Internal Control over Compliance (Repeat Finding 2022-001, 2021-003, 2020-001, 2019-002, 2018-003, 2017-002, 2015-002, 2014-008)
Name of contact person responsible for corrective action plan:
Rhett R. Vertrees, Assistant Chief Financial Officer
2601 Enterprise Road, Reno NV 89512-1666
Phone: (775)784-3409, Fax: (775)784-1127
Email: rvertrees@nshe.nevada.edu
Responses
UNR agrees with the finding.
• Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place;
Technical staff may hold the PeopleSoft Administrator (PSA) role in either the development or the production environment, but not both. An approval process is in place to ensure that PSA access is removed from one environment before it is granted in the other when a PSA needs to move across environments. This process became effective March 1, 2023.
There is a quarterly security review of the PeopleSoft Administrator role in PeopleSoft. The first quarterly review was performed in FY16 Q1 and has been performed each quarter since. The reviews are documented and approved.
There is a quarterly security review of the PeopleSoft Administrator activities in PeopleSoft. The first quarterly review was performed in FY22 Q4 and has been performed each quarter since. The reviews are documented and approved.
There is a quarterly security review of the PeopleSoft Oracle database and user access. The first quarterly review was performed in FY20 Q2 and has been performed each quarter since. The reviews are documented and approved.
• How compliance and performance will be measured and documented for future audit, management and performance review.
Compliance and performance can be measured by the documented quarterly reviews.
• Who will be responsible and may be held accountable in the future if repeat or similar observations are noted.
The PeopleSoft Manager will be responsible for ensuring the corrective action plans are implemented and followed.
The Vice President of Information Technology will be accountable for the department’s compliance.
UNLV agrees with the finding.
• Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place;
UNLV understands the importance of adequate segregation of duties within the PeopleSoft environments and applications. The PeopleSoft Administrator (PSA) position that is the subject of the finding is responsible for the installation, configuration, upgrades, and troubleshooting of all the application environments. The PeopleSoft Administrators are not programmers/developers, and they periodically require access to the production environments to perform the activities needed for timely support of the application within the scope of their job duties.
UNLV has implemented the following controls to mitigate the risks associated with the elevated access required for the administrators to perform their required support activities.
1. UNLV has removed all persistent assignment of the PeopleSoft Administrator role from all PSAs in all environments.
2. The PeopleSoft Administrator role is temporarily assigned only when elevated actions are required. All assignments are of a limited duration and include a justification detailing the need and the actions to be performed. All assignments trigger the following actions:
a. An immediate notification to the Director of Business Continuity & Resiliency and the Interim Senior Associate Vice Provost for Digital Strategy and Transformation.
b. Removal is automatic but can be initiated by the PSA if work is completed sooner than expected.
c. All details around the assignment are captured in a tracking table.
d. A review of all assignments and activities is performed monthly.
3. UNLV will continue to review access, activities, and assigned privileges monthly for the PeopleSoft Administrators.
4. UNLV will continue researching and implementing other control methods that may strengthen the segregation of duties or the monitoring capabilities that are available.
• How compliance and performance will be measured and documented for future audit, management and performance review.
The PeopleSoft Administrator role is no longer persistently assigned to the PSA position. It is only assigned upon request with the knowledge and approval of approving authorities.
UNLV performs monthly reviews of the access and activities to determine if the PeopleSoft Administrators' activities align with the necessary support. Additionally, UNLV will continue to research other control methods that will address the segregation of duties while providing appropriate service and support.
• Who will be responsible and may be held accountable in the future if repeat or similar observations are noted.
The Director of Business Continuity & Resiliency will be responsible for reviewing the activities and access needs of the PeopleSoft Administrators. The Director will complete the reviews and is also accountable if repeat or similar observations are noted. The Chief Information Security Officer will verify that reviews are conducted on a monthly basis per audit practices.
SCS agrees with the finding.
• Detailed corrective action taken, including what will be done to avoid the identified issues in the future, and when these measures will be in place;
In addition to the compensating controls (a) to (d) below, which have been operating since before FY23, the segregation of PeopleSoft Administrators (PSA) is enforced through a "locked account" process. Only two employees have PSA accounts in both the Production and Development environments. Each employee can have unlocked access to only one of the two environments at any one time; the PSA account in the other environment remains locked. A JIRA ticket must be opened for an account to be unlocked. The request is approved by management and the account is unlocked by a member of the IT Security Team. The controls listed below also mitigate the segregation of duties risk and support a review of user activities in the absence of an appropriate user activity audit log function.
(a) STAT for PeopleSoft – Code control and internal modification tracking provides visibility over PSA activities that are processed via this tool. These object changes are reviewed and approved by the Director of Information and Application Services.
(b) JIRA ‐ Change control management and project tracking software. Change requests and projects related to the PeopleSoft shared instance are tracked and approved. This would include user access modifications and system updates for example.
(c) Security e‐mail alerts – The SCS security team are alerted via automated e‐mails when key events are triggered. For example, an elevated role is assigned to a user.
(d) User Access Reviews – On an annual basis an independent user access review is performed incorporating SCS/SA privileged users and all shared instance security coordinators.
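The UNLV controls (time-boxed PSA grants with a justification, automatic removal, a tracking table and a monthly review) and the SCS "locked account" model (a persistent PSA account in one environment, the other locked, unlocked only via ticket) both reduce to checks a reviewer can run over the grant records. The script below is an added example, not part of the NSHE response or of any institution's tooling. The record fields (env, granted_at, expires_at, removed_at, justification, ticket, locked), the eight-hour grant ceiling and the sample grants are all constructed assumptions; real PeopleSoft security tables and JIRA exports would have to be mapped onto them.

```python
"""Segregation-of-duties review for the PeopleSoft Administrator (PSA) role.

Added example: field names, the 8-hour ceiling and the sample data are
assumptions, not the actual PeopleSoft or JIRA schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional

PSA_ROLE = "PeopleSoft Administrator"
MAX_GRANT = timedelta(hours=8)  # assumed policy ceiling for a temporary grant


@dataclass(frozen=True)
class RoleGrant:
    env: str                        # "DEV" or "PROD"
    user: str
    role: str
    granted_at: datetime
    expires_at: Optional[datetime]  # None = persistent assignment
    removed_at: Optional[datetime]  # None = role still present in the environment
    justification: str = ""
    ticket: str = ""                # change / JIRA ticket reference
    locked: bool = False            # account locked in this env (SCS locked-account model)


def is_effective(g: RoleGrant, now: datetime) -> bool:
    """The role is usable at `now`: granted, not removed, account unlocked.
    An expired-but-not-removed grant is still effective; that is what we want to catch."""
    return g.granted_at <= now and g.removed_at is None and not g.locked


def psa_envs_by_user(grants: Iterable[RoleGrant], now: datetime) -> dict:
    """Map user -> set of environments where PSA is effective at `now`."""
    envs: dict = {}
    for g in grants:
        if g.role == PSA_ROLE and is_effective(g, now):
            envs.setdefault(g.user, set()).add(g.env)
    return envs


def review(grants: Iterable[RoleGrant], now: datetime,
           max_grant: timedelta = MAX_GRANT,
           allow_persistent: bool = False) -> list:
    """Return sorted (user, env, issue) findings.

    allow_persistent=False models the UNLV rule (no standing PSA role at all);
    allow_persistent=True models the SCS rule (standing access allowed, but only
    in one environment, the other account locked).  Both flag DEV+PROD overlap.
    """
    grants = list(grants)
    findings = set()
    for user, envs in psa_envs_by_user(grants, now).items():
        if {"DEV", "PROD"} <= envs:
            findings.add((user, "DEV+PROD", "PSA effective in both environments"))
    for g in grants:
        if g.role != PSA_ROLE or g.locked:
            continue
        if g.expires_at is None:
            if g.removed_at is None and not allow_persistent:
                findings.add((g.user, g.env, "persistent PSA assignment"))
            continue  # duration / expiry checks apply to time-boxed grants only
        if g.expires_at - g.granted_at > max_grant:
            findings.add((g.user, g.env, "grant longer than policy maximum"))
        if not g.justification.strip() or not g.ticket.strip():
            findings.add((g.user, g.env, "grant lacks justification or ticket"))
        if g.expires_at <= now and g.removed_at is None:
            findings.add((g.user, g.env, "expired grant not removed"))
        if g.removed_at is not None and g.removed_at > g.expires_at:
            findings.add((g.user, g.env, "removed after expiry"))
    return sorted(findings)


# Constructed sample tracking table; review time is 2024-03-05 09:00.
REVIEW_TIME = datetime(2024, 3, 5, 9, 0)
SAMPLE_GRANTS = [
    # alice: time-boxed PROD grant with ticket, released early -> clean
    RoleGrant("PROD", "alice", PSA_ROLE, datetime(2024, 3, 4, 9, 0),
              datetime(2024, 3, 4, 13, 0), datetime(2024, 3, 4, 12, 30),
              "Apply tax update", "PSA-101"),
    # bob: standing DEV role plus an active PROD grant -> both environments
    RoleGrant("DEV", "bob", PSA_ROLE, datetime(2023, 1, 1), None, None),
    RoleGrant("PROD", "bob", PSA_ROLE, datetime(2024, 3, 5, 8, 0),
              datetime(2024, 3, 5, 12, 0), None, "Restart process scheduler", "PSA-102"),
    # carol: grant expired yesterday but automatic removal never ran
    RoleGrant("PROD", "carol", PSA_ROLE, datetime(2024, 3, 4, 10, 0),
              datetime(2024, 3, 4, 11, 0), None, "Patch", "PSA-103"),
    # dave: 24-hour DEV grant with no justification or ticket
    RoleGrant("DEV", "dave", PSA_ROLE, datetime(2024, 3, 5, 8, 0),
              datetime(2024, 3, 6, 8, 0), None),
    # erin: SCS model, standing PROD access, DEV account locked
    RoleGrant("PROD", "erin", PSA_ROLE, datetime(2023, 1, 1), None, None),
    RoleGrant("DEV", "erin", PSA_ROLE, datetime(2023, 1, 1), None, None, locked=True),
]

if __name__ == "__main__":
    for model, flag in (("UNLV rule", False), ("SCS rule", True)):
        print(model)
        for user, env, issue in review(SAMPLE_GRANTS, REVIEW_TIME, allow_persistent=flag):
            print(f"  {user:6} {env:9} {issue}")
```

Run stand-alone it prints the findings under both rules; erin's standing PROD access is a finding under the UNLV rule and acceptable under the SCS rule, while bob's DEV+PROD overlap and carol's unremoved grant are findings under either. The point of `is_effective` treating an expired-but-unremoved grant as live is that the tracking table's expiry timestamp is a promise, not a control; the review has to compare it against what the environment actually still holds.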
• How compliance and performance will be measured and documented for future audit, management and performance review.
The PeopleSoft Administrators will have persistent unlocked access to either the Production or the Development environment only. Their corresponding account in the other environment will remain locked.
In the event that access is needed to the locked environment, a ticket will be created requesting access which will document the rationale and approvals.
In addition, PSA activities are monitored via the change control process through STAT for PeopleSoft. Object changes within the Production environment for example, are approved along with the associated workflows.
• Who will be responsible and may be held accountable in the future if repeat or similar observations are noted.
The SCS Director of Information and Application Services and the SCS Security Group are responsible for locking and unlocking PSA accounts. The SCS Security Group monitors the PeopleSoft e-mail alerts. The IT Audit Manager performs the annual SCS/SA privileged user access reviews.