
UCIrvine: Delegated Access Control and Periodic Access Review Workflow

Problem Statement:

As requested by PricewaterhouseCoopers in an SAS 112 audit, and for better compliance with PCI DSS, UC Irvine needs to create a much tighter process to control access to financial business transactions, formalize periodic access review by data proprietors, and formalize enforcement by Internal Audit. An enterprise workflow solution with clearly defined roles becomes critical for tracking who requested access, when and why; who approved this access; who last reviewed access and what problems were identified; and who revoked access, when, and why. Any required training, as well as background checks needed to qualify for a role, must also be automated. This effort is also required for streamlining the manual, paper-based yearly audit reports that are currently collected from multiple systems.

Business Driver:

Our financial transaction access control process is complex and involves many systems, including the General Ledger System, Payroll System, Reimbursement System, Student Financial Services, Housing, Campus Credit Card System, Purchasing, and the Employee Training/Learning Management System. A set of manual Human Resources processes for conducting credit checks and criminal background checks on an employee is required for access to credit card data, per PCI DSS compliance. In the case of PCI DSS, employees are also required to sign special security forms. Many data owners/proprietors are involved, as well as Internal Audit. Access must also integrate with the Employee Training/Learning Management System, which stores the training or certification required for a user to qualify for a business role, and the results of this training (whether the user passed or failed). For example, a high-value purchaser is required to pass a test demonstrating that they know campus purchasing policies and procedures before they can be granted purchasing business transaction access. Modern and legacy systems must be provisioned or de-provisioned as employees separate, and often another workflow is needed to reassign roles when access is revoked or the employee separates.

The campus delegates access control to trusted and trained individuals spanning the campus. Delegated access control requires multiple steps. All activity must go through a well-defined sequence and be easily audited and reported on. It must log not only who requested initial access, but also why and when; whether required training was successfully passed; who provided access to whom and when; when access was last reviewed; when access was revoked and why; and any reassignment of role. Several steps are needed in this complex workflow. The first step lets anyone on campus request access to any financial transaction. The user requesting access must also acknowledge that they have read and reviewed the relevant campus policy and procedures. A second step requires the business data owner to validate that the user's job duties require access to this transaction and to verify the request's authenticity and the absence of conflicts of interest. For example, the Controller, as the owner of financial data, must have ultimate approval of all access to financial data and confidence in the proper management of delegated access. A third step in the workflow may require training or certification before access can be granted, and must integrate with the Learning Management System. Another step may require Internal Audit to grant an exception to separation of duties, since one employee may wear multiple hats. Finally, for highly critical financial transactions, such as access to credit card data, Human Resources must be notified to conduct a credit and criminal background check for the campus to be in compliance with PCI DSS. Only parts of this entire process are currently automated; many are still paper-based. An enterprise workflow would greatly help coordinate and monitor this process.
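A minimal model of the approval sequence and audit trail described above, as an added example that is not UC Irvine's system (the state and role names are hypothetical labels for the actors named in the text): it enforces the up-front policy acknowledgement, the per-role transition order, and separation of duties, and records who did what, in which role, when and why.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class State(Enum):
    REQUESTED = "requested"
    OWNER_APPROVED = "owner_approved"
    TRAINING_PASSED = "training_passed"
    GRANTED = "granted"
    REVOKED = "revoked"

# Role allowed to perform each transition; the keys encode the required sequence.
# Role names are hypothetical labels for the actors the problem statement names.
TRANSITIONS = {
    (State.REQUESTED, State.OWNER_APPROVED): "data_owner",
    (State.OWNER_APPROVED, State.TRAINING_PASSED): "learning_mgmt",
    (State.TRAINING_PASSED, State.GRANTED): "access_admin",
    (State.GRANTED, State.REVOKED): "access_admin",
}

@dataclass
class AccessRequest:
    requester: str
    transaction: str
    justification: str
    policy_acknowledged: bool
    state: State = State.REQUESTED
    audit: list = field(default_factory=list)

    def __post_init__(self):
        # Step one: the requester acknowledges the relevant policy before anything else.
        if not self.policy_acknowledged:
            raise ValueError("policy must be acknowledged before a request is opened")
        self._log(self.requester, "requester", self.justification)

    def _log(self, actor, role, reason):
        # Each entry answers who (in which role), when, which state, and why.
        self.audit.append({"when": datetime.now(timezone.utc).isoformat(), "who": actor,
                           "role": role, "state": self.state.value, "why": reason})

    def advance(self, to, actor, role, reason):
        # Only the role bound to this transition may perform it, and only in order.
        if TRANSITIONS.get((self.state, to)) != role:
            raise PermissionError(f"{role} may not move {self.state.value} -> {to.value}")
        # Separation of duties: nobody approves, grants or revokes their own access.
        if actor == self.requester:
            raise PermissionError("requester cannot act on their own request")
        self.state = to
        self._log(actor, role, reason)
        return self.state
```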

Why is this a Workflow Problem:

The initial request for access to a system is currently paper-based. The paper is signed by both the employee and the department head, indicating that the employee needs access to a transaction to perform their job duties. The paper is then sent to a Delegated Access Administrator, who works on behalf of one or more departments, to grant access to this employee. There is currently no workflow involved, making it difficult to find out what state a request for access is in, and in whose queue. Likewise, the same occurs when the employee moves from one department to another and their role changes, or when the employee separates from the university. With large departments, the paperwork becomes a management problem, and because audits require this paper, losing it could result in serious penalties.

What we would gain:

  1. The access control and review process would be easier to audit.
  2. A more standardized process would reduce training, errors, and learning curves.
  3. Compliance with legal regulations, such as PCI DSS, could be better enforced.
  4. At any time in the process, we could see who was waiting on access to what function and where the bottleneck was, for example when a deadline for submitting a federal report requires access to be granted to specific data by a specific date/time.
  5. The time it would take to answer auditor questions and provide audit reports would be greatly reduced.
  6. Roles could be changed or reassigned more easily, with fewer people being "hard-wired" to handling access control. Phone-based coordination would be replaced with an online system.
  7. Escalation of overdue access granting or revocation, and role backup management, could be handled better.
  8. The cost of maintaining access in multiple systems would be reduced with a single, workflow-enabled access control system for the multiple business systems scattered across the campus.