
Policy 5.11
Critical Financial Reporting Systems Security Policy

Responsible Official: Enterprise CIO and Sr. Vice Provost for Library Services and Digital Scholarship
Administering Division/Department: LITS: Library & IT Services
Effective Date: February 04, 2009
Last Revision: July 24, 2017

Overview

This policy documents the information security controls intended to ensure the integrity of information systems and data that are critical for accurate, annually audited financial reporting. New systems that meet these criteria are expected to comply within 60 days of implementation.

Applicability

This policy applies to all information systems that have been deemed critical for accurate, annually audited financial reporting (Critical Financial Reporting Systems) by the EVP, Business and Administration, or designee. At the time of this revision, the following information systems have been identified as Critical Financial Reporting Systems:

 

Application Name | Business Owner(s) | System Owner(s) | Technical Owner(s)
AWA – Gift/Pledge/Constituent System | Ben Tompkins | Josh Greenbaum | Josh Greenbaum
Bank of America Treasury Mgmt System** | Carol Kissal | John Hatley | Tom Vincent - Integrations; Bank of America - Application
Bank of New York Mellon Treasury System | Carol Kissal | John Hatley | Tom Vincent - Integrations; Bank of New York Mellon - Application
Blackline** | Carol Kissal | Allison Berg | Tom Vincent - Integrations; Blackline - Application
Code Red | Chief Investment Officer | Christie D'Amour/Kim Ledford | Francis Fernandez/Dwayne Hamrick/Code Red
CORE – Cashiering System** | Carol Kissal | Michael Jacubenta | Dwayne Hamrick/CORE
Emory Business Intelligence | Carol Kissal | Belva White | Dana Haggas
EmoryCard OneCard | Carol Kissal | Michael Jacubenta | Shane Grizzle and the Director of EmoryCard
Fundriver Endowment Software | Carol Kissal | Allison Berg | Tom Vincent - Integrations; Fundriver - Application
GE Centricity Business – Patient Billing for Emory Clinic** | Jimmy Hatcher | Melanie Broun | Rhoda Dozier
Health Quest – Patient Billing for EHC | Jimmy Hatcher | Jim Perry | Rhoda Dozier
JPMorgan Chase Payment Net** | Carol Kissal | Loette Goosby | Tom Vincent - Integrations; JPMorgan Chase - Application
Kronos Timekeeping System | Carol Kissal/Jimmy Hatcher | Joleen Mitchell/Marion Oglesby | Kaven Moodley/Jenn Meucci
PeopleSoft Financial Aid | Heather Mugg | Beth Broyles/John Leach | Dean Schuh
PeopleSoft Financials | Carol Kissal/Jimmy Hatcher | David Miller/Liz Daunt-Samford | Tom Vincent
PeopleSoft Human Resources | Peter Barnes/Mary Beth Allen | Peter Buch/Darlene Wade | Kaven Moodley
PeopleSoft Payroll | Carol Kissal/Jimmy Hatcher | Joleen Mitchell/Marion Oglesby | Kaven Moodley
PeopleSoft Student Financials | Carol Kissal | Beth Broyles/Michael Jacubenta | Dean Schuh
SciQuest – Purchasing** | Carol Kissal | Loette Goosby | Tom Vincent - Integrations; SciQuest - Application
SCM – Supply Chain Management and AP for EHC | Jimmy Hatcher | Lee Partridge/Selene Harris | Jim Albert
SunTrust Treasury Mgmt System** | Carol Kissal | John Hatley | Tom Vincent - Integrations; SunTrust - Application
Thomson Reuters Tax Advisor | Carol Kissal | Stephen Frangis | Kaven Moodley - Integrations; Thomson Reuters - Application
Northern Trust - Endowment Custodial Mgmt System** | Chief Investment Officer | Christie D'Amour | Tom Vincent - Integrations; Northern Trust - Application
Wells Fargo Treasury Mgmt System** | Carol Kissal | John Hatley | Tom Vincent - Integrations; Wells Fargo - Application

 

