tidBiTS
Informs and engages the UNB community on IT developments and news

Management Briefing - Access Manager backgrounder

Author: ITS

Posted on Aug 15, 2014

Category: Management Briefings

Genesis of Access Manager

Access Manager is the culmination of years of planning and work on addressing high-risk issues with internal processes and controls raised in auditor reports to the Audit Committee of the Board of Governors since at least 2006. Specifically, the auditors have long recommended tighter controls over who has access to various university IT systems, including tracking not only the accesses themselves, but who is accountable for granting and reviewing them; in other words, providing a record of who granted what access, to whom, and when. The auditors also repeatedly emphasized risks in leaving accesses in place for individuals who have moved between departments or left the university completely.

There are several important issues being addressed with Access Manager. First, the auditors’ recommendations highlight financial risk to the university in the event that someone with inappropriate system access could perform acts that might lead to fraud or damage to the integrity, security, and accessibility of financial data. Second, from the IT perspective, inappropriate access can lead to any number of problems, from loss of data, to malicious attacks on our systems, to poor work performance caused by inappropriate access permissions. Third, there is regular turnover of staff and faculty in many areas, but thorough processes ensuring IT accesses are kept up to date have not been previously implemented; this is often missed in current practice, and sometimes old, inappropriate accesses are never removed. Finally, the current system of IT access control is highly dependent on manual processes both within ITS and across the university. Access Manager automates some of these processes, thus reducing time needed to provide service, while also reducing the chances for errors or omissions in the access process.
Access approvers defined

Access approval for faculty members has been aligned with RPB’s hierarchy of Portfolio and Envelope managers and contacts, which most closely represents UNB’s current signing authority schema. Most access approvals for staff members are the responsibility of direct supervisors, with some exceptions (for example, access to highly confidential data requires higher approval). Access approvals cannot be delegated, as this would defeat one of the main purposes of Access Manager: to provide an auditable record of authorization to use UNB’s IT systems, by those individuals responsible and accountable for the activities that take place within their units and departments, while ensuring that all accesses are reviewed and changes made as needed.

Development and launch of Access Manager

A lot of thought, planning and effort has gone into making sure that the development and implementation of Access Manager has been widely communicated. In the development stage, an ITS Business Analyst consulted stakeholders across the community to gather input on system requirements. In the design stage, developers handed over their work regularly to non-IT testers who reviewed the product with a critical eye, leading to many improvements through simplification and the incorporation of standard user-interface design principles. In the pre-launch period, administrators and Level 1 staff were invited to introductory sessions on Access Manager, in which all aspects of the product were covered. In addition, regular communications have gone out from ITS via the regular channels including myUNB News, the ITS blog, and an AVP management briefing note. We will continue to update the community as Access Manager is developed further; several enhancements are already planned, and the next version will automate more backend manual processes.

August 15, 2014, Terry Nikkel, AVP, ITS