Educause Security Discussion mailing list archives

Re: Looking for consensus


From: "David L. Rotman" <rotmand () CEDARVILLE EDU>
Date: Thu, 3 Aug 2006 11:46:10 -0400

Our approach (prompted by an audit recommendation a couple
of years ago) is to send a monthly report to managers.  The
report shows which transactions are within their area of
responsibility and (for each transaction) lists all of the users who
have access.

We use this granularity because knowing who has access to
the system is not sufficient.  For example, if a staff member moves
from the financial aid office to the payroll office...the staff member
still has access to the same ERP system but their list of allowable
transactions should change.

We hope that pushing the report out will prompt managers
to look at the data.  We do get requests to change access as
a result of this kind of review.  I'm sure there are some managers
who don't give the report high attention each month, but most
managers understand the importance of helping enforce security.




Dave Rotman
Director of Computer Services
Cedarville University
251 N. Main Street
Cedarville, OH 45314
rotmand () cedarville edu
voice 937-766-7905
fax 937-766-8819

"Chad McDonald, CISSP" <chad.mcdonald () GCSU EDU> 8/3/2006 9:14 am

I have been asked to provide realtime information pertaining to who
has access to various systems across campus.  We require the data
owner to sign off on who has access to the systems, so I was
considering publishing on the web a list of names (NOT usernames)
correlating to the systems to which they have access.  I don't see a
need to publish the level of access or any other data than system
name and user's name.  I am torn between providing the easy access to
the data owners and the benefits that access provides and the risk of
making it known who has access to which system.  Any thoughts that you
may have will be appreciated.

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Office  478.445.4473
Cell    478.454.8250
