
LOGICAL ACCESS FOR University Medical Group, Saint Louis University (presentation transcript)


Slide 2: AGENDA
– Logical Access: Definitions and Controls
– Workflow
– Documentation Process
– Password Security
– Monitoring
– Audit Tracking
– Helpful Links
– Q & A

Slide 3: DEFINITIONS
Logical Access: the process by which individuals are permitted to use computer systems and the networks to which these systems are attached. Applications and networks, and the services they provide, are available only to those individuals who are entitled to use them. Entitlement is typically based on a predetermined relationship between the network or system owner and the user.

Slide 4: DEFINITIONS
– Access Form – used in the Logical Access process to document and approve authorized access to systems/applications (see "Helpful Links" for examples)
– Product Managers – responsible for the access management of the system or application (also referred to as Tech. Coordinators, Application Analysts or other titles)
– Business Process Owner (BPO) – person(s) authorized by UMG and ITS to approve access to systems/applications for a department
– Key Controls (LA #) – denotes the key process controls within Logical Access identified and approved by the University
– ITS – Saint Louis University, Information Technology Services
– SLU-Care Service Desk – UMG/ITS help desk which creates Remedy tickets for service requests
– Quality Assurance Administrator – monitors and reviews all logical access management policies and processes for compliance
– Remedy Management System (Remedy) – request tracking system used to record and document service requests

Slide 5: DEFINITIONS
Segregation of Duties: prevents a single person from performing two or more incompatible functions. Failure to adequately segregate, or to implement compensating controls, increases the risk that errors or unauthorized actions may occur and not be detected in a timely manner.
Examples of inadequate segregation – one person has access rights to:
– Perform billings/invoicing, receive the corresponding payments, and record the corresponding cash receipts entries.
– Authorize disbursements, issue the corresponding disbursements, and record the corresponding disbursement entries.
– Set up a new employee, input pay rates/salary, and issue pay checks.

Slide 6: CONTROLS
LA1 – A formalized, documented system for user access is established
LA2 – Full user account information is documented and retained
LA3 – Authorized approval and documentation
LA4 – User access is verified by Process Owners
LA5 – Segregation of duties analysis
LA6 – Segregation of duties analysis for administrative users
LA7 – User password requirements are established and enabled
LA8 – Application password requirements are established and enabled
LA9 – Automatic lock-out controls are established and enabled
LA10 – Documentation and control for terminations
LA11 – Monitoring access reviews
LA12 – Auto-logging established, tracked and reviewed

Slide 7: WORKFLOW – Four Step Process
1. BPO approves the completed access forms
2. User completes required training
3. Product Manager reviews forms for completeness and approval, and documents them in a Remedy ticket
4. Access is granted and confirmed

Slide 8: DOCUMENTATION – Access Form Basics (LA Controls 1-6 and 10)
– User Information
– Type of Request
– Access Type, with specific details
– Statement of Approval:
  – Accuracy of request
  – Knowledge of University policies and procedures
  – Required training has been addressed
  – Segregation of duties has been considered
– Authorized Approver Signature
See "Helpful Links" for your specific application.

Slide 9: DOCUMENTATION
Product Managers record the following information in Remedy.
For new or change of access:
– Attach Request Form (required)
– Verify and/or attach Confidentiality Agreement
– Verify the user's current access
– Notify Hiring Manager/Process Owner
For termination of access:
– Attach Request Form or Termination Report (required)
– Lock/disable the user account
– Notify Hiring Manager

Slide 10: DOCUMENTATION – Key Points to Remember (LA Control 10)
1. Change/Delete Access
   – Similar process as a new user request
   – Requires an Access Form
   – Segregation of Duties analysis for the change request
   – All changes recorded in Remedy
2. Termination requests: submitted prior to the user's last day
3. Notification to Human Resources prior to the user's last day
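The segregation-of-duties analysis from slide 5 (controls LA5/LA6) and the change-request analysis from slide 10 share one check, shown here as an added example that is not SLU/UMG code. The right names and the sample access map are constructed; the three incompatible groups are the slide's own examples.

```python
# Added example, not SLU/UMG code. Rights names and the sample access map are
# constructed; the incompatible groups are the three examples from slide 5.
INCOMPATIBLE = [
    {"billing", "receive_payments", "record_cash_receipts"},
    {"authorize_disbursements", "issue_disbursements", "record_disbursements"},
    {"setup_employee", "input_pay_rates", "issue_paychecks"},
]

SAMPLE_ACCESS = {  # constructed user -> rights map, as a Service Access Report would list it
    "jdoe": {"billing", "receive_payments"},
    "asmith": {"setup_employee", "input_pay_rates", "issue_paychecks"},
    "bjones": {"authorize_disbursements", "billing"},
    "sysadmin": {"setup_employee"},
}

def sod_violations(rights, rules=INCOMPATIBLE):
    """Per incompatible group, the functions this one user can perform.
    The slide defines a conflict as 'two or more incompatible functions',
    so any pair from a group is a finding, not only the full triple."""
    rights = set(rights)
    return [sorted(rule & rights) for rule in rules if len(rule & rights) >= 2]

def review_all(user_rights, admins=(), rules=INCOMPATIBLE):
    """LA5/LA6 review: every user with a conflict, plus every administrative
    user (listed even when clean, so the admin analysis is documented)."""
    findings = {}
    for user, rights in user_rights.items():
        hits = sod_violations(rights, rules)
        if hits or user in admins:
            findings[user] = hits
    return findings

def check_change_request(current, requested, rules=INCOMPATIBLE):
    """Slide 10 change-request analysis: conflicts that granting `requested`
    on top of `current` would create or widen (empty list = no new conflict)."""
    before = sod_violations(current, rules)
    after = sod_violations(set(current) | set(requested), rules)
    return [hit for hit in after if hit not in before]

if __name__ == "__main__":
    for user, hits in review_all(SAMPLE_ACCESS, admins={"sysadmin"}).items():
        print(user, hits or "no conflict (admin, reviewed)")
    print(check_change_request(SAMPLE_ACCESS["bjones"], {"receive_payments"}))
```

The change-request check is run before the BPO approves an Access Form, so a request that would widen an existing conflict is caught at step 1 of the workflow rather than found later in a Service Access Report review.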

Slide 11: PASSWORD SECURITY (LA Controls 7-9)
– Password must be a minimum of 8 characters
– Password must not be the same as your "User Name"
– Password must be constructed using one of each of the following character types:
  – Uppercase alpha (A, B, C, D, E, …)
  – Lowercase alpha (a, b, c, d, e, …)
  – Numbers (1, 2, 3, 4, 5, 6, 7, 8, 9, 0)
– Passwords must not contain special characters (!, #, $, %, &, *)
– Passwords must not be easily guessed: they must not be names, dictionary words, phone numbers or birthdays, or contain the "User Name"
– Passwords must be different from the previous 12
– New users will be forced to change their passwords after their initial log-in
– After 3 unsuccessful log-in attempts the user account will be suspended
– All passwords will expire after 180 days
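The rules on this slide written out as a checker, as an added example that is not SLU/UMG code. COMMON_WORDS is a constructed stand-in for a real dictionary list, the phone-number test is an approximation, and the account-state model (attempt counter, password age in days) is assumed rather than taken from the slide.

```python
# Added example, not SLU/UMG code: the password rules from this slide (LA
# controls 7-9) as a checker. COMMON_WORDS is a constructed stand-in for a
# real dictionary list, and the phone-number test is an approximation.
import hashlib
import os
import re

MIN_LENGTH, HISTORY_DEPTH, MAX_ATTEMPTS, MAX_AGE_DAYS = 8, 12, 3, 180
SPECIAL = set("!#$%&*")                          # characters the slide disallows
COMMON_WORDS = {"password", "welcome", "summer"}  # constructed stand-in dictionary

def hash_password(password, salt=None):
    """Salted PBKDF2 so the stored history cannot be turned back into passwords."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def policy_errors(password, username, history=()):
    """Every slide rule the proposed password breaks; an empty list means accepted.
    `history` is the stored (salt, digest) list, newest last."""
    p, u, errors = password, username.lower(), []
    if len(p) < MIN_LENGTH:
        errors.append("fewer than 8 characters")
    if p.lower() == u:
        errors.append("same as user name")
    elif u in p.lower():
        errors.append("contains user name")
    if not re.search(r"[A-Z]", p):
        errors.append("no uppercase letter")
    if not re.search(r"[a-z]", p):
        errors.append("no lowercase letter")
    if not re.search(r"[0-9]", p):
        errors.append("no number")
    if SPECIAL & set(p):
        errors.append("contains a special character")
    if any(w in p.lower() for w in COMMON_WORDS) or re.search(r"\d{7,}", p):
        errors.append("easily guessed (dictionary word or phone-number-like digits)")
    if any(hash_password(p, s)[1] == d for s, d in list(history)[-HISTORY_DEPTH:]):
        errors.append("matches one of the previous 12 passwords")
    return errors

def account_state(days_since_change, failed_attempts, first_login_pending=False):
    """Log-in decision: suspension after 3 failures, forced change at first
    log-in or once the password is 180 days old (constructed state model)."""
    if failed_attempts >= MAX_ATTEMPTS:
        return "suspended"
    if first_login_pending or days_since_change >= MAX_AGE_DAYS:
        return "must change password"
    return "active"
```

Only the most recent 12 history entries are compared, so the stored list can be trimmed to that depth when a new password is accepted.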

Slide 12: PASSWORD SECURITY (LA Controls 7-9) – Accessing or Changing your "MYSLU" ID Password
1. Log into password.slu.edu with your SLUNET ID and temporary or existing password
2. Go to "Change Password"
3. Change your password to meet the new security standards
4. Confirm by logging into your MYSLU page
Refer to the specific application for more information.

Slide 13: MONITORING (LA Control #11)
Monitoring involves reviews of reports to ensure that users have appropriate and authorized access rights. There are three types of reports:
1. Service Access Report – a comprehensive listing of user access rights. Review timing: bi-annually
2. Termination Report – lists users who have separated from the university but who may still have access rights. Review timing: weekly
3. Position Change Report – lists users who have changed positions, which may require updates to access rights. Review timing: weekly

Slide 14: MONITORING – The Monitoring Process
– Product Managers, with assistance from department management, ensure reviews are completed for their respective areas.
– User access changes resulting from these reviews should be requested on an Access Form.
– Reviews of the Service Access Report, Termination Reports and Position Change Reports must be documented and retained.
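The weekly Termination Report review from slides 13 and 14, reconciled against a system's account list, as an added example that is not SLU/UMG code. Both inputs are constructed CSV text standing in for the HR report and an application's user export; the column names are assumptions.

```python
# Added example, not SLU/UMG code: the weekly Termination Report review from
# slide 13 run against a system's account list. Both inputs are constructed
# CSV text standing in for the HR report and the application's user export.
import csv
from datetime import date
from io import StringIO

HR_TERMINATION_REPORT = """\
slunet_id,last_day
jdoe,2024-03-01
asmith,2024-03-08
rlee,2024-03-15
"""
SYSTEM_ACCOUNTS = """\
slunet_id,status,last_login
jdoe,enabled,2024-03-05
asmith,disabled,2024-02-28
rlee,enabled,2024-03-06
bjones,enabled,2024-03-07
"""

def parse_csv(text):
    return list(csv.DictReader(StringIO(text)))

def termination_findings(report, accounts, review_date):
    """Separated users whose account is still enabled after their last day.
    A log-in after separation is flagged separately: that is use of access
    that should already have been removed, not just a missed clean-up."""
    review = date.fromisoformat(review_date)
    enabled = {a["slunet_id"]: a for a in accounts if a["status"] == "enabled"}
    findings = []
    for row in report:
        last_day = date.fromisoformat(row["last_day"])
        acct = enabled.get(row["slunet_id"])
        if acct is None or last_day >= review:      # already disabled, or not yet left
            continue
        findings.append({
            "user": row["slunet_id"],
            "last_day": row["last_day"],
            "used_after_separation": date.fromisoformat(acct["last_login"]) > last_day,
            "action": "Termination request: lock/disable account, record in Remedy",
        })
    return findings

if __name__ == "__main__":
    for f in termination_findings(parse_csv(HR_TERMINATION_REPORT),
                                  parse_csv(SYSTEM_ACCOUNTS), "2024-03-10"):
        print(f)
```

Each finding is the input for the slide 9 termination documentation (attach the Termination Report, lock the account, notify the Hiring Manager), and the retained output of the run is the review record LA11 asks for.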

Slide 15: AUDIT TRACKING (LA Control #12)
Utilization of the operating system's built-in auditing capabilities to monitor various events:
1. Logon and logoff
2. Use of user rights
3. User and group management
4. Security policy changes
5. Restart, shutdown and system failure
6. Changes, additions and deletions to tables, program code and security tables

Slide 16: HELPFUL LINKS
– Banner Products Logical Access Information: http://www.slu.edu/services/HR/university_security_forms.html
– IDX Products Logical Access Information: http://pmoweb.slu.edu/
– EHR Products Logical Access Information: http://ehr.slucare.edu/
– eRS Products Logical Access Information: http://ers.slu.edu/
– Logical Access Change Management Initiative: http://www.slu.edu/x20377.xml
Refer to your Product Manager for all other products.

Slide 17: THANK YOU – Q & A