** Externally hosted vendor system

Policy Details

  1. The EVP, Business and Administration (or designee) must document and maintain a list of all Critical Financial Reporting Systems along with a designated Business Owner, System Owner and Technical Owner for each Critical Financial Reporting System.
  2. System Owners, in conjunction with system administrators, application administrators, and vendors, are responsible for ensuring that Critical Financial Reporting Systems meet or exceed the following minimum standards. These administrative requirements may be waived by the System Owner for externally hosted vendor systems when the vendor is unable or unwilling to meet the requirements. All waivers must be documented by the System Owner and communicated to the Business Owner.
    1. Access Controls
      1. Initial access rights to Critical Financial Reporting Systems and any subsequent modifications to user rights/permissions must be formally requested and authorized by the appropriate System Owner (or designee).
        1. Authorization of initial access requests and any subsequent requests to modify user rights/permissions must be documented and retained in accordance with Emory record retention policies.
        2. Users are not allowed to authorize their own access requests.
        3. Access rights/permissions should be sufficient to meet the minimum requirements for the user’s role, but not unreasonably exceed the level of authorization necessary to perform legitimate job functions.
      2. If a user’s employment is terminated, the user’s access rights must be promptly removed or disabled. To accomplish this, functional managers and supervisors are responsible for ensuring that terminations are recorded in PeopleSoft HR within 1 business day. Once PeopleSoft HR reflects the termination, System Owners are responsible for ensuring that system access changes are processed within 2 business days.
      3. If a user’s job role changes, the user’s access rights/permissions must be reviewed and removed or modified as appropriate. To accomplish this, functional managers and supervisors are responsible for ensuring that job role changes are recorded in PeopleSoft HR within 5 business days. Once PeopleSoft HR reflects the job role change, System Owners are responsible for ensuring that appropriate system access changes are processed within 25 business days.
      4. User accounts and permissions must be periodically reviewed to confirm that the access rights and permissions associated with the accounts are reasonable and appropriate and do not exceed the level of authorization necessary to perform legitimate job functions. Periodic reviews of all users must occur at least annually. Users with full access privileges must be reviewed at least quarterly.
    2. Segregation of Duties
      1. User accounts, roles, and permissions must be periodically reviewed to confirm that the access rights and permissions associated with the accounts and/or roles are reasonable and appropriate, and that adequate segregation of duties exists to prevent and/or detect fraudulent use of the system.  The periodic reviews must occur at least annually.
    3. Review Procedures
      1. Procedures must be implemented in support of the above requirements for each Critical Financial Reporting System. System Owners may modify this process so long as the modified process is documented and is consistent with the requirements documented above. This requirement may also be waived by the System Owner for users with highly restricted access rights (e.g. read-only users, users with no access to critical financial functions, users with no access to sensitive data). All waivers must be documented by the System Owner and communicated to the Business Owner.
        1. The system administrator or application administrator will make available to the System Owner (or designee) the user accounts, roles, and the permissions/rights associated with each user account and/or role.
        2. The System Owner (or designee) will review the list and ensure that the permissions/rights associated with each user account and/or role are reasonable and appropriate, and that adequate segregation of duties exists within the system.
          1. Evidence that this review has been conducted will be maintained by the system owner in accordance with Emory document retention policies.
        3. The system owner (or designee) will document any required modifications to permissions/rights associated with any user accounts or roles and communicate the required modifications to functional or technical staff responsible for modifying permissions/rights for the system and to business units that may be impacted by the modifications.
        4. The functional or technical staff will make the requested modifications to permissions/rights.
        5. The system owner (or designee) will confirm that the requested modifications have been implemented.
          1. Evidence that this review has been conducted will be maintained by the system owner in accordance with Emory document retention policies.
    4. Audit Reports for Externally Hosted Vendor Systems
      1. External vendors hosting Critical Financial Reporting Systems should engage independent auditors to conduct an SSAE 16 SOC 2 Type II review on an annual basis. A copy of the Service Auditor’s Report must be provided to the System Owner within 60 days following the completion of the review. If the external vendor does not, for whatever reason, provide an SSAE 16 SOC 2 Type II report, the System Owner must perform alternate reviews to ensure that the expected controls are in place and provide assurances similar to those the SSAE 16 SOC 2 review would have provided. This review must be documented and a copy provided to the Business Owner and Emory's Chief Information Security Officer within 30 days of the last day of the fiscal year.
      2. The System Owner must review the SSAE 16 SOC 2 Type II report and provide a copy of the report, along with their response, to the Business Owner and Emory’s Chief Information Security Officer within 30 days of receiving the report.
    5. Compliance
      1. Critical Financial Reporting Systems that store, process, or transmit sensitive information that is protected by regulation (e.g. HIPAA, FERPA) or contract (e.g. credit card/cardholder data) must comply with any additional requirements dictated by the governing regulations/contracts.
  3. Technical Owners, in conjunction with System Administrators, Application Administrators, and vendors, are responsible for ensuring that Critical Financial Reporting Systems meet or exceed the following minimum standards. These technical requirements may be waived by the System Owner for externally hosted vendor systems when the vendor is unable or unwilling to meet the requirements. All waivers must be documented by the System Owner and communicated to the Business Owner.
    1. Anti-Virus Controls
      1. Critical Financial Reporting Systems must utilize anti-virus software to protect against malicious code at all times. Exceptions to this requirement must be documented and authorized in writing by the System Owner.
