Mandatory Annual A.C.E. Training - PowerPoint PPT Presentation

Title: Mandatory Annual A.C.E. Training

Description: Departmental User Security Access Confirmation List & Annual ACE Training Acknowledgement ... Need a proxy for primary approver. Always check for updated ...

Slides: 45
Provided by: HSCEMP

Transcript and Presenter's Notes

1
Mandatory Annual A.C.E. Training
  • Fiscal Year 2008

2

INFORMATION SECURITY AWARENESS
An ACE Update
October 2007
Information Security Is Everyone's Responsibility
3
Laws and Policies: A Few Examples
University of Texas System Policy UTS165
UTHSCSA Handbook of Operating Procedures
Texas Penal Code Chap 33
UTHSCSA Student Catalog
FERPA
Computer Fraud and Abuse Act of 1986
Privacy Act
Texas Administrative Code Chapter 202
HIPAA
4
What is Information?
E-mail
Student Records
Clinical Records
Patient Health Records
Personnel Data
INFORMATION
Financial Records
Grant Submissions
Research Data
Personal Data
Credit Card Information
5
In the News
  • Between February 15, 2005 and October 15, 2007,
    there have been 666 reported data breaches
    accounting for over 194 million possible
    identities lost
  • One third of those breaches came from educational
    institutions

6
Percent of Total Breaches: Out of 666
7
In the News
  • Between February 15, 2005 and October 15, 2007,
    there have been 666 reported data breaches
    accounting for over 194 million possible
    identities lost
  • One third of those breaches came from educational
    institutions
  • There were four data breaches in the University
    of Texas system last year
  • ALL of them were preventable

8
Data at Rest / Data in Motion
  • Information must be protected at all times, to
    the appropriate level
  • Data on a protected, managed server generally
    provides the best protection
  • Precautions must be taken for sensitive data on
    workstations
  • Special attention must be paid to data on
    external devices or being transmitted

9
Data at Rest
  • Servers provide a centralized location for
    departmental information, providing easy access,
    consistent management, and regular backups
  • Workstations must have the University's managed
    antivirus and patch management programs
    (designated TSR)
  • In order to maintain individual accountability,
    user accounts and passwords must NEVER be
    shared (HOP 5.8.4 and various Fed regulations)
  • Don't forget physical security

10
Data at Rest
  • As an aside, the University has a tool to help
    individual users better manage their login
    password: self-service password reset
  • Enroll at http://pwr.uthscsa.edu with current
    password
  • After enrolling, the member can easily reset
    their password if it's forgotten, at any time of
    day

11
Data in Motion
  • Information is most at risk outside the normal
    operating environment
  • Mobile computing thefts average 1,800 per day in
    the U.S., 2 per month at UTHSCSA
  • Theft of computing devices, media, and portable
    storage devices accounted for nearly one-half of
    the data breaches; several were personally-owned
    with sensitive information

12
Number of Breaches by Cause: Out of 666
13
Data in Motion
  • Encrypted hard drives would have made those
    device losses irrelevant
  • The University has purchased a whole-disk
    encryption solution, available from Client
    Support Services
  • Encryption of portable storage devices is coming
    soon

14
Data in Motion
  • Sending protected information in e-mail is
    prohibited if it is not encrypted
  • The University has a secure e-mail product that
    is targeted toward:
  • Physicians
  • Clinicians
  • Researchers
  • In short, anyone who has to send sensitive data
    OUTSIDE the UTHSCSA network

15
Data in Motion
  • Simply put at the beginning of the subject line

16
Data in Motion
  • Simply put at the beginning of the subject
    line
  • The tells the mail system to treat as a secure
    mail message
  • The recipient gets notification of the secure
    mail
  • For more information, go to
    http://infosec.uthscsa.edu/
  • Click on Tips, Tricks, Safe Computing

