Utah State University Information Technology

Direct Access to Banner Database

Banner Database Access

Number ###

Subject: Banner Database Access

Effective Date: ???,??,200?

PURPOSE

Direct access to the Banner Database represents a security risk because the database is exposed if the client computer is compromised. Access is controlled by a firewall in front of the Banner Database Server, by password authentication, and by user-dependent access tables in the database. (Jan 2007 - there are known vulnerabilities in the database system that may overcome the authentication.)

POLICY

The Office of Information Technology is charged with protecting the institutional ERP database system of record by implementing guidelines that provide multiple layers of access control, in accordance with best practices and available technology, and in consultation with the various administrative owners of the data.

DEFINITIONS

PROCEDURES

The following conditions must be satisfied for direct access to be granted:

  • The allowed computer must be:
    • in a physically secure location;
    • managed by a qualified, full-time system administrator;
    • placed on the network in an IP pool with additional security measures [explain what this means in our current network and after the planned network configuration];
    • configured to isolate the database access from hazards posed by other applications (e.g. by limiting other applications on the computer, or by installing an access gateway interface or other technical solution);
    • subject to vulnerability audits (intrusion detection) at any time by the IT Security Team, as described in the Network Monitoring & Scanning Policy.
  • The authorized user of the allowed computer must:
    • have an assigned duty requiring the use of direct access to the database, as authorized by a direct supervisor;
    • be trained to use the access appropriately, including rigorous requirements for password selection, management and replacement;
    • have a signed agreement on file, accepting responsibility for protecting the confidentiality and integrity of the accessible data, as described in the Confidentiality Agreement;
    • be trained to use other applications on the computer in ways that will not increase the exposure of the database access.
  • The system administrator must:
    • keep abreast of current threats to the database and vulnerabilities of the computer system;
    • participate in the campus Network-Managers group and mailing list;
    • ensure that hazardous applications are not used on the allowed computer;
    • ensure that the current Computer Management Policy is followed;
    • ensure that the current Data Security and Access Policy is followed.
  • Authorization for direct access is given for a period of (3 months | 6 months | one year) and is automatically revoked unless all conditions of access have already been reconfirmed by IT Services.

GUIDELINES

ENFORCEMENT AUTHORITY & PENALTIES
