
OBIEE Security
Authors: Amy Goll
Last Updated: 6/12/2012

Table of Contents

Miami University's Confidential Information Policy
Security within OBIEE
  OBIEE Security Roles
  Miami Security Roles
Responsibilities of Roles Regarding Security Application
Responsibilities of Roles Regarding Information
Scenario
Security Procedures How Do I In Progress
  Add a new Author
  Add a new Publisher
  Add a new Active Directory Group
  Add a user to an Active Directory Group

Miami University Page 2

Revision History

Name        Date      Changes Made     Version
Amy Goll    3/5/12    initial draft    1.0.0

Miami University's Confidential Information Policy

Excerpt from MUPIM 2011-2012

Miami University collects, stores, and distributes large amounts of information essential to the performance of University business. This information represents a valuable University asset. Although a large portion of University information is public, a portion of our information is protected by state and federal laws. To comply with these laws and protect the University community, the University has the right and obligation to protect, manage, secure, and control information (whether in hard copy or stored as electronic data) in its possession.

Information protected by federal or state law may not be shared with unauthorized persons. These laws include the Federal Privacy Act which protects social security numbers, the Family Educational Rights and Privacy Act (FERPA) which protects personally identifiable student records, the Gramm-Leach-Bliley Act (GLBA) which protects consumer financial information, and the Health Insurance Portability and Accountability Act (HIPAA) which protects personal health information.

All employees, faculty and staff, bear responsibility for protecting confidential information from unauthorized disclosure. This is true whether this information is stored on paper, a network computer, on a laptop, on a personal digital assistant (PDA) or other device. Information that is protected by law may only be disclosed to authorized persons.

Examples of confidential information include:
- social security numbers
- disability status
- health and medical information
- student advising records
- student grades
- student disciplinary records
- consumer financial information
- Banner student identification numbers
- trade secrets
- credit and debit card numbers

Social security numbers are primarily used for student financial assistance and employment tax-related matters. If unique identification of an individual is required, an identifier other than a social security number should be used. The recommended identifier is the Banner Plus number. An appropriate security plan and the written consent of the Information Security Officer are required before any University office is permitted to collect and/or maintain social security numbers.

Each faculty and staff member must assume responsibility for protecting confidential information from unauthorized exposure. This means you must:
A. understand and follow Miami's Responsible Use of Computing Resources policy;
B. consult the Information Security Office if you are uncertain whether certain information is confidential;
C. consult the Information Security Office if you are uncertain how to safeguard confidential information;
D. understand and follow the Miami University Computing Security Policy;
E. protect your computer password and change it according to standards published by the Information Security Office in the IT Services Knowledge Base at http://ithelp.muohio.edu;
F. NOT provide access to confidential information to any other person unless authorized to do so.

Ohio law requires the University to take certain actions in the event of unauthorized disclosure of confidential information. You must report any suspected disclosure of confidential information to unauthorized persons to the Information Security Office (Call 529-7900 immediately and report that you suspect that confidential information has been disclosed). In addition to reporting the theft of any laptop, personal digital assistant or other device that contains confidential information to the appropriate law enforcement authorities, you must immediately report the loss/theft of any laptop, personal digital assistant or other device that contains confidential information to the Information Security Office.

Security within OBIEE

Oracle Business Intelligence Enterprise Edition (OBIEE) software offers various types of security. These types include object and data level security. An object within OBIEE can be a dashboard, a report, a folder, or even a specific column of data. This type of security can allow Miami to include sensitive data in the data warehouse and allow users access to this information only if they have a specific need. Data level security offers Miami the ability to allow users to see specific data they need to see and prevent them from seeing data outside of their specified area.

OBIEE Security Roles

OBIEE is delivered with 3 basic roles.
- BIConsumer. The Consumer can only view and run existing dashboards, analyses and reports provided to them. These objects will be published in a shared area with proper security rights. Consumers typically are the broadest user base across the institution.
- BIAuthor. The Author can create and edit dashboards, analyses and reports. Authors will include a narrower user base than Consumers, including areas outside of the IT department.
- BIAdministrator. The Administrator can edit and create new repositories and catalogs. They also have full control over all aspects of the OBIEE tool suite. This role is granted to only a few users within IT.

Miami Security Roles

Miami specific adaptation of Security
- BIConsumer. The Consumer can only view and run existing dashboards, analyses and reports provided to them. These objects will be published in a shared area with proper security rights. Consumers will be the broadest user base across the university.
- BIAuthor. Authors will be able to create analyses and reports using any data subject areas available in the OBIEE system with the exception of information protected by law. Authors will only have the capability to save reports in their own folder area and will not be permitted to publish items to the shared areas for other users to use. Authors will be a narrower user base.
- BIPublisher. Miami will be creating this new role as another base role within OBIEE. The BIPublisher will have the same permissions as the BIAuthor with the added ability to publish into a shared space those dashboards, analyses and reports created by Authors. There will be a smaller number of Publishers than Authors. Not all Authors will be a Publisher but all Publishers will also be an Author.
- BIAdministrator. The number of Administrators for Miami will be limited to the database administrators. The administrator will be responsible for making code changes during the promotion process from development to test to production.

Miami currently uses Active Directory and many of the groups in the Active Directory are automatically assigned or removed from users through a nightly process. There are other Active Directory groups that are specifically managed by certain users around the university. OBIEE is able to leverage all Active Directory groups, both automatically managed and user managed. Although initial setup will be the largest time consumer, being able to leverage the existing Active Directory (AD) framework will reduce the ongoing amount of time needed to oversee security within the OBIEE tool. In order to aid with future maintenance, roles will be named the same as the AD group. This maintenance strategy will identify AD changes which will impact OBIEE.
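The two structural rules stated above (each role is named the same as its AD group, and all Publishers are also Authors) can be checked mechanically during a security review. The following Python code is an added example, not part of Miami's document or of OBIEE. The group names, the "<Area> BI Author" / "<Area> BI Publisher" naming pattern, the two input dictionaries, and the reading of the Publisher rule as AD group membership are all assumptions.

```python
"""Role/AD-group consistency check (added example; all names are constructed)."""


def audit_roles(ad_groups, app_roles):
    """Compare AD groups with application roles.

    ad_groups: {AD group name: set of user ids}, e.g. from a directory export.
    app_roles: {application role name: name of the AD group mapped to it}.
    Returns a sorted list of (finding, subject) tuples; empty means consistent.
    """
    findings = []

    # Rule from the document: a role is named the same as its AD group.
    for role, group in app_roles.items():
        if group not in ad_groups:
            # The AD group was deleted or renamed after the role was mapped.
            findings.append(("role-mapped-to-missing-group", role))
        elif role != group:
            findings.append(("role-name-differs-from-group", role))

    # BI-style AD groups that no application role references (assumed pattern).
    mapped = set(app_roles.values())
    for group in ad_groups:
        if " BI " in group and group not in mapped:
            findings.append(("group-without-role", group))

    # "All Publishers will also be an Author", checked per area as
    # AD group membership (an assumption about how the rule is enforced).
    suffix = " BI Publisher"
    for group, members in ad_groups.items():
        if group.endswith(suffix):
            area = group[: -len(suffix)]
            authors = ad_groups.get(f"{area} BI Author", set())
            for user in sorted(members - authors):
                findings.append(("publisher-not-author", f"{area}:{user}"))

    return sorted(findings)


# Constructed sample data, not taken from any real directory.
SAMPLE_AD_GROUPS = {
    "Finance BI Author": {"joe", "bill"},
    "Finance BI Publisher": {"bill"},
    "Advancement BI Author": {"ann"},
    "Advancement BI Publisher": {"ann", "raj"},  # raj is not an Author
    "Registrar BI Author": {"kim"},              # no role mapped yet
}
SAMPLE_APP_ROLES = {
    "Finance BI Author": "Finance BI Author",
    "Finance BI Publisher": "Finance BI Publisher",
    "Advancement BI Author": "Advancement BI Author",
    "Advancement Publisher": "Advancement BI Publisher",  # name drifted
    "HR BI Author": "HR BI Author",                       # AD group is gone
}

if __name__ == "__main__":
    for finding, subject in audit_roles(SAMPLE_AD_GROUPS, SAMPLE_APP_ROLES):
        print(f"{finding}: {subject}")
```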

Responsibilities of Roles Regarding Security Application

BIConsumer
The BI Consumer will not hold any responsibility in creating or maintaining security.

BIAuthor
The BI Author will not hold any responsibility in creating or maintaining security.

BIPublisher
Within their area, the BI Publisher will be responsible for:
- Applying proper security permissions to any dashboard, analyses, or reports they publish to a shared folder.
- Assisting in the maintenance of the user maintained Active Directory groups.
- Review security structure on a semi-annual basis. This will align with the frequency of the current security review for the ERP system.

BIAdministrator/IT Department
The BI Administrator will be responsible for:
- Making code changes during the promotion process from development to test to production.
- Map new AD groups to application roles
- Create and/or amend security for the application roles

The IT Department will be responsible for:
- Applying object level security, specifically data source and column level security, within the OBIEE Repository (RPD).
- Applying the proper security permissions to any dashboard, analyses, or reports published in the university wide Institutional Analytics folder.

Responsibilities of Roles Regarding Information

BIConsumer
As an end user of information made available within the OBIEE system, the Consumer is responsible for protecting the data. This includes ensuring private information is not disseminated outside the University or to persons without a necessary need for information.

BIAuthor
Authors are granted access to all data sources made available within the OBIEE system. With shared access to various subject areas, caution must be used to protect private information. Authors in one area who wish to use data from another area are responsible for collaborating with an Author of expertise in the other area. The collaboration should include a method of verification for the joint data. As a reminder, anything an Author creates is available only to that Author.

BIPublisher
Publishers are granted access to all data sources made available within the OBIEE system. With shared access to various subject areas, caution must be used to protect private information. If an Author requests to have an item published to a shared folder, the Publisher is responsible for collaborating with the Author to verify the data in the item to be shared (Dashboard, Analyses, or Report). This collaboration must include review of the data to be published.

BIAdministrator/IT Department
The IT Department will be responsible for verifying and maintaining analyses, dashboards and reports published to the university wide Institutional Analytics folder. In this instance, the IT Department is acting as a Publisher and must follow the responsibilities of the Publisher role.

Authors, Publishers and the IT department must understand the ramifications of any protected information being made available for general use. Another way of protecting the university's information from being erroneously exposed is by limiting how detailed information is presented. The proper procedure is to include a safeguard against the potential of a user getting to detailed information that could surface the identity of specific student(s), staff or faculty member(s). Every published item must be reviewed to verify that protected or identifying information is not revealed unless the user has a need for the information.

Scenario

An Active Directory manager, Jerry, in the Finance department, adds a user, Joe, to their Finance BI Author group. Joe is now able to create analyses and reports against all data available within OBIEE. This will include any data sources added in the future. Within each of the data sources, there may be data protected by regulations. When Joe was added to the Finance BI Author group, he may not be able to see protected data columns, such as SSN, Date of Birth, etc.

Joe can only save any analyses or reports he creates in his own folder. If he has created something that should be made available to others, and there is no data used from outside his area, the BI Finance Publisher, Bill, would then have the responsibility of reviewing the analysis to verify the information is correct before promoting the analysis to a Shared Folder or Dashboard. If the analysis or report is written using some Advancement data, Joe and Bill must review the information with the Advancement BI Publisher/Authors prior to publishing the analysis in the Shared Folder/Dashboard. Joe (and/or Bill) would then also become responsible for maintaining the analysis should changes be necessary.

If Joe finds he has a need to include protected information within his analysis, then he would contact the publisher in the area of protected data ownership (i.e., student DOB = Registrar area). However, Joe would have to understand that if his analysis is published to a Shared Folder, and someone running the analysis does not have permissions to see the protected information, that person would not see the protected data in the report.

Security Procedures How Do I In Progress

Add a consumer
No action is required to add a consumer. If a user is an active faculty or staff member, they have access to the system.

Add a new Author
- A request is sent to the Active Directory manager for the employee's area.
- Active Directory manager adds the user to the proper author group.
- The new user would be trained on the use of the tools, the proper use of the information they have access to, and the procedures of getting information published.

Add a new Publisher
- A request would be sent to the Active Directory manager for the employee's area.
- Active Directory manager adds the user to the proper Publisher group.
- The new user would be trained on the use of the tools, the proper use of the information they have access to, and the procedures and responsibilities of publishing new content.

Add a new Active Directory Group

Add a user to an Active Directory Group
- Navigate to and log in to the following site: http://community.muohio.edu/phpapps/directoryaccounts/?l=home
- Begin to type the name of the AD Group in the Edit box. It will begin to give suggestions as you type.
- Select the group you need to edit.
- Scroll to the bottom of the page.
- Add or remove users from this area.
