The TAMUS Office of Information Technology’s (OIT) System Enterprise Applications (SEA) department supports multiple security role review processes for its FAMIS and Single Sign On/related applications and the Enterprise Data Warehouse (EDW) and BusinessObjects reporting portal.
These processes use different inputs to the process – typically reports generated from the applications/tools themselves – and different methods of recording the review itself, different levels of reporting granularity – e.g., FAMIS screen reporting vs. SSO role reporting – and different reporting intervals.
The goals of performing period security role reviews include but are not limited to:
- Ensuring terminated employees have their access removed
- Ensuring employees who change jobs have their access adjusted appropriately, if necessary
- Complying with IT best practices regarding application and data access
- Satisfying federal, state, and internal audit recommendations and requirements
Results at satisfying these goals has been mixed to-date. Users of the SEA-provided IT solutions are not satisfied with have multiple methods of performing the required reviews. They are also not content with any of the individual processes in use today. The process and tools are not optimized and do not completely surface information needed to completely perform the review. And the tools themselves are far from efficient. Improvements are needed.
At the same time, SEA management is not satisfied with the level at which the security reviews are being performed. Effectively the review process is an opt-in process. This has led to some members actively reviewing roles and others not doing so. Even within a member one team may diligently perform their role reviews only to have that review remain uncertified by the security officer. The review process should become mandatory as it is made more efficient and complete.
A third consideration is that the SEA applications are not the only ones with these problems. There are many departments and IT systems for which periodic security reviews are required. A common method of performing and recording security reviews has the potential to be a benefit to the A&M System at large.
The remainder of this white paper will focus specifically on the SSO applications’ role review process. In the recommendations section of this paper, suggestions will be made to improve the SSO review process.
In addition, consideration will be given to the creation of a common process for all SEA review processes as well as other departments’ review needs.
SSO Role Review Process
The SSO role review process is delegated to the system members. It is not performed or administered by the SEA staff.
The process is conducted on the following intervals:
- Central/Global roles: Reviewed monthly
- Departmental roles: Reviewed quarterly
Members are to review roles in SSO’s native applications:
Single Sign On
- Time & Effort
- UIN Manager
- Position Budget
Each member should designate an application role reviewer (ARR) responsible for reviewing each of the applications above (given that the application is used by the member).
Excepting Guardian I-9, reviews are performed by running the following reports in SSO:
- SSO Roles by Application
- Employees with SSO Roles
- Employee Monthly Position Changes
The Guardian I-9 process requires the reviewer to access the Guardian role assignments and review them separately.
Certification of the results of the review is done by filling out simple monthly and quarterly review forms on the IT SSO website.
Individual reviews are then emailed to the member’s application security officer (ASO). The ASO’s responsibility is to collect the reviews from the member’s ARRs and enter them into the System Application Security SharePoint site.
SSO applications’ ARRs are primarily subject matter experts regarding the applications they review. ARRs are primarily drawn from the HR and payroll departments, with notable exceptions for Time & Effort, which is more research-focused.
Conversely, SSO’s ASO’s are the information security officers (ISOs) at the member institution. When the formal SSO role review process was established, this assignment was created in conjunction with the system information security officer’s endorsement and seemed like a good fit for the ISO position.
The SSO reports used by the ARRs to perform the role review process have the information necessary to perform the required reviews. Recently the Employee Monthly Position Changes report was added to identify individuals who have had a position change that may require role access changes.
Still, the reporting made available to SSO ARRs could be more closely aligned with the review process. Ideally fewer than 3 reports would be required.
It is worth noting that in conjunction with the Workday implementation, SSO now automatically removes roles from individuals who terminate employment with the A&M System. With this change, the primary focus of the role review process has become employee position/function changes that should result in application role changes.
The SSO role review process is fully documented on the IT SSO website. Generally speaking, the process is simple and easy to follow.
One weakness in the process is that is that the Security SharePoint site requires an ASO to use a TAMU NetID to log in. NetID are readily available and this is seen as an annoyance rather than a true problem.
In SEA’s opinion, the SSO role review process has not been effective overall. We believe there are two principal reasons for this. First, as mentioned, the process is effectively opt-in for every member/application. There are no consequences for failing to complete the review.
Second, the ASOs – the member ISOs and/or their designees – have not reliably completed their part of the process. Here again, there are no consequences for failing to verification of the reviews submitted.
The SSO role review process has been through multiple reviews by both internal and state auditors. The auditors were not favorably impressed by the completeness of the role reviews recorded on the Security SharePoint site and expressed concern that members were not completing them.
Despite this deficiency, the SSO role review process itself has not resulted in any audit findings. It is SEA’s opinion that this is the result of the reports and process documentation being complete, even though the execution has been fair at best.
