Access and Security Representative ASR Training

1
Access and Security Representative (ASR)Training

• John Williams
• Administrative Information Services (AIS)
• October 30, 2006

2
ASR Training

• AIS Support Center Staff John
  Ellenberger Chrissie Harter Sue Jones
  (Manager) Linda McCamley Sue Reese
  Colleen Shives Byron Weston Matt Wolfe

3
INDEX

• ASR Responsibilities
• ASR Guidelines Forms
• ASR Web Page - Guidelines and Forms - Contact
  Listings - Documentation - Paths and
  Profiles - Requesting Access
• Privacy Office
• Internal Auditing
• ASR Reports
• Imaging
• Security Office
• Data Warehouse
• FIT
• Password Requirements
• SecurID Tokens

4
ASR Responsibilities

• Whats my responsibility?

5
ASR Responsibilities

• Human element in the application process.
• Known by users
• Personal touch
• Trusted source outside AIS.
• Responsible for a smaller/more manageable group
  of people.

6
ASR Responsibilities
7
ASR Responsibilities

• Read and Understand Computer Security Policies.
• Have user sign-off on AIS Access Form affirming
  that they read and understand AD-20, AD-23 ADG-01.

8
Computer Security Policies

• AD-20 Computer and Network Security
• AD-23 Use of Institutional Data
• ADG-01 Glossary of Computerized Data and System
  Terminology
• ADG-02 Computer Facility Security Guidelines
• AD-11 University Policy on Confidentiality of
  Student Records
• AD-35 University Archives and Record Management

9
AD-23 ASR Responsibilities

• Requesting access control information (e.g., a
  User ID and Password), and initial basic
  capabilities for new system users or information
  associates.
• Requesting access for system users or information
  associates to needed production applications,
  both on-line and batch.
• Coordinating requests by authorized system users
  or information associates for access to
  Computerized Institutional Data for ad hoc
  reporting and analyses.
• Ensuring that all data accessed or received is
  used in accordance with University policy and
  agreements reached with the data stewards.

10
AD-23 ASR Responsibilities

• Providing a secure means to inform users of
  password changes or replacement passwords that
  have been entrusted to the ASR.
• Coordinating access and security procedures for
  system users transferring to or from other
  positions within the University.
• Ensuring that cessation of access to University
  Computer and Network Resources by system users
  terminating employment is promptly requested
• Reporting violations of this policy or other
  University data access and use policies and
  agreements to the appropriate computer security
  officer or system administrator, and to the
  Security Operations and Services Director.
  Custodial responsibility for institutional data
  begins when data are accepted within the access
  and security representative's organization.

11
AIS Access Request Flow Diagram
Budget Executive HR Representative Financial
Officer Campus Registrar
12
ASR Responsibilities

• Have user sign-off on AIS Access Form affirming
  that they read and understand AD-20, AD-23
  ADG-01.
• If it is known that the user has not read these
  policies, refuse to process the form.
• Your signature is our confirmation that the user
  read these policies and that you processed the
  form.

13
ASR Responsibilities

• Your signature is our confirmation that
• the user read the required policies
• you processed the form
• you are aware of the request
• you have the necessary records
• others in your area signed based on some criteria

14
ASR Responsibilities

• Report any violation of these policies beyond
  first-time, minor violations
• posting passwords on monitor
• Permitting those under them to logon using their
  userid
• Assist in investigations involving your area
• Ensure that Terminated Employees hand in their
  SecurID token.
• -Policy HR55 THINGS TO KNOW WHEN LEAVING
  UNIVERSITY EMPLOYMENT

15
ASR Guidelinesand FormsChrissie Harter
16
Guidelines for ASRs Requesting AIS Access

• Use the current AIS Access Request Form located
  at http//ais.its.psu.edu/asr/index.html under
  Forms. (when printing the form please try to
  duplex and not send two pages)
• Requests will be processed within 10 business
  days. You will receive an email when the request
  has been processed. If requested access requires
  additional approval, you will receive a second
  email once all access has been approved and
  given. (Note - additional data steward approval
  may require extra time.)
• ASR must ensure that all information required on
  the form is complete with the following
  information
• UserID PSUID
• Campus, College or Administrative Unit and
  Department
• ISIS/IBIS Profile needs to be provided
• Path Access Update/Read-only needs to be
  indicated
• Verify that all required signatures are on the
  form before sending to AIS Security If this
  information is not filled in it could delay the
  processing of the request.

