Information Technology Services Logical Access Procedure. Prepared by: Jefferson Wells. Desk Procedure - Logical Access Final Draft Last Modified:

Transcription

1 Infrmatin Technlgy Services Lgical Access Prcedure Prepared by: Jeffersn Wells Desk Prcedure - Lgical Access Final Draft Last Mdified:

2 Saint Luis University Lgical Access Prcedure Table f Cntents I. Intrductin. 3 II. Plicy.. 3 III. Purpse... 3 IV. Scpe. 3 V. Rles, Respnsibilities and Definitins.. 4 VI. Lgical Access Flwchart General Access 6 VII. User Accunt Set Up.. 7 A. Initial Accunt Setup... 7 B. Magis Identity Management System and Passwrd Security.. 7 C. Autmatic Accunt Lckut... 8 VIII. Restricted Applicatin Access.. 8 A. Eligibility fr Access. 8 B. Frmal Request fr Access. 8 C. Segregatin f Duties.. 9 D. Access Request Types E. Standard Access Access t Multiple Academic Units Data 11 ITS Access 12 Access Appeal Prcess. 13 Perfrmance Standard 13 F. New Implementatin 13 G. Emergency Access. 14 IX. Changes t User Access 14 A. Changes t Duties.. 14 User Remains in Same Department. 14 User Transfers t Anther Department 14 B. System Class/Grup Change 15 X. Access Terminatin Prcedures.. 15 A. User Resignatins/Terminatins 16 ITS and Human Resurce Ntificatin. 16 Remval f Access and Accunt Verificatin. 16 Remving Access t Multiple Academic Units Data. 17 Remving IT User Access. 18 B. Emergency Terminatins 18 C. Lck Accunts. 19 XI. Dcument Retentin 19 XII. Mnitring. 19 A. Service Access and Accunt Inactivity Reprts.. 19 B. Psitin Change Reprts 20 C. Terminatin Reprts 21 D. Dcumentatin f Mnitring 22 XIII. Netwrk Operating System Lgging. 22 Appendices Desk Prcedure - Lgical Access Final Draft Page 2 f 26 Last Mdified:

3 Saint Luis University Lgical Access Prcedure I. INTRODUCTION The verall gal f lgical access is enfrce and track the level f access t cmputer resurces, preserving bth data integrity and data cnfidentially. Several General Cmputer Cntrls fr applicatin security are essential t achieve this gal and they are: the use f a unique userid fr each cmputer user a strng passwrd prper authrizatin t access cmputer resurces the mnitring f userids, passwrds and lgical access II. POLICY It is the plicy f Saint Luis University s Infrmatin Technlgy Services (ITS) department t prvide all emplyees with system access t infrmatin resurces cnsistent with business needs. The ITS department s functin will prvide a mechanism fr authenticated and secure access t the University s infrmatin systems resurces. III. PURPOSE The purpse f this dcumented prcess is t utline the prcedure in which user access accunts are created, changed, terminated, and mnitred within the Saint Luis University primary applicatin architecture. The gal f the lgical access prcess is t ensure standardizatin acrss all infrmatin technlgy systems and ensure the apprpriate data wners are cntacted, infrmed and apprve each user access request. All user access requests must be dcumented using prcedures utlined in this prcess. Implementatin f this prcedure minimizes unauthrized access t prprietary infrmatin and technlgy. This prcedure will be fllwed t request and apprve access t University applicatins, create user accunts including passwrds, and prvide nging maintenance f user accunts. IV. SCOPE This plicy applies t Banner (INB and Self Service) and its assciated integrated systems (WebFOCUS, Xtender, Axim, Wrkflw), Magis IDMS and underlying databases. This plicy applies t students and permanent, temprary, and part-time faculty and staff, cntractrs, cnsultants, guests, and all ther authrized users f any electrnic cmmunicatin system, including all persnnel affiliated with third parties, at Saint Luis University. This plicy als applies t all equipment that is wned r leased. In additin, this prcedure will be utilized fr user level and develper access accunts. A user accunt is defined as an accunt which des nt have the permissin t install, maintain, r alter in a material way any netwrk, applicatin, service r wrkstatin resurce. Develper access accunts are defined as accunts which can mdify, cnfigure and install sftware and/r hardware fr an applicatin. Develpers can typically create new features and prcesses within an applicatin and update and/r access data utside the standard applicatin interface. Desk Prcedure - Lgical Access Final Draft Page 3 f 26 Last Mdified:

4 Saint Luis University Lgical Access Prcedure V. ROLES, RESPONSIBILITIES AND DEFINITIONS Rle User Business Prcess Owner (BPO) Als, may be referred t as Data Prcess Owner, Business Manager r Authrized Apprver Academic Security Officer (ASO) (See Appendix 1) Quality Assurance (QA) Administratr University ITS (Prduct Managers) (See Appendix 2) Respnsibility Has access t r requests access t prjects, prgrams r applicatin data via the Prcess Owner r Authrized Apprver. Apprves access fr users t specific prjects, prgrams r applicatin data. Prvides guidance t ITS relative t user access levels. Identifies and prvides required verificatins fr designated apprvers and ensure these persns cmprehend the significance f their rle in granting access t the University s Infrmatin Systems. Ensures the security f infrmatin which users have access and that user access is prperly administered and cntrlled. Respnsibility t reprt any ptential r actual risks r incidents affecting the security f infrmatin. Mnitrs cmpliance with University infrmatin security plicies and prcedures, making recmmendatins fr imprved security and fr mnitring the ccurrence f security incidents. Mnitrs and reviews verall lgical access management prcess. Ensure cntinued cmpliance with University infrmatin security plicies and prcedures; ensure lgical access prcesses remain frzen. Reviews lgical access and user accunt recnciliatin reprts. Prvides impartial 3 rd party input fr user access request denial appeal prcess. Reviews user settings and establishes prper dmain access based n requests frm Academic Security Officers. Creates user accunt and lg in passwrd. Definitins Academic Security Officer (ASO) Individual within an academic unit assigned the rle f ensuring the security f infrmatin which users have access and that user access is prperly administered and cntrlled. Access Frm Abbreviated name f Access Security Request Frm Business Prcess Owners (BPO) r Authrized Apprvers Certain persn(s) f authrity within a faculty/department/unit wh have been identified t University ITS as having the pwer t apprve bth user access t University applicatins and specifically what prcesses that user is allwed access. The Prcess Owners r Authrized Desk Prcedure - Lgical Access Final Draft Page 4 f 26 Last Mdified:

