Educause Security Discussion mailing list archives
Re: Looking for consensus
From: "David L. Rotman" <rotmand () CEDARVILLE EDU>
Date: Thu, 3 Aug 2006 11:46:10 -0400
Our approach (prompted by an audit recommendation a couple of years ago) is to send a monthly report to managers. The report shows which transactions are within their area of responsibility and (for each transaction) lists all of the users who have access. We use this granularity because knowing who has access to the system is not sufficient. For example, if a staff member moves from the financial aid office to the payroll office... the staff member still has access to the same ERP system but their list of allowable transactions should change.

We hope that pushing the report out will prompt managers to look at the data. We do get requests to change access as a result of this kind of review. I'm sure there are some managers who don't give the report high attention each month, but most managers understand the importance of helping enforce security.

Dave Rotman
Director of Computer Services
Cedarville University
251 N. Main Street
Cedarville, OH 45314
rotmand () cedarville edu
voice 937-766-7905
fax 937-766-8819

"Chad McDonald, CISSP" <chad.mcdonald () GCSU EDU> 8/3/2006 9:14 am
I have been asked to provide realtime information pertaining to who has access to various systems across campus. We require the data owner to sign off on who has access to the systems, so I was considering publishing on the web a list of names (NOT usernames) correlating to the systems to which they have access. I don't see a need to publish the level of access or any other data than system name and user's name.

I am torn between providing the easy access to the data owners and the benefits that access provides and the risk of making it known who has access to which system. Any thoughts that you may have will be appreciated.

Thanks,
Chad McDonald, CISSP
Chief Information Security Officer
Georgia College & State University
Office 478.445.4473
Cell 478.454.8250