17
ASR Guidelines(continued)

• If a user needs access to two different profiles
  from two different areas we cannot combine the
  two profiles. Both profiles will exist and the
  user will need to call the AIS Support Center to
  request that they be attached to the profile that
  they currently need.
• Access to eDDS and Data Warehouse are not
  requested on the AIS Access Form (however we do
  need a signed form if the user has no other AIS
  access). A signed AIS Access Form is required for
  all data so there is a record of policy
  acknowledgement. Requesting access to these and
  other applications can be found at the following
  link under Requesting Access
  http//ais.its.psu.edu/access/index.html
• Faxes will be treated like any other form and we
  still need the original form due to imaging. All
  requests including faxes will be processed in the
  order that they are received by the Security
  Office.
• eMail requests should be sent to the AIS Support
  Center via ais-support_at_psu.edu (not individual
  personnel, this ensures that the request is
  logged into our database and processed in a
  timely manner)
• When an employee has terminated or moved to
  another area you must notify the AIS Security
  Office immediately to have their access
  suspended/removed.

18
ASR Guidelines(continued)

• When a SecurID Token is required for AIS Access,
  it can be assigned at any time by calling the AIS
  Support Center _at_ (814-863-2276) or by sending an
  email to ais-support_at_psu.edu with the serial
  number and userid (a token is not needed for
  eDDS, DW and EIS access). An AIS Access Form can
  be sent for processing prior to having a SecurID
  Token.
• AIS passwords must be a minimum of six and a
  maximum of eight letter/numbers. Cannot be the
  current or previous 3 passwords. Cannot contain
  triple repeating letters or numbers. Cannot be
  your userid (if userid is six characters) and
  must contain at least one number.

19
http//ais.its.psu.edu/asr/index.html
20
Security Forms

• AIS Access Form (under construction)
• http//ais.its.psu.edu/access/access_accounts_docu
  mentation.html
• ASR Access Checklist
• ASR Authorization Card
• http//ais.its.psu.edu/asr/asrcard.html
• Trusted Network Certification Form
• http//ais.its.psu.edu/security/trusted_network_fo
  rm.html

21
AIS ACCESS FORM

• Following is a sample of the Updated AIS Access
  Form the form. This form is available to fill and
  print at http//ais.its.psu.edu/access/access_ac
  counts_documentation.html
• The text in red needs to be completed by the
  user and ASR. If this information is not filled
  in it could delay the processing of the request.

22
(No Transcript)
23
(No Transcript)
24
(No Transcript)
25
http//ais.its.psu.edu/asr/asrcard.html
26
http//ais.its.psu.edu/security/trusted_network_fo
rm.html
27
ASR Web PageContact ListingsandDocumentation
Colleen Shives
28
http//ais.its.psu.edu/
29
http//ais.its.psu.edu/asr/index.html
30
CONTACT LISTINGS

• Access and Security Representatives
• http//ais.its.psu.edu/access/replist.html
• Data Stewards
• http//ais.its.psu.edu/access/steward.html
• Financial Officers
• http//www.controller.psu.edu/Divisions/FinancialO
  fficers/staffcontact.html
• Human Resource Representatives
• http//www.ohr.psu.edu/HRRepList.cfm

31
http//ais.its.psu.edu/asr/index.html
32
http//ais.its.psu.edu/access/replist.html
33
http//ais.its.psu.edu/asr/index.html
34
http//ais.its.psu.edu/access/steward.html
35
http//ais.its.psu.edu/asr/index.html
36
http//www.controller.psu.edu/Divisions/FinancialO
fficers/staffcontact.html
37
http//ais.its.psu.edu/asr/index.html
38
http//www.ohr.psu.edu/HRRepList.cfm
39
DOCUMENTATION

• University Policies for Computer and Data
  Security
• http//ais.its.psu.edu/security/univpol.html
• ISIS Screens and Procedures for the Registrar
  Subsystem
• http//www.registrar.psu.edu/staff/isis/screens_an
  d_procedures_index.html
• ISIS Documentation (NCRR)
• http//ais.its.psu.edu/isis/media/NCRRDOC.pdf
• IBIS Documentation
• http//ais.its.psu.edu/ibis/ibis_documentation.htm
  l
• SecurID Tokens
• http//ais.its.psu.edu/access/securid.html
• Net-Pass and the Net-Pass Activity Table
• http//ais.its.psu.edu/access/netpass.html

