Pressure Cooker: Access Controls in New and Existing ERP Systems

Post on 31-Dec-2015


Transcript of Pressure Cooker: Access Controls in New and Existing ERP Systems


Overview

• Introduction: A story of contrasts
• Motivations
• Lifecycle Stage
• Time

Motivations (UA)

Classification of Financial Audit Findings:

• Control deficiency: a control does not prevent or detect misstatements on a timely basis.
• Significant Deficiency: one or a combination of control deficiencies. Written finding. Reported to federal agencies.
• Material Weakness: one or a combination of significant deficiencies, resulting in more than a remote likelihood of misstatement of financials. Serious concern to Regents.

Motivation (UA)

2009                    2010
Deputy CIO              UISO
Legacy System           PeopleSoft HR
Financial Auditor       IT Auditor
Ad hoc preparation      Pre-validation and binder

Motivations (PCC)

• Banner implemented in 1999
• Variety of high risk issues
• Two pronged approach:
  • Long term planning
  • Security culture

Lifecycle (UA)

• University Information Security Officer
• Enterprise Applications Security and HR Technical Teams
• Infrastructure Sys Admin and Environment Teams
• Business Analysts / Program Coordinators
• Business Intelligence Team

Lifecycle stage (UA)

Auditor Access and Data
• NetID
• VPN
• PeopleSoft
• Business Intelligence

Access Control
• Roles
• Initial Access
• Access Provisioning Application

Change Control
• Change Management System
• Infrastructure Controls

Auditor Access and Data (UA)

• NetID and VPN: secure access on a protected remote connection
• PeopleSoft HR: separate role, read only, restricted to meet requirements
• Business Intelligence: reports limited to requirements; data files run by UA staff

Access Control (UA)

• UA Security Policies: password policy, authorization and control of access
• Role Construction: roles and access by job functions, with audit tables for role security
• Access Provisioning: initial provisioning, QA and transition to the Provisioning Application
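As an added illustration of the Role Construction bullet above (roles by job function, audit tables for role security) and of the ticket system on the Change Control slides, the following Python/SQLite example is constructed for this transcript; it is not code from the presentation or from UA's PeopleSoft environment. It models a read-only auditor role next to an HR job-function role, records every role grant or revoke in an audit table together with the change ticket, and rejects any grant or revoke made without a ticket context. All table, role and object names (role_perm, user_role, user_role_audit, change_ctx, HR_PAYROLL, AUDITOR_RO, and PS_JOB as an illustrative object) are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE role_perm (role TEXT, object TEXT, action TEXT);
CREATE TABLE user_role (user_id TEXT, role TEXT, PRIMARY KEY (user_id, role));
-- single-row context: who is making the change and under which change ticket
CREATE TABLE change_ctx (k INTEGER PRIMARY KEY CHECK (k = 1), changed_by TEXT, ticket TEXT);
-- audit table for role security; NOT NULL means a grant or revoke made with no ticket
-- context cannot be recorded, and that failure inside the trigger aborts the change itself
CREATE TABLE user_role_audit (id INTEGER PRIMARY KEY, op TEXT, user_id TEXT, role TEXT,
    changed_by TEXT NOT NULL, ticket TEXT NOT NULL, at TEXT DEFAULT CURRENT_TIMESTAMP);
CREATE TRIGGER ur_grant AFTER INSERT ON user_role BEGIN
    INSERT INTO user_role_audit (op, user_id, role, changed_by, ticket) VALUES ('GRANT',
        NEW.user_id, NEW.role, (SELECT changed_by FROM change_ctx), (SELECT ticket FROM change_ctx));
END;
CREATE TRIGGER ur_revoke AFTER DELETE ON user_role BEGIN
    INSERT INTO user_role_audit (op, user_id, role, changed_by, ticket) VALUES ('REVOKE',
        OLD.user_id, OLD.role, (SELECT changed_by FROM change_ctx), (SELECT ticket FROM change_ctx));
END;
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    # constructed roles: payroll staff read and update job data; the auditor role is read only
    conn.executemany("INSERT INTO role_perm VALUES (?, ?, ?)", [
        ("HR_PAYROLL", "PS_JOB", "SELECT"), ("HR_PAYROLL", "PS_JOB", "UPDATE"),
        ("AUDITOR_RO", "PS_JOB", "SELECT")])
    return conn

def change_role(conn, op, user_id, role, changed_by, ticket):
    """Grant or revoke a role; the ticket context exists only inside this transaction."""
    with conn:
        conn.execute("INSERT INTO change_ctx VALUES (1, ?, ?)", (changed_by, ticket))
        if op == "GRANT":
            conn.execute("INSERT OR IGNORE INTO user_role VALUES (?, ?)", (user_id, role))
        else:
            conn.execute("DELETE FROM user_role WHERE user_id = ? AND role = ?", (user_id, role))
        conn.execute("DELETE FROM change_ctx")

def can(conn, user_id, action, obj):
    """Authorisation check: does any of the user's roles allow this action on the object?"""
    return conn.execute("SELECT 1 FROM user_role ur JOIN role_perm rp ON rp.role = ur.role "
                        "WHERE ur.user_id = ? AND rp.object = ? AND rp.action = ?",
                        (user_id, obj, action)).fetchone() is not None

def audit_trail(conn, user_id):
    """Every grant and revoke for a user, with who made it and the authorising ticket."""
    return conn.execute("SELECT op, role, changed_by, ticket FROM user_role_audit "
                        "WHERE user_id = ? ORDER BY id", (user_id,)).fetchall()
```

A direct INSERT into user_role that bypasses change_role fails on the audit table's NOT NULL constraint, so a role change with no ticket is neither applied nor left unrecorded.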

Change Control (UA)

Environments: Dev → Test → Stage → Prod

Change Control (UA)

User → Ticket system → Bench test → Peer Review → Risk Assessment → UAT → Fallback Plan → Mgmt Approval → Move to Prod

Lifecycle Stage (PCC)

Timeline (UA)

(Chart: effort plotted against the timeline, in this order)
• Setup Auditor Access
• Access Controls: Policies, Roles, Provisioning
• Change Controls: Change Mgmt, Infrastructure
• Results: Lessons Learned

Timeline (UA)

May
• File preparation, process validation
• Set up auditor access accounts
• Onsite meeting, web conferences, data feeds

June
• Coordination of reports and data feeds
• Collection of info for follow-up questions
• Web conferences, conference calls

July
• Access control and change management testing
• Collection of info for follow-up questions
• Onsite meetings, web conferences, conference calls

Timeline (UA) - what worked

• Focus preparation on major controls
• Pre-validation of control processes
• Prepare documentation in advance for the auditor

• Ensure a team approach
• Know where and how to get information
• Share out knowledge quickly to teams to begin improvements

• Develop rapport with auditors
• Be helpful and timely; check in on needs
• Keep them in scope while providing access
• Learn the standards they use to measure controls
• Represent the best of what UA is doing and keep a good perspective

Time (PCC)

Conclusion

Cathy Bates
University Information Security Officer, University of Arizona
cbates@email.arizona.edu
520-626-2399

Brian Basgen
Information Security Officer, Pima Community College
bbasgen@pima.edu
520-206-4873