Presentation on theme: "The World of Access Controls"— Presentation transcript:
1 The World of Access Controls This layout functions well as a section opener.Kevin Savoy, MBA, CPA, CISA, CISSPDirector of Information Technology Audits
2 RiskBusiness Risk“The potential that a given threat will exploit vulnerabilities of an asset to cause a loss or damage to an asset.”This is the dominant secondary page.
3 ControlsControls“The policies, practices and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected”This is the dominant secondary page.
4 Layers Where IT Controls Exist Application (this is where YOU come in)Database (oracle admin level)Operating System (Unix, Windows)Network (routers, firewalls, switches)This is the dominant secondary page.
5 Program Integrity (change control) Edit Checks Data Reconciliations Application ControlsProgram Integrity (change control)Edit ChecksData ReconciliationsACCESS CONTROLSThis is the dominant secondary page.
6 Most IntrusionsStatistics continue to show that most unauthorized access to data is from within an organization.You would not know this fact from the press that hackers receive.Therefore your responsibility over ACCESS CONTROLS within applications (Finance, Student System, HR and other supporting systems) is critical.This is the dominant secondary page.
7 Access Controls Consist of two parts: Authentication (is a user who they say they are)Authorization (what can they do once they “are in”)This is the dominant secondary page.
8 Authorization YOU are the gatekeeper to UVA data. Should be based on a “least amount of access needed to perform a job function”.Should not allow a user to have conflicting access. For instance, a user should not be allowed to record and approve payments without oversight.The person giving access should be knowledgeable of the individual’s need for data access (can be personal knowledge at the lowest levels and trust of supervisors at the higher levels of approval).This is the dominant secondary page.
9 AuthorizationUsers should not be able to build up access as they move to different departments, thus all access should be terminated and reapplied for.User access should be reviewed periodically to determine if it is still needed. A standard approach should be taken AND documented.Access should be removed immediately upon termination or change of position except within the same department.This is the dominant secondary page.
10 ESHARP…Audit was involved and believes automating access requests should make your job easier and more secure.Audit will continue to spot check Access Control procedures, validity of access granted, and approvals during regular audits.