40
http//ais.its.psu.edu/asr/index.html
41
http//ais.its.psu.edu/security/univpol.html
42
http//ais.its.psu.edu/asr/index.html
43
http//www.registrar.psu.edu/staff/isis/screens_an
d_procedures_index.html
44
http//www.registrar.psu.edu/staff/isis/registrar_
isis_screens.html
45
(No Transcript)
46
http//ais.its.psu.edu/asr/index.html
47
http//ais.its.psu.edu/isis/isisdoc.html
48
http//ais.its.psu.edu/isis/media/NCRRDOC.pdf
49
http//ais.its.psu.edu/asr/index.html
50
http//ais.its.psu.edu/ibis/ibis_documentation.htm
l
51
http//ais.its.psu.edu/ibis/alphabetical_listing.h
tml
52
(No Transcript)
53
(No Transcript)
54
http//ais.its.psu.edu/asr/index.html
55
http//ais.its.psu.edu/access/netpass.html
56
(No Transcript)
57
UNASSIGNED NET-PASS ACTIVITY TABLE
58
NET-PASS ACTIVITY TABLE WITH APPLICATION ACCESS
ENTERED
59
SAVING THE NET-PASS ACTIVITY TABLE ENTRIES
60
REQUESTING AIS SYSTEMS ACCESSSue Reese
61
http//ais.its.psu.edu/
62
http//ais.its.psu.edu/access/hours_avail.html
63
http//ais.its.psu.edu/
64
http//ais.its.psu.edu/asr/index.html
65
ADISALUMNI DEVELOPMENT INFORMATION SYSTEM
ADIS is an application that provides inquiry and
update access to a database containing
information on alumni and donors, alumni
memberships, biographical data, prospect
tracking, gift and pledge data, and WPSX
memberships.
66
http//ais.its.psu.edu/adis/adis_access.html
67
ADISALUMNI DEVELOPMENT INFORMATION SYSTEM

• Need to request DCOM to use the ADIS Web Site
• All access needs to be approved through the
  Office of University Development
• A SecurID Token is needed
• http//ais.its.psu.edu/adis/adis_access.html

68
AIMSAccount Information Management System

• AIMS is a Web-based system designed to allow
  faculty members access to the financial status of
  their sponsored project accounts.

69
http//ais.its.psu.edu/aims/aimsaccess.html
70
AIMSAccount Information Management System

• All users are given AIMS function assigned to
  their IBIS profile
• No request is needed by the ASR, access is
  automatically granted via the IBIS account
  creation process
• Users with AIMS access will not appear in your
  ASR profiles
• http//ais.its.psu.edu/aims/aimsaccess.html

71
CIDRCENTRAL ID REPOSITORY FUNCTION ACCESS

• CIDR is the Universitys Central ID Repository.
  It contains information about a person such as
  the PSU ID, Digital IDs Access or Friends of
  Penn State (FPS) accounts, SSN and additional
  biographical data like birth month and day that
  can be used for matching records. 

72
http//ais.its.psu.edu/access/central_id.html
73
CIDRCENTRAL ID REPOSITORY FUNCTION ACCESS

• All requests for the functions below must be
  submitted by your Access and Security
  Representative (ASR) to the Administrative
  Support Center ais-support_at_psu.edu via
  electronic mail or on the AIS Access Form
• CIDR functions can only be used by University
  employees and where noted require a SecurID token
  to be used
• There are some CIDR functions that require
  additional Data Steward approval
• http//ais.its.psu.edu/access/central_id.html

74
DATA WAREHOUSE ACCESS

• Penn State's Data Warehouse provides users with
  easy, flexible and widely-available ad hoc access
  to institutional data for analytical and
  reporting purposes. With more than two dozen
  databases available, it is the source for
  information on students, employees, classroom
  facilities, applicants and financial transactions.

75
http//ais.its.psu.edu/data_warehouse/dw_request_a
ccess.html
76
(No Transcript)
77
http//ais.its.psu.edu/data_warehouse/dw_request_a
ccess.html
78
http//ais.its.psu.edu/data_warehouse/isis.html
79
DATA WAREHOUSE ACCESS

• If a user does not already have an AIS Account,
  the ASR will need to fill out an AIS Access form
• If the user already has an AIS Account, the ASR
  will need to go into this website
  http//ais.its.psu.edu/data_warehouse/dw_request_a
  ccess.html and click on the Data area that is
  needed. This will give you the Data Stewards
  email address and an example of how the Data
  Steward wants the request.
• Once the request is completed, an email is sent
  to the user and the ASR telling them to that the
  access request has been completed. If this is a
  new Data Warehouse user they will be instructed
  to call Colleen Shives _at_ (814-863-8168) or the
  AIS Support Center _at_ (814-863-2276) to get the
  password, we can not email the password.

80
eDDSeDOCUMENT DISTRIBUTION SYSTEM

• eDDS is a tool that enables the user to access
  and view reports via the Web.