17
InfoSec Resources
Email: infosec_at_uthscsa.edu
Hotline: (210) 567-5900
Web: http://infosec.uthscsa.edu
Shirley Erp, CISO, Voice: 210.567.0652, erp_at_uthscsa.edu
Mike Runnels, ISO, Voice: 210.567.2094, runnelsm_at_uthscsa.edu
Kevin Kjosa, ISO, Voice: 210.567.0642, kjosa_at_uthscsa.edu
Patrick Braxton, ISO, Voice: 210.567.2118, braxtonp_at_uthscsa.edu
18
What's in your Training Packet?
  • Departmental User Security Access Confirmation
    List & Annual ACE Training Acknowledgement
  • Deadline November 30th
  • Calendar of Events
  • ACE Ownership Dept ID Listing
  • Queries
  • User Access lists for DW
  • User Security Access change forms (DW, DRS, PS)
  • Only used to delete user access
  • To add access use the PSAR form
  • Helpful Phone Numbers and Emails

19
Access Control Executive Policy Section 5.8.8
  • Definition of an ACE (Access Control Executive)
  • The departmental representative assigned the
    responsibility to authorize and manage user
    access to institutional administrative business
    systems
  • Implementation of appropriate access controls to
    administrative business systems is critical to
    the attainment of HSC's missions.
  • Failure to comply could put business processes
    and information at risk.
  • In the ACE's absence, only the Dean, Chair, or
    Director may assume the responsibilities and
    duties of the ACE.

20
ACE Responsibilities and Duties
  • Paperless Future
  • In lieu of the Dean, Chair or Director, the ACE
    may designate a proxy to prepare the PSAR form in
    their absence.
  • Send proxy's name to DCATS CSS Acct/Mgmt
  • Proxy can submit form ONLY in an emergency
    situation. (i.e. Absences or Vacations)

21
ACE Responsibilities and Duties
  • To document the completion of required ACE
    training, the department must maintain a current
    signed copy of the Departmental User Security
    Access Confirmation List. The original is sent
    over to DCATS
  • Any access changes (during ACE training) will be
    processed on the forms provided in the ACE
    packet.
  • Attach to Confirmation list, submit to DCATS.
  • DCATS will send all user changes to
    CSS Acct/Mgmt team

22
ACE Responsibilities and Duties: P.S.A.R. form
  • Personnel Security Access Request Form (PSAR)
  • DCATS website / ACE link / Forms Guides
  • Form processed by CSS Account Mgmt team and a
    Remedy ticket is created
  • Reply ALWAYS goes to the departmental ACE
  • NO more faxes, emails, or paper request forms.

23
ACE Responsibilities and Duties: P.S.A.R. form
  • Online (PSAR)
  • Benefit
  • Less likely to get lost since it's online
  • No paper form to attach or email
  • For ACE Training, ACEs will use paper forms
    included in packets to delete access of
    terminated and transferred employees. This is to
    be used only for the Month of November.
  • To add access, ACEs will use the PSAR form.
  • These forms ARE NOT to be used at any other time

24
ACE Responsibilities and Duties: P.S.A.R. form
  • If user access or password reset is requested by
    fax or email from the ACE, it will not be accepted
  • The PSAR form must be submitted

25
ACE Responsibilities and Duties: P.S.A.R. form
  • The following requests should be submitted using
    the online PSAR form:
  • Reset passwords
  • Email will no longer be accepted
  • When requesting password resets, do not select
    the ADD for the application type.
  • Password reset should be on the PSAR form by
    itself

26
ACE Responsibilities and Duties: List of Queries
  • DCATS will provide user access lists for:
  • Data Warehouse Users
  • Use the HSC_DEPT_SEC_GROUP_ROLES query in
    PeopleSoft HCM 8.9
  • This query will not show you specific classes of
    access for each user, only who has access in your
    department

27
ACE Responsibilities and Duties: List of Queries
  • Use the ACE Tools for the following:
  • Web Requisition: Click on Dept Inquiry to view
    all users for your dept
  • To make changes to a user's access: Search for
    individual user in Requisition Security
  • Add/Delete dept ids or project ids as needed

