The World of Access Controls

Presentation on theme: "The World of Access Controls"— Presentation transcript:

1 The World of Access Controls
Kevin Savoy, MBA, CPA, CISA, CISSP, Director of Information Technology Audits

2 Risk
Business Risk: “The potential that a given threat will exploit vulnerabilities of an asset to cause a loss or damage to an asset.”

3 Controls
Controls: “The policies, practices and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”

4 Layers Where IT Controls Exist
- Application (this is where YOU come in)
- Database (Oracle admin level)
- Operating System (Unix, Windows)
- Network (routers, firewalls, switches)

5 Application Controls
- Program Integrity (change control)
- Edit Checks
- Data Reconciliations
- ACCESS CONTROLS

6 Most Intrusions
Statistics continue to show that most unauthorized access to data is from within an organization. You would not know this fact from the press that hackers receive. Therefore your responsibility over ACCESS CONTROLS within applications (Finance, Student System, HR and other supporting systems) is critical.

7 Access Controls Consist of two parts:
- Authentication (is a user who they say they are)
- Authorization (what can they do once they “are in”)

8 Authorization
YOU are the gatekeeper to UVA data.
- Should be based on the “least amount of access needed to perform a job function”.
- Should not allow a user to have conflicting access. For instance, a user should not be allowed to record and approve payments without oversight.
- The person giving access should be knowledgeable of the individual’s need for data access (this can be personal knowledge at the lowest levels and trust of supervisors at the higher levels of approval).

9 Authorization
- Users should not be able to build up access as they move to different departments; all access should be terminated and reapplied for.
- User access should be reviewed periodically to determine if it is still needed.
- A standard approach should be taken AND documented.
- Access should be removed immediately upon termination or change of position, except within the same department.
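The four authorization rules on slides 8 and 9 (no conflicting access, no access carried over from a previous department, periodic review, immediate removal on termination) are exactly the checks an access review runs against an entitlement listing. The script below is an added example, not code from the presentation or from UVA; the user records, entitlement names, the 180-day review window and the conflicting pairs other than record/approve payment are constructed assumptions for illustration.

```python
"""Access-review checker for the slides' authorization rules.

Constructed example: the users, entitlement names and review window
are assumptions, not data from the presentation.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Entitlements that must not be held together without oversight.
# record/approve payment is the slide's own example; the vendor pair
# is an assumed additional conflict.
CONFLICTING_PAIRS = {
    frozenset({"record_payment", "approve_payment"}),
    frozenset({"create_vendor", "approve_payment"}),
}

REVIEW_WINDOW = timedelta(days=180)   # assumed periodic-review interval


@dataclass
class Entitlement:
    name: str
    department: str   # department that granted the access
    granted: date


@dataclass
class User:
    user_id: str
    department: str   # current department
    active: bool      # False once terminated
    last_reviewed: date
    entitlements: list = field(default_factory=list)


def find_sod_conflicts(user):
    """Conflicting pairs the user currently holds (segregation of duties)."""
    held = {e.name for e in user.entitlements}
    return sorted(tuple(sorted(pair)) for pair in CONFLICTING_PAIRS if pair <= held)


def find_carried_over(user):
    """Access granted by a department the user has since left."""
    return sorted(e.name for e in user.entitlements if e.department != user.department)


def review_overdue(user, today):
    return today - user.last_reviewed > REVIEW_WINDOW


def review_access(users, today):
    """Return (user_id, finding, detail) tuples for every rule violation."""
    findings = []
    for u in users:
        if not u.active:
            # Terminated users should hold nothing at all.
            for e in u.entitlements:
                findings.append((u.user_id, "terminated_user_retains_access", e.name))
            continue
        for pair in find_sod_conflicts(u):
            findings.append((u.user_id, "conflicting_access", "+".join(pair)))
        for name in find_carried_over(u):
            findings.append((u.user_id, "carried_over_access", name))
        if review_overdue(u, today):
            findings.append((u.user_id, "review_overdue",
                             f"last reviewed {u.last_reviewed.isoformat()}"))
    return findings


# Constructed sample listing, one user per rule plus one clean user.
TODAY = date(2024, 6, 1)
SAMPLE_USERS = [
    User("alice", "Finance", True, date(2024, 5, 1), [
        Entitlement("record_payment", "Finance", date(2023, 1, 10)),
        Entitlement("approve_payment", "Finance", date(2024, 2, 3)),
    ]),
    User("bob", "HR", True, date(2024, 5, 1), [
        Entitlement("view_payroll", "HR", date(2024, 3, 1)),
        Entitlement("record_payment", "Finance", date(2022, 9, 14)),  # kept after transfer
    ]),
    User("carol", "Student", False, date(2024, 5, 1), [
        Entitlement("view_student", "Student", date(2021, 8, 20)),
    ]),
    User("dave", "Finance", True, date(2023, 4, 1), [
        Entitlement("view_ledger", "Finance", date(2023, 4, 1)),
    ]),
    User("erin", "Finance", True, date(2024, 5, 15), [
        Entitlement("view_ledger", "Finance", date(2024, 5, 15)),
    ]),
]

if __name__ == "__main__":
    for user_id, finding, detail in review_access(SAMPLE_USERS, TODAY):
        print(f"{user_id:6} {finding:32} {detail}")
```

Run as a script it prints one line per finding: alice holds both halves of the record/approve pair, bob still has Finance access after moving to HR, carol is terminated but retains an entitlement, and dave's access has not been reviewed within the window; erin produces nothing. Feeding the same checks a real entitlement export is how the spot checks described on slide 10 can be repeated on a schedule rather than only at audit time.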

10 ESHARP… Audit was involved and believes automating access requests should make your job easier and more secure. Audit will continue to spot check Access Control procedures, validity of access granted, and approvals during regular audits.

11 Questions??? Kevin Savoy -