81
http//ais.its.psu.edu/edds/access.html
82
(No Transcript)
83
(No Transcript)
84
eDDSeDOCUMENT DISTRIBUTION SYSTEM

• If a user does not already have an AIS Account,
  the ASR will need to fill out an AIS Access form
  
• If the user already has an AIS Account, the ASR
  will need to go into this website
  http//ais.its.psu.edu/edds/access.html and click
  on the Report Steward of the report being
  requested
• The Report Steward will approve the request and
  send it to AIS Support via e-mail
• If a user is requesting access to ITS Online
  Billing Statement, the user will need to submit
  the request, as long as the user already has an
  AIS Account, all other eDDS access needs to be
  requested by the ASR
• Once the request is completed, an email is sent
  to the Report Steward and the user telling them
  that its been completed. The password is the
  same as your Access password

85
EISENTERPRISE INFORMATION SYSTEM

• EIS is your tool for answering questions about
  enrollments, admissions and other related
  University information.

86
http//ais.its.psu.edu/eis/eis_request_access.html
87
EISENTERPRISE INFORMATION SYSTEM

• EIS access must be requested by the ASR for the
  initial access
• If a user does not already have an AIS Account,
  the ASR will need to fill out an AIS Access Form
• EIS Access can be requested via email to
  ais-support_at_psu.edu or on the AIS Access Form
• Additional access must be made by the Data
  Steward
• If EIS is the only access the user has they will
  not show up on the ASR profiles

88
eISISElectronic Integrated Student Information
System

• eISIS provides Penn State faculty and/or staff
  with a Web site for applications using a Web
  interface. These applications contain data on
  students who are currently taking, or have
  previously taken courses at any of the campuses.

89
http//ais.its.psu.edu/eisis/prerequisites.html
90
https//eisis.psu.edu/isapi/eisis.dll/submit
91
eISISElectronic Integrated Student Information
System

• The ASR can request the functions on the AIS
  Access form.
• eISIS function will be assigned to their ISIS
  security profile.
• A SecurID Token is needed.

92
FITFINANCIAL INFORMATION TOOL

• FIT is a client/server tool for budget
  administrators and others who need to perform
  management functions for one account or one cost
  center with IBIS Financial data.

93
http//ais.its.psu.edu/fit/fit_request_access.html
94
FITFINANCIAL INFORMATION TOOL

• ASR must request access to ISTR
• ISTR is available on the following profiles
• EASY
• FO
• Budget Exec
• OHR

95
IBISINTEGRATED BUSINESS INFORMATION SYSTEM

• IBIS is the electronic business system used at
  Penn State. It is comprised of a variety of
  business applications and systems that provide
  you with financial and human resource
  information.

96
http//ais.its.psu.edu/ibis/ibis_request_access.ht
ml
97
http//ais.its.psu.edu/asr/index.html
98
http//ais.its.psu.edu/access/ibispath.html
99
(No Transcript)
100
IBISINTEGRATED BUSINESS INFORMATION SYSTEM

• The ASR will need to fill out an AIS Access form
  for IBIS (CCOM) Access
• If requesting Salary or OHR paths, must have the
  Financial Officer, Budget Executive or the Human
  Resource Representatives signature
• Provide the mnemonic, FO Number and/or OHR Number
  and the profile that is needed for the user
  requesting access
• http//ais.its.psu.edu/ibis/ibis_request_access.ht
  ml

101
ISISINTEGRATED STUDENT INFORMATION SYSTEM

• ISIS is the centralized student system that
  manages the records for all Penn State students
  graduate and undergraduate, credit and
  non-credit, at all Penn State locations.

102
http//ais.its.psu.edu/isis/isis_access.html
103
ISISINTEGRATED STUDENT INFORMATION SYSTEM

• The ASR will need to fill out an AIS Access form
  for ISIS (ACOM/BCOM) Access
• Userids beginning with A-J are on ACOM
• Userids beginning with K-Z are on BCOM
• Requesting Registrar screens from a Campus needs
  the Registrar signature
• http//ais.its.psu.edu/isis/isis_access.html

104
PROCESSING AIS REQUESTS

• The ASR completes the AIS Access form, sends it
  to AIS at 24 Shields.
• We process as much of the request as we can
  before additional approvals (if needed) are
  received.
• We notify the ASR via email with the userid,
  password and what access was given to the user.
• Depending on what access was requested. We may
  need to send the form out to the Data Stewards
  for ISIS and IBIS requests. This could take weeks
  depending on how many Data Stewards need to
  approve the form. There could be up to 10
  different Data Stewards when requesting access to
  an ISIS profile.
• Once the form has all the approvals, we notify
  the ASR via email saying that the AIS Access that
  was requested has been completed.
• Copies of the completed form will no longer be
  sent to the ASR. All forms will be scanned and
  then the ASR will be able to look at the form on
  the AIS Imaging System.

