NWEUG 2015
ME CONTROLLING? CREATING A CONTROL SYSTEM YOU CAN LIVE WITH
Kristi Olson
Idaho State University
DateTrack
Coeur d’Alene, Idaho
Dec 28, 2015
SESSION RULES OF ETIQUETTE
Please turn off your cell phone/pager
If you must leave the session early, please do so as discreetly as possible
Please avoid side conversation during the session
Thank you for your cooperation!
SESSION AGENDA
1. What are IT controls and why do we need them
2. Brief discussion on the 3 main control elements
3. Application change control
4. Account Provisioning
WHAT ARE IT CONTROLS
By definition, General Computer Controls are control activities, performed within the IT organization or the technology it supports, that can be applied to every system the organization relies upon. They are designed to encompass an organization's IT infrastructure rather than specific applications.
WHAT ARE IT CONTROLS AND WHY DO WE NEED THEM
With ever-increasing legal, security and financial risks associated with improper use of and access to our institutions' data, which is stored and accessed electronically, it is critical that we employ basic general computing controls.
In this presentation we will discuss some basic IT controls that will allow you, your customers and auditors to have reasonable assurance in your ERP system.
SO WHAT ARE GENERAL COMPUTER CONTROLS – AND WHY DO WE CARE
WHY DO WE NEED THESE CONTROLS?
“IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing — and overlooking or minimizing their importance creates a significant risk.”
- CICA Information Technology Advisory Committee (2004)
WHY DO WE NEED THESE CONTROLS?
The controls provide assurance to the organization, as well as to outsiders, that IT systems process data appropriately and accurately, and that the output of the systems can be trusted.
So basically: without effective controls, there cannot be reliance on the applications or systems.
[Figure: COBIT control model. Source: COBIT, 3rd Edition]
Business processes (Finance, Manufacturing, Logistics, etc.) run on IT Services (OS/Data/Telecom/Continuity/Networks) under Enterprise Management.
Company-level Controls - Company-level controls set the tone for the organization. Examples include: system planning, operating style, enterprise policies, governance, collaboration, information sharing, codes of conduct, fraud prevention.
General Controls - Controls embedded in shared services form general controls. Examples include: system maintenance, disaster recovery, physical and logical security, data management, incident response.
Application Controls - Controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include: authorizations, approvals, tolerance levels, reconciliations, input edits.
WE ARE GOING TO FOCUS ON WHAT I FEEL ARE THE 3 MAIN CONTROL ELEMENTS.
Access to Programs and Data
Computer Operations
Change Management
ACCESS TO PROGRAMS AND DATA
These controls deal with how both logical and physical access to systems and data is managed. The objective is to reduce the risk of inappropriate or unauthorized access.
Primary controls for Access to Data
IT Security Policy - A formalized security policy should be in place. This Policy should be made available and communicated to the campus.
Data Center Access - Physical access to the data center should be restricted to those who need it.
Administrative accounts - Restrict highly privileged accounts on all systems, databases and applications to only those who have an absolute need (in Banner, BANSECR).
Primary controls for Access to Data
Account Provisioning – put a process in place for ensuring appropriate access is granted only after proper approval is obtained.
Account De-provisioning - Put a process in place to ensure access is removed for terminations / position changes in a timely manner.
Annual User Access Review - Put a process in place to have all access (operating system, database, applications) reviewed.
Document Document Document
COMPUTER OPERATIONS
This element groups the controls that deal with operational matters such as backups and batch jobs. The objective of these controls is to ensure that system or application processing is appropriately authorized and scheduled, and that deviations from the scheduled processing are identified and resolved. The control areas relevant to this element include:
Computer Operation Controls to have in place
Batch Job Processing/Monitoring - Attach email notifications for success or failure to every batch job.
Incident Management - Use your existing help desk ticketing system.
Backup Policy - Implement an appropriate backup and recovery process. Agree on how much data you could risk losing and develop your backup policy to meet that agreement.
Test your backups. Do periodic restores to ensure your backup process works. Have you ever attempted a point-in-time restore?
Document Document Document
CHANGE MANAGEMENT
These are the controls put into place to ensure that any changes made are authorized, tested and approved.
Change management controls
Change Management Policy - Develop a change management policy. At minimum, it should describe what is considered a change, what testing should occur and where, who approves, and how the change is promoted into production. Your policy should dictate where this information is maintained.
Segregation of Duties - If at all possible, there should be separation between who develops changes and who promotes them.
Document Document Document
BRIEF DESCRIPTION OF PROCESSES THAT WE HAVE IMPLEMENTED AT IDAHO STATE UNIVERSITY
Change Management, or Request for Change (RFC)
Account Provisioning, or Banner Argos Access Request (BAAR)
Both processes have been developed on the presumption that IT does not own the data. IT acts as the caretaker and gatekeeper.
We have divided data ownership into six areas:
Finance
Student
Financial Aid
Admissions
Human resources/Payroll
General
Other facts to note about the setup at Idaho State University:
Developers do not have access to manipulate code in our production Banner environment.
Developers do not have access to release code in our scheduling software.
All code and scripts must be put into production by someone on our DBA team.
Developers have query access via SQL to our production data.
We have very limited access via SQL to our production data; what we do have is query only.
REQUEST FOR CHANGE (RFC)
What do we define as a change?
Any new or modified application, database object, SQL code or form that will run in or against Banner.
(Basically, if someone from our DBA team is needed to promote the change, an RFC is required.)
If data needs to be manipulated via SQL (data fixes, process changes), an RFC is required.
What documentation is required for promotion?
Initial Request - This should document what needs to be changed, fixed, or created, and who made the request.
Authorization to begin work - For all new objects, forms, or applications we require our ERP manager to approve.
Who did the testing - Testing documentation should at least include what was tested, by whom, when, and on what system.
Approval for production - After testing is complete, documented approval must be obtained from the proper data owner or owners.
How to maintain RFC documentation
Email chains
Electronic folders
Printed copies of testing documentation and emails
Electronic workflow systems
At Idaho State University we use our Service Desk ticketing system, NUMERA.
BANNER ARGOS ACCESS REQUEST (BAAR)
Any INB access requires an approved BAAR.
Access to “sensitive reports” requires an approved BAAR.
Note of explanation: IT grants access to forms and reports but we do not do functional security.
We do not grant access to index codes (FOMPROF)
We do not grant access to employee code rules (PTRUSER)
We do not add Faculty or Advisors (SIAINST)
Brief description on how access security is designed in Banner at Idaho State University.
Banner access to Forms or jobs can be granted directly to a user or grouped together via security classes. A user could then be granted many security classes.
Access to Forms can be granted in query or modify mode.
At Idaho State University we have implemented a system using security classes.
Each data custodian is responsible for how their security classes are developed and granted.
Examples of a few security classes (form, description, role)
ST_CASHIER_Q_C
    SFAREGF  Student Course/Fee Assessment Query  BAN_DEFAULT_Q
    SOAHOLD  Hold Information  BAN_DEFAULT_Q
FIN_CASHIER_APP_RECEIPTS_C
    TSAAREV  Account Detail Review Form – Student  BAN_DEFAULT_M
    TSADETL  Student Account Detail  BAN_DEFAULT_M
    TSAMASS  Billing Mass Data Entry Form – Student  BAN_DEFAULT_M
    TSASPAY  Student Payment  BAN_DEFAULT_M
A simplified approval chain for a BAAR:
A request for access is made; a description of job duties or, if known, the specific security classes is entered in the request.
The request is sent to the Dean/Director of the requester to determine whether the request is appropriate to the requester's job responsibilities.
Determine if training is needed. For a new employee, we require a Welcome to Banner training.
Forward to the appropriate data custodians for approvals and descriptions of the specific security classes to be granted.
Once approvals are received, the application security analyst grants the approved security classes.
BANNER ACCESS
We have approved certain job functions that do not require the full BAAR approval but only the approval of the dean/director.
Examples of those job functions are:
Public Safety Student Access
ReqMaster Access (given only after very specific training)
Service Desk Student Access
We also have general campus-wide reporting set up in Argos. This access is granted by request and does not require any approval.
For our BAAR requests we currently use Tigertracks.
Other controls we have in place for account provisioning.
We do a yearly review with our data custodians for all security classes, all objects within those classes, and all users assigned access through security classes or direct object grants.
We have weekly security reports for terminated employees.
We have weekly reports to look for position changes.
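To make the security-class design and the review reports on these slides concrete, here is an added Python example (not code from the presentation or from Banner itself): it resolves each user's effective access from security classes plus direct object grants, in query or modify mode, and produces the findings a weekly terminated-user report and the annual custodian review would list. All users, classes and the HR feed are constructed for illustration.

```python
# Added example, not code from the presentation or from Banner itself.
# Models the access design on these slides: form grants reach a user directly
# or through security classes, each in query (Q) or modify (M) mode. The review
# resolves effective access per user and flags terminated users still holding
# access (weekly report) plus modify-mode and direct grants for the annual
# custodian review. All class, user and HR data below is constructed.

# security class -> {form: mode}; names modelled on the slide's examples
SECURITY_CLASSES = {
    "ST_CASHIER_Q_C": {"SFAREGF": "Q", "SOAHOLD": "Q"},
    "FIN_CASHIER_APP_RECEIPTS_C": {"TSAAREV": "M", "TSADETL": "M",
                                   "TSAMASS": "M", "TSASPAY": "M"},
}
CLASS_GRANTS = {  # user -> security classes (the normal path)
    "jdoe": ["ST_CASHIER_Q_C"],
    "asmith": ["ST_CASHIER_Q_C", "FIN_CASHIER_APP_RECEIPTS_C"],
    "bjones": ["FIN_CASHIER_APP_RECEIPTS_C"],
}
DIRECT_GRANTS = {"jdoe": {"TSADETL": "M"}}  # direct object grants (the exception)
TERMINATED = {"bjones"}  # constructed HR feed of terminated employees

def _merge(access, grants):
    """Fold grants into access; modify mode wins over query for the same form."""
    for form, mode in grants.items():
        if mode == "M" or form not in access:
            access[form] = mode

def effective_access(user):
    """Return {form: mode} for everything the user can reach."""
    access = {}
    for cls in CLASS_GRANTS.get(user, []):
        _merge(access, SECURITY_CLASSES[cls])
    _merge(access, DIRECT_GRANTS.get(user, {}))
    return access

def review_report():
    """Findings for the terminated-user report and the annual access review."""
    findings = {"terminated_with_access": [], "modify_access": {}, "direct_grants": {}}
    for user in sorted(set(CLASS_GRANTS) | set(DIRECT_GRANTS)):
        access = effective_access(user)
        if user in TERMINATED and access:
            findings["terminated_with_access"].append(user)
            continue  # the action here is de-provisioning, not review
        modify = sorted(form for form, mode in access.items() if mode == "M")
        if modify:
            findings["modify_access"][user] = modify
        if user in DIRECT_GRANTS:
            findings["direct_grants"][user] = sorted(DIRECT_GRANTS[user])
    return findings
```

Running review_report() against a real extract of class grants, direct grants and the HR termination feed gives the three lists a custodian needs to sign off on or act upon.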
SESSION SUMMARY
Basic IT controls not only help you pass an audit but also allow for a much more stable computing environment.
If you have taken nothing else from this presentation, please remember this:
DOCUMENT DOCUMENT DOCUMENT
QUESTIONS & ANSWERS