Data Access Audit Standard
The purpose of this standard is to provide the framework/process by which Data Stewards and Data Owners annually review and approve access granted to all Banner Database Environments, for the Access Audit. Further, this standard is directly related to the Data Access Qualification Standard and should serve as a checks and balances for assessing risk via current access.
To establish a method by which access to the Banner system (in a production environment or other) is reviewed on an annual basis thereby affirming the original granting of access.
This standard includes all Banner Database Environments, the ODS (Operational Data Store) and the EDW (Enterprise Data Warehouse). Data Stewards are responsible for the review of all Banner Classes in Banner Production, all Oracle Roles and all ODS Classes and Roles.
Data Stewards and Data Owners should use the following guidelines and process when conducting the Annual Access Audit:
Data Stewards and Data Owners should use the auditing tools provided (Banner Self-Service Security Menu).
- Data Steward Responsibilities:
- Data Stewards should review and ensure that the level of access for each Role or Class is appropriate for the class name:
- Choose the Role or Class to audit.
- Extract the metadata (Members and Objects) into excel spreadsheets.
- Verify that the objects within classes and roles are appropriate for the job class (this may require discussion with others especially if the job class is in a division/department other than the Data Steward/Owner)
- Data Steward should mark Objects that are unacceptable with comments stating why and provide a recommendation for resolution, if possible.
- Mark the users that cannot be verified with an explanation.
- After review of all Classes and Roles is complete, Data Steward should submit their report to the queue for reviewing
- Data Owners should review the report which aggregates the access levels approved by the Data Steward and review comments for all access flagged as potentially unneeded.
- If an access level is flagged for an individual or group outside of the Data Owners area, they should discuss the access issue with the Data Owner of the groups area prior to authorizing the removal of access.
- Via the security menu available in Banner Self-Service, the Data Owner should approve or deny access.
- Access level changes requested by the Data Owner will be stored in the report queue.
- The Data Access Administrator will review each request.
- If clarification is needed, the Data Access Administrator will contact the Data Owner.
- Data Access Administrator will make the requested change(s) in the Banner Production Environment, the Banner Training and Upgrade Environments if applicable, the ODS and the EDW.
All changes will be recorded in the database with a date stamp indicating the last time the Class or Role was adjusted. Audits following the initial audit using the web tools will only involve Classes and Roles where some element has changed (members, objects, types of access, etc.)
Changes to this standard must be approved by the WPI Governance Committee based on recommendations of WPI Information Technology and the WPI Data Access Working Group.
- June 12, 2009 - Initial Release by Data Access Working Group (DAWG)
- September 23, 2009 - Approved by Governance Working Group (GWG)
Last modified: Oct 18, 2009, 22:23 EDT