105
AIS Access Request Flow Diagram
Budget Executive HR Representative Financial
Officer Campus Registrar
106
SECURID TOKENS/PASSWORDS FOR SYSTEMS AND SERVICES
107
Risk Management and Privacy

• David J. Lindstrom, CIPP/G
• Chief Privacy Officer
• Penn State University

108
Penn State Privacy Office

• Mission
•  
• The mission of the Privacy Office is to serve as
  a central resource for issues of privacy among
  affected university units and to provide
  leadership in the development of programs and
  practices to meet relevant privacy requirements
  and standards.

109
Privacy Office Functional Areas

• Compliance Resource (HIPAA, FERPA, GLBA, etc.)
• Privacy liaison between all PSU units
• Administer all PSU privacy policies
• Privacy and security risk assessment and
  remediation
• Administer a university-wide complaint and
  incident response system

110
Risk Approach

• The use of personal and institutional information
  creates risk
• Essential to our business processes and service
  to our customers
• Some risks are insurable others are not
• People can manage both kinds of risk

111
Privacy Legislation

• Increasing number of bills introduced
• Some current laws
• HIPAA (Health Insurance Portability and
  Accountability of 1996)
• Gramm-Leach-Bliley Act (GLBA)
• Family Education Rights and Privacy Act (FERPA)
• Telephone Consumer Protection Act
• CAN SPAM Act of 2003
• Fair and Accurate Credit Transactions Act of 2003
  (FACT Act)

112
Passed PA Legislation

• PA Senate Bill 712
• Effective June 2006
• Personal Information is defined as name, linked
  with
• Social Security Number,
• Drivers License,
• Financial Account Numbers, or
• Credit/debit card number

113
PA Senate Bill 712

• Need to know where covered information is stored
• Need to know how to get in touch with data
  subjects
• Need a plan to respond to data breach
• Similar statutes exist in more than 20 states

114
SB 712 Requirements

• If it is believed that personal information
  was or is reasonably believed to have been
  accessed and acquired by an unauthorized person
  they must be notified of the breach. The
  notification of breach may be in the form of any
  of the following
• Written notice to the last known home address for
  the individual.
• Telephone notice if it can be reasonably expected
  that the individual will receive it.
• Email notice if a valid email is known.

115
SB 712 Requirements

• Substitute notices may be allowed if
• The cost of providing notice would exceed
  100,000.
• Or if the number of individuals exceeds 175,000
• Or if sufficient contact information is not
  available.
• Substitute notice includes all of the following
• Email notice to the individuals.
• Conspicuous posting of the notice on the entitys
  website.
• Notification to the statewide media.

116
Substitute Notice?
117
Student Information

• Student educational records
• Covers just about any record a college or
  university maintains on a student
• Scattered throughout the institution
• Anyone who has access to these records should be
  affected by the Family Educational Rights and
  Privacy Act (FERPA)

118
FERPA

• Department of Education enforcement can
  withhold federal funds
• Policy guidance, actual letters to school
  districts, colleges and universities are on line
• http//www.ed.gov/policy/gen/guid/fpco/hottopics/h
  t-10-09-02a.html

119
Higher Education is a Business

• We all sell things
• We take cash
• Sometimes we take checks
• We ALWAYS take credit cards

120
PCI-VISA Standards

• Payment Card Industry (PCI) Data Security
  Standard/Cardholder Information Security Program
  (CISP) Not a law
• Merchant and service provider requirement for
  those that store, process or transmit data
• Other card companies have endorsed the VISA
  standard single approach

121
CISP Standards

• Build and maintain a secure network
• Protect cardholder data
• Maintain a vulnerability management program
• Implement strong access control measures
• Monitor and test networks
• Maintain an information security policy

122
Wheres the PCI CISP Data?
123
What happens if we make a mistake?

• All departments and networks could be affected.
• Security requirements would rise for all units.
• Credit card transaction disruption is likely.
• Fines, up to 250,000 are not uncommon
• http//usa.visa.com/business/business_resources/

124
Identity Theft
Greeley, Colo. ID Theft Feared from Missing Hard
DriveSome University of Northern Colorado
employees are switching bank accounts to thwart
identity theft after a college computer hard
drive containing Social Security and bank account
numbers for nearly 16,000 employees disappeared.
Officials are unsure whether the hard drive was
misplaced or stolen.
125
Penn States Motivation for SSN Use Change

• Stanford University May 2005
• Purdue University (3rd time) May 2005
• George Mason University January 2005
• University of Georgia January 2004
• New York University December 2003
• University of Texas at Austin March 2003
• State of California May 2002
• Arizona State University June 2002
• Akron Health Insurer March 2002

126
PSU SSN Conversion Project
127
SSN Conversion Resources

• http//ais.its.psu.edu/SSN/

http//guru.psu.edu/policies/AD19.html
128
UT Austin Hit Again

• Posted on Mon, Apr. 24, 2006
• Hacker got more than 100,000 Social Security
  numbers
• JIM VERTUNO
• Associated Press
• AUSTIN - Whoever hacked into the computer system
  at the University of Texas at Austin's business
  school obtained the names and Social Security
  numbers of 106,000 people, including all faculty
  and staff, most students and about half the
  alumni, a UT official said Monday.

