1
ME CONTROLLING? CREATING A CONTROL SYSTEM YOU CAN LIVE WITH
Kristi Olson, Idaho State University
Date Track
Coeur d’Alene, Idaho
2
SESSION RULES OF ETIQUETTE
- Please turn off your cell phone/pager.
- If you must leave the session early, please do so as discreetly as possible.
- Please avoid side conversations during the session.
Thank you for your cooperation!
3
SESSION AGENDA
1. What are IT controls and why do we need them
2. Brief discussion of the 3 main control elements
3. Application change control
4. Account provisioning
4
WHAT ARE IT CONTROLS
By definition, General Computer Controls are control activities performed within the IT organization, or within the technology it supports, that can be applied to every system the organization relies upon. They are designed to encompass an organization's IT infrastructure rather than specific applications.
5
WHAT ARE IT CONTROLS AND WHY DO WE NEED THEM
With the ever-increasing legal, security and financial risks associated with improper use of, and access to, our institutions' data, which is stored and accessed electronically, it is critical that we employ basic general computing controls. In this presentation we will discuss some basic IT controls that will give you, your customers and your auditors reasonable assurance in your ERP system.
6
SO WHAT ARE GENERAL COMPUTER CONTROLS – AND WHY DO WE CARE
8
WHY DO WE NEED THESE CONTROLS?
“IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing — and overlooking or minimizing their importance creates a significant risk.”
- CICA Information Technology Advisory Committee (2004)
9
WHY DO WE NEED THESE CONTROLS?
The controls provide assurance to the organization, as well as to outsiders, that IT systems process data appropriately and accurately, and that the output of the systems can be trusted.
10
So basically: without effective controls, there cannot be reliance on the applications or systems.
11
The control hierarchy (source: COBIT, 3rd Edition):

Business Processes: Finance, Manufacturing, Logistics, etc.
IT Services: OS / Data / Telecom / Continuity / Networks
Enterprise Management

Company-level Controls - Company-level controls set the tone for the organization. Examples include: system planning, operating style, enterprise policies, governance, collaboration, information sharing, codes of conduct, fraud prevention.

General Controls - Controls embedded in shared services form general controls. Examples include: system maintenance, disaster recovery, physical and logical security, data management, incident response.

Application Controls - Controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include: authorizations, approvals, tolerance levels, reconciliations, input edits.
12
WE ARE GOING TO FOCUS ON, WHAT I FEEL, ARE THE 3 MAIN CONTROL ELEMENTS.
- Access to Programs and Data
- Computer Operations
- Change Management
13
ACCESS TO PROGRAMS AND DATA
These controls deal with how both logical and physical access to systems and data is managed.
- The objective is to reduce the risk of inappropriate or unauthorized access.
14
Primary controls for Access to Data
- IT Security Policy - A formalized security policy should be in place. This policy should be made available and communicated to the campus.
- Data Center Access - Physical access to the data center should be restricted to those who need it.
- Administrative accounts - Restrict highly privileged accounts on all systems, databases and applications to only those who have an absolute need (Banner - BANSECR).
15
Primary controls for Access to Data
- Account Provisioning – Put a process in place for ensuring appropriate access is granted only after proper approval is obtained.
- Account De-provisioning - Put a process in place to ensure access is removed for terminations / position changes in a timely manner.
- Annual User Access Review - Put a process in place to have all access – operating system, database, applications – reviewed.
16
Document
17
COMPUTER OPERATIONS
This element groups the controls that deal with operational matters like backups and batch jobs. The objective of these controls is to ensure that system or application processing is appropriately authorized and scheduled, and that deviations from the scheduled processing are identified and resolved. The control areas relevant to this element include:
18
Computer Operation Controls to have in place
- Batch Job Processing/Monitoring - Attach email notifications for success or failure to any batch job processing.
- Incident Management - Use your existing help desk ticketing system.
- Backup Policy - Implement an appropriate backup and recovery process. Have an agreement on how much data you could risk losing and develop your backup policy to meet this agreement.
- Test your backups. Do periodic restores to ensure your backup process works. Have you ever attempted a point-in-time restore?
19
Document
20
CHANGE MANAGEMENT
These are the controls put into place to ensure that any changes made are authorized, tested and approved.
21
Change management controls
- Change Management Policy - Develop a change management policy. This, at minimum, should describe what is considered a change, what testing should occur and where, who approves, and how the change is promoted into production. Your policy should dictate where this information is maintained.
- Segregation of Duties - If at all possible, there should be separation between who promotes changes and who develops them.
22
Document
23
BRIEF DESCRIPTION OF PROCESSES THAT WE HAVE IMPLEMENTED AT IDAHO STATE UNIVERSITY
- Change management, or Request for Change (RFC)
- Account provisioning, or Banner Argos Access Request (BAAR)
24
Both processes have been developed based on the presumption that IT does not own the data. IT acts as the caretaker and gatekeeper. We have divided data ownership up into six areas:
- Finance
- Student
- Financial Aid
- Admissions
- Human Resources/Payroll
- General
25
Other facts to note about the setup at Idaho State University:
- Developers do not have access to manipulate code in our production Banner environment.
- Developers do not have access to release code in our scheduling software.
- All code and scripts must be put into production by someone on our DBA team.
- Developers have query access via SQL to our production data. We have very limited access via SQL to our production data; what we do have is query only.
26
REQUEST FOR CHANGE (RFC)
What do we define as a change?
- Any new or modified application, database object, SQL code or form that will run in or against Banner. (Basically, if someone from our DBA team is needed to promote the change, an RFC is required.)
- If data needs to be manipulated via SQL – data fixes, process changes – an RFC is required.
27
What documentation is required for promotion
- Initial Request - This should document what needs to be changed, fixed, or created and who made the request.
- Authorization to begin work - For all new objects, forms, or applications we require our ERP manager to approve.
- Who did the testing - Testing documentation should ideally include what was tested, by whom, when, and on what system.
- Approval for production - After testing is complete, documented approval must be obtained from the proper data owner or owners.
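The four documentation items above, plus the segregation-of-duties rule from the change management slide, as an added example promotion gate in Python (this is not Idaho State University's workflow code; the RFC record fields, the six data areas and the DBA-team roster are assumptions modelled on the deck):

```python
"""RFC promotion gate. Added example, not ISU's workflow code; the record
fields, data areas and DBA roster are constructed assumptions."""
from dataclasses import dataclass, field
from typing import Optional

DATA_AREAS = {"Finance", "Student", "Financial Aid", "Admissions", "HR/Payroll", "General"}
DBA_TEAM = {"dba_jones", "dba_patel"}  # constructed roster (assumption)

@dataclass
class RFC:
    request: str                  # what is to be changed, fixed or created
    requester: str
    developer: str
    data_areas: set               # data owner areas the change touches
    is_new_object: bool = False   # new object/form/application needs ERP manager OK
    erp_manager_approval: Optional[str] = None
    tested_by: Optional[str] = None
    tested_on: Optional[str] = None      # date, e.g. "2024-03-01"
    test_system: Optional[str] = None    # e.g. "TEST" (constructed instance name)
    test_notes: str = ""                 # what was tested
    owner_approvals: dict = field(default_factory=dict)  # data area -> approver
    promoter: Optional[str] = None       # DBA-team member doing the promotion

def promotion_findings(rfc: RFC) -> list:
    """Control gaps that block promotion; an empty list means ready to promote."""
    gaps = []
    if not rfc.request.strip() or not rfc.requester:
        gaps.append("initial request must state what is changed and who asked")
    if rfc.is_new_object and not rfc.erp_manager_approval:
        gaps.append("new object/form/application needs ERP manager authorization")
    if not (rfc.tested_by and rfc.tested_on and rfc.test_system and rfc.test_notes.strip()):
        gaps.append("testing documentation incomplete (what, by whom, when, which system)")
    if not rfc.data_areas:
        gaps.append("no data owner area identified")
    unknown = sorted(rfc.data_areas - DATA_AREAS)
    if unknown:
        gaps.append("unknown data area(s): " + ", ".join(unknown))
    missing = sorted(rfc.data_areas - set(rfc.owner_approvals))
    if missing:
        gaps.append("data-owner approval missing for: " + ", ".join(missing))
    if rfc.promoter is None:
        gaps.append("no DBA-team promoter assigned")
    elif rfc.promoter not in DBA_TEAM:
        gaps.append("promoter is not on the DBA team")
    elif rfc.promoter == rfc.developer:
        gaps.append("segregation of duties: developer may not promote their own change")
    return gaps
```

An empty findings list is the signal that the DBA team may promote; anything else goes back to the requester with the missing items named.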
28
How to maintain RFC documentation
- Email chains
- Electronic folders
- Printed copies of testing documentation and emails
- Electronic workflow systems
At Idaho State University we use our Service Desk ticketing system, NUMERA.
29
BANNER ARGOS ACCESS REQUEST (BAAR)
- Any INB access requires an approved BAAR.
- Access to “sensitive reports” requires an approved BAAR.
Note of explanation: IT grants access to forms and reports, but we do not do functional security.
- We do not grant access to index codes (FOMPROF).
- We do not grant access to employee code rules (PTRUSER).
- We do not add Faculty or Advisors (SIAINST).
30
Brief description of how access security is designed in Banner at Idaho State University.
Banner access to forms or jobs can be granted directly to a user or grouped together via security classes. A user can then be granted many security classes. Access to forms can be granted in query or modify mode. At Idaho State University we have implemented a system using security classes. Each data custodian is responsible for how their security classes are developed and granted.
31
Examples of a few security classes

ST_CASHIER_Q_C
  Form     Description                                   Role
  SFAREGF  Student Course/Fee Assessment Query           BAN_DEFAULT_Q
  SOAHOLD  Hold Information                              BAN_DEFAULT_Q

FIN_CASHIER_APP_RECEIPTS_C
  Form     Description                                   Role
  TSAAREV  Account Detail Review Form – Student          BAN_DEFAULT_M
  TSADETL  Student Account Detail                        BAN_DEFAULT_M
  TSAMASS  Billing Mass Data Entry Form – Student        BAN_DEFAULT_M
  TSASPAY  Student Payment                               BAN_DEFAULT_M
32
A simplified approval chain for a BAAR.
1. A request for access is made. A description of job duties or, if known, the specific security classes is entered in the request.
2. The request is sent to the Dean/Director of the requestor to determine if the request is appropriate to the requestor's job responsibilities.
3. Determine if training is needed. If a new employee, we require a Welcome to Banner training.
4. Forward to the appropriate data custodians for approvals and descriptions of the specific security classes to be granted.
5. Once approvals are received, the application security analyst will grant the approved security classes.
33
BANNER ACCESS – We have approved certain job functions that do not require the full BAAR approval but only require the approval of the dean/director. Examples of those job functions are:
- Public Safety Student Access
- ReqMaster Access (given only after very specific training)
- Service Desk Student Access
We also have general campus-wide reporting set up in Argos. This access is granted by request and does not require any approval. For our BAAR requests we currently use Tigertracks.
34
Other controls we have in place for account provisioning.
- We do a yearly review with our data custodians for all security classes, all objects within those classes, and all users assigned access through security classes or direct object grants.
- We have weekly security reports for terminated employees.
- We have weekly reports to look for position changes.
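The weekly terminated-employee and position-change reports and the yearly custodian review, as an added example in Python (not Idaho State University's code): the HR feed, the security-class and direct-object grant tables, and the class-prefix-to-custodian mapping are constructed assumptions; the class and form names follow the deck's examples.

```python
"""Weekly/yearly Banner access reports. Added example, not ISU's code; the
HR feed, grant tables and prefix-to-custodian map are constructed assumptions."""
from collections import defaultdict
# Constructed HR feed: user -> (employment status, current position)
HR = {
    "jdoe":   ("ACTIVE", "Cashier"),
    "asmith": ("TERMINATED", "Cashier"),
    "bwong":  ("ACTIVE", "Registrar Clerk"),
}
# Position on file at the last review (constructed)
LAST_REVIEW_POSITION = {"jdoe": "Cashier", "asmith": "Cashier", "bwong": "Cashier"}
# Constructed security-class grants; class names follow the deck's examples
CLASS_GRANTS = {
    "jdoe":   {"ST_CASHIER_Q_C", "FIN_CASHIER_APP_RECEIPTS_C"},
    "asmith": {"FIN_CASHIER_APP_RECEIPTS_C"},
    "bwong":  {"ST_CASHIER_Q_C"},
    "oldtemp": {"ST_CASHIER_Q_C"},          # holds access but has no HR record
}
# Constructed direct object grants outside any class: user -> {(form, role)}
DIRECT_GRANTS = {"asmith": {("TSASPAY", "BAN_DEFAULT_M")}}
# Which data custodian reviews a class, by class-name prefix (assumption)
CUSTODIAN_BY_PREFIX = {"ST_": "Student", "FIN_": "Finance"}

def terminated_with_access():
    """Weekly report: terminated employees whose access was not removed."""
    return sorted(u for u, (status, _) in HR.items()
                  if status == "TERMINATED" and (CLASS_GRANTS.get(u) or DIRECT_GRANTS.get(u)))

def orphan_accounts():
    """Accounts holding grants with no HR record at all (missed de-provisioning)."""
    return sorted((set(CLASS_GRANTS) | set(DIRECT_GRANTS)) - set(HR))

def position_changes():
    """Weekly report: users whose position changed since the last review."""
    return {u: (LAST_REVIEW_POSITION[u], pos) for u, (_, pos) in HR.items()
            if u in LAST_REVIEW_POSITION and LAST_REVIEW_POSITION[u] != pos}

def custodian_review_packet():
    """Yearly review: custodian -> class (or form:role) -> sorted members."""
    packet = defaultdict(lambda: defaultdict(set))
    for user, classes in CLASS_GRANTS.items():
        for cls in classes:
            cust = next((c for p, c in CUSTODIAN_BY_PREFIX.items() if cls.startswith(p)), "General")
            packet[cust][cls].add(user)
    for user, grants in DIRECT_GRANTS.items():      # direct grants reviewed separately
        for form, role in grants:
            packet["Direct object grants"][f"{form}:{role}"].add(user)
    return {c: {k: sorted(v) for k, v in d.items()} for c, d in packet.items()}
```

In production the three tables would be pulled from the HR system and the Banner security tables rather than embedded; the logic is unchanged.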
35
SESSION SUMMARY
Basic IT controls not only help you pass an audit but also allow for a much more stable computing environment. If you have taken nothing else from this presentation, please remember this: DOCUMENT, DOCUMENT, DOCUMENT.
36
QUESTIONS & ANSWERS
37
THANK YOU! Kristi Olson olsokris@isu.edu