5 Saint Luis University Lgical Access Prcedure Apprvers may be Business Managers, Department Supervisrs, Hiring Managers, Vice Presidents, Spnsrs (in the case f guests, cntractrs), IT Administratrs r thers as designated by plicy. Infrmatin Security Officer Mnitrs verall cmpliance with University infrmatin security plicies and prcedures, making recmmendatins fr imprved security and fr mnitring the ccurrence f security incidents. ITS Acrnym fr Saint Luis University, Infrmatin Technlgy Services. ITS Management Fr purpses f this prcedure, ITS Management refers t IT Administratrs and ther key ITS persnnel in management/supervisry rles f ITS units (i.e., IT Administratrs fr TLRC, Enterprise Resurces, Academic Technlgies, Business Intelligence, etc). ITS Prduct Managers ITS persnnel respnsible fr physically granting access t the varius applicatins r databases, such as Banner INB, Banner Self Service, WebFOCUS, Xtender, Axim, Wrkflw, Oracle. LAN A lcal area netwrk (LAN) is a grup f cmputers and assciated devices that share a cmmn cmmunicatins line r wireless link. Typically, cnnected devices share the resurces f a single prcessr r server within a small gegraphic area (fr example, within an ffice building). Magis Identity Management System A service which allws users t prvide their username and passwrd nce t a trusted service and t have their identity securely, cnsistently and seamlessly prvided t many web applicatins. Integrated Sign-On acrnym is ISO. QA Quality Assurance Remedy Remedy is SLU s primary prblem/request tracking system. It allws SLU ITS t track infrmatin as well as internal and external requests placed upn the rganizatin. The infrmatin tracks varius Remedy applicatins such as the Asset Management, Service Level Agreements, Change Request, Lgical Access requests and Help Desk applicatins. Remte Access An encrypted channel r methd is required fr private access t internal cmputer applicatins and systems. SLU Acrnym fr Saint Luis University University Infrmatin Systems Includes systems and equipment (wrkstatins, servers, printers, telephnes, switches, ruters, wiring, hubs, wireless and cellular cmpnents, persnal digital assistants (PDAs), and ther devices and sftware cmpnents that access the University netwrk) and sftware (applicatins, databases, ERS). User, Username r SLUNet ID Refers t any persn accessing the University netwrk, including, but nt limited t, students, faculty, staff, cntractrs, clients, cnsultants, invited guests, and thers wrking at the University. User Accunt The user identificatin, lgn/lgin identificatin, r ther systemspecific means granted t a user permitting access t the University netwrk. Wireless Access Terminal access t the university netwrk using wireless technlgy r technlgy that accesses the netwrk withut the use f hard wires r cables. Desk Prcedure - Lgical Access Final Draft Page 5 f 26 Last Mdified:

6 Saint Luis University Lgical Access Prcedure VI. LOGICAL ACCESS FLOWCHART GENERAL ACCESS Desk Prcedure - Lgical Access Final Draft Page 6 f 26 Last Mdified:

7 Saint Luis University Lgical Access Prcedure VII. USER ACCOUNT SETUP A. Initial Accunt Setup In rder t gain access t University cmputer applicatins and infrastructure, ne must have a Banner SLU netid as established by Human Resurces r in accrdance with ITS Guest Accunt Plicy and Prcedures. B. Magis Identity Management System and Passwrd Security The University uses Magis Identity Management System (IDMS) t prvide a single surce f sign-n fr enterprise applicatins. All members f the University with SLU access will use Magis IDMS. Individual web applicatins using Magis IDMS fr authenticatin may nly be accessible t key persnnel depending upn the nature f the applicatin and user requirements. The Magis IDMS service prvides several benefits: The same username and passwrd allws access t all apprved services The user prvides their passwrd t ne trusted applicatin The username and passwrd nly has t be validated nce per sessin Username and passwrds are treated securely Fr Magis IDMS and Oracle (including thse applicatins that validate thrugh Magis IDMS and Oracle), the username assigned t a unique user name and passwrd will be established in accrdance t the fllwing user passwrd and security mdel structure: Passwrds must be a minimum f 8 characters in length; Passwrds must nt be the same as the lgin accunt; Temprary passwrds must be changed after initial lg in; Passwrds must be cnstructed using at least ne f each f the fllwing 3 character types: uppercase alpha (A, B, C, D, E, etc.) lwercase alpha (A, b, c, d, e, etc.) numbers (0, 1, 2, 3, 4, 5, 6, 7, 8, 9) Nte: Special characters are nt allwed. Passwrds will expire every 180 days and users will be required t change their passwrd upn this expiratin. ITS will run a quarterly reprt t mnitr user accunt inactivity. Passwrds must nt be easily guessed; must nt be names, dictinary wrds, phne numbers, r birthdays; Passwrds must be different frm the previus 12 passwrds. Passwrds must be stred in encrypted frmat t prevent tampering. Access f privileged users wh perfrm administrative tasks must be restricted and prperly apprved. If a particular University system des nt validate thrugh Magis IDMS r Oracle, r des nt supprt the minimum structure and cmplexity detailed in the afrementined guidelines, University ITS must ensure that ne f the fllwing prcedures be manually implemented: The passwrd assigned must be adequately cmplex t insure that it is nt easily guessed and the cmplexity f the chsen alternative must be defined and dcumented. The legacy system must be upgraded t supprt the requirements f this prcedure as sn as administratively pssible. Desk Prcedure - Lgical Access Final Draft Page 7 f 26 Last Mdified:

8 Saint Luis University Lgical Access Prcedure All applicatins shuld be islated frm the main university netwrks r relcated t a system that supprts the freging security passwrd structure. Initial and temprary user accunt passwrds that are systemically generated will be cmmunicated t the BPO via a secured methd per best business practices. It is the BPO s respnsibility t ensure apprpriate user applicatin training and facilitating the initial passwrd change prcess. The BPO shuld specifically instruct the user n the passwrd change/use plicy, in additin t directing them t the lcatin f all University plicies and prcedures. C. Autmatic Accunt Lckut ITS will enable the autmatic lckut capabilities t ensure that all SLUNET IDs are temprarily suspended r lcked ut after three cnsecutive unsuccessful lgin attempts. VIII. RESTRICTED APPLICATION ACCESS In rder t enfrce security f sensitive and cnfidential data and data netwrks, a number f SLU business applicatins have restricted access. It is imprtant t ensure that users have access nly t the areas required t perfrm their functins at the University. The prcess f requesting, mnitring and mdifying access t key applicatins, Banner financial infrmatin and Human Resurces applicatins invlves having prper eligibility fr access, prper segregatin f duties analysis, frmal request fr access, accunt verificatin and fllw prper dcumentatin retentin standards. The remaining sectins describe prcedures fr requesting, changing and deleting user access t key applicatins, including Banner financial infrmatin and Human Resurce applicatins. A. Eligibility fr Access Individuals (faculty, staff, student, r ther) may btain access if apprpriate apprval(s) frm the Business Prcess Owner (BPO) is btained. Additinally, fr access t mst Financial, Human Resurces and Student applicatins, cmpletin f a designated training curse may be required. In rder t btain access, the individual must be an active emplyee and have an active Banner accunt recrd in the Human Resurces database and an active accunt r cmply with the ITS Guest Accunt Plicy and Prcedures (see User Accunt Setup). The BPO fr each user request must cnfirm apprpriate eligibility befre apprving the request fr access. It is imperative that the BPO (r ther persnnel respnsible fr the hiring prcess within a department/academic unit), ensure that the necessary dcumentatin is submitted t Human Resurces s that the Banner SLUNet ID can be established in a timely manner. The BPO shuld verify that the Banner SLUNet ID is established befre submitting a request fr user access t University systems as discussed belw. B. Frmal Request fr Access After an emplyee s eligibility is cnfirmed, an Access Security Request Frm (hereafter referred t as Access Frm) shuld be cmpleted by the BPO. The BPO shuld generally submit the Access Security Request Frm at least tw days prir t the users first day at wrk. At a minimum, the fllwing infrmatin shuld be cntained and cmpleted n the Access Security Request Frm: User s full name; SLUNET ID (username), and Banner ID Desk Prcedure - Lgical Access Final Draft Page 8 f 26 Last Mdified:

