The World of Access Controls
Kevin Savoy, MBA, CPA, CISA, CISSP
Director of Information Technology Audits

Risk
• Business Risk: “The potential that a given threat will exploit vulnerabilities of an asset to cause a loss or damage to an asset.”

Controls
• Controls: “The policies, practices and organizational structure designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.”
Layers Where IT Controls Exist
• Application (this is where YOU come in)
• Database (Oracle admin level)
• Operating System (Unix, Windows)
• Network (routers, firewalls, switches)

Application Controls
• Program Integrity (change control)
• Edit Checks
• Data Reconciliations
• ACCESS CONTROLS
Most Intrusions
• Statistics continue to show that most unauthorized access to data comes from within an organization.
• You would not know this fact from the press that hackers receive.
• Therefore your responsibility over ACCESS CONTROLS within applications (Finance, Student System, HR and other supporting systems) is critical.

Access Controls
• Consist of two parts:
  • Authentication (is a user who they say they are?)
  • Authorization (what can they do once they “are in”?)
Authorization
• YOU are the gatekeeper to UVA data.
• Should be based on the “least amount of access needed to perform a job function”.
• Should not allow a user to have conflicting access. For instance, a user should not be allowed to both record and approve payments without oversight.
• The person granting access should be knowledgeable of the individual’s need for data access (this can be personal knowledge at the lowest levels and trust of supervisors at the higher levels of approval).

Authorization
• Users should not be able to build up access as they move to different departments; thus all access should be terminated and reapplied for.
• User access should be reviewed periodically to determine if it is still needed. A standard approach should be taken AND documented.
• Access should be removed immediately upon termination or change of position, except for moves within the same department.
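The three authorization rules above (no conflicting access, no access carried across departments, periodic review) can be checked mechanically. The following is an added example, not part of the presentation or any UVA system; the role names, departments, users, dates and the one-year review window are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample data (not from the presentation): role assignments in a
# hypothetical finance application, plus each user's current department.
@dataclass(frozen=True)
class Assignment:
    user: str
    department: str   # department the access was granted for
    role: str
    last_reviewed: date

# Conflicting role pairs (segregation of duties); recording and approving
# payments is the example the slides give.
CONFLICTING_ROLES = [frozenset({"record_payments", "approve_payments"})]
REVIEW_WINDOW_DAYS = 365          # assumed periodic review interval
REVIEW_DATE = date(2024, 6, 1)    # constructed "today" for this review run

SAMPLE = [
    Assignment("alice", "finance", "record_payments", date(2024, 2, 1)),
    Assignment("alice", "finance", "approve_payments", date(2024, 2, 1)),
    Assignment("bob", "hr", "hr_records_edit", date(2024, 1, 15)),
    Assignment("carol", "finance", "view_reports", date(2022, 6, 1)),
]
CURRENT_DEPT = {"alice": "finance", "bob": "student_system", "carol": "finance"}

def sod_conflicts(assignments):
    """Users holding both halves of a conflicting role pair."""
    roles = {}
    for a in assignments:
        roles.setdefault(a.user, set()).add(a.role)
    return sorted(u for u, r in roles.items()
                  if any(pair <= r for pair in CONFLICTING_ROLES))

def carried_over_access(assignments, current_dept):
    """Users keeping access granted for a department they have since left."""
    return sorted({a.user for a in assignments
                   if a.department != current_dept.get(a.user)})

def stale_access(assignments, today=REVIEW_DATE, window=REVIEW_WINDOW_DAYS):
    """Users whose access was not re-certified within the review window."""
    cutoff = today - timedelta(days=window)
    return sorted({a.user for a in assignments if a.last_reviewed < cutoff})

def run_review(assignments=SAMPLE, current_dept=CURRENT_DEPT):
    """One repeatable, documentable review pass over all three checks."""
    return {"sod_conflicts": sod_conflicts(assignments),
            "carried_over": carried_over_access(assignments, current_dept),
            "stale": stale_access(assignments)}
```

Each list returned by `run_review()` is a finding an auditor would expect the access owner to act on: split the conflicting roles, terminate and re-request the transferred user's access, and re-certify or remove the unreviewed grant.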
ESHARP…
• Audit was involved and believes automating access requests should make your job easier and more secure.
• Audit will continue to spot check Access Control procedures, validity of access granted, and approvals during regular audits.

Questions???
• Kevin Savoy - savoy@virginia.edu