LOGICAL ACCESS:

1
LOGICAL ACCESS Business Managers
Presentation FOR Saint Louis University
2
Agenda

• Logical Access Background
• Purpose of Access Security Request Form
• Key Sections of Form
• Completion Submission of Form
• Tips to Make the Process Work
• Monitoring Access Rights
• Documents
• Q A

3
Background

• Logical Access is the process by which
  individuals are permitted to use computer systems
  and networks
• SLUs goal is to strengthen logical access
  controls
• Reduce risk of inappropriate and unauthorized
  access
• Applies to Banner, WebFOCUS, Xtender, Workflow,
  Axiom and related databases
• Logical Access centered upon 12 Key Controls
• Key Controls Addressed with Access Security
  Request Form and Monitoring
• LA1- A formalized documented system for user
  access is established
• LA2- Full user Account information is documented
  and retained
• LA3- Authorized approval and documentation
• LA4- User access is verified by Process Owners
• LA5 LA6 - Segregation of duties analysis
• LA10 Documentation and control for Terminations
• LA11 Monitoring Access Reviews

4
Access Form Purpose

• Formal documentation of request and approval
• Replaces email, phone, and verbal requests
• Increases consistency in requests
• Used for the following requests
• Banner, WebFOCUS, Xtender, Workflow, Axiom, and
  related databases
• New, change, and delete user access
• Faculty/staff, student workers, contractors,
  guest accounts
• Location of the form and instructions
• http//www.slu.edu/services/HR/university_security
  _forms.html
• Titled University Access Security Request Form
• Security Request Form How-To Instructions

5
Key Sections of Form

• User Information
• All users, including contractors and guests, are
  required to have SLUnet (Banner) ID prior to new
  user access request
• Type of Request
• Access Type and Level
• Complete appropriate sections for data required
  (Human Resources, Business Finance,
  Advancement, Student Financial Services, Student)
• Statement of Approval Signature
• Accuracy of request
• Segregation of duties has been considered
• User aware of University policies and procedures
• Training has been provided (where
  required/available)

6
Completion Submission

• Access Type Level Service Level Review Guide
• Descriptions of classes, forms, etc. Use to
  determine and evaluate appropriateness of access
  rights (Segregation of Duties)
• http//www.slu.edu/services/HR/university_security
  _forms.html
• Statement of Approval Authorized Approvers
• Business Manager or above (some exceptions)
• Directors, Associate Directors, etc
• Listing of authorized approvers currently being
  developed will be posted on a weblink for easy
  access.

7
Completion Submission

• Segregation of Duties - Prevents a single person
  from performing two or more incompatible
  functions. Failure to adequately segregate, or
  implement compensating controls, increases the
  risk that errors or unauthorized actions may
  occur and not be detected in a timely manner.
• Examples of inadequate segregation One person
  has access rights to
• Perform billings/invoicing, receive the
  corresponding payments, and record the
  corresponding cash receipts entries.
• Authorize disbursements, issue corresponding
  disbursements, and record corresponding
  disbursements entries.
• Set up a new employee, input pay rates/salary,
  and issue pay checks.

8
Completion Submission

• Submit forms to appropriate Security Officer
• Access to a single departments data submit to
  single Security Officer
• Access to multiple departments data submit to
  multiple Security Officers

9
Tips to Make the Process Work!

• Ensure completion and accuracy of form data
  Consult with Security Officers, if unsure
• Submit documentation of user training, if
  required Consult with Security Officers, if
  unsure
• Submit access requests for new users (or
  transfers) in advance of users first day of work
• Reply to Security Officers request for user
  access confirmation
• Submit access form to remove user access, at
  least 2 days prior to last day of work
• Monitor and communicate last days for
  contractors, including guests, to Security
  Officers
• Ensure timely notification of terminations to HR
• Begin using the forms immediately!

10
Monitoring

• Monitoring involves reviews of reports to ensure
  that users have appropriate and authorized access
  rights. The following reports will be used
• Service Access Report
• A comprehensive listing of user access rights
• HR, Finance, Student, Advancement, Student
  Financial Aid
• Banner, WebFOCUS, Xtender, Workflow, Axiom and
  related databases
• Review Timing Bi-Annually
• Position Change Report
• Lists users who have changed positions, which may
  require updates to access rights
• Review Timing Weekly
• All Business Managers involvement is not required
  each week depends on department activity

11
Monitoring

• Termination Reports
• Lists users who have separated from the
  university, but who still have access rights
• Review Timing Weekly
• Security Officers will request that Business
  Managers confirm terminations as needed depends
  on termination activity for the week, if any.
• Account Inactivity Report
• Lists users whose accounts have shown no activity
  over a specified period of time
• Review Timing Bi-Annually
• Business Managers involvement dictated by number
  of inactive accounts in department

12
Monitoring

• Service Access and Account Inactivity Reports
  Review Process
• QA Administrator sends email to Business Managers
  (BMs) notifying them of the review
• BMs obtain reports review access rights of users
  in their department for appropriateness review
  users with inactivity
• Utilize Service Level Review Guide to review
  access rights
• If necessary, BMs initiate changes/removal of
  access rights using Access Control Form
• BMs email Monitoring Review Form to QA
  Administrator noting review has been performed
  and action taken, if any.
• BMs maintains documentation of review for own
  records
• QA Administrator maintains overall documentation
  of reviews

13
Monitoring

• Position Change Reports Review Process
• Security Officers obtain reports
• Identifies BMs to assist in reviews
• Due to volume of activity, not necessary to
  distribute to all BMs
• If necessary, BM initiates changes to access
  rights using Access Control Form
• BM sends email reply to Security Officer noting
  review has been performed and action taken.
• BM maintains documentation of review for own
  records
• Security Officer forwards Monitoring Review form
  to QA Administrator
• QA Administrator maintains overall documentation
  of reviews

14
Monitoring

• Termination Reports Review Process
• Security Officers obtain reports and verifies
  termination status with BMs
• BM sends email reply to Security Officer
  confirming termination status
• Security Officer maintains documentation of
  review for own records
• Security Officer forwards Monitoring Review Form
  to QA Administrator
• QA Administrator maintains overall documentation
  of reviews

15
Monitoring

• Other Notes
• Service Access and Account Inactivity Reports
  review to be performed end of April and October.
• BMs can request user access profile at any time
  contact a Security Officer.
• Position and Termination reports review has
  begun. BMs will be notified if assistance is
  required.
• Service Level Review Guide and Monitoring Review
  Form located at
• http//www.slu.edu/services/HR/university_security
  _forms.html

16
Monitoring Reviews
Example Service Access Report
17
Monitoring Reviews
Example Position Change Report
18
Monitoring Reviews
Example Termination Report
19
Key Documents

• Desk Procedures
• Quick Reference Guide
• Access Security Request Form
• Security Request Form How-To Instructions
• Monitoring Reports
• Service Level Review Guide
• Monitoring Review Form

20
Thank You!

• Q A
• Contacts
• Security Officers See Slide 8
• or
• Tim Brooks, QA Administrator 977-7221