9 Saint Luis University Lgical Access Prcedure User s telephne number (If Assigned) Jb title and/r cntractr name Emplyment status (e.g., Emplyee, Cntractr) Emplyment (cntractr/prject) start and end dates Department Name and Number Type f Request (new user, change t existing access, delete user, develper) Systems t be accessed, including classes, frms, etc. (If necessary, include additinal attachments t the Access Frm) Type(s) f access requested (e.g., read, write, delete, change r execute) Other infrmatin as necessary t identify level/type f access requested (e.g., user, pwer user, administratr, develper) Segregatin f Duties analysis Apprval signature f the BPO (See Appendix 3 fr required apprval levels). (Nte: The start date n the Access Frm shuld be included as a means t ensure access is established upn the users expected start date. The end date shuld be cmpleted, particularly fr all guests/cntractrs, temprary persnnel and nn-university users when a terminatin date is knwn r stipulated. The ASOs and ITS is strngly encuraged t mnitr this end date t ensure timely remval f user access). The Access Frm has sectins fr data belnging t each f the fllwing Academic units: Advancement Business & Finance Human Resurces Student Student Financial Services The BPO shuld select the access t the data required fr its users jb functins. The frm is lcated at the fllwing: C. Segregatin f Duties The BPO shuld determine the specific functins and respnsibilities fr which the individual needs access, specifically access t key Financial and Human Resurces applicatins. The BPO must perfrm a segregatin f duties review. Segregatin f duties prevents a single persn frm perfrming tw r mre incmpatible functins. Failure t segregate incmpatible duties, r t implement cmpensating cntrls when such separatin f duties is nt pssible, increases the risk that errrs r unauthrized actins may ccur and nt be detected in a timely manner. Sme examples f incmpatible duties include users having systems access enabling them t: Perfrm billings/invicing, receive the crrespnding payments, and recrd the crrespnding cash receipts entries. Authrize disbursements, issue crrespnding disbursements, and recrd crrespnding disbursements entries. Set up a new emplyee, input pay rates/salary, and issue pay checks. Sme special aspects f segregatin f duties apply t IT functins themselves. There shuld be segregatin between systems develpment and peratins, peratins and data cntrl, and data base administratin and system develpment. Desk Prcedure - Lgical Access Final Draft Page 9 f 26 Last Mdified:

10 Saint Luis University Lgical Access Prcedure Access can be restricted t specific functins within sme applicatins. Fr example, a user may be given access t prepare requisitins, but nt t apprve requisitins. In additin, a user may be given ne f the fllwing levels f access t sme applicatins: Mdify (read/write) access: the ability t enter and update data and submit transactins r Query (read-nly) access: the ability nly t view infrmatin withut being able t enter r change data. The Access Frm includes a statement nting that the access rights being granted are apprpriate fr the user s jb functins and that segregatin f duties has been cnsidered. By signing/apprving the Access Frm, the BPO is nting that the apprpriateness f the access rights and segregatin f duties has been evaluated and the access is justified. As necessary, the BPO shuld prvide any additinal cmments regarding the access rights and the apprpriateness f the access rights t the user s jb functins. In thse instances where duties cannt be fully segregated, mitigating r cmpensating cntrls must be established and dcumented with the Access Frm, r access rights t be granted shuld be adjusted. Mitigating r cmpensating cntrls are additinal prcedures designed t reduce the risk f errrs r irregularities. D. Access Request Types Access granted will fall int ne f the fllwing categries: Standard Access A general new r change request Emergency A requirement f immediate access r change that des nt fllw the standard access prcedure, where access may need t be granted withut befre Access Frm can be initiated. New Implementatin Prvides fr new implementatin f a prduct, service r functin that affects multiple users. Generally the same access rights are being granted t the user grup. These access scenaris are further discussed belw. E. Standard Access The BPO will submit the apprved Access Frm t the apprpriate Academic Security Officer (ASO). The ASO shuld review the Access Frm t ensure all applicable details are cmpleted. The ASO shuld als ensure the Frm is prperly apprved by an authrized BPO. (See Appendix 3 fr required minimum apprval levels) Incmplete r denied requests will be returned t the apprver f the frm, requesting cmplete details befre the request will be fulfilled and/r nting why the requests is denied. Denied requests shuld be prperly dcumented and retained (i.e., cmmunicatin is stred with cpy f denied Access Frm). Once a prperly cmpleted Access Frm is received, the ASO will initiate a Remedy Change Request Ticket t input the request fr access. (Nte: Security Officers shuld review the Pwer Pint Slide Presentatin, Remedy Management System fr Lgical Access ). Within Remedy, tasks will be created t distribute the request t the apprpriate ITS Grups and t establish ther tasks necessary fr granting and dcumenting access. The apprved Access Desk Prcedure - Lgical Access Final Draft Page 10 f 26 Last Mdified:

11 Saint Luis University Lgical Access Prcedure Frm and any ther applicable dcuments will be included in the Remedy Ticket. The submissin f the Remedy Ticket will serve as dcumentatin f the ASO s review and apprval. The ITS Prduct Manager(s) (within each ITS Grup) will review the request, ensure cmpleteness and verify an apprved Access Frm is included in the Remedy Ticket and that the Remedy Ticket was generated by an authrized ASO. If the ITS Prduct Manager has any cncerns regarding the legitimacy f the request, the ITS Prduct Manager must verify the request with the apprpriate ASO and/r BPO, as necessary. Once the request has been prperly verified, user access may be granted. The ASO and ITS Prduct Manager shuld pay clse attentin t the user start date nted n the Access Frm. This date is intended t nte the date access shuld be available t the user. The ASO and ITS Prduct Manager shuld ensure that the user s access is available by this date. The ITS Prduct Managers will grant the apprpriate access and clse the apprpriate tasks within the Remedy Ticket. The ASO shuld review the Remedy Ticket t verify that all tasks have been cmpleted. The ASO shuld generate a user access prfile frm the WebFOCUS Dashbard (Lgical Access Super Reprt) t verify that the access granted is in accrdance with the request. The user access prfile shuld be attached t the Remedy Ticket. Nte: The ASO may grant access t additinal mdules (i.e., funds/rganizatins) within the scpe f the ASO s authrity. The Banner Finance, fund security, is a unique additinal access rights. There are tw circumstances that require additin f a new r existing fund t a user s access. In the first scenari, a new fund is established in Business & Finance whereby there must be a Financial Manager r an existing fund is assigned t a Financial Manager. As these funds are established by the ASO f Business & Finance, submissin f an Access Frm is nt warranted. In the secnd scenari, the user in Business & Finance needs access t a fund f anther department. This requires the submissin f an Access Frm. The ASO may als perfrm additinal tasks as identified in the Remedy Ticket. The ASO will ntify the BPO that the access request has been cmpleted and cnfirm that the access rights are as requested. The ASO may chse t prvide the BPO with a cpy f the user access prfile t cnfirm the access granted. Cnfirmatin received frm the BPO shuld be attached t the Remedy Ticket. The ASO will perfrm final clseut f the Remedy Ticket. If it is determined, after the initial Remedy ticket t set up access has been clsed, that the user shuld have additinal access rights, the BPO shuld submit a separate Access Frm t request these additinal access rights. It will be treated as a new request and nt as an extensin f the riginal request. Therefre, it is imperative that the BPO review and prperly cnfirm the initial access rights t the ASO. Access t Multiple Academic Units Data In sme instances, a user s jb functin may require the user have access rights t data f several Academic Units. In this instance, the BPO shuld cmplete the apprpriate sectins n the Access Frm fr each Academic Units data. A cpy f the Access Cntrls Frm shuld be submitted t the respective ASOs. Each ASO will prcess the request thrugh Remedy in the same manner as ther requests. Example 1: A user emplyed in Human Resurces needs access t data in Human Resurces and Finance. The BPO in Human Resurces will cmplete the apprpriate sectins n the Access Frm fr Human Resurces and Business & Finance. A cpy f the Frm wuld be submitted t the Human Resurce and Finance ASO. Desk Prcedure - Lgical Access Final Draft Page 11 f 26 Last Mdified:

