Pressure Cooker: Access Controls in New and Existing ERP Systems


Transcript of Pressure Cooker: Access Controls in New and Existing ERP Systems

Page 1: Pressure Cooker: Access Controls in New and Existing ERP Systems

Page 2: Overview

Introduction: A story of contrasts

Motivations

Lifecycle Stage

Time

Page 3: Motivations (UA)

Classification of Financial Audit Findings:

• Control Deficiency: a control does not prevent or detect misstatements on a timely basis.

• Significant Deficiency: one or a combination of control deficiencies. Written finding. Reported to federal agencies.

• Material Weakness: one or a combination of significant deficiencies, resulting in more than a remote likelihood of misstatement of the financials. Serious concern to the Regents.

Page 4: Motivation (UA)

2009: Deputy CIO, Legacy System, Financial Auditor, Ad hoc preparation

2010: UISO, PeopleSoft HR, IT Auditor, Pre-validation and binder

Page 5: Motivations (PCC)

• Banner implemented in 1999

• Variety of high risk issues

• Two pronged approach:

  • Long term planning

  • Security culture

Page 6: Lifecycle (UA)

University Information Security Officer

Enterprise Applications Security and HR Technical Teams

Infrastructure Sys Admin and Environment Teams

Business Analysts Program Coordinators

Business Intelligence Team

Page 7: Lifecycle stage (UA)

Auditor Access and Data

• NetID

• VPN

• PeopleSoft

• Business Intelligence

Access Control

• Roles

• Initial Access

• Access Provisioning Application

Change Control

• Change Management System

• Infrastructure Controls

Page 8: Auditor Access and Data (UA)

• NetID and VPN: secure access on a protected remote connection

• PeopleSoft HR: separate role, read only, restricted to meet requirements

• Business Intelligence: reports limited to requirements and data files run by UA staff

Page 9: Access Control (UA)

• UA Security Policies: password policy, authorization and control of access

• Role Construction: roles and access by job function, with audit tables for role security

• Access Provisioning: initial provisioning, QA and transition to the Provisioning Application

Page 10: Change Control (UA)

Dev → Test → Stage → Prod

Page 11: Change Control (UA)

User → Ticket system → Bench test → Peer Review → Risk Assessment → UAT Fallback Plan → Mgmt Approval → Move to Prod

Page 12: Lifecycle Stage (PCC)

Page 13: Lifecycle Stage (PCC)

Page 14: Timeline (UA)

Setup Auditor Access

Access Controls: Policies, Roles, Provisioning

Change Controls: Change Mgmt, Infrastructure

Results: Lessons Learned

Effort Timeline

Page 15: Timeline (UA)

May

• File preparation, process validation

• Set up auditor access accounts

• Onsite meeting, web conferences, data feeds

June

• Coordination of reports and data feeds

• Collection of info for follow-up questions

• Web conferences, conference calls

July

• Access control and change management testing

• Collection of info for follow-up questions

• Onsite meetings, web conferences, conference calls

Page 16: Timeline (UA) - what worked

Preparation

• Focus preparation on major controls

• Pre-validation of control processes

• Prepare documentation in advance for the auditor

Team approach

• Ensure a team approach

• Know where and how to get information

• Share knowledge quickly with teams so improvements can begin

Rapport with auditors

• Develop rapport with auditors

• Be helpful, timely, and check in on their needs

• Keep them in scope while providing access

• Learn the standards they use to measure controls

• Represent the best of what UA is doing and keep a good perspective

Page 17: Time (PCC)

Page 18: Conclusion

Cathy Bates, Univ. Information Security Off., University of [email protected]

Brian Basgen, Information Security Officer, Pima Community [email protected]