HP3000-L Archives

March 1997, Week 4

HP3000-L@RAVEN.UTC.EDU

Subject:
From:
"J. Robert Leighton" <[log in to unmask]>
Reply To:
J. Robert Leighton
Date:
Tue, 18 Mar 1997 15:22:07 GMT
Previous respondents all have good suggestions.  Bixby's solution is
rather elaborate; I just don't have the time to devote to that level
of sophistication, and if I did, I would probably conclude that keeping
auditors at bay is not worth that much effort.  Gueterman's suggestion
is fine, assuming you have Security/3000 and access to the personnel
records and you have the time to review and cross-reference these
reports.  Phillips' idea is probably the most effective, if you can
get the cooperation of personnel--that is, if you can get them to hold
the employee's pay-out check or other benefit distribution until all
signatures are obtained.  (This approach is not very effective,
however, if a significant portion of the employees do not require
computer access.)

I have tried/considered all of these methods.  In my case, I have
users from some 15 remote hospitals/training centers who access our
centralized applications.  Each of these remote facilities has its
own personnel department and, in some cases, its own HP3000 server.
Most of our employees do not require computer access to perform their
job functions.  For those that do, I generate a form for each
employee's initial access and send it to the personnel department that
maintains the official employment record.  The policy places the
burden on the personnel department to complete and return the form to
the originator when the employee separates from service.

So, how well does this work?  Well, the record is mixed.  Again, it
requires the cooperation of the personnel departments, which is
sometimes lacking.  However, the policy clearly puts the
responsibility on the personnel departments to notify the security
administrator--and that is where the audit comment would be directed
if computer access for terminated/separated employees is not removed
in a timely fashion.  (As a backup, I use features of Security/3000 to
expire MPE user passwords and to deactivate dormant logon profiles.)




Gary Jackson <[log in to unmask]> wrote:

>Our auditors have dinged us for not having a written policy regarding the
>3000 and its users. They want:
>A formal procedure to notify the System Manager of terminated employees in
>order to delete the former employee's computer access.
>
>Does anyone have this sort of thing that they could share with us?
>
>TIA
>
>Gary
>Gary Jackson
>Nevada CSOS
>(916) 478-6407 - voice
>(916) 478-6410 - fax

_______
Bob