12 Saint Luis University Lgical Access Prcedure Example 2: A user emplyed in Missin & Ministry needs access t data in Human Resurces, Business & Finance, and Students. The BPO in Missin & Ministry will cmplete the apprpriate sectins n the Access Frm fr Human Resurces, Business & Finance, and Students. A cpy f the Frm wuld be submitted t the ASOs in Human Resurce, Business & Finance, and Students. ITS Access - ITS Staff The user s direct supervisr (IT Prduct Manager r IT Administratr) serves as the requestr and is respnsible fr preparing and submitting an ITS Access Security Request Frm fr access requests. The Frm applies t Banner and cmpanin prducts, their underlying databases and servers, (including, but nt limited t: WebFOCUS, Xtender, Axim, Wrkflw, ODS and EDW). The direct supervisr (requestr) prepares the frm and rutes t the apprpriate sectin IT Administratr fr apprvals and implementatin, depending n the type f access, as fllws: OS Level Access t a Hst r Netwrk Drive Direct Database Access Applicatin Access After the apprpriate IT Administratr apprvals, the user s IT Administratr will apprve the Frm and submit t the Enterprise Resurce Administratr fr secndary apprval. After all apprvals have been received, the requestr will initiate the Remedy ticket, attach the Frm, and rute tasks t the respective ITS Administratr r ITS Prduct Managers, wh will cmplete the tasks t grant the user access and prvide a reply in the Remedy ticket t the requestr. (Nte: IT Administratrs and Prduct Managers shuld review the Pwer Pint Slide Presentatin, Remedy Management System fr Lgical Access.) Specific tasks shuld be initiated t grant access t IT staff. The frm is lcated at the fllwing: Example 1: There is a new hire (r additinal access needs) fr a staff psitin reprting t the WebFOCUS ITS Prduct Manager. The WebFOCUS ITS Prduct Manager will prepare the frm (requestr) and rute t the IT Administratr fr each sectin requiring access (OS access, Direct Database and/r Applicatin access). The frm will then be ruted t the ITS Administratr Business Intelligence, fr apprval and t the Enterprise Resurces Administratr fr secndary apprval. After all apprvals, the WebFOCUS ITS Prduct Manager will initiate a Remedy ticket t grant/request the apprpriate access rights. Example 2: There is a new hire (r additinal access needs) fr the psitin Banner INB ITS Prduct Manager. The IT Administratr Applied Administrative Technlgy (AAT), will prepare the frm (requestr) and apprve as the IT Administratr fr Applicatins Access. If OS access r Direct Database access is needed, the frm will be ruted t thse IT Administratrs fr apprvals. The IT Administratr AAT then apprves the frm and submits t the Enterprise Resurces Administratr fr secndary apprval. After all apprvals, the IT Administratr AAT will initiate a Remedy ticket t grant/request the apprpriate access rights. Example 3: There is a new hire (r additinal access) needs fr the psitin IT Administratr (AAT, Business Intelligence, Infrastructure Services, r SSDD). The Enterprise Resurces Administratr will prepare and apprve the Frm and submit t the Desk Prcedure - Lgical Access Final Draft Page 12 f 26 Last Mdified:

13 Saint Luis University Lgical Access Prcedure Chief Infrmatin Officer fr secndary apprval. The Enterprise Resurces Administratr will initiate the Remedy tickets. Access Appeals Prcess The requester s Department Head (r designee) and the Data Owner (r designee) shuld discuss the request t determine if they can agree t a reslutin (i.e., bth agree t grant r deny access). If a mutual agreement is nt reached, the access request details shuld be submitted t the QA Administratr fr review. The QA Administratr, acting as an impartial 3 rd party, will cnsult with bth the requester s Department Head and the Data Owner. A final reslutin and decisin will be determined by these three. This reslutin shuld be dcumented and retained with the riginal access request. Perfrmance Standard Fr thse cmplete access requests received by the ASO n r after the day the user has began wrk, access shuld be granted within 48 hurs f receipt f the cmplete request by the ASO. This includes a 24 hur turnarund fr the ASO and a 24 hur turnarund fr ITS. Nte: New hire access requests (r change requests fr transferring emplyees) that are submitted in a timely manner (at least 2 days prir t the users first day f wrk in the department) shuld be prcessed by the users first day at wrk. F. New Implementatin There may be instances where systems access will be required fr a large grup f peple needing the same access rights. (Example: Self-service EPAF rllut t all business units r the implementatin f a new Xtender applicatin in a particular business unit). In these situatins, preparing a user access frm fr each user request may be cunter prductive. The BPO r ASO shuld cmplete an Access Frm t dcument the access t be prvided and include the prper apprval. User infrmatin may nt be filled ut directly n the frm due t multiple users included in the request. Hwever, the BPO will need t clearly nte n the frm that this is a mass access request and include/attach the fllwing dcumentatin: Brief explanatin f the nature f the access request Any additinal dcumentatin regarding the access rights t be granted A reprt r listing f all users, cntaining the user infrmatin that wuld generally be nted n the Access Frm (i.e., name, SLU NETID, Department, etc) r a listing f the rganizatinal units t be affected (discuss with ITS the best manner t cmmunicate affected users). It is imperative that the BPO r ASO cnsiders segregatin f duties fr each user in the grup request. The ASO shuld ensure a thrugh review f the request and must clearly nte in Remedy that this includes a reprt f users. This prcess is general and may nt address specific aspects f all new implementatins. Hwever, BPO and ASO shuld ensure dcumentatin f the fllwing key items: Apprpriate apprval Clear descriptin f the affected users In sme situatins, a department may hire a large grup f peple wh are starting n the same day (Example: Student wrkers at the beginning f a semester). If these users will need the same access rights, the use f new implementatin may be warranted. Submitting grup access requests shuld nly be dne in rare r extreme situatins. Desk Prcedure - Lgical Access Final Draft Page 13 f 26 Last Mdified:

