Do You Have Technology Security On-Boarding/Off-Boarding Processes in Place?
Our organization is working on creating and documenting very specific on-boarding and off-boarding processes as it pertains to database and technology security and I was just curious if anyone had any insights or already existing documentation that they are willing to share? I am looking for specifics that may be in place such as:
- Who is in charge of certain security aspects including third-party applications like Omatic, Peer2Peer/JustGiving, etc.?
- Is there a “paper trail” on what has been done (for internal auditing)?
- Who is in charge of updating the document that contains all the applications that have security implications, and how often is it revisited to ensure it's up-to-date?
I'm certain I'm missing other important details as it pertains to this stuff, which is why I'm asking you lovely people.
Thanks, all!!
Comments
-
It's not the same thing as what you're talking about, but I have a document on my website about the steps to add and inactivate RE users as they come and go that might be helpful to this purpose. It's also possible the other resources I have posted there in relation to the RE Security webinar I did with Blackbaud this spring might be helpful as well. See Free Resources for Raiser's Edge | Bill Connors CFRE (free and anonymous).
1 -
Thanks, Bill! I actually attended all of the webinars you hosted through Blackbaud just before this project was given to me (maybe I can tell the future and I just don't know it…?) I appreciate the documentation you have but I was hoping for something a bit more specific such as timeframes of when someone leaves, who is in charge of de-activation (and when that person isn't around who is the next in line), and who is responsible for all third party applications that I, in my position, may not be aware of. I was hoping someone would have something so I wouldn't have to reinvent the wheel but that may be the case.
0 -
Hello, we're literally talking about this at my organization right now.
There is a PDF form that is filled in and attached to a ticket to add/remove users. IS will remove the user from the network/Windows, etc. I suspect IS will remove the user from the application as well (but that's in discussion right now). Note: the DBA on my team sets/adjusts security groups.
Happy to chat further too.
0 -
Chris-
I'm glad I'm not alone on this boat!
Are you guys planning on putting any processes in place for your DBA to ensure that they are properly deactivating users within database view and/or web view… and are there other third-party vendor applications that you are using that need to be inactivated as well for users and, if so, who is in charge of that and how will you make sure that they are properly deactivated in a pre-determined timeframe? Perhaps these are things that you are thinking about currently as well. You see, I am the DBA at my organization and we have many third-party applications (Graduway, P2P powered by JustGiving, Salesforce Marketing, Blackbaud Awards Management, etc.) and I need to figure out how to have centralized documentation that can assure that all areas are checked and inactivated as need be in a timely manner. Our IT department is not involved in any of these items as far as the day-to-day nitty gritty goes, so a ticketing system won't really work.
Thoughts? Did I just open a can of worms too soon? Thanks for your reply!
2 -
For us, the fine line between job roles in integrations has to do with whether the integrations exist on a local PC, and the functions of the software.
- Our DBM (me, for now) regulates user security in RE and NXT. It didn't used to be this way: IT used to manage this, but we proved that it was more efficient to do this ourselves, as we could understand all of the nuances of user privileges in the database more fluently.
- New RE users are created when a new hire begins their first week of work, and privileges are limited to the bare minimum needed for entry work. Privileges are expanded gradually through the course of the training period.
- Users are deactivated (moved to a User group with no rights) immediately after their last day of work.
- I have equal admin rights (but do not set user privileges) for our marketing platforms such as email and website, so that I can do bulk email imports, alumni directory updates, and technical troubleshooting in the associated platforms. However, Communications regulates these user roles because the platforms are seen as “communication” mediums.
- Our IT manages actual software install on local PCs, such as Citrix updates and Microsoft Office packages. They assist with the initial purchase of associated software (like Chimpegration, back-ups, and RE migration). Then after set-up, user roles and maintenance are done by our Development staff, or whatever department primarily uses the software. IT retains admin rights to all software in case our DBM gets hit by a bus.
Unfortunately, we really don't have a paper document for the process. We're a small-ish shop with low turnover (our average staffer has been here 8 years). Plus, our IT director usually pops by our office for lunch a few times a week, and if we have concerns it's easy to pick his brain on the fly.
0 -
Faith-
This is awesome! Thank you so much for your response. Every little bit helps, so I appreciate it. We have the same situation going on but, even though I am the DBA, my direct supervisor (Finance Director) is the one that “holds the power”… even though I am the one that is responsible for said power, so the more documentation I have, the easier it will be for me to audit these items.
I think I may need to create a training document to determine when a user “gets” to have more rights. This project is quite the challenge… but I like challenges.
Thank you, again, for your response!
0 -
We use SharePoint.
A manager lets us know someone is coming onboard. We add the person to SharePoint. SharePoint sends out an email to the manager and new user telling them how to attend training. The trainer goes into the list and marks a person as trained after they have been trained. We can then give them access if they do not already have it.
We also use the list to audit who has signed what documentation (NDAs, FERPA, etc.). The list also recommends to the DB admin (me) and the Active Directory people what security groups the person should belong to based on their department and title.
As someone leaves, we activate a workflow that notifies the Active Directory people and DB admin that this person is leaving on this date so we can take them out of the security groups.
We also use the list to notify the manager that within a couple of weeks we will begin to clean up the person's queries.
0 -
Mike-
Thanks for your reply. SharePoint would be a good place to start for an interactive process for sure. You are very lucky to have so many people from so many different departments on task with this... and to know enough to make an educated decision about what security group someone should go in? Wow! And down to the query clean up - that is outstanding! Is there a cheat sheet that people are using to determine the security group? This portion really has piqued my interest.
Thanks, again!
0 -
When we first went live in BBEC, the implementation team decided which people would get which roles.
From that, we made a matrix in SharePoint that the program uses to communicate to the admins what roles the person should get. From that point to now we do an audit to determine what needs to be changed in the matrix.
We also communicate to the managers when someone is hired that the initial security can be changed if they decide there is a business reason and can provide us that in their ticket, so any security is not set in stone and flexibility is allowed so the end user can get their jobs done.
I'm happy to provide a demo if you would like.
0 -
Mike-
I don't require a demo at this time, but don't tempt me with a good time.
I really like what you guys have going on over there when it comes to the transparency and the overall teamwork. If I require more information you better believe that I will reach out to you to find out more.
Thank you so much and congrats on having such a seemingly well run machine over there!
0
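As an added example (not code from Mike's SharePoint setup, from Blackbaud, or from anyone in this thread), here is a small Python model of the process Mike describes in his two posts above and that the original question asks for: a role matrix keyed by department and title, one deactivation task per system with a named owner, a backup owner and a deadline counted from the last day, an append-only log that serves as the paper trail for internal auditing, and a drift check that flags access not covered by the matrix (for instance a third-party application nobody recorded). All department names, titles, systems, groups, owners and deadlines are constructed sample values, not anyone's real configuration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Role matrix (constructed sample): (department, title) -> {system: [groups]}.
ROLE_MATRIX = {
    ("Development", "Gift Processor"): {"RE": ["Gift Entry"], "AD": ["Dev-Staff"]},
    ("Development", "Database Manager"): {"RE": ["Admin"], "AD": ["Dev-Staff"], "P2P": ["Admin"]},
    ("Communications", "Email Specialist"): {"AD": ["Comms-Staff"], "Email": ["Editor"]},
}

# Per-system primary owner, backup owner and deadline in days after the last
# day of work (constructed sample; 0 means "by end of the last day").
SYSTEM_OWNERS = {
    "RE": ("DBA", "Finance Director", 0),
    "AD": ("IT", "IT Director", 0),
    "P2P": ("DBA", "Finance Director", 2),
    "Email": ("Communications", "DBA", 2),
}

# Append-only "paper trail": (date, event, person, details...).
AUDIT_LOG: list = []


@dataclass
class Task:
    person: str
    system: str
    groups: list
    owner: str
    backup: str
    due: date
    done_on: Optional[date] = None
    done_by: Optional[str] = None


def expected_access(department, title):
    """Look up the matrix; an unknown role gets no access at all (least privilege)."""
    return ROLE_MATRIX.get((department, title), {})


def offboarding_tasks(person, department, title, last_day, extra_systems=()):
    """One deactivation task per system in the matrix, plus any extra systems the
    manager reports (e.g. a vendor app the DBA did not know about). Systems with
    no registered owner are flagged UNASSIGNED so the gap is visible, not silent."""
    systems = dict(expected_access(department, title))
    for s in extra_systems:
        systems.setdefault(s, [])
    tasks = []
    for system, groups in systems.items():
        owner, backup, days = SYSTEM_OWNERS.get(system, ("UNASSIGNED", "UNASSIGNED", 0))
        tasks.append(Task(person, system, groups, owner, backup, last_day + timedelta(days=days)))
    AUDIT_LOG.append((last_day, "offboarding_started", person, sorted(systems)))
    return tasks


def complete(tasks, system, done_by, on):
    """Mark the open task for a system done and record who did it and when."""
    for t in tasks:
        if t.system == system and t.done_on is None:
            t.done_on, t.done_by = on, done_by
            AUDIT_LOG.append((on, "deactivated", t.person, system, done_by))
            return t
    raise ValueError(f"no open task for {system}")


def overdue(tasks, today):
    """Systems still active past their deadline, with owner and backup to escalate to."""
    return [(t.system, t.owner, t.backup) for t in tasks if t.done_on is None and today > t.due]


def access_drift(department, title, actual):
    """Compare live access ({system: set(groups)}) with the matrix.
    Returns (extra, missing): extra is access to review or remove, missing is a gap."""
    expected = {s: set(g) for s, g in expected_access(department, title).items()}
    extra = {s: sorted(g - expected.get(s, set()))
             for s, g in actual.items() if g - expected.get(s, set())}
    missing = {s: sorted(g - actual.get(s, set()))
               for s, g in expected.items() if g - actual.get(s, set())}
    return extra, missing


if __name__ == "__main__":
    tasks = offboarding_tasks("J. Doe", "Development", "Database Manager",
                              date(2024, 6, 28), extra_systems=("Graduway",))
    complete(tasks, "RE", "DBA", date(2024, 6, 28))
    print("overdue on 2024-06-29:", overdue(tasks, date(2024, 6, 29)))
    print("audit log:", AUDIT_LOG)
```

The periodic audit Mike mentions is the `access_drift` call: export each system's current user list, run it against the matrix, and anything in `extra` is either a documented exception or something to remove. Running `overdue` on a schedule answers the original question's "when that person isn't around, who is next in line" by naming the backup owner for every task still open past its deadline.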