emphasis
  • Access to sensitive information (i.e. FERPA,
    HIPAA, credit card #s, SSNs)
  • Access to key IBIS/ISIS access paths
  • Download/storage to workstations (laptops)
  • User understanding of regulations and PSU policy
  • Secure workstations
  • Anti-virus, anti-spam, patching
  • Anti-theft
  • Encryption

147
ASR Role
  • Maintain current, accurate list of users
  • Suspend/delete terminated users on a timely basis
  • Ensure that user profile information is accurate
  • Ensure that users read PSU security policies
  • Control SecurID tokens
  • Assist with review of user access to IBIS/ISIS
    screens

148
Contact Information
  • Gary Grgurich
  • Manager, IT Audit
  • gjg13@psu.edu
  • 814-865-9598
  • Internal Audit website
    http://www.controller.psu.edu/Divisions/InternalAudit/index.html
  • Financial Compliance Hotline
    800-560-1637

149
ASR REPORTS
150
Populated by a single userID. Returns information
particular to a single user.
151
Populated by a single userID. Returns information
particular to a single user.
152
Automatically populated by ASR userID. Returns a
list of all users for an ASR (note the token ID
expiration date).
153
Populated by a single userID. Returns information
particular to a single user.
154
Automatically populated by ASR userID. Returns a
list of all users for an ASR.
155
ASR REPORTS(continued)
  • Future Additions
  • IBIS report - return multiple Mnemonic access for
    a user. Currently we only have the first
    mnemonic available for this report.
  • IBIS/ISIS report - return a list of users based
    on path.
  • User report - return a list of users based on
    system (ACOM, BCOM, CCOM, etc.)

156
AIS IMAGING - Matt Wolfe
157
https://imaging.ais.psu.edu/
158
  • SECURITY OFFICE

159
DATA WAREHOUSE FOR THE ASR
  • Sue Jones

160
DATA WAREHOUSE (continued)
  • Access to the data warehouse ASR database is
    automatically given when you become an ASR.
  • How to access the Data Warehouse
  • http://ais.its.psu.edu/data_warehouse/index.html
  • https://www.warehouse.ais.psu.edu/datadict/datadictcomp.asp
  • Instructions included in the back of the book for
    connecting, linking tables and creating queries

161
DATA WAREHOUSE (continued)
http://ais.its.psu.edu/data_warehouse/index.html
162
DATA WAREHOUSE (continued)
http://ais.its.psu.edu/data_warehouse/data.html
163
DATA WAREHOUSE (continued)
https://www.warehouse.ais.psu.edu/datadict/datadictcomp.asp
164
DATA WAREHOUSE (continued)
https://www.warehouse.ais.psu.edu/datadict/datadict2.ASP?database_name=asr
165
DATA WAREHOUSE (continued)
https://www.warehouse.ais.psu.edu/datadict/datadict3.ASP?table_name=acf2
166
DATA WAREHOUSE (continued)
  • Data Warehouse Demonstration
  • create queries
  • sample queries
  • http://ais.its.psu.edu/data_warehouse/queries.html

167
  • FIT
  • AND
  • PASSWORD REQUIREMENTS
  • John Ellenberger

168
FIT - FINANCIAL INFORMATION TOOL - Windows
Requirements: OS, Hardware and Security
  • Supported Operating Systems
  • Windows 2000 or Windows XP (32 Bit)
  • Hardware Requirements
  • 486/66 MHz or higher CPU
  • 32 MB RAM
  • 10MB available space on hard disk
  • Postscript enabled printer with at least 4MB RAM
    (if printing)
  • PSU Data Backbone, wireless connection or modem
    (an IP address in the trusted network, or VPN from
    an ISP to PSU, or wireless)

169
FIT - FINANCIAL INFORMATION TOOL (CONTINUED)
  • Note  32MB is the minimum amount of memory.
    FIT's ability to process accounts and cost
    centers with large numbers of transactions is
    related to the amount of memory available.
  • Security Requirements
  • Access account from the Information Technology
    Services Accounts Office
  • IBIS access to function ISTR from the
    Administrative Information Services (AIS)
  • Permissions: Full Control on the ibisfit folder
    and all folders below it

170
FIT - Financial Information Tool - Macintosh
Requirements: OS, Hardware and Security
  • Supported Operating Systems
  • Macintosh OS X
  • Note  FIT will not work on Macintosh OS 8.x or
    OS 9.x or Intel Mac OS X.
  • Hardware Requirements
  • Power Macintosh (PowerPC)
  • OS X 10.1 or later
  • 4 MB RAM
  • 2 MB available disk space
  • Postscript enabled printer with at least 4MB RAM
    (if printing)
  • Open Transport TCP/IP Version 1.1 or later

171
FIT - FINANCIAL INFORMATION TOOL (CONTINUED)
  • PSU Data Backbone, wireless connection or modem
    (an IP address in the trusted network, or VPN from
    an ISP to PSU, or wireless)
  • Security Requirements
  • Access account from the Information Technology
    Services Accounts Office
  • IBIS access to function ISTR from the
    Administrative Information Services (AIS)
  • Ownership/Permissions: need Read and Write on
    the ibisfit directory and everything below it

172
http://ais.its.psu.edu/fit/downloads.html
173
AIS Requirements For Changing Password
  • Password is required
  • Minimum of six and maximum of eight letters/numbers
  • Cannot be the current password or any of the
    previous 3 passwords
  • Cannot contain the same letter or number three
    times in a row
  • Cannot be your user id (applies when the user id
    is six characters)
  • Must contain at least one number
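The rules above form a checkable policy, so here is a validator that enforces all six of them. It is an added example, not AIS code; it assumes comparisons are case-insensitive and that the password history is supplied as the current password followed by the previous ones, most recent first.

```python
import re
from typing import List

# Added example encoding the 2006 AIS password rules; not AIS code.
MIN_LEN, MAX_LEN = 6, 8
PREVIOUS_KEPT = 3   # the current password plus the previous 3 may not be reused


def check_password(candidate: str, userid: str, history: List[str]) -> List[str]:
    """Return the list of rule violations; an empty list means the password
    is acceptable under the AIS requirements.

    `history` holds the current password first, then older ones, most recent
    first (plaintext here only for demonstration; assumption, see lead-in).
    """
    violations = []
    if not candidate:
        violations.append("password is required")
        return violations
    if not (MIN_LEN <= len(candidate) <= MAX_LEN):
        violations.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    # Letters and digits only (ASCII); no punctuation or other characters.
    if not (candidate.isascii() and candidate.isalnum()):
        violations.append("only letters and numbers are allowed")
    if not any(ch.isdigit() for ch in candidate):
        violations.append("must contain at least one number")
    # Three identical characters in a row, e.g. "aaa" or "111".
    if re.search(r"(.)\1\1", candidate, flags=re.IGNORECASE):
        violations.append("must not contain three identical characters in a row")
    # A user id shorter than six characters can never match a valid password,
    # which is why the slide scopes this rule to six-character ids.
    if candidate.lower() == userid.lower():
        violations.append("must not be your user id")
    recent = [old.lower() for old in history[:PREVIOUS_KEPT + 1]]
    if candidate.lower() in recent:
        violations.append("must not be the current or any of the previous 3 passwords")
    return violations


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ("abc123", "jdoe", []),
        ("aaa123", "jdoe", []),
        ("jsmith1", "JSMITH1", []),
        ("old2pw", "jdoe", ["cur1pw", "old1pw", "old2pw", "old3pw"]),
    ]
    for pw, uid, hist in samples:
        print(pw, "->", check_password(pw, uid, hist) or "OK")
```

Two things a practitioner would note: the history list is plaintext only because this is a demonstration, a real implementation compares against stored hashes; and a six-to-eight-character alphanumeric limit with no other characters allowed is far below current guidance, so the code is a faithful encoding of the 2006 policy, not a recommendation.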

174
  • SECURID TOKENS
  • Linda McCamley

175
http://ais.its.psu.edu/
176
http://ais.its.psu.edu/access/index.html
177
http://ais.its.psu.edu/access/securid.html
178
http://ais.its.psu.edu/access/securid.html
179
SecurID Tokens
  • What Systems Require a Token?
  • Below is a list of systems and web applications
    that require second-factor authentication as part
    of their access requirements.
  • Administrative Information Services (AIS)
    mandates the use of a SecurID token to access
    centralized administrative systems. Data
    Stewards may require that a SecurID token be used
    to access their specific data elements regardless
    of read or update access.
  • A SecurID token is required for the following:
  • NetPass/Mainframe Systems
  • IBIS, ISIS, ROSCOE, Testais, TSO
  • WebADIS, ADIS
  • CIDR
  • eISIS
  • eLion Functions requiring faculty input

180
SecurID Tokens(continued)
  • eCommerce - Beginning in December 2006, eCommerce
    users will need a SecurID token to log on to
    eCommerce services in order to process credit
    cards.
  • eSteward - Now available. Alumni Development web
    application that provides authorized Penn State
    faculty and/or staff with a Web site tool that
    brings together necessary data for the effective
    management and stewardship of our donors' gifts
    and the scholarship, faculty, and program
    endowments/accounts that their gifts support.

181
SecurID Tokens(continued)
  • Reminder: Current Pricing
  • SecurIDs for Staff: $31.00 each
  • SecurIDs for Faculty: $25.00 each (for a
    limited time, until the supply is depleted)
  • Please share this pricing information with all
    departments within your administrative unit. The
    AIS Business Office is still receiving IDCCs
    with the old $75.00 cost per token indicated.

182
SecurID Tokens(continued)
  • Faculty Token Allotments
  • In November 2005, each area ASR (and alternates)
    was informed that any new SecurID tokens
    purchased for Faculty members (grade entry
    process) would be priced at $25.00 per token for
    a limited time.
  • This special token allotment was determined by
    the number of Faculty positions held within each
    College or Campus and will be available until
    that allocation has been depleted. At that time,
    you will be notified that the token price will
    increase to $31.00 (the same as the current staff
    pricing).
  • Quarterly, an email message is sent alerting you
    to the status of your allotment.

183
SecurID Tokens(continued)
  • Expiring Tokens
  • In June 2006, a message was sent listing those
    users whose tokens would be expiring during the
    next fiscal year. We will continue to provide
    this information.
  • Returning and Replacing Faulty Tokens
  • Any SecurID token malfunctioning before its
    expiration date (located on the back of each
    token) will be replaced free of charge. The
    replacement token will have an expiration date
    comparable to that of the faulty token.
  • Faulty tokens should not be returned to us
    through interoffice mail. University Park
    staff should bring the token to our office in 24
    Shields Bldg. for a replacement.
  • Campus returns should be placed in a cushioned
    mailer and sent to us via surface mail. A
    replacement will then be mailed.

184
SecurID Tokens(continued)
  • Transferring Ownership of the Token
  • If an employee is transferring within the
    University or leaving the University, their
    SecurID token should be returned to the area ASR
    or the person who issued it to them.
  • A previously assigned token can be reassigned to
    another user within that department. Funds used
    to purchase the token came from a specific
    department budget, therefore the token should
    remain in this area unless other arrangements
    have been made.
  • Token Orders
  • Any concerns?
  • Are you receiving your token order in a timely
    manner?