14 Saint Luis University Lgical Access Prcedure G. Emergency Access Situatins may arise where immediate access rights are required. In these instances, a member f University management may find it necessary t temprarily by-pass preparatin f the Access Frm and verbally cmmunicate (r ) the need fr access t the ASO r ITS Prduct Manager (i.e., an emplyee r cnsultant is asked t start immediately and needs access rights t begin prject). T ensure the emergency is prperly dcumented, reviewed and eventually apprved, the ASO r ITS Prduct Manager wuld initiate the Remedy ticket and select Emergency. The preparer f the ticket wuld include an apprpriate task t ensure an apprved Access Frm is btained and included in Remedy. Nte: The absence f the primary ASO des nt autmatically warrant the use f the Emergency Access prcess. The BPO shuld refer t the designated ASO Backup (See Appendix 1). IX. CHANGES TO USER ACCESS Peridically, changes t user access becme necessary. Changes t user access may be determined by the BPO r ITS Management during the nrmal curse f business (i.e., determine that a user needs additinal access rights t perfrm his/her jb functins) r as part f peridic security access reviews. (See Mnitring Sectin belw). Changes t user access will fall int ne f the fllwing categries: Change f duties Nrmal access changes resulting frm a change in a user s duties. User changes psitin within department r transfers t anther department requiring change in access rights. System Class/Grup Change Changes t a class r grup nt individual. These Change scenaris are further discussed belw. A. Change f Duties User Remains in the Same Academic Unit/Department (Example: A user in Business & Finance changes psitin frm Accunting Clerk t Accunting Manager): Overall, the changes t user access will fllw the same prcess as that fr the initial granting f user access, including the cmpletin and submissin f an Access Frm. The BPO shuld determine the specific functins and respnsibilities fr which the individual needs access and whether the specific functins and respnsibilities that the user will have access t after the change will be apprpriate. The BPO must perfrm a segregatin f duties review. The BPO shuld identify n the Access Frm the access rights t be granted and/r remved. The Access Frm will be submitted, prcessed in Remedy and dcumentatin retained in the same manner as that fr Restricted Applicatin Access. User Transfers t anther Academic Unit/Department (Example: A user in Business & Finance changes psitin and mves t Human Resurces): The BPO f the frmer department shuld submit an Access Frm t its ASO in advance f the transfer. This will allw the ASO f the frmer department t crdinate effrts with the ASO and/r BPO f the new department. Since the user is nt leaving the University, the ASO shuld Desk Prcedure - Lgical Access Final Draft Page 14 f 26 Last Mdified:

15 Saint Luis University Lgical Access Prcedure ensure that the request is NOT submitted as a terminatin r resignatin as this wuld indicate the remval f all access t the University systems. The gal is t remve access rights related t the frmer department and establish access rights fr the new department, in a seamless manner t prevent gaps in access capabilities and reduce lss f prductivity. The ASOs f the frmer and new department shuld discuss the fllwing: Psitin change dates (last day in frmer department and first day in new department) Ensure that the BPO f the new department initiates the access request prcess in a timely manner fr any new access rights required. Identify cmmn access rights between the frmer and new psitin, whereby the access rights d nt have t be remved. (Utilize the access prfile n the WebFOCUS Dashbard Lgical Access Super Reprt, t evaluate current access rights). B. System Class/Grup Change A System Class/Grup Change is similar t a New Implementatin as discussed in the Restricted Applicatin Access New Implementatin sectin abve, in that it affects a large grup f peple needing the same access rights. In this situatin, new frms are added t already existing classes. Unlike ther access requests that are initiated by the BPO, this prcess is initiated by the ASO. The ASO shuld cmplete an Access Frm t dcument the access class/grup change t be perfrmed and include the prper apprval. The general user infrmatin sectin will nt apply. The ASO will need t clearly nte n the frm that this is a system/grup access request and include r attach the fllwing dcumentatin: Brief explanatin f the nature f the class/grup change Any additinal dcumentatin regarding the access rights t be granted A reprt r listing f all users, cntaining the user infrmatin that wuld generally be nted n the Access Frm (i.e., name, SLU NETID, Department, etc) r a listing f the rganizatinal units t affected (discuss with ITS the best manner t cmmunicate affected users). X. ACCESS TERMINATION PROCEDURES When a relatinship is discntinued between a persn and the University, the ITS department must revke that user s access t services and it may be necessary t reallcate ITS resurces used by that persn. Exactly hw that deletin and reallcatin ccur, hwever, depends n the circumstances under which the persn is leaving. When deleting user accunts, bth the BPO, ASOs and ITS shuld remember that user terminatins: Shuld nt be categrized as a standard change. Requires determinatin f why smene is leaving. That answer will help determine bth the categry and pririty f the change. Requires a risk assessment t identify any threat t the rganizatin. (This may be frmal r infrmal). Requires an evaluatin f the user s rle and respnsibilities, and a plan fr transitining thse t ther users identified, if such a transfer is required. Shuld nt be dne until all dependencies n the accunt have been remved. Accunts shuld be disabled when the user leaves, and deleted later. Desk Prcedure - Lgical Access Final Draft Page 15 f 26 Last Mdified:

16 Saint Luis University Lgical Access Prcedure Requires that access t all accunts a departing user might have such as Active Directry, line f business applicatins, and ther directry services must be disabled and eventually deleted. Changes t user access will fall int ne f the fllwing categries: Resignatin/Terminatin Defined as fllws: Resignatin - A vluntary separatin by the user, such as a retirement, r taking anther jb utside the University. The BPO will prbably want t maintain user access and privileges until the persn s departure. T be prcessed under nrmal circumstances. Terminatin A nn-vluntary separatin by a user, such as a firing, frced resignatin, layff, r wrk prject ends. While time is f the essence fr access remval, the circumstances warrant that the BPO still submit an Access Frm thrugh the standard prcess. Emergency Terminatin Similar t a Terminatin, but with a requirement f immediate access remval. The primary difference being the circumstances surrunding the terminatin r the nature f the user access rights, warrant the need t immediately cmmunicate (verbally r ) the access remval directly t ITS, rather than initiating an Access Frm. Lck Accunt An emergency suspensin f access rights, until apprpriate authrizatin f access rights is cnfirmed These Access Remval scenaris are further discussed belw. A. User Resignatins/Terminatin ITS and Human Resurces Ntificatin Unless circumstances prevent advance ntice r justify deferred ntice, the BPO shuld initiate the access remval prcess at least tw days prir t the user last day. This includes cntractr, temprary persnnel and nn-university emplyee access terminatin. Initiatin begins with the submittal f the Access Frm. The BPO shuld als give advance ntificatin t Human Resurces that the user is leaving the University. This will ensure that users, whse access rights have nt been remved, are recrded t the Terminatin Reprt, as discussed belw in Mnitring Terminatin Reprts. The BPO will prepare an Access Frm and send t the ASO requesting remval. The BPO shuld clearly nte the reasn fr the access remval (i.e., terminatin, resignatin). The BPO shuld clearly nte the date that access is t be remved (i.e., specific date r immediately). The ASO shuld ensure that this date is input int the tasks within the Remedy ticket. Als, if necessary, the BPO shuld indicate any temprary restrictins t be placed n the user s access rights until final remval. Remval Of Access and Accunt Verificatin The ASO will initiate a Remedy Change Request Ticket t input the request. Within Remedy, tasks will be created t distribute the request t the apprpriate ITS Grups and t establish ther tasks necessary fr granting and dcumenting access. The apprved Access Frm and any ther Desk Prcedure - Lgical Access Final Draft Page 16 f 26 Last Mdified:

