LOGICAL ACCESS
FOR
University Medical Group
Saint Louis University
Agenda
• Logical Access: Definitions and Controls
• Workflow
• Documentation Process
• Password Security
• Monitoring
• Audit Tracking
• Helpful Links
• Q & A
DEFINITIONS
Logical Access: Process by which individuals are permitted to use computer systems and the networks to which these systems are attached.
• Applications and networks, and the services they provide, are available only to those individuals who are entitled to use them.
• Entitlement is typically based on some sort of predetermined relationship between the network or system owner and the user.
DEFINITIONS
• Access Form – Used in the Logical Access process to document and approve authorized access to systems/applications (see “Helpful Links” for examples)
• Product Managers – Responsible for the access management of the system or application (also referred to as Tech. Coordinators, Application Analysts or other titles)
• Business Process Owner (BPO) – Person(s) who have been authorized by UMG and ITS to approve access to systems/applications for a department
• Key Controls (LA #) – Denotes the key process controls within Logical Access identified and approved by the University
• ITS – Saint Louis University, Information Technology Services
• SLU-Care Service Desk – UMG/ITS help desk which creates Remedy tickets for service requests
• Quality Assurance Administrator – Monitors and reviews all logical access management policies and processes for compliance
• Remedy Management System (Remedy) – Request tracking system used to record and document service requests
DEFINITIONS
Segregation of Duties: Prevents a single person from performing two or more incompatible functions. Failure to adequately segregate, or implement compensating controls, increases the risk that errors or unauthorized actions may occur and not be detected in a timely manner.
Examples of inadequate segregation:
One person has access rights to:
• Perform billings/invoicing, receive the corresponding payments, and record the corresponding cash receipts entries.
• Authorize disbursements, issue corresponding disbursements, and record corresponding disbursements entries.
• Set up a new employee, input pay rates/salary, and issue pay checks.
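The segregation-of-duties analysis the slide calls for (and that the change-request process later requires) can be automated over an access matrix. This is an added example, not code from the UMG/SLU deck: the three conflict sets are the three inadequate-segregation examples above, the function names and the sample access matrix are constructed, and, following the definition, any two or more functions from one set held by a single person count as an incompatible combination.

```python
# Conflict sets from the three inadequate-segregation examples on the slide
# (function names are constructed for this example).
CONFLICT_SETS = {
    "billing-to-cash": {"perform_billing", "receive_payments", "record_cash_receipts"},
    "disbursements": {"authorize_disbursement", "issue_disbursement", "record_disbursement"},
    "payroll": {"setup_employee", "input_pay_rate", "issue_paycheck"},
}

def conflicts_for(functions):
    """Map each conflict set the holder breaches to the incompatible functions held."""
    found = {}
    for name, members in CONFLICT_SETS.items():
        held = sorted(members & set(functions))
        if len(held) >= 2:  # two or more incompatible functions in one pair of hands
            found[name] = held
    return found

def review_access(access, compensating=None):
    """Classify each user as 'clean', 'mitigated' (every conflict is covered by a
    documented compensating control) or 'violation'. compensating: {(user, conflict): note}."""
    compensating = compensating or {}
    report = {}
    for user, functions in access.items():
        found = conflicts_for(functions)
        uncovered = {n: h for n, h in found.items() if (user, n) not in compensating}
        if not found:
            report[user] = ("clean", {})
        elif uncovered:
            report[user] = ("violation", uncovered)
        else:
            report[user] = ("mitigated", found)
    return report

def change_request_ok(access, user, new_function):
    """SoD analysis for a change request: approve only if the added function creates
    no new or widened conflict. Returns (ok, conflicts_introduced)."""
    current = set(access.get(user, ()))
    before, after = conflicts_for(current), conflicts_for(current | {new_function})
    introduced = {n: h for n, h in after.items() if h != before.get(n)}
    return (not introduced, introduced)

# Constructed sample access matrix and one documented exception
ACCESS = {
    "alice": {"perform_billing", "record_cash_receipts"},
    "bob": {"authorize_disbursement", "issue_disbursement", "record_disbursement"},
    "carol": {"setup_employee"},
    "dave": {"perform_billing", "issue_paycheck"},
}
COMPENSATING = {("bob", "disbursements"): "independent monthly review of the disbursement register"}

if __name__ == "__main__":
    print(review_access(ACCESS, COMPENSATING))
    print(change_request_ok(ACCESS, "carol", "issue_paycheck"))
```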
CONTROLS
LA1 A formalized documented system for user access is established
LA2 Full user Account information is documented and retained
LA3 Authorized approval and documentation
LA4 User access is verified by Process Owners
LA5 Segregation of duties analysis
LA6 Segregation of duties analysis for administrative users
LA7 User password requirements are established and enabled
LA8 Application password requirements are established and enabled
LA9 Automatic lock-out controls are established and enabled
LA10 Documentation and control for Terminations
LA11 Monitoring Access Reviews
LA12 Auto-Logging established, tracked and reviewed
WORKFLOW
Four Step Process
1. BPO approves the completed access forms
2. User completes required training
3. Product Manager reviews forms for completeness and approval, and documents the request in a Remedy ticket
4. Access is granted and confirmed
DOCUMENTATION
ACCESS FORM - Basics
• User Information
• Type of Request
• Access Type, with specific details
• Statement of Approval
  – Accuracy of request
  – Knowledge of University policies and procedures
  – Required Training has been addressed
  – Segregation of duties has been considered
• Authorized Approver Signature
LA CONTROLS 1-6 AND 10
See “Helpful Links” for your specific application
DOCUMENTATION
Product Managers record the following information into Remedy
For New or Change of Access:
• Attach Request Form (required)
• Verify and/or attach Confidentiality Agreement
• Verify User Current Access
• Notify Hiring Manager/Process Owner
For Termination of Access:
• Attach Request Form or Termination Report (required)
• Lock/Disable User Account
• Notify Hiring Manager
DOCUMENTATION
Key Points to Remember:
1. Change/Delete Access: Similar process as a new user request
• Requires an Access Form
• Segregation of Duties Analysis for Change Request
• All Changes recorded in Remedy
2. Termination Requests: submitted prior to the user's last day
3. Notification to Human Resources prior to the user's last day
LA CONTROL 10
PASSWORD SECURITY
• Password must be a minimum of 8 characters
• Password must not be the same as your “User Name”
• Password must be constructed using at least one of each of the following character types:
  – Uppercase alpha (A, B, C, D, E, …)
  – Lowercase alpha (a, b, c, d, e, …)
  – Numbers (1, 2, 3, 4, 5, 6, 7, 8, 9, 0)
• Passwords must not contain special characters (!, #, $, %, &, *)
• Passwords must not be easily guessed: must not be names, dictionary words, phone numbers, birthdays or contain your “User Name”
• Passwords must be different from the previous 12
• New Users will be forced to change their passwords after their initial log in
• After 3 unsuccessful log-in attempts the user account will be suspended
• All passwords will expire after 180 days
LA CONTROLS 7-9
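Controls LA7 to LA9 above are concrete enough to be enforced in code. The block below is an added example, not code from the UMG/SLU deck: it checks a candidate password against every rule on the slide exactly as stated (including the ban on the listed special characters), compares it against a salted history of the previous 12 passwords, applies the 180-day expiry and first-log-in change, and keeps the 3-attempt suspension counter. Function names, the PBKDF2 history format and all sample values are assumptions made for the example.

```python
import hashlib
import hmac
import re
from datetime import date, timedelta

MAX_AGE_DAYS, HISTORY_DEPTH, LOCKOUT_ATTEMPTS = 180, 12, 3
SPECIALS = set("!#$%&*")  # the characters the slide lists as disallowed

def hash_pw(password, salt):
    """Salted PBKDF2 digest so the 12-password history never stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def in_history(candidate, history):
    """history: [(salt, digest), ...] newest first; only the last 12 entries count."""
    return any(hmac.compare_digest(hash_pw(candidate, s), d) for s, d in history[:HISTORY_DEPTH])

def check_password(candidate, username, history=(), guessable=()):
    """Return the list of slide rules the candidate violates ([] means compliant).
    guessable: user-specific strings (names, birthday, phone) that must not appear."""
    low, problems = candidate.lower(), []
    if len(candidate) < 8:
        problems.append("fewer than 8 characters")
    if low == username.lower():
        problems.append("same as user name")
    elif username.lower() in low:
        problems.append("contains user name")
    for pattern, label in ((r"[A-Z]", "uppercase"), (r"[a-z]", "lowercase"), (r"[0-9]", "number")):
        if not re.search(pattern, candidate):
            problems.append(f"missing {label} character")
    if SPECIALS & set(candidate):
        problems.append("contains special character")
    digits = re.sub(r"\D", "", candidate)
    for item in guessable:  # phone numbers/birthdays compared digit-only, names as text
        item_digits = re.sub(r"\D", "", item)
        if (item_digits and item_digits in digits) or (not item_digits and item.lower() in low):
            problems.append(f"easily guessed (contains {item!r})")
    if in_history(candidate, list(history)):
        problems.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return problems

def must_change(last_changed, today, first_login=False):
    """Forced change on first log-in, or once the password is older than 180 days."""
    return first_login or (today - last_changed) > timedelta(days=MAX_AGE_DAYS)

def record_attempt(state, user, success):
    """3-attempt lockout. state: user -> consecutive failures, -1 once suspended.
    Returns True when the account is suspended (a later success does not clear it)."""
    if state.get(user) == -1:
        return True
    state[user] = 0 if success else state.get(user, 0) + 1
    if state[user] >= LOCKOUT_ATTEMPTS:
        state[user] = -1
    return state[user] == -1
```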
PASSWORD SECURITY
Accessing or Changing your “MYSLU” ID Password
• Log into password.slu.edu with your SLUNET ID and temporary or existing password
• Go to “Change Password”
• Change your password to meet the new security standards
• Confirm by logging into your MYSLU page
LA CONTROLS 7-9
Refer to the specific application for more information
MONITORING
Monitoring involves reviews of reports to ensure that users have appropriate and authorized access rights. There are three types of reports:
1. Service Access Report
• A comprehensive listing of user access rights
• Review Timing: Bi-Annually
2. Termination Report
• Lists users who have separated from the university, but who may still have access rights.
• Review Timing: Weekly
3. Position Change Report
• Lists users who have changed positions, which may require updates to access rights.
• Review Timing: Weekly
LA CONTROL #11
MONITORING
The Monitoring Process
• Product Managers, with assistance from department management, ensure reviews are completed for their respective areas.
• User access changes resulting from these reviews should be requested on an Access Form
• Reviews of the Service Access Report, Termination Reports and Position Change Reports must be documented and retained.
AUDIT TRACKING
Utilization of the operating system's built-in auditing capabilities to monitor various events:
1. Logon and Logoff
2. Use of user rights
3. User & Group Management
4. Security Policy Changes
5. Restart, Shutdown, & System Failure
6. Changes, additions and deletions to tables, program code and security tables
LA Control #12
HELPFUL LINKS
Banner Products Logical Access Information: http://www.slu.edu/services/HR/university_security_forms.html
IDX Products Logical Access Information: http://pmoweb.slu.edu/
EHR Products Logical Access Information: http://ehr.slucare.edu/
eRS Products Logical Access Information: http://ers.slu.edu/
Logical Access Change Management Initiative: http://www.slu.edu/x20377.xml
Refer to Product Manager for all other products
THANK YOU
Q & A