Jeffrey K. Lemich, Systems Analyst, Sr. at the Univ. of Maryland submits the following overview of their distributed security for data access.

Within our Student Information Systems (SIS) we have implemented a rather extensive distributive security system. Our system has three levels, a SIS Security Overview Committee, a SIS Security Administrator (with a backup), and a group of SIS Sub-system Security Managers.

The Security Overview Committee:

* Creates policies and procedures related to SIS security.
* Appoints the SIS Security Administrator.
* Approves users to have Sub-system Security Manager capability.
* Conducts periodic security audits.

Membership is the directors of the application areas.

The SIS Security Administrator:

* Oversees the day to day security needs of the SIS.
* Assigns generic SIS security. (access to many lookup processors)
* Creates Sub-system Security Managers.
* Evaluates and distributes security audit reports.
* Removes user security after a user is terminated.
* Monitors system use.
* Enforces policies and procedures established by the Security Overview Committee.
* Works with the development staff on generic security.

The SIS Sub-system Security Managers:

* Coordinates assignment of userids within the manager's own sub-system.
* Assigns and maintains user security within their own system.
* Evaluates audit reports.
* Maintains special application passwords. (not the logon passwords)
* Maintains value security for the system.
* Works with the development staff and SIS Security Administrator to develop sub-system security.

> If so, do you have a set of guidelines or a policy?
> I'm looking for policies that assist your distributed security
> officers make decisions on who to give access to in an
> administrative environment.

For generic access (mostly lookup screens) security is controlled by the SIS Security Administrator. A rather specific set of guidelines exists for the Security Administrator to follow.
These guidelines list different groups of employees and the specific generic access they should have. There are seven security classes controlled by the Security Administrator and each class may have a level of 00 to 99.

Security for specific application areas is controlled by SIS Sub-system Security Managers (usually a director or assistant director). We have a standard methodology which is very flexible and allows for access, function, and value security levels. The security strategy is laid out with the developers and a guideline document produced. Depending on the size of the department these documents can divide access into a few or many groups. The groupings usually include at a minimum:

* Read only users (usually outside of the department)
* Student workers within the department
* Data entry clerks (may have more than one level)
* Supervisors
* Batch control clerks
* Managers

Please contact me if you would like further information.

Jeffrey K. Lemich
Systems Analyst, Sr.

BITNET:   JLEMICH%ADS1.UMD.EDU@INTERBIT
          JLEMICH@UMDACC
INTERNET: jlemich@ads1.umd.edu
          JLEMICH@UMDACC.UMD.EDU
PHONE:    (301) 405-1723
ADDRESS:  Academic Data Systems
          3101 Mitchell Bldg.
          University of Maryland
          College Park, MD 20742