17 Saint Luis University Lgical Access Prcedure applicable dcuments will be included in the Remedy Ticket. The submissin f the Remedy Ticket will serve as dcumentatin f the ASO s review. The ITS Prduct Manager(s) (within each ITS Grup) will review the request and ensure cmpleteness. The ITS Prduct Managers will disable the user accunt immediately upn receipt f the request and place int a null accunt status. The ITS Prduct Manager shuld clse the apprpriate tasks within the Remedy Ticket. The user accunt shuld be fully deleted within 30 days. By placing the accunt in null status, ITS Prduct Managers, ASOs and BPOs have the pprtunity t cmplete an evaluatin f the user s rles and respnsibilities, determine whether accunt respnsibilities need t be reassigned t anther user, and evaluate the dispsitin f the user s files. The ASO shuld review the Remedy Ticket t verify that all tasks have been cmpleted. The ASO shuld generate a user access prfile frm the WebFOCUS Dashbard t verify that the access has been disabled in accrdance with the request. The user access prfile shuld be attached t the Remedy Ticket. The ASO will ntify the BPO that the access remval request has been cmpleted. The ASO may chse t prvide the BPO with a cpy f the user access prfile t cnfirm the access remval. Cnfirmatin received frm the BPO shuld be attached t the Remedy Ticket. The ASO will perfrm final clseut f the Remedy Ticket. The BPO, ASO and ITS Prduct Manager shuld discuss the dispsitin f any residual data such as netwrk files and data stred n the users lcal PC, zip disks, etc. The data, as necessary, shuld be archived either t tape r t an alternative lcatin as directed by the BPO r as recmmended by ITS. Any archived data shuld be retained fr a length f time in accrdance with University plicy. (Dispsitin f data files invlving ITS may require a task be established in the Remedy Change Request Ticket). Nte: The ASO and key ITS Management shuld als perfrm a weekly review f Terminatin Reprts t ensure that all users whse access shuld be terminated are identified. See Mnitring Terminatin Reprts, belw. Remving Access t Multiple Academic Units Data The BPO shuld cmplete the apprpriate sectins n the Access Frm fr each Academic Units data t be remved. A cpy f the Access Cntrls Frm shuld be submitted t the respective ASOs. Each ASO will prcess the request thrugh Remedy in the same manner as ther access remval requests. Example 1: A user emplyed in Human Resurces needs t have access remved frm Human Resurces and Business & Finance. The BPO in Human Resurces will cmplete the apprpriate sectins n the Access Frm fr Human Resurces and Business & Finance. A cpy f the Frm wuld be submitted t the ASOs fr Human Resurce and Business & Finance. Example 2: A user emplyed in Missin & Ministry needs access remved frm Human Resurces, Business & Finance and Students. The BPO in Missin & Ministry will cmplete the apprpriate sectins n the Access Frm fr Human Resurces, Business & Finance and Students. A cpy f the Frm wuld be submitted t the ASOs in Human Resurce, Business & Finance, and Students. Desk Prcedure - Lgical Access Final Draft Page 17 f 26 Last Mdified:

18 Saint Luis University Lgical Access Prcedure Remving ITS Access The user s direct supervisr (IT Prduct Manager r IT Administratr) serves as the requestr and is respnsible fr preparing and submitting an ITS Access Security Request Frm fr access remval. The direct supervisr (requestr) rutes the Frm t the apprpriate sectin IT Administratr fr review and apprvals. After the apprpriate IT Administratr apprvals, the user s IT Administratr will apprve the Frm and initiate the Remedy ticket, attach the Frm, and rute tasks t the respective ITS Administratr r ITS Prduct Managers, wh will cmplete the tasks t remve the user access and prvide a reply in the Remedy ticket t the requestr. B. Emergency Terminatins Emergency Terminatins are situatins that require immediate remval f user access rights, in the judgment f the BPO r ther high ranking University fficial. In these instances, circumstances surrunding the terminatin and/r the nature f the user access rights makes it necessary t temprarily by-pass preparatin f the Access Frm and/r the ASO, and verbally cmmunicate (r ) the need fr access remval t the ITS Prduct Manager. The BPO/ASO shuld cnsider the circumstances surrunding the terminatin r the nature f the user access rights, when making this decisin. Example 1: A temprary prject is ending, a pending layff, r semester ends fr a student wrk, where the last day f wrk is several days r mre int the future. The user has access t systems and access rights (i.e., read-nly) that d nt pse a high risk t the University, d nt warrant immediate remval f access rights and the BPO expects the user t cntinue with nrmal wrk respnsibilities until their last day f wrk. This shuld be prcessed in the same manner as a Resignatin/Terminatin, as nted in the previus sectin. Example 2: A user is being terminated under negative circumstances and/r the user has access rights that may allw them t cmprmise University data r inapprpriately distribute data. The BPO may determine it is necessary t request immediate remval f access, which wuld be prcessed as an Emergency Terminatin. The ITS Prduct Manager will lck the accunt and prepare a Remedy ticket, with tasks t ensure subsequent cnfirmatin f the access remval request. As a fllw up t ensure cnfirmatin f the access remval request and satisfy dcumentatin f remval, tasks shuld be directed t the apprpriate ASO t btain an Access Frm frm the BPO. The Access Frm shuld nte that the remval f the user s access was requested under immediate circumstances and prvide a brief descriptin as t thse circumstances. The Access Frm shuld be submitted t the ASO. The ASO shuld ensure/cnfirm that all applicable access rights have been remved and include the Access Frm and any ther fllw up crrespndence within the Remedy Ticket. Nte: The absence f the primary ASO des nt autmatically warrant the use f the Emergency Terminatin prcess. The BPO shuld refer t the designated ASO Backup (See Appendix 1). Desk Prcedure - Lgical Access Final Draft Page 18 f 26 Last Mdified:

