
ME CONTROLLING? CREATING A CONTROL SYSTEM YOU CAN LIVE WITH Kristi Olson Idaho State University Date Track Coeur d’Alene, Idaho.




1 ME CONTROLLING? CREATING A CONTROL SYSTEM YOU CAN LIVE WITH Kristi Olson Idaho State University Date Track Coeur d’Alene, Idaho

2 SESSION RULES OF ETIQUETTE
- Please turn off your cell phone/pager
- If you must leave the session early, please do so as discreetly as possible
- Please avoid side conversations during the session
Thank you for your cooperation!

3 SESSION AGENDA
1. What are IT controls and why do we need them
2. Brief discussion of the 3 main control elements
3. Application change control
4. Account provisioning

4 WHAT ARE IT CONTROLS
By definition, General Computer Controls are control activities performed within the IT organization, or within the technology that it supports, that can be applied to every system the organization relies upon. They are designed to encompass an organization's IT infrastructure rather than specific applications.

5 WHAT ARE IT CONTROLS AND WHY DO WE NEED THEM
- With the ever-increasing legal, security and financial risks associated with improper use of and access to our institution's data, which is stored and accessed electronically, it is critical that we employ basic general computing controls.
- In this presentation we will discuss some basic IT controls that will give you, your customers and your auditors reasonable assurance in your ERP system.

6 SO WHAT ARE GENERAL COMPUTER CONTROLS – AND WHY DO WE CARE

7 WHAT ARE IT CONTROLS
By definition, General Computer Controls are control activities performed within the IT organization, or within the technology that it supports, that can be applied to every system the organization relies upon. They are designed to encompass an organization's IT infrastructure rather than specific applications.

8 WHY DO WE NEED THESE CONTROLS?
"IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing — and overlooking or minimizing their importance creates a significant risk." - CICA Information Technology Advisory Committee (2004)

9 WHY DO WE NEED THESE CONTROLS?
The controls provide assurance to the organization, as well as to outsiders, that IT systems process data appropriately and accurately, and that the output of those systems can be trusted.

10 So basically
Without effective controls there cannot be reliance on the applications or systems.

11 IT control hierarchy (Source: COBIT, 3rd Edition)
Business processes (Finance, Manufacturing, Logistics, etc.) sit on top of IT services (OS / data / telecom / continuity / networks) and enterprise management.
Company-level controls - set the tone for the organization. Examples include: system planning, operating style, enterprise policies, governance, collaboration, information sharing, codes of conduct, fraud prevention.
General controls - controls embedded in shared services form general controls. Examples include: system maintenance, disaster recovery, physical and logical security, data management, incident response.
Application controls - controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include: authorizations, approvals, tolerance levels, reconciliations, input edits.

12 WE ARE GOING TO FOCUS ON WHAT I FEEL ARE THE 3 MAIN CONTROL ELEMENTS.
- Access to Programs and Data
- Computer Operations
- Change Management

13 ACCESS TO PROGRAMS AND DATA
- These controls deal with how both logical and physical access to systems and data is managed.
- The objective is to reduce the risk of inappropriate or unauthorized access.

14 Primary controls for Access to Data
IT Security Policy - A formalized security policy should be in place. This policy should be made available and communicated to the campus.
Data Center Access - Physical access to the data center should be restricted to those who need it.
Administrative accounts - Restrict highly privileged accounts on all systems, databases and applications to only those who have an absolute need (Banner - BANSECR).

15 Primary controls for Access to Data
Account Provisioning - Put a process in place to ensure appropriate access is granted only after proper approval is obtained.
Account De-provisioning - Put a process in place to ensure access is removed for terminations / position changes in a timely manner.
Annual User Access Review - Put a process in place to have all access (operating system, database, applications) reviewed.

16 Document

17 COMPUTER OPERATIONS
- This element groups the controls that deal with operational matters like backups and batch jobs. The objective of these controls is to ensure that system or application processing is appropriately authorized and scheduled, and that deviations from the scheduled processing are identified and resolved. The control areas relevant to this element include:

18 Computer Operation Controls to have in place
Batch Job Processing/Monitoring - Send email notifications of success or failure for every batch job run.
Incident Management - Use your existing help desk ticketing system.
Backup Policy - Implement an appropriate backup and recovery process. Agree on how much data you could risk losing and develop your backup policy to meet that agreement. Test your backups. Do periodic restores to ensure your backup process works. Have you ever attempted a point-in-time restore?
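The batch-job monitoring control above is easiest to make consistent when every scheduled job runs through one wrapper that records the run and raises a notification on both outcomes. The following is an added example, not code from the presentation or from Idaho State University. It assumes jobs are launched as commands by a scheduler and that a notifier function (here a list-backed stand-in; in production an email or ticketing hook) must hear about every result, including jobs that time out or cannot be started at all, so no failure passes silently.

```python
"""Batch job wrapper: record every run and notify on success or failure.

Added example (not from the presentation). The notifier is a plain callable
so it can be an email sender, a help-desk ticket hook, or the list-backed
stand-in below used for offline testing."""

import subprocess
import sys
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


def python_job(code):
    """Build a command that runs a short Python snippet (used as a sample job)."""
    return [sys.executable, "-c", code]


def log_notifier(log):
    """Notifier that appends (subject, body) to a list in place of email."""
    def notify(subject, body):
        log.append((subject, body))
    return notify


def run_batch_job(name, argv, notify, timeout=None):
    """Run argv, return a run record, and notify whether it passed or failed.

    A job that times out or whose executable cannot be started has rc=None and
    is reported as a failure, which is the case a scheduler that only checks
    exit codes tends to miss."""
    record = {"job": name, "started": _now(), "ended": None, "rc": None,
              "timed_out": False, "stderr_tail": "", "ok": False}
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout)
        record["rc"] = proc.returncode
        record["stderr_tail"] = proc.stderr[-500:]   # keep enough to triage
    except subprocess.TimeoutExpired:
        record["timed_out"] = True
    except OSError as exc:   # e.g. command not found: still a failure to report
        record["stderr_tail"] = str(exc)
    record["ended"] = _now()
    record["ok"] = record["rc"] == 0
    if record["ok"]:
        subject = f"SUCCESS: {name}"
    elif record["timed_out"]:
        subject = f"FAILURE: {name} (timed out)"
    else:
        subject = f"FAILURE: {name} (rc={record['rc']})"
    body = f"started {record['started']} ended {record['ended']}\n{record['stderr_tail']}"
    notify(subject, body)
    return record


if __name__ == "__main__":
    sent = []
    run_batch_job("nightly-ok", python_job("pass"), log_notifier(sent))
    run_batch_job("nightly-bad", python_job("import sys; sys.exit(3)"), log_notifier(sent))
    for subject, _ in sent:
        print(subject)
```

The record returned by `run_batch_job` is what you would write to the ticketing system or a run log; the notifier call is unconditional, which is the point of the control: an operator who stops receiving "SUCCESS" messages learns that the scheduler itself is broken.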

19 Document

20 CHANGE MANAGEMENT
- These are the controls put in place to ensure that any changes made are authorized, tested and approved.

21 Change management controls
Change Management Policy - Develop a change management policy. At a minimum it should describe what is considered a change, what testing should occur and where, who approves, and how the change is promoted into production. Your policy should dictate where this information is maintained.
Segregation of Duties - If at all possible, there should be separation between who develops changes and who promotes them.

22 Document

23 BRIEF DESCRIPTION OF PROCESSES THAT WE HAVE IMPLEMENTED AT IDAHO STATE UNIVERSITY
- Change management, or Request for Change (RFC)
- Account provisioning, or Banner Argos Access Request (BAAR)

24 Both processes have been developed on the presumption that IT does not own the data. IT acts as the caretaker and gatekeeper. We have divided data ownership into six areas:
- Finance
- Student
- Financial Aid
- Admissions
- Human Resources/Payroll
- General

25 Other facts to note about the setup at Idaho State University.
- Developers do not have access to manipulate code in our production Banner environment.
- Developers do not have access to release code in our scheduling software.
- All code and scripts must be put into production by someone on our DBA team.
- Developers have query access via SQL to our production data.
- We have very limited access via SQL to our production data; what we do have is query only.

26 REQUEST FOR CHANGE (RFC)
What do we define as a change?
- Any new or modified application, database object, SQL code or form that will run in or against Banner. (Basically, if someone from our DBA team is needed to promote the change, an RFC is required.)
- If data needs to be manipulated via SQL (data fixes, process changes), an RFC is required.

27 What documentation is required for promotion
Initial Request - This should document what needs to be changed, fixed, or created, and who made the request.
Authorization to begin work - For all new objects, forms, or applications we require our ERP manager to approve.
Who did the testing - Testing documentation should include what was tested, by whom, when, and on which system.
Approval for production - After testing is complete, documented approval must be obtained from the proper data owner or owners.

28 How to maintain RFC documentation
- Email chains
- Electronic folders
- Printed copies of testing documentation and emails
- Electronic workflow systems
At Idaho State University we use our Service Desk ticketing system, NUMERA.

29 BANNER ARGOS ACCESS REQUEST (BAAR)
- Any INB access requires an approved BAAR.
- Access to "sensitive reports" requires an approved BAAR.
Note of explanation: IT grants access to forms and reports, but we do not do functional security.
- We do not grant access to index codes (FOMPROF)
- We do not grant access to employee code rules (PTRUSER)
- We do not add Faculty or Advisors (SIAINST)

30 Brief description of how access security is designed in Banner at Idaho State University.
- Banner access to forms or jobs can be granted directly to a user or grouped together via security classes. A user can then be granted many security classes.
- Access to forms can be granted in query or modify mode.
- At Idaho State University we have implemented a system using security classes. Each data custodian is responsible for how their security classes are developed and granted.

31 Examples of a few security classes
(Form - Description - Role)
ST_CASHIER_Q_C
- SFAREGF - Student Course/Fee Assessment Query - BAN_DEFAULT_Q
- SOAHOLD - Hold Information - BAN_DEFAULT_Q
FIN_CASHIER_APP_RECEIPTS_C
- TSAAREV - Account Detail Review Form – Student - BAN_DEFAULT_M
- TSADETL - Student Account Detail - BAN_DEFAULT_M
- TSAMASS - Billing Mass Data Entry Form – Student - BAN_DEFAULT_M
- TSASPAY - Student Payment - BAN_DEFAULT_M

32 A simplified approval chain for a BAAR.
1. A request for access is made; a description of job duties or, if known, the specific security classes is entered in the request.
2. The request is sent to the requestor's Dean/Director to determine whether the request is appropriate for the requestor's job responsibilities.
3. Determine whether training is needed. For a new employee, we require Welcome to Banner training.
4. Forward to the appropriate data custodians for approval and descriptions of the specific security classes to be granted.
5. Once approvals are received, the application security analyst grants the approved security classes.

33 BANNER ACCESS – We have approved certain job functions that do not require the full BAAR approval but only the approval of the dean/director. Examples of those job functions are:
- Public Safety Student Access
- ReqMaster Access (given only after very specific training)
- Service Desk Student Access
We also have general campus-wide reporting set up in Argos. This access is granted by request and does not require any approval.
For our BAAR requests we currently use Tigertracks,

34 Other controls we have in place for account provisioning.
- We do a yearly review with our data custodians of all security classes, all objects within those classes, and all users assigned access through security classes or direct object grants.
- We have weekly security reports for terminated employees.
- We have weekly reports to look for position changes.
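The de-provisioning and annual review controls (slides 15 and 34) and the security class design (slides 30 and 31) come together in a small model of the data an access review actually works over. The following is an added example, not code from the presentation or from Idaho State University. It models users granted security classes, classes granting forms in query ("Q") or modify ("M") mode, direct object grants, and a weekly HR feed; the two class names from slide 31 are reused, while ST_HOLD_M_C, every user name and the HR feed are constructed sample data. It produces the effective per-user access a custodian reviews yearly, the weekly list of terminated / position-change users, and flags accounts that hold access but have no HR record at all, which is the case a report keyed only on the HR feed would never surface.

```python
"""Access-review helpers for Banner-style security classes.

Added example (not from the presentation). Security class names beyond the
two on slide 31, all user names and the HR feed are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class FormGrant:
    form: str  # Banner form name, e.g. SOAHOLD
    mode: str  # "Q" = query only, "M" = modify


# Modify outranks query when a user reaches the same form through two grants.
MODE_RANK = {"Q": 1, "M": 2}

# Security classes: the first two follow slide 31; ST_HOLD_M_C is constructed
# to show what happens when a user holds query and modify access to one form.
SECURITY_CLASSES = {
    "ST_CASHIER_Q_C": {FormGrant("SFAREGF", "Q"), FormGrant("SOAHOLD", "Q")},
    "FIN_CASHIER_APP_RECEIPTS_C": {
        FormGrant("TSAAREV", "M"), FormGrant("TSADETL", "M"),
        FormGrant("TSAMASS", "M"), FormGrant("TSASPAY", "M"),
    },
    "ST_HOLD_M_C": {FormGrant("SOAHOLD", "M")},
}

# Constructed user-to-class assignments and direct object grants.
USER_CLASSES = {
    "jdoe": {"ST_CASHIER_Q_C"},
    "asmith": {"ST_CASHIER_Q_C", "FIN_CASHIER_APP_RECEIPTS_C"},
    "bwong": {"ST_CASHIER_Q_C", "ST_HOLD_M_C"},
    "clee": {"FIN_CASHIER_APP_RECEIPTS_C"},
}
DIRECT_GRANTS = {
    "jdoe": {FormGrant("TSADETL", "Q")},
    "svc_report": {FormGrant("SFAREGF", "Q")},  # constructed: no HR record exists
}

# Constructed weekly HR feed: user -> employment status.
HR_FEED = {
    "jdoe": "active",
    "asmith": "terminated",
    "bwong": "position_change",
    "clee": "active",
}


def users_with_access(user_classes=USER_CLASSES, direct=DIRECT_GRANTS):
    """Every account holding any Banner access, however it was granted."""
    return sorted(set(user_classes) | set(direct))


def effective_access(user, classes=SECURITY_CLASSES,
                     user_classes=USER_CLASSES, direct=DIRECT_GRANTS):
    """Return {form: mode} for a user, resolving overlaps to the stronger mode."""
    grants = set(direct.get(user, set()))
    for cls in user_classes.get(user, set()):
        grants |= classes[cls]
    access = {}
    for g in grants:
        if MODE_RANK[g.mode] > MODE_RANK.get(access.get(g.form), 0):
            access[g.form] = g.mode
    return access


def deprovisioning_report(hr=HR_FEED, user_classes=USER_CLASSES,
                          direct=DIRECT_GRANTS):
    """Weekly report: who to remove, who to re-review, and orphaned accounts."""
    report = {"remove": [], "rereview": [], "unknown": []}
    for user in users_with_access(user_classes, direct):
        status = hr.get(user)
        if status == "terminated":
            report["remove"].append(user)
        elif status == "position_change":
            report["rereview"].append(user)
        elif status is None:
            # Access exists but HR knows nothing about the account: flag it
            # rather than silently treating it as active.
            report["unknown"].append(user)
    return report


def modify_access_by_form(classes=SECURITY_CLASSES, user_classes=USER_CLASSES,
                          direct=DIRECT_GRANTS):
    """Yearly review view: for each form, who can modify it (not just query)."""
    by_form = {}
    for user in users_with_access(user_classes, direct):
        for form, mode in effective_access(user, classes, user_classes, direct).items():
            if mode == "M":
                by_form.setdefault(form, []).append(user)
    return {form: sorted(users) for form, users in sorted(by_form.items())}


if __name__ == "__main__":
    for user in users_with_access():
        print(user, effective_access(user))
    print(deprovisioning_report())
    print(modify_access_by_form())
```

In a real review the three dictionaries would be extracted from the security tables and the HR system; the "unknown" bucket is worth keeping as its own line item, because service and legacy accounts that never appear in an HR feed are exactly the ones a termination-driven report leaves in place.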

35 SESSION SUMMARY
Basic IT controls not only help you pass an audit but also allow for a much more stable computing environment. If you have taken nothing else from this presentation, please remember this: DOCUMENT DOCUMENT DOCUMENT

36 QUESTIONS & ANSWERS

37 THANK YOU! Kristi Olson olsokris@isu.edu