        1. Anti-virus software and virus detection signature files must be kept up-to-date.
        2. The system must be configured to automatically retrieve and apply updates to anti-virus software and virus detection signature files at least weekly.
        3. Anti-virus software must be configured to scan files upon access in real-time.
        4. Anti-virus software must be configured to protect the entire file system, but may be limited to file types recommended by the anti-virus vendor. 
    2. Auditing and Review
      1. Audit logs must capture and preserve information needed to detect key events and conditions that might indicate possible fraudulent use of the Critical Financial Reporting System. Key events and conditions to be logged by the system (operating system, application, database, web server, etc.), should include the following whenever possible:
        1. Login attempts
        2. Stopping/Starting of security process or processes that listen on the network
        3. File permission changes
        4. Addition or deletion of user accounts
        5. Modification of user rights or permissions
        6. Changes to system security configurations (e.g. changes to password policy, audit/logging policies)
        7. Attempts to access protected resources (e.g. files, database tables)
        8. Actions taken by administrative users
        9. Privilege escalation events (e.g. su, sudo, run as)
        10. Core system events (e.g. startup/shutdown, system crash, core dump)
        11. Addition, deletion, modification, or viewing of sensitive information
        12. Transactional events that can be used to determine the activities taken by a user (queries executed, changes made, screens viewed, etc.)
      2. For each event, the following data elements should be logged if possible:
        1. Date and time of the event
        2. User account associated with the event
        3. Description of the event
        4. Success or failure of the event
        5. Source of the event (e.g. IP address, system name)
        6. Event specific details
      3. Audit logs should be written to write-once media, sent to a remote logging server, or copied from the server to backup media or a secure log repository at frequent, regular intervals.
    3. Authentication and User Identification
      1. All Critical Financial Reporting Systems must require each user of the system to authenticate with accounts that uniquely identify the user.
    4. Backup and Recovery
      1. Data backup procedures to create and maintain retrievable, exact copies of all necessary Critical Financial Reporting System data must be established and implemented.
      2. All removable media used for backing up Critical Financial Reporting System data must be stored in a properly controlled environment in a secure offsite location or separate building from the system hosting the original data and must be transported in a secure manner.
      3. Removable backup media (e.g. tapes, DVDs) containing personally identifiable information must be encrypted.
      4. The data backup procedure must be periodically tested (at least annually) to ensure that Critical Financial Reporting System data can be successfully retrieved from backup media.
      5. Critical Financial Reporting Systems must also comply with any Emory business continuity and disaster recovery policies.
    5. Incident Response
      1. If a Critical Financial Reporting System is compromised or suspected of being compromised, the incident must immediately be reported to the System Owner, central IT Security, and the Chief Information Security Officer.
      2. Fraudulent or suspected fraudulent use of a Critical Financial Reporting System that may have exposed sensitive information must immediately be reported to the System Owner, central IT Security, and the Chief Information Security Officer.
    6. Passwords
      1. Passwords for all user accounts must meet the requirements established in Emory’s Enterprise Password Policy (http://policies.emory.edu/5.15).
    7. Physical Security
      1. Critical Financial Reporting Systems must be located in physically secured areas and protected from unauthorized physical access.
        1. Access to facilities housing Critical Financial Reporting Systems must be controlled and records of access to these facilities must be maintained.
    8. Security Updates and Patches
      1. Critical Financial Reporting Systems must be kept up-to-date with the most current security patches and updates. A reasonable time to certify and deploy security updates is allowed, but deployment timeframes should be appropriate for the level of risk associated with the update.
        1. Updates that address high-risk vulnerabilities should be deployed within 30 days.
        2. All updates that address security vulnerabilities should be deployed within 90 days.
        3. An implementation plan must be documented for any security updates that cannot be deployed within the required timeframe. This plan must be communicated to the System Owner and Chief Information Security Officer before the required deployment timeframe expires.
      2. Only currently supported operating systems and applications may be utilized by Critical Financial Reporting Systems.  Software that is not supported with security updates is prohibited.
    9. Segregation of Duties / Change Control
      1. Segregation of duties must exist to ensure that the individuals developing or submitting changes to Critical Financial Reporting Systems do not have authority to move those changes into production environments without formal approval and oversight.
        1. Formal change management procedures must be documented and implemented for each Critical Financial Reporting System and must include:
          1. Documented change requests
          2. Documented approval of change requests by an authorized oversight body separate from the change requestor
          3. A review process to ensure that undocumented changes have not been made to Critical Financial Reporting Systems, and that all documented changes have been approved
            1. Evidence that this review has been conducted will be maintained by the system owner in accordance with Emory document retention policies.
    10. System Warning Banners
      1. Critical Financial Reporting Systems must display a system warning banner at each interactive login when technically feasible. 
      2. The text of the system warning banner must read “You are about to access a computer system maintained or made available by Emory University and/or Emory Healthcare that is intended for authorized users only.  Unauthorized use of this system is strictly prohibited and may be subject to criminal prosecution.  By proceeding, your use of this system constitutes your acceptance of Emory’s IT Conditions of Use and other applicable policies and your consent to monitoring, retrieval, and disclosure of any information within this system for any purpose deemed appropriate by Emory University or Emory Healthcare, including law enforcement purposes and enforcement of rules concerning unacceptable uses of this system.”
Sanctions