19 Saint Luis University Lgical Access Prcedure C. Lck Accunts There may be instances where a BPO, ASO r ITS Prduct Manager determines that a user access rights needs t be temprarily lcked until authrizatin f user access rights can be cnfirmed. This will typically ccur as a result f the review f Service Access Reprts, Terminatin Reprts r Psitin Change reprts (discussed in the Mnitring Sectin belw). This culd als ccur when a user is separating frm the University and the BPO must determine the apprpriate dispsitin f the users accunt. XI. DOCUMENT RETENTION Apprved Access Frms and ther dcuments used t supprt authrizatin (r denial) t access University Infrmatin Systems r t supprt remval f user access, shuld be retained r embedded within the crrespnding Remedy ticket. If circumstances warrant (i.e., Remedy is unavailable), the supprting dcumentatin may be stred in electrnic flders r in secured file cabinets (in the case f hardcpy). If dcuments are retained in r hardcpy, the dcuments shuld be rganized by user name r by ther means which wuld allw easy lcatin f the supprting dcumentatin fr any particular user. Dcuments shuld be retained fr a length f time in accrdance with the University s Data Retentin plicy. XII. MONITORING The BPO, ASO and ITS must mnitr users fr the fllwing types f events within the rganizatins fr which they are respnsible and determine if individual user access needs t be mdified r remved: Terminatin f emplyment Change in emplyee duties due t: rerganizatin f wrk within department persnnel changes within department Change in rganizatin hierarchy and/r creatin f new rganizatin Establishment f new prjects. Accunt Inactivity The fllwing sectins prvide detailed prcedures fr the Mnitring Reviews (See Appendix 7 fr a Summary f Mnitring Reviews): A. Service Access and Accunt Inactivity Reprts Review On at least a bi-annual basis, University ITS will initiate a review f user accunts and crrespnding access rights. Reprts will be prvided r made available t ASOs, BPOs (as identified), ITS Prduct Managers and/r ITS Business Manager (cllectively t be referred t as Reviewers ). The fllwing reprts will be utilized: Service Access Reprt Cmprehensive listing f users access rights by rganizatin units. (See Appendix 4 fr sample reprt) The reprts shuld list all students, emplyees (faculty/staff), guests, and cntractrs wh have access, including pwer users, develpers and administrative users, t Banner (INB and Self Service) and its assciated integrated systems (WebFOCUS, Xtender, Axim, Wrkflw), and underlying databases. Accunt Inactivity Reprt Lists accunts with n lg-in activity fr at least the last 90 days. Desk Prcedure - Lgical Access Final Draft Page 19 f 26 Last Mdified:

20 Saint Luis University Lgical Access Prcedure The review prcess will be perfrmed as fllws: 1. The reprts are prduced and made available t each Organizatinal Unit (OU) via WebFOCUS Reprt Caster. An message will be issued t each OU BPO f recrd infrming them that the reprts are ready fr review, prviding instructins n hw t access the reprts, and a summary f the review prcess. a. Fr ITS, the ITS Business Manager and/r designated ITS Administratrs and Prduct Managers, fulfill the rle f the BPO. There shuld be separate reprts and reviews fr ITS staff user access rights and DBA users. 2. The BPO reviews the reprt fr their respective OU and takes actin as necessary. (Nte: The ASOs and ITS Business Manager may access the Service Access Reprt at any time, n the WebFOCUS Dashbard, t review access rights.) a. The identified BPO fr distributin f the reprt may be at an Executive Level. The Executive may delegate the review and disseminate the reprt t its management staff as deemed necessary. 3. If it is determined that a user has access rights that shuld be changed/remved (i.e., inapprpriate rights, segregatin f duties issue, terminated emplyee), the BPO r ITS Management shuld submit the request fr changes n an Access Frm in accrdance t the Changes t User Access r Access Terminatin Prcedures, as discussed within this desk prcedure. The Access Frms shuld be retained in accrdance with Dcument Retentin prcedures, as discussed within this desk prcedure. 4. The BPO sends an reply t the QA Administratr with a Mnitring Review Frm attached t nte that the review has been perfrmed. In the Mnitring Review Frm, the BPO will nte a brief descriptin f actin taken. Example message frm the BPO f General Cunsel (E15): a. Cmpleted review f reprt dated 4/30/08 fr OUs S52, S53, S54, S56, S57. Actin taken fr user Jhn De, SLU NETID # remved access. 5. The QA Administratr will maintain a lg nting each review cmpleted and ensure all reviews are cmpleted. The QA Administratr will fllw up with the BPO that have nt submitted a Mnitring Review Frm. 6. The QA Administratr stres the lg alng with the cnfirmatins in a secured electrnic flder. Crrespnding reprts shuld als be maintained. 7. If an ASO wants t verify that their areas have been reviewed, they can cntact the QA Administratr r request that BPOs cpy them n the s. The Service Access Reprts and Accunt Inactivity Reprts review (including submissin f Access Frms and Mnitring Review Frms) shuld be cmpleted and by the end f the fllwing mnth. (Example: Fr the perid ending April 30 th, the review shuld be cmpleted by the last wrking day in May). B. Psitin Change Reprts On at least a weekly basis, ITS will make available r prvide a Psitin Change Reprt t all ASOs and the ITS Business Manager. (See Appendix 6 fr sample reprt). The Psitin Change Reprt lists emplyees (faculty/staff) wh have changed psitins within the University (ver the last 28 days). The ASOs and ITS Business Manager shuld review the reprts t determine whether any changes are necessary t user access rights. The ASOs and ITS Business Manager shuld identify BPOs in a psitin t assist in the review prcess and crdinate the disseminatin f the reprts t thse BPOs fr review, as necessary, r inquire with the BPO regarding needed changes. If a change t ne r mre user s access is required as a result f the review, the BPO and ITS Business Manager shuld submit the request fr changes n an Access Frm in accrdance t Desk Prcedure - Lgical Access Final Draft Page 20 f 26 Last Mdified:

21 Saint Luis University Lgical Access Prcedure the Changes t User Access prcedures, as discussed within this desk prcedure. The Access Frms shuld be retained in accrdance with Dcument Retentin prcedures, as discussed within this desk prcedure. The ASO and ITS Business Manager must dcument that the Psitin Change Reprt has been reviewed as required. (See examples f the dcumentatin f review in the sectin Dcumentatin f Mnitring belw). The ASO and ITS Business Manager shuld frward a Mnitring Review Frm f the review t the QA Administratr fr maintaining. In the verificatin frm, the BPO will nte a brief descriptin f actin taken. The Psitin Change Reprts shuld be retained fr a length f time in accrdance with University plicies. The review (including submissin f Security Request Frms and Mnitring Review Frms) shuld be cmpleted by the end f the week. (Example: If the Reprt is available n Mnday mrning, the review shuld be cmpleted by Friday f that week). C. Terminatin Reprts On at least a weekly basis, ITS will make available r prvide Terminatin Reprts t all ASOs and ITS Business Manager. (See Appendix 5 fr sample reprt). The reprts shuld be frmatted r segregated in a manner that allws the ASOs and ITS Business Manager t review terminatins fr their respective academic units r areas f respnsibility. The Terminatin Reprts lists all students, emplyees (faculty/staff), guests, and cntractrs wh have separated frm the University, but whse applicatin and/r database access has NOT been remved t date. The Terminatin Reprts shuld nt serve as the first identifier f separated emplyees. As discussed in the Access Terminatin Prcedures sectin abve, if the BPO submits a request fr access remval at the time f the user s separatin, then the user shuld nt appear n the Terminatin Reprts. The Terminatin Reprts shuld nly serve as a secndary identifier f thse users wh were nt prperly identified fr prcessing thrugh the Access Terminatin Prcess r wh have future dates fr terminatin. As the Terminatin Reprts represents separated users, the ASO and ITS Business Manager may utilize the reprts as the basis t remve the user s access. The ASO and ITS Business Manager shuld perfrm the fllwing: Send a Remedy task t the Banner INB Prduct Manager t request that the accunt be temprarily lcked. Cnfirm the emplyment status f the user with the BPO and determine if access rights shuld be remved. The reply shuld be dcumented via . If n reply is received within 24 hurs, submit Remedy ticket t remve access. Based n reply, if access is t be remved, submit Remedy ticket t remve access. If access is t remain, infrm Banner INB Prduct Manager t remve the temprary lck. Fr access remval, the Terminatin Reprts and replies shuld be attached t the Remedy ticket. The Remedy ticket shuld als include a task t ntify the BPO f the access remval. (Nte: Only remve access fr thse users whse terminated dates have passed; nt thse with future terminatin dates) The ASO and ITS Business Manager must dcument that the Terminatin Reprts have been reviewed as required. (See examples f the dcumentatin f review in the sectin Dcumentatin f Mnitring belw). The ASO and ITS Business Manager shuld frward a Mnitring Review Frm f the review t the QA Administratr fr maintaining. In the verificatin frm, the BPO will nte a brief descriptin f actin taken. The Terminatin Reprts shuld be retained fr a length f time in accrdance with University plicies. Desk Prcedure - Lgical Access Final Draft Page 21 f 26 Last Mdified:

