Process is mandatory to comply with U security policy
By Jesse Drake
UIT’s Information Security Office (ISO) is implementing a new quarterly process that will require all managers at the University of Utah to review their employees’ elevated access to high-risk applications. The current list includes Epic, Lawson, and PeopleSoft Campus Solutions and HR Financials. This list will grow as applications are rolled into the review process.
"This periodic review process will enable managers with better oversight and is an important first step towards mitigating risks around user access to high-risk applications," said Subhasish Mitra, associate director of ISO's Identity and Access Management (IAM) team.
The IAM team will conduct a pilot review with UIT, ITS and the U's Division of Human Resources in mid-June. The review requirement for all managers is tentatively scheduled to begin in late July or early August 2017.
Managers will receive an email notification when it is time to perform a review. Managers must review their direct reports who have elevated access, either approving or revoking access via a portal powered by IdentityIQ (IIQ) software.
A link to the portal where these actions will be performed is not yet available, but will be provided once the site is live. Until then, managers are urged to review this training video (authentication required) and related articles in UIT's Knowledge Base.
This review process is mandatory in order to comply with Policy 4-004, Rule 4-004D. Reviews must be completed within six weeks of notification. If the review is not complete three weeks into the campaign, the manager’s supervisor will be notified. Failure to finish the review by the deadline will be documented, and the manager’s supervisor will be notified along with the University's Chief Information Security Officer.