129
Surplus and Salvage Issues

• CALGARY (CP) - A privacy complaint involving the
  resale of a computer has prompted Staples
  Business Depot to develop a formal policy to
  ensure all hard drives are wiped clean before
  they are put back on store shelves.

130
This Week

• Operator of 12 hospitals informs of lost data
• CD contained personal data for more than a
  quarter-million patients
• Updated 440 p.m. ET Oct 24, 2006
• INDIANAPOLIS - The operator of 12 hospitals in
  Indiana and Illinois is notifying more than a
  quarter-million patients that compact discs
  containing their Social Security numbers and
  other personal information were lost for three
  days over the summer.
• The Sisters of St. Francis Health Services,
  which operates 10 hospitals in Indiana and two in
  Illinois, said in the warning letter that an
  employee of a medical billing contractor copied
  the data onto several CDs in July and placed them
  in a new computer bag to work from home.

131
True PSU Stories

• Dont place confidential material in a blue bag
  and leave it in the hall, unsecured.
• Dont place confidential material in a clear
  plastic garbage bag and leave it outside for a
  few days.
• Dont take confidential information home, no
  matter how secure you think you can keep it.

132
True Stories Continued

• Dont store confidential material on unsecured
  computers
• Dont store confidential material on unsecured
  media (e.g., flash drives)
• Dont give data access to a third party without
  appropriate contract protections in place

133
Data Categorization

• Re-evaluating all categories of data needing
  protection (public, non-public, confidential,
  secret, top secret, cryptographic???)

134
Penn States AD 35

• University Confidential Records -
• records which have the highest level of
  confidentiality attached to them and which may
  only be used by a limited number of people in the
  originating office.
• University Restricted Records -
• records having a high level of confidentiality
  attached to them and where access is limited to
  the staffs of a small number of offices. Examples
  include individual salary and wage data,
  individual personnel files, development gift
  records, non-directory student information, and
  fiscal records at the budget and fund level.
• University Official Records -
• records which are available to University faculty
  or staff members (usually within the unit), but
  are not made available to the public. Generally
  speaking, the bulk of University records fall
  into this category.
• University Vital Records -
• Records essential to the continued functioning or
  reconstitution of the University during and after
  an emergency, and also those records essential to
  protecting the rights and interests of the
  University and the individuals directly affected
  by its activities.

135
Penn State Privacy Activities

• Centralized used computer sales and salvage
• Blue Bag Program central shredding resource
• Privacy breach incident response plan (team
  approach including key units and personnel)
• Information Privacy and Security Improvement
  Program

136
Project Phases

• The primary focus of Phase I is to meet the
  requirements of PCIDSS.
• Work with consultant to make eCommerce site and
  Bursars compliant with PCIDSS
• Develop Reference Architecture Documents to be
  used as the base template or list of
  requirements for departments using eCommerce.

137
Phase II

• Address internal policy requirements and other
  statutory compliance obligations
• Individual department or unit-based improvements
  achieved in Phase I will need to be expanded to
  other units of the university.

138
Project Team

• Staff to be assigned on a full-time basis
• Manager
• Technical expertise
• Support
• Project directed jointly by Senior Director for
  Security Operations and Services and Privacy
  Officer

139
Expectation of Privacy
140
Questions
David J. Lindstrom, CIPP/G Chief Privacy Officer
Penn State University 227 West Beaver Avenue,
Suite 103 State College, PA 16801 814-863-3049
(Privacy Office) 814-865-7211 (Direct to my
desk) 814-865-4029 (Fax)privacy_at_psu.edu
141

• IT Audit
• ASR Meeting
• Gary Grgurich
• October 30, 2006

142
Internal Audit

• Nine Auditors
• Director
• IT and Financial Audit Managers
• IT staff (3)
• Financial staff (3)
• Report to the Corporate Controller
• Meet regularly with the members of the Board of
  Trustees

143
College Campus Audits

• Colleges and Campuses are selected for audit on a
  rotating basis
• Unless some area of risk is identified
• Dean/Chancellor are notified in advance
• Audit consists of Financial, Operational and IT
  components
• Primary contacts are Dean/Chancellor, Financial
  Officer, ASR and IT Manager