22 Saint Luis University Lgical Access Prcedure The review (including submissin f Security Request Frms and Mnitring Review Frms) shuld be cmpleted by the end f the week. (Example: If the Reprt is available n Mnday mrning, the review shuld be cmpleted by Friday f that week). E. Dcumentatin f Mnitring The Reviewers must dcument that the Service Access Reprt, Audit Inactivity Reprt, Psitin Change Reprt, and Terminatin Reprt have been reviewed as required. The Reviewers are required t submit a Mnitring Review Frm indicating that the reprts have been reviewed and include a descriptin f the actin taken regarding user access rights. The reviewers shuld maintain dcumentatin fr their recrds. Sme examples f dcumentatin f review may include, but are nt limited t, ne r a cmbinatin f the fllwing: The Mnitring Review Frm (Nte: This frm shuld be retained fr all reviews) Hardcpy reprt with Reviewers initials/signature and date directly n a hardcpy, as evidence f review. Tickmarks and ther ntatins, as necessary, may be included n the reprt nting individual items reviewed and actin taken. A lg (electrnic r hardcpy) that lists the reprts and reprt date, with an indicatin that the reprt has been reviewed by the BPO, ASO, and/r ITS Management. (Yu may cnsider embedding r linking a cpy f the reviewed reprt in yur electrnic lg). s indicating that the reprts have been reviewed and a ntatin f thse users that required sme change/remval f access rights. Regardless f the manner f review, the QA Administratr shuld ensure fr audit validatin that the dcumentatin f review and actin taken as a result f the review is clearly nted. The QA Administratr shuld ensure the reprts reviewed are retained (whether electrnically r hardcpy) fr a length f time in accrdance with University plicies. The QA Administratr will prvide a peridic lgical access cmpliance reprt t upper management. XIII. NETWORK OPERATING SYSTEM LOGGING Banner and ther key netwrk Operating Systems can be utilized t prvide built-in auditing capability and t mnitr a variety f events. The fllwing audit categries must be enabled: Lgn and Lgff Success and Failure Use f user rights Failure User and Grup Management Success and Failure Security Plicy Changes Success and Failure Restart, Shutdwn, and System Failure ITS will maintain Audit Activity Lgs capturing these events. ITS will review the Audit Activity Lgs n a weekly basis fr ptential security prblems r suspicius activity. ITS will use its judgment in determining the apprpriate level f investigatin and actin t be taken, if any. The actin shuld be taken in a timely manner t reslve the issues. (Nte: ITS will designate a persn(s)/psitin fr the review f the audit lgs. Als, ITS shuld cnsider a plicy requiring specified actin based upn the type f event, including events t be escalated t the University s Infrmatin Security Officer r Chief Infrmatin Officer). ITS Prduct Managers must dcument that the Audit Activity Lg has been reviewed as required. The Audit Activity Lgs and all dcumentatin related t the investigatin f events shuld be retained fr a length f time in accrdance with University plicies. The QA Office will be respnsible fr ensuring that required audit activity is maintained and dcumented in accrdance with these prcedures. Desk Prcedure - Lgical Access Final Draft Page 22 f 26 Last Mdified:

23 Saint Luis University Lgical Access Prcedure APPENDICES Appendix 1: ACADEMIC SECURITY OFFICERS Nte: Security Officers and Organizatinal Unit heads shuld ensure that the backups are aware f their rles and are prperly trained. Department/Unit Security Officer Back Up Advancement Will Curran Valerie Mangnall Business & Finance Lisa Zia Jenny Kukic Human Resurces Nick Hebel Derrick Weathersby Student Ellen Weis Jhn-Herbert Jaffry Student Financial Services Jhn Mejaski Tena Jnes Appendix 2: ITS PRODUCT MANAGERS Department/Unit Security Officer Back Up Axim Maggie Waters Bb Kvarik Banner INB Mary Ann Pitras Jeff Kapp Banner Self Service Rena Davenprt Jeff Kapp ODS/EDW Renee Canavan Elaine Slan Oracle Nel Humphrey Kevin Ballard WebFOCUS Renee Canavan Elaine Slan Xtender Pat Shff Tim Mser Wrkflw Maggie Waters Rena Davenprt Appendix 3: ACCESS SECURITY REQUEST FORM APPROVAL LEVELS Department/Unit Human Resurces Business & Finance Student Financial Services Advancement Student ITS Other University Departments Minimum Level Required fr Access Security Request Frm Apprval Business Manager Business Manager Assciate Directr Directr Directr IT Administratr and/r Architect Business Manager Nte: A list f specific apprver names is maintained by ITS. (Include specific address t WebFOCUS link. Determine if accessible by everyne) Desk Prcedure - Lgical Access Final Draft Page 23 f 26 Last Mdified:

24 Saint Luis University Lgical Access Prcedure Appendix 4: Sample Service Access Reprt (Nte: Actual reprt may be presented in alternate frmat) Desk Prcedure - Lgical Access Final Draft Page 24 f 26 Last Mdified:

25 Saint Luis University Lgical Access Prcedure Appendix 5: Sample Terminatin Reprt Appendix 6: Sample Psitin Change Reprt Desk Prcedure - Lgical Access Final Draft Page 25 f 26 Last Mdified:

26 Saint Luis University Lgical Access Prcedure Appendix 7: Summary f Mnitring Reviews Reprt Review Timing Respnsible Parties Service Access Twice a Year April and Octber Business Prcess Owner Security Officer Inactivity Twice a Year April and Octber Business Prcess Owner Security Officer Terminatin Weekly Security Officer Psitin Change Weekly Security Officer Desk Prcedure - Lgical Access Final Draft Page 26 f 26 Last Mdified: