The primary responsibility of the Application Security Officer (ASO) function for SSO web applications is to ensure that the proper security administration controls are followed at their institution(s) by overseeing the regular access review process required by System Enterprise Applications.
Oversight of the member-level and department-level access reviews provides real security benefits to the A&M System, its member institutions, and its employees. The review also provides demonstrable proof of the System’s due diligence in regard to security, which could be important in the event of an external audit or a major security incident.
An institution’s ASO is required to provide the final verification of the review process for each period at the SSO Role Review Portal.
In addition, ASOs should hold the SSO Contact Admin role for their institution and take responsibility for maintaining the institution’s SSO Application Role Reviewer’s list.
Following is a suggested checklist for ASOs:
- If desired, create recurring calendar reminders for approximately January 11th and July 11th, with a link to this page, to serve as a backup reminder. (You should also receive an email reminder notification from the SSO application for this task).
- Navigate to the SSO Application Role Reviewer’s list, scroll down to your workstation, and verify that the expected people or departments are listed as contacts. If any changes are needed, please email firstname.lastname@example.org, Subject: “Update Contact Info for SSO Application Role Reviewers”, and describe the additions, deletions or modifications needed.
- Launch the SSO Role Review Portal. You should see a Welcome Security Officer! greeting.
- As instructed under the greeting, create a filtered list of role reviews by clicking the Role Reviews checkmark on the top menu bar.
- On the left-hand side, under Filters, expand Workstation(s), find and select the workstation(s) you wish to review. The rows of the report will be filtered to display only those rows of interest.
- Each row represents a review that has been performed. For each review that has not yet been certified, perform the following checks:
- If it is a Member Roles review type, which is due quarterly, verify that it was performed between the 1st and the 10th of the current month.
- If it is a Department Roles review, which is due semi-annually, verify that it was performed between the 1st and the 10th of the first month of the current semi-annual period.
- Verify that the expected Applications, such as HRConnect, SSO, FileDepot, etc., have been reviewed.
- For each review form, you can optionally add comments by first selecting the Edit button. Save when finished.
- When finished reviewing the form, press the maroon Certify This Role Review button.
- If you do not see a full set of reviews, contact your application role reviewers (ARRs) as necessary so the missing reviews are completed.
- You are finished when all of the Role Reviews for your workstation(s) show the Security Officer Certification as Certified.