144
IT Audit Process

• Questionnaire to IT Manager in advance
• Basic information on IT staffing, infrastructure
  and controls
• E-mail to ASR in advance
• User authorization and SecurID assignment
  procedures
• Exit meeting to discuss issues
• Report with management responses

145
What is Reviewed

• Documentation/Policy
• Staffing
• Network Administration
• Logical Security
• Physical Security
• Backup and Recovery
• System Monitoring

146
Some Areas of Emphasis

• Access to sensitive information (i.e. FERPA,
  HIPAA, credit card s, SSNs)
• Access to key IBIS/ISIS access paths
• Download/storage to workstations (laptops)
• User understanding of regulations and PSU policy
• Secure workstations
• Anti-virus, anti-spam, patching
• Anti-theft
• Encryption

147
ASR Role

• Maintain current, accurate list of users
• Suspend/delete terminated users on a timely basis
• Ensure that user profile information is accurate
• Ensure that users read PSU security policies
• Control SecurID tokens
• Assist with review of user access to IBIS/ISIS
  screens

148
Contact Information

• Gary Grgurich
• Manager IT Audit
• gjg13_at_psu.edu
• 814-865-9598
• Internal Audit website
• http//www.controller.psu.edu/Divisions/InternalAu
  dit/index.html
• Financial Compliance Hotline
• 800-560-1637

149
ASR REPORTS
150
Populated by a single userID. Returns information
particular to a single user.
151
Populated by a single userID. Returns information
particular to a single user.
152
Automatically populated by ASR userID. Returns a
list of all users for an ASR (note the token ID
expiration date).
153
Populated by a single userID. Returns information
particular to a single user.
154
Automatically populated by ASR userID. Returns a
list of all users for an ASR.
155
ASR REPORTS(continued)

• Future Additions
• IBIS report - return multiple Mnemonic access for
  a user. Currently we only have the first
  mnemonic available for this report.
• IBIS ISIS report - return a list of users based
  on path.
• User report - return a list of users based on
  system (ACOM, BCOM, CCOM, etc.)

156
AIS IMAGINGMatt Wolfe
157
https//imaging.ais.psu.edu/
158

• SECURITY OFFICE

159
DATA WAREHOUSE FOR THE ASR

• Sue Jones

160
DATA WAREHOUSE (continued)

• Access to the data warehouse ASR database is
  automatically given when you become an ASR.
• How to access the Data Warehouse
• http//ais.its.psu.edu/data_warehouse/index.html
• https//www.warehouse.ais.psu.edu/datadict/datadic
  tcomp.asp
• Instructions included in the back of the book for
  connecting, linking tables and creating queries

161
DATA WAREHOUSE (continued)
http//ais.its.psu.edu/data_warehouse/index.html
162
DATA WAREHOUSE (continued)
http//ais.its.psu.edu/data_warehouse/data.html
163
DATA WAREHOUSE (continued)
https//www.warehouse.ais.psu.edu/datadict/datadic
tcomp.asp
164
DATA WAREHOUSE (continued)
https//www.warehouse.ais.psu.edu/datadict/datadic
t2.ASP?database_nameasr
165
DATA WAREHOUSE (continued)
https//www.warehouse.ais.psu.edu/datadict/datadic
t3.ASP?table_nameacf2
166
DATA WAREHOUSE (continued)

• Data Warehouse Demonstration
• create queries
• sample queries
• http//ais.its.psu.edu/data_warehouse/queries.html
  

167

• FIT
• AND
• PASSWORD REQUIREMENTS
• John Ellenberger

168
FITFINANCIAL INFORMATION TOOLWindows
RequirementsOS , Hardware and Security

• Supported Operating Systems
• Windows 2000 or Windows XP (32 Bit)
• Hardware Requirements
• 486 66 MHz or higher CPU
• 32 MB RAM
• 10MB available space on hard disk
• Postscript enabled printer with at least 4MB RAM
  (if printing)
• PSU Data Backbone or Wireless Connection or modem
• ( IP in Trusted Network or VPN (ISP to PSU) or
  Wireless

169
FITFINANCIAL INFORMATION TOOL (CONTINUED)

• Note  32MB is the minimum amount of memory.
  FIT's ability to process accounts and cost
  centers with large numbers of transactions is
  related to the amount of memory available.
• Security Requirements
• Access account from the Information Technology
  Services Accounts Office
• IBIS access to function ISTR from the
  Administrative Information Services (AIS)
• Permissions Full Control to the ibisfit folder
  and below folders