Failure to comply with this policy may have legal consequences and may result in:
  • Suspension or termination of access;
  • Disciplinary actions (up to and including termination of employment) in accordance with applicable university policy.

Definitions

  1. Business Owner – The business owner is the business executive or leader who is accountable for the primary business functions performed by the Critical Financial Reporting System.  This role will usually be a director level or higher role within the institution.
  2. System Owner – The system owner is the functional unit leader who is responsible for the Critical Financial Reporting System and its proper functioning.  This role is responsible for ensuring that the Critical Financial Reporting System meets the business needs of the institution, including complying with relevant institutional policies.  The system owner is also responsible for determining appropriate roles and permissions for users of the system, and for ensuring appropriate use of the system. This role will usually be a director or manager level position within the functional unit responsible for the business functions performed by the system.
  3. Technical Owner – The technical owner is the individual who is responsible for ensuring that the technical information technology components of the Critical Financial Reporting System are properly implemented and managed effectively.  Information Technology components may include operating systems, servers, applications, databases, networks, etc.  This role is usually a manager or director level IT staff member within either the functional unit or central IT.
  4. System Administrator – The system administrator is the individual responsible for the proper operational configuration, management, and functioning of one or more information technology components of the Critical Financial Reporting System such as an operating system, server, database, etc.  This role is usually a staff level IT position within either the functional unit or central IT. 
  5. Application Administrator – The application administrator is the individual responsible for the proper operational configuration, management, and functioning of one or more Critical Financial Reporting System applications. This role is usually a staff level IT or functional position within the business unit.

Related Links

Contact Information

Subject | Contact | Phone | Email
Clarification of Policy | Chief Information Security Officer | (404) 727-2630 | brad.sanford@emory.edu

Revision History

  • Version Published on: Jul 24, 2017 (Updated applications and contacts, other minor changes)
  • Version Published on: Mar 17, 2016
  • Version Published on: Feb 04, 2009 (Original Publication)