Educause Security Discussion mailing list archives

Re: Business / Functional Ownership of non business / end user applications

From: "Jones, Dan" <Dan.Jones () UMASSMED EDU>
Date: Thu, 12 May 2011 18:58:39 -0400

If single sign-on is centrally managed, then any request to provision access should be granted only after obtaining
permission from the data owner --eg payroll or any other resource. The process should be auditable, and accomodate
periodic user access reviews. If multiple departments need to be in the business of provisioning access, they should
all follow the same procedure.

This is inline with ISO 27k and other standards. Hope this is useful.

Dan Jones
ISO
UMass Medical School

"Radford, Jennifer" <jradford () INTAUDIT UBC CA> wrote:

Hi all,

I would let to get a sense of what the norm is out there for ownership of applications that are not directly connect to
the end users. For example, from a best practice perspective, the Payroll application would be owned by the department
head for payroll. This owner would be accountable for ensuring their data is secure by communicating required policies
to IT so they can set up security configurations etc. However, my challenge is around applications such as single sign
on apps that are pervasive in nature and campus wide – whilst they may have an IT custodian, there may not be a
‘functional / business’ owner assigned to ensure password policies etc as set in line with what senior management
requires.

Any thoughts?

Cheers,

Jenny

Jennifer Radford, Senior IT Audit Manager
Internal Audit, UBC
6000 Iona Drive, Vancouver, BC Canada V6T 1L4
Phone: 604-822-6512
Fax: 604-822-9027
E-mail: Jradford () intaudit ubc ca<mailto:Jradford () intaudit ubc ca>
Web: www.intaudit.ubc.ca<http://www.intaudit.ubc.ca>
The information contained in this e-mail message is strictly confidential and intended solely for the use of the
designated addressee(s). Any unauthorized viewing, disclosure, copying or distribution of this e-mail is prohibited and
may be unlawful. If you have received this e-mail in error, please do not read it, reply to the sender immediately to
inform us that you are not the intended recipient, and delete the e-mail from your computer system. Thank you.

Current thread:

Business / Functional Ownership of non business / end user applications Radford, Jennifer (May 12)
- Re: Business / Functional Ownership of non business / end user applications Dr. Wole Akpose (May 12)
  - Re: Business / Functional Ownership of non business / end user applications Valdis Kletnieks (May 12)
    - Re: Business / Functional Ownership of non business / end user applications Brendan Bellina (May 13)
- Re: Business / Functional Ownership of non business / end user applications Jack Suess (May 12)
- Re: Business / Functional Ownership of non business / end user applications Mike Wiseman (May 13)
- <Possible follow-ups>
- Re: Business / Functional Ownership of non business / end user applications Jones, Dan (May 12)