28
ACE Responsibilities and Duties: Data Warehouse
  • When requesting access for Data Warehouse:
  • If you do not have a vacant license in your
    department, you must complete an SRF.
  • PSAR form will not purchase a license for you.
  • If you are adding DW access to a new user AND
    also the HR PAY DATA report
  • Click on Add, type short comment in box
  • If user already has DW, only adding the HR PAY
    DATA report
  • Do not click on ADD for DW, just check off the HR
    Pay Data report

29
ACE Responsibilities and Duties: D.R.S.
  • When requesting access for DRS:
  • Clarify and complete the PSAR form for access.
  • Add a new preparer / need the approver's name.
  • Add a new approver / need the preparer's name.
  • Should have a primary approver for Time
    Collection and Leave Accounting.
  • Need a proxy for primary approver.
  • Always check for updated payroll calendar,
    especially at the end of the Fiscal Year

30
ACE Responsibilities and Duties: D.R.S./Proxies
31
ACE Responsibilities and Duties: D.R.S./Proxies
  • To remove a proxy, click the Delete button.

32
ACE Responsibilities and Duties: Space Management System (SMS)
  • When requesting access for SMS:
  • ACE submits PSAR
  • User must attend training first
  • ACE must add dept id in SMS Security
  • SMS User Errors
  • No matching values - ACE needs to add dept id
  • Sign in box, no access for user - ACE needs to
    request access

33
ACE Responsibilities and Duties: Z9001
  • Z9001 Access
  • ACE must process PSAR form with request for
    Z9001
  • List in Comment Box
  • Need access for dept id Z9001
  • What role for user? Requester Administrator
    Approver or Project Manager Approver
  • Inquiry Only?

34
ACE Responsibilities and Duties: Reports
To view your user access list for SMS users
  • DW user, clicks on ACE Folder
  • Click on PS SMS User Report

35
ACE Responsibilities and Duties: Reports
  • Click on Schedule and Set Value
  • Type in ACE's domain (user) name, click Set

36
ACE Responsibilities and Duties: Reports
HR Pay Data Report users will be listed on here
37
ACE Responsibilities and Duties: Reports
  • When viewing your HCM / Budget user list
  • All users on list have access to HCM
  • Users with BUD_USER class can view the Budget
    panels

38
ACE Responsibilities and Duties: Transfers
  • For employees who transfer out of your
    department
  • Click on ACE Tools and remove their roles from
    the following
  • PS Web Req
  • DW Security
  • SMS Security
  • Send PSAR to delete access (operator id)

39
ACE Responsibilities and Duties: Transfers
  • If an employee transfers into your department
  • You must request access; it will not transfer
  • New Access cannot be activated until day of
    transfer, NOT before
  • Access first DELETED from the old dept
  • Transfer is done for employee to new dept
  • New access is activated if it was requested

40
ACE Responsibilities and Duties: Terminations
  • All User Lists
  • Be sure to delete access for terminated employees
  • Review your list CAREFULLY (several names on the
    lists still show employees who have terminated or
    transferred)
  • This includes all application systems

41
How to Contact DCATS
  • DCATS_at_UTHSCSA.EDU
  • 567-0180
  • For an emergency situation during the hours of
    11:00 - 3:00, Pager: 210-235-0660
  • This pager number is only for the departmental
    ACE's use.

42
Web Requisition Revised
  • Deployment scheduled for December 10th 2007
  • Training (Seminar NOT MANDATORY)
  • 2 Before Full Deployment (11/28, 12/6)
  • Time and location TBA
  • 2 After Full Deployment (12/12, 12/20)
  • Time and location TBA

43
What is Due Back to DCATS and when?
  • Departmental User Security Access Confirmation
    List
  • Annual ACE Training Acknowledgement
  • Deadline November 30th

44
  • If you have questions regarding the information
    within the presentation, please email DCATS at
  • DCATS_at_UTHSCSA.EDU