170
FITFinancial Information ToolMacintosh
Requirements OS, Hardware and Security

• Supported Operating Systems
• Macintosh OS X
• Note  FIT will not work on Macintosh OS 8.x or
  OS 9.x or Intel Mac OS X.
• Hardware Requirements
• Power Macintosh (PowerPC)
• OS X.1 or greater.
• 4 MB RAM
• 2 MB available disk space
• Postscript enabled printer with at least 4MB RAM
  (if printing)
• Open Transport TCP/IP Version 1.1 or later

171
FITFINANCIAL INFORMATION TOOL(CONTINUED)

• PSU Data Backbone or Wireless Connection or mode
• (IP in Trusted Network or VPN (ISP to PSU) or
  Wireless.
• Security Requirements
• Access account from the Information Technology
  Services Accounts Office
• IBIS access to function ISTR from the
  Administrative Information Services (AIS)
• Ownership Permissions Need Read Write to
  the ibisfit directory and below

172
http//ais.its.psu.edu/fit/downloads.html
173
AIS RequirementsFor Changing Password

• Password is required
• Minimum of six and max of eight letters/numbers
• Can not be current or previous 3 passwords
• Can not contain triple repeating letters or
  numbers
• Can not be your user id (if userid is six
  characters)
• Must contain at least one number

174

• SECURID TOKENS
• Linda McCamley

175
http//ais.its.psu.edu/
176
http//ais.its.psu.edu/access/index.html
177
http//ais.its.psu.edu/access/securid.html
178
http//ais.its.psu.edu/access/securid.html
179
SecurID Tokens

• What Systems Require a Token?
• Listed below is a list of systems and web
  applications that require 2nd factor
  authentication as part of their access
  requirement.
• Administrative Information Services (AIS)
  mandates the use of a SecurID token to access
  centralized administrative systems. Data
  Stewards may require that a SecurID token be used
  to access their specific data elements regardless
  of read or update access.
• A SecurID token is required for the following
• NetPass/Mainframe Systems
• IBIS, ISIS, ROSCOE, Testais, TSO
• WebADIS, ADIS
• CIDR
• eISIS
• eLion Functions requiring faculty input

180
SecurID Tokens(continued)

• eCommerce - Beginning in December 2006, in
  order to process credit cards,
  eCommerce users will need to have a SecurID
  token to log on to eCommerce services.
• eSteward - Now available. Alumni Development web
  application that provides authorized Penn State
  faculty and/or staff with a Web site tool that
  brings together necessary data for the effective
  management and stewardship of our donors' gifts
  and the scholarship, faculty, and program
  endowments/accounts that their gifts support.

181
SecurID Tokens(continued)

• Reminder Current Pricing
• SecurIDs for Staff ? 31.00 each
• SecurIDs for Faculty ? 25.00 each (for a
  limited time until the supply is depleted)
• Please share this pricing information with all
  departments within your administrative unit. The
  AIS Business Office is still receiving IDCCs
  with the old 75.00 cost per token indicated.

182
SecurID Tokens(continued)

• Faculty Token Allotments
• In November 2005, each area ASR and alternate's)
  were informed that any new SecurID tokens
  purchased for Faculty members (grade entry
  process), would be priced at 25.00 per token for
  a limited time.
• This special token allotment was determined by
  the number of Faculty positions held within each
  College or Campus and will be available until
  their allocation has been depleted. At that time,
  you will be notified that the token price will
  increase to 31.00 (same as the current staff
  pricing).
• Quarterly, an email message is sent alerting you
  to the status of your allotment.

183
SecurID Tokens(continued)

• Expiring Tokens
• In June 2006, a message was sent listing those
  users whose tokens would be expiring during the
  next fiscal year. We will continue to provide
  this information.
• Returning and Replacing Faulty Tokens
• Any SecurID token malfunctioning before its
  expiration date (located on the back of each
  token) will be replaced free of charge. The
  replacement token will have a comparable
  expiration date as the faulty token.
• Faulty tokens should not be returned to us
  through interoffice mail. University Park
• staff should bring the token to our office in 24
  Shields Bldg., for a replacement.
• Campus returns should be placed in a cushioned
  mailer and sent to us via surface mail. A
  replacement will then be mailed.

184
SecurID Tokens(continued)

• Transferring Ownership of the Token
• If an employee is transferring within the
  University or leaving the University, their
  SecurID token should be returned to the area ASR
  or the person who issued it to them.
• A previously assigned token can be reassigned to
  another user within that department. Funds used
  to purchase the token came from a specific
  department budget, therefore the token should
  remain in this area unless other arrangements
  have been made.
• Token Orders
• Any concerns?
• Are you receiving your token order in a timely
  manner?