NWEUG 2015

ME CONTROLLING? CREATING A CONTROL SYSTEM YOU CAN LIVE WITH

Kristi Olson

Idaho State University

Date Track

Coeur d’Alene, Idaho


SESSION RULES OF ETIQUETTE

Please turn off your cell phone/pager

If you must leave the session early, please do so as discreetly as possible

Please avoid side conversation during the session

Thank you for your cooperation!



SESSION AGENDA

1. What are IT controls and why do we need them

2. Brief discussion on the 3 main control elements

3. Application change control

4. Account Provisioning



WHAT ARE IT CONTROLS

By definition, General Computer Controls are control activities performed within the IT organization, or the technology it supports, that can be applied to every system the organization relies upon. They are designed to encompass an organization's IT infrastructure rather than specific applications.



WHAT ARE IT CONTROLS AND WHY DO WE NEED THEM

With ever-increasing legal, security and financial risks associated with improper use of, and access to, our institutions' data, which is stored and accessed electronically, it is critical that we employ basic general computing controls.

In this presentation we will discuss some basic IT controls that will allow you, your customers and auditors to have reasonable assurance in your ERP system.



SO WHAT ARE GENERAL COMPUTER CONTROLS – AND WHY DO WE CARE




WHY DO WE NEED THESE CONTROLS?

“IT controls are fundamental to the reliability and integrity of the information processed by the automated systems on which most organizations are dependent for their business and financial transaction processing — and overlooking or minimizing their importance creates a significant risk.”

- CICA Information Technology Advisory Committee (2004)



WHY DO WE NEED THESE CONTROLS?

The controls provide assurance, to the organization as well as to outsiders, that IT systems process data appropriately and accurately, and that the output of the systems can be trusted.



So basically

Without effective controls there can be no reliance on the applications or systems.


[Figure: layers of control, redrawn from COBIT, 3rd Edition]

Business Processes: Finance, Manufacturing, Logistics, Etc.
IT Services: OS / Data / Telecom / Continuity / Networks
Enterprise Management

Company-level Controls - Company-level controls set the tone for the organization. Examples include:
• System planning
• Operating style
• Enterprise policies
• Governance
• Collaboration
• Information sharing
• Codes of conduct
• Fraud prevention

General Controls - Controls embedded in shared services form general controls. Examples include:
• System maintenance
• Disaster recovery
• Physical and logical security
• Data management
• Incident response

Application Controls - Controls embedded in business process applications, designed to achieve completeness, accuracy, validity and recording assertions, are commonly referred to as application controls. Examples include:
• Authorizations
• Approvals
• Tolerance levels
• Reconciliations
• Input edits

Source: COBIT, 3rd Edition


WE ARE GOING TO FOCUS ON WHAT I FEEL ARE THE 3 MAIN CONTROL ELEMENTS.


Access to Programs and Data

Computer Operations

Change Management


ACCESS TO PROGRAMS AND DATA

These controls deal with how both logical and physical access to systems and data is managed. The objective is to reduce the risk of inappropriate or unauthorized access.



Primary controls for Access to Data

IT Security Policy - A formalized security policy should be in place. This policy should be made available and communicated to the campus.

Data Center Access - Physical access to the data center should be restricted to those who need it.

Administrative accounts - Restrict highly privileged accounts on all systems, databases and applications to only those who have an absolute need (in Banner: BANSECR).



Primary controls for Access to Data

Account Provisioning - Put a process in place to ensure appropriate access is granted only after proper approval is obtained.

Account De-provisioning - Put a process in place to ensure access is removed for terminations and position changes in a timely manner.

Annual User Access Review - Put a process in place to have all access (operating system, database, applications) reviewed.


Document Document Document


COMPUTER OPERATIONS

This element groups the controls that deal with operational matters like backups and batch jobs. The objective of these controls is to ensure that system or application processing is appropriately authorized and scheduled, and that deviations from the scheduled processing are identified and resolved. The control areas relevant to this element include:



Computer Operation Controls to have in place

Batch Job Processing/Monitoring - Attach email notification of success or failure to every batch job.

Incident Management - Use your existing help desk ticketing system.

Backup Policy - Implement an appropriate backup and recovery process. Agree on how much data you could risk losing and develop your backup policy to meet that agreement.

Test your backups. Do periodic restores to ensure your backup process works. Have you ever attempted a point-in-time restore?


Document Document Document


CHANGE MANAGEMENT

These are the controls put into place to ensure that any changes made are authorized, tested and approved.



Change management controls

Change Management Policy - Develop a change management policy. At minimum it should describe what is considered a change, what testing should occur and where, who approves, and how the change is promoted into production. Your policy should dictate where this information is maintained.

Segregation of Duties - If at all possible, there should be separation between who develops changes and who promotes them.


Document Document Document


BRIEF DESCRIPTION OF PROCESSES THAT WE HAVE IMPLEMENTED AT IDAHO STATE UNIVERSITY

Change management, or Request for Change (RFC)

Account Provisioning, or Banner Argos Access Request (BAAR)



Both processes have been developed based on the presumption that IT does not own the data. IT acts as the caretaker and gatekeeper.

We have divided data ownership into six areas:

Finance

Student

Financial Aid

Admissions

Human resources/Payroll

General



Other facts to note about the setup at Idaho State University.

Developers do not have access to manipulate code in our production Banner environment.

Developers do not have access to release code in our scheduling software.

All code and scripts must be put into production by someone on our DBA team.

Developers have query access via SQL to our production data.

We have very limited access via SQL to our production data; what we do have is query only.



REQUEST FOR CHANGE (RFC)

What do we define as a change?

Any new or modified application, database object, SQL code or form that will run in or against Banner.

(Basically, if someone from our DBA team is needed to promote the change, an RFC is required.)

If data needs to be manipulated via SQL (data fixes, process changes), an RFC is required.



What documentation is required for promotion?

Initial Request - This should document what needs to be changed, fixed, or created and who made the request.

Authorization to begin work - For all new objects, forms, or applications we require our ERP manager to approve.

Who did the testing - Testing documentation should include what was tested, by whom, when, and on what system.

Approval for production - After testing is complete, documented approval must be obtained from the proper data owner or owners.
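The promotion gate implied by these four documentation items and the segregation-of-duties rule from the change management slide, written as an added example (not ISU's or the DBA team's own tooling); the RFC fields, the DBA_TEAM and ERP_MANAGER names are constructed assumptions:

```python
# Added example: a check a DBA-team promotion script could run before moving
# an RFC into production. Encodes the four documentation items (initial
# request, authorization for new objects, testing record, data-owner approval)
# and the rule that the promoter is on the DBA team and is not the developer.
# All names and field layouts are constructed for this example.
from dataclasses import dataclass, field

DBA_TEAM = {"dba.one", "dba.two"}     # only these accounts may promote
ERP_MANAGER = "erp.manager"           # must authorize work on new objects


@dataclass
class RFC:
    ticket: str
    developer: str
    new_object: bool                  # new object/form/app vs. modification
    initial_request: str = ""         # what is needed and who asked for it
    work_authorized_by: str = ""      # ERP manager sign-off (new objects)
    testing: dict = field(default_factory=dict)   # what, who, when, system
    production_approvals: list = field(default_factory=list)  # data owners
    required_owners: tuple = ()       # data owners whose approval is needed


def promotion_problems(rfc: RFC, promoter: str) -> list:
    """Return every reason the RFC may NOT be promoted (empty list = go)."""
    problems = []
    if not rfc.initial_request.strip():
        problems.append("missing initial request (what/who)")
    if rfc.new_object and rfc.work_authorized_by != ERP_MANAGER:
        problems.append("new object without ERP manager authorization")
    for key in ("what", "who", "when", "system"):
        if not rfc.testing.get(key):
            problems.append(f"testing documentation lacks '{key}'")
    missing = set(rfc.required_owners) - set(rfc.production_approvals)
    if missing:
        problems.append("no production approval from: " + ", ".join(sorted(missing)))
    if promoter not in DBA_TEAM:
        problems.append(f"{promoter} is not on the DBA team")
    if promoter == rfc.developer:
        problems.append("segregation of duties: developer cannot promote own change")
    return problems


def can_promote(rfc: RFC, promoter: str) -> bool:
    """True only when the RFC is fully documented and the promoter is allowed."""
    return not promotion_problems(rfc, promoter)
```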



How to maintain RFC documentation

Email chains

Electronic folders

Printed copies of testing documentation and emails

Electronic workflow systems

At Idaho State University we use our Service Desk ticketing system, NUMERA.



BANNER ARGOS ACCESS REQUEST (BAAR)

Any INB access requires an approved BAAR.

Access to “sensitive reports” requires an approved BAAR.

Note of explanation: IT grants access to forms and reports but we do not do functional security.

We do not grant access to index codes (FOMPROF)

We do not grant access to employee code rules (PTRUSER)

We do not add Faculty or Advisors (SIAINST)



Brief description of how access security is designed in Banner at Idaho State University.

Banner access to forms or jobs can be granted directly to a user or grouped together via security classes. A user can then be granted many security classes.

Access to forms can be granted in query or modify mode.

At Idaho State University we have implemented a system using security classes.

Each data custodian is responsible for how their security classes are developed and granted.



Examples of a few security classes

Class: ST_CASHIER_Q_C
  Object    Description                                 Role
  SFAREGF   Student Course/Fee Assessment Query         BAN_DEFAULT_Q
  SOAHOLD   Hold Information                            BAN_DEFAULT_Q

Class: FIN_CASHIER_APP_RECEIPTS_C
  Object    Description                                 Role
  TSAAREV   Account Detail Review Form – Student        BAN_DEFAULT_M
  TSADETL   Student Account Detail                      BAN_DEFAULT_M
  TSAMASS   Billing Mass Data Entry Form – Student      BAN_DEFAULT_M
  TSASPAY   Student Payment                             BAN_DEFAULT_M



A simplified approval chain for a BAAR.

A request for access is made; a description of job duties or, if known, the specific security classes is entered in the request.

The request is sent to the requestor's Dean/Director to determine whether the request is appropriate to the requestor's job responsibilities.

Determine if training is needed. For new employees we require Welcome to Banner training.

Forward to the appropriate data custodians for approvals and descriptions of the specific security classes to be granted.

Once approvals are received, the application security analyst grants the approved security classes.
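The approval chain above as a small state machine, added here as an example and not the Tigertracks workflow ISU uses; the mapping of security-class prefixes to data custodians (ST_ to student, FIN_ to finance, and so on) and the user names are constructed assumptions:

```python
# Added example: enforce the BAAR approval chain before any class is granted.
# Dean/director approval, Welcome to Banner training for new employees, and an
# approval from EVERY data custodian who owns a requested class must all be on
# record; only then does the analyst step succeed. Prefix-to-custodian mapping
# and all names are constructed for this example, not ISU's configuration.
from dataclasses import dataclass, field

CUSTODIAN_BY_PREFIX = {"ST": "student", "FIN": "finance", "FA": "financial_aid",
                       "ADM": "admissions", "HR": "hr_payroll", "GEN": "general"}


def custodian_for(sec_class: str) -> str:
    """Owner of a security class, derived from its prefix (assumed convention)."""
    return CUSTODIAN_BY_PREFIX[sec_class.split("_", 1)[0]]  # KeyError = unknown class


@dataclass
class BAAR:
    requestor: str
    classes: list                 # security classes requested
    new_employee: bool
    dean_approved: bool = False
    training_done: bool = False
    custodian_approvals: set = field(default_factory=set)
    granted: list = field(default_factory=list)

    def required_custodians(self) -> set:
        return {custodian_for(c) for c in self.classes}

    def approve_dean(self) -> None:
        self.dean_approved = True

    def record_training(self) -> None:
        self.training_done = True

    def approve_custodian(self, custodian: str) -> None:
        if custodian in self.required_custodians():   # ignore unrelated approvers
            self.custodian_approvals.add(custodian)

    def blockers(self) -> list:
        """Everything still missing before the analyst may grant."""
        missing = []
        if not self.dean_approved:
            missing.append("dean/director approval")
        if self.new_employee and not self.training_done:
            missing.append("Welcome to Banner training")
        outstanding = self.required_custodians() - self.custodian_approvals
        missing.extend(f"custodian approval: {c}" for c in sorted(outstanding))
        return missing

    def grant(self) -> list:
        """Analyst step: refuse unless the chain is complete; return classes granted."""
        if self.blockers():
            raise PermissionError("BAAR not fully approved: " + "; ".join(self.blockers()))
        self.granted = list(self.classes)
        return self.granted
```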



BANNER ACCESS

We have approved certain job functions that do not require the full BAAR approval, only the approval of the dean/director.

Examples of those job functions are:

Public Safety Student Access

ReqMaster Access (given only after very specific training)

Service Desk Student Access

We also have general campus-wide reporting set up in Argos. This access is granted by request and does not require any approval.

For our BAAR requests we currently use Tigertracks.



Other controls we have in place for account provisioning.

We do a yearly review with our data custodians of all security classes, all objects within those classes, and all users assigned access through security classes or direct object grants.

We have weekly security reports for terminated employees.

We have weekly reports to look for position changes.
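The three checks on this slide (yearly review of classes, objects and users; weekly terminated-employee report; weekly position-change report) over the class-and-object model from the security class slides, as an added example rather than ISU's actual reports. The two classes and their forms are the ones shown earlier; the user names, the HR feed, the direct grant and the "modify wins over query" merge rule are constructed assumptions:

```python
# Added example: de-provisioning and access-review reports over constructed
# data. Security classes map objects to Q (query) or M (modify); users hold
# classes and, optionally, direct object grants. Users, HR feed and direct
# grant are made up; the merge rule (M overrides Q) is an assumption.
SECURITY_CLASSES = {
    "ST_CASHIER_Q_C": {"SFAREGF": "Q", "SOAHOLD": "Q"},
    "FIN_CASHIER_APP_RECEIPTS_C": {"TSAAREV": "M", "TSADETL": "M",
                                   "TSAMASS": "M", "TSASPAY": "M"},
}
CLASS_GRANTS = {                       # user -> security classes held
    "acash": ["ST_CASHIER_Q_C", "FIN_CASHIER_APP_RECEIPTS_C"],
    "bterm": ["ST_CASHIER_Q_C"],
    "cmove": ["FIN_CASHIER_APP_RECEIPTS_C"],
}
DIRECT_GRANTS = {"cmove": [("SOAHOLD", "M")]}   # user -> (object, mode) outside classes
HR_FEED = {                            # constructed weekly HR extract: status, position
    "acash": ("active", "Cashier"),
    "bterm": ("terminated", "Cashier"),
    "cmove": ("active", "Advisor"),
}
LAST_REVIEW_POSITION = {"acash": "Cashier", "bterm": "Cashier", "cmove": "Cashier"}


def effective_access(user: str) -> dict:
    """Flatten class and direct grants into {object: mode}; M beats Q."""
    access = {}
    grants = [(o, m) for c in CLASS_GRANTS.get(user, [])
              for o, m in SECURITY_CLASSES[c].items()]
    grants += DIRECT_GRANTS.get(user, [])
    for obj, mode in grants:
        if access.get(obj) != "M":
            access[obj] = mode
    return access


def terminated_with_access() -> list:
    """Weekly report: terminated in HR but still holding any Banner access."""
    return sorted(u for u, (status, _) in HR_FEED.items()
                  if status == "terminated" and effective_access(u))


def position_changes() -> list:
    """Weekly report: users whose HR position differs from the one last reviewed."""
    return sorted(u for u, (_, pos) in HR_FEED.items()
                  if LAST_REVIEW_POSITION.get(u) != pos)


def yearly_review() -> dict:
    """Input for the custodian review: user -> sorted (object, mode) pairs."""
    return {u: sorted(effective_access(u).items()) for u in sorted(HR_FEED)}
```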



SESSION SUMMARY

Basic IT controls not only help you pass an audit but also allow for a much more stable computing environment.

If you have taken nothing else from this presentation, please remember this:

DOCUMENT DOCUMENT DOCUMENT



QUESTIONS & ANSWERS



THANK YOU! Kristi Olson

[email protected]