SEA further believes that we have been fortunate on this point and that the role review process must be executed completely to shield the system from both actual security risks and the expense/embarrassment of future audit findings.
To this point, auditors are very sensitive to role authorizations that should be removed when an employee terminates or moves to a position in which application roles previously held are no longer required. Proper execution of the SSO role review process will protect members against this sort of finding.
A Brief Case Study
In 2017, SEA itself was found to have not removed access appropriately when 2 team members changed roles by moving to the Workday HCM implementation team. To be clear, no data security issues took place as a result of this continued access and the individuals’ access was immediately removed during the audit. Nevertheless, the auditors wrote a formal finding against the members being reviewed.
The consequences of this finding were painful, not least because the finding was replicated for each member under audit. These findings then required multiple written responses and follow-ups involving as many as two dozen system employees. We did not track the time spent on the efforts required to address the finding, but a conservative estimate is that at least 100 hours were spent responding to this single issue. Clearly this represents a significant opportunity cost to any team.
While the access in question was at the server level rather than at the SSO application level, this case illustrates what can happen when role reviews are not completely executed.
Role Review Working Group
In April 2020, SEA team members from the SSO applications, FAMIS, and EDW teams met with Workday Services and an array of member representatives representing HR, payroll, finance, and IT perspectives.
For SSO, 3 recommendations were made:
- Change the review intervals for SSO role reviews to:
- Central/Global roles – Quarterly, with an option to make Semi-Annually
- Department roles – Semi-Annually
- Move the SSO ASO oversight function to the CFO organization
- Implement a better mechanism for ASR role review certification and ASO verification
Additional recommendations were also made:
- Find ways for the TAMUS OIT applications to be reviewed the same way
- One method to certify and verify role reviews
- One way to pull role access reports
- Find a way to review FAMIS at the role or function level rather than at the screen level
- Consider an role review process that includes applications beyond TAMUS OIT; e.g., member IT systems such as domain directory, email, and other systems
SEA believes that the 3 changes to the SSO role review process discussed above should be implemented during the summer/fall of 2020.
Changing the review intervals to quarterly and semi-annually will reduce the administrative burden associated with the reviews and incent the ASRs to do a more thorough job when reviews are conducted.
The ASO role is particularly important to the review process. SEA has spoken with several CFOs and assistant CFOs. Thus far, all have been supportive of the change to move the security officer function into their organizations.
Two questions have arisen regarding this change. First, will the ISOs agree to this change? SEA has presented the proposed change to both Danny Miller, the system Chief ISO, and the ISO working group. They are in agreement with this change.
Second, who in the CFO organization should be given the ASO role? Here, SEA must defer to the member CFOs to designate their own security officers. Of course, we recommend the individual(s) have sufficient authority to require that role reviews be performed regularly and a willingness to participate in the process long-term. The need for security review processes will not diminish over time.
Therefore, during the summer of 2020, SEA will formally request that the CFOs take over the ASO role starting on 10/1/2020.
Finally, a new SSO role review application was developed as a proof-of-concept project for the QuickBase development tool. SEA believes we can enhance that sample application without significant effort and use it to manage the SSO role review certification and verification process.
SSO role reports will be pulled by the ARRs as before and the reviews will be recorded in the new application where they can be viewed by the ASOs. The new role review application will use an SSO logon so that NetIDs will no longer be required.
With respect to the working group’s additional recommendations, SEA proposes to proceed in an incremental fashion. If the SSO role review process changes are successful, we would then consider using the new role review application for reviews in the FAMIS and EDW departments, as well as offering the application to the Workday Services team.
In regard to performing FAMIS access reviews at the role rather than the screen level, Teresa Edwards from the System Office of Budgets and Accounting (SOBA) has offered to work with FAMIS staff and security officers to define the appropriate screen-to-role mappings. If consensus can be reached, FAMIS access reviews could be greatly simplified.
NOTE: The modernized FAMIS application will retain these screen numbers for several years after the project completes in 2022.
Finally, in regard to a comprehensive role/access review process including all SEA, TAMUS OIT, and other member applications, more analysis and discussion is needed.
Some important questions include:
- Do the CFOs consider this a priority project?
- Is a central repository of role assignments needed for comprehensive role reporting?
- Does a commercial software package exist to meet our needs? If so, what is its cost?
Periodic role reviews are a required element of the software application life cycle. They are part of the total cost of ownership of the applications any organization relies on to do its work. The role review process includes reporting on employee terminations and job changes, removing inappropriate access, and certifying the completion of the reviews.
SEA intends to streamline the role review process for its applications starting with SSO and its “family” of applications with the intention of following up with changes in its other areas.
To streamline SSO we believe the CFO organizations should take ownership of the process.
If successful, future steps could include role-based FAMIS reviews and/or the addition of applications beyond those provided by TAMUS OIT.