Forum of Incident Response & Security Teams / ethics / uofmary.txt (text file, 1994-07-08)
Jeffrey K. Lemich, Systems Analyst, Sr. at the Univ. of
Maryland submits the following overview of their distributed security
for data access.
Within our Student Information Systems (SIS) we have implemented a
rather extensive distributive security system. Our system has three
levels, a SIS Security Overview Committee, a SIS Security
Administrator (with a backup), and a group of SIS Sub-system Security
Managers.
The Security Overview Committee:
* Creates policies and procedures related to SIS security.
* Appoints the SIS Security Administrator.
* Approves users to have Sub-system Security Manager capability.
* Conducts periodic security audits.
Membership is the directors of the application areas.
The SIS Security Administrator:
* Oversees the day to day security needs of the SIS.
* Assigns generic SIS security. (access to many lookup processors)
* Creates Sub-system Security Managers.
* Evaluates and distributes security audit reports.
* Removes user security after a user is terminated.
* Monitors system use.
* Enforces policies and procedures established by the Security
Overview Committee.
* Works with the development staff on generic security.
The SIS Sub-system Security Managers
* Coordinates assignment of userids within the manager's own
sub-system.
* Assigns and maintains user security within their own system.
* Evaluates audit reports.
* Maintains special application passwords. (not the logon
passwords)
* Maintains value security for the system.
* Works with the development staff and SIS Security Administrator
to develop sub-system security.
> If so, do you have a set of guidelines or a policy?
> I'm looking for policies that assist your distributed security
> officers make decisions on who to give access to in an
> administrative environment.
For generic access (mostly lookup screens) security is controlled by the
SIS Security Administrator. A rather specific set of guidelines exists
for the Security Administrator to follow. These guidelines list
different groups of employees and the specific generic access they should
have. There are seven security classes controlled by the Security
Administrator and each class may have a level of 00 to 99.
Security for specific application areas is controlled by SIS
Sub-system Security Managers (usually a director or assistant
director). We have a standard methodology which is very flexible and
allows for access, function, and value security levels. The security
strategy is laid out with the developers and a guideline document
produced. Depending on the size of the department these documents can
divide access into a few or many groups. The groupings usually include
at a minimum:
Read only users (usually outside of the department)
Student workers within the department
Data entry clerks (may have more than one level)
Supervisors
Batch control clerks
Managers
Please contact me if you would like further information.
Jeffrey K. Lemich
Systems Analyst, Sr.
BITNET:   JLEMICH%ADS1.UMD.EDU@INTERBIT
          JLEMICH@UMDACC
INTERNET: jlemich@ads1.umd.edu
          JLEMICH@UMDACC.UMD.EDU
PHONE:    (301) 405-1723
ADDRESS:  Academic Data Systems
          3101 Mitchell Bldg.
          University of Maryland
          College Park, MD 20742