Educause Security Discussion mailing list archives

Re: Business / Functional Ownership of non business / end user applications


From: Mike Wiseman <mike.wiseman () UTORONTO CA>
Date: Fri, 13 May 2011 12:01:23 -0400

At my institution, in general, authentication services are managed by central IT. User authorization to gain access to 
data is under the control of the data owner.

To be specific, under authentication services, central IT manages the low and higher assurance services, which consist 
of: enrolment, password resets, one time password device issuance and replacement, usage policy measurement and 
enforcement, and the infrastructure services such as webSSO, Kerberos, Shibboleth. Eventually, we may map the assurance 
levels to data classification levels (as was discussed by Jack Suess). Authorization datastores are managed by central 
IT for central services such as student records and ERP, but the respective data owners are the authority behind user 
provisioning workflow, e.g. read/write access to student records services for a staff member is approved by the group 
that runs student records. Departments may have their own authorization datastores which are used internally within that 
department only. You can see the separation of functions in the management of online access services.

Regards,

Mike



Mike Wiseman
Manager, Information Security
Information + Technology Services
University of Toronto





Hi all,

I would like to get a sense of what the norm is out there for ownership of applications that are not directly connected to 
the end users. For example, from a best practice perspective, the Payroll application would be owned by the department 
head for payroll. This owner would be accountable for ensuring their data is secure by communicating required policies 
to IT so they can set up security configurations etc. However, my challenge is around applications such as single sign 
on apps that are pervasive in nature and campus wide - whilst they may have an IT custodian, there may not be a 
'functional / business' owner assigned to ensure password policies etc. are set in line with what senior management 
requires.

Any thoughts?

Cheers,

Jenny

Jennifer Radford, Senior IT Audit Manager
Internal Audit, UBC
6000 Iona Drive, Vancouver, BC Canada V6T 1L4
Phone:  604-822-6512
Fax:  604-822-9027
E-mail:  Jradford () intaudit ubc ca
Web:  www.intaudit.ubc.ca