Request from our Auditors/VP of Finance

Lauren Fardella

Our auditors have requested the following for Raiser’s Edge:

a System generated listing of password and lockout configurations

Any suggestions on how I can find or present this info will be super helpful. I searched knowledgebase and came up with zilch.

Thank you!

Karen Diener

@Lauren Fardella I haven't been asked this question in 20+ years of using RE! I work in other software systems as well, and have never seen this feature. I'm not sure it makes sense to live within the system itself anyway. And since there are multiple ways Organizations can set up their security - SSO vs. BBID, or Organizations that are self-hosted vs. being hosted by Blackbaud - it would be impossible to write the specifics into the system.

I'm assuming that their concern is around data security, in which case I think you can potentially provide links to a couple of knowledgebase articles. These may address some of their concerns:

Password security and requirements for BBID

Automatic log out

Multi-factor authentication FAQ

I would also provide information about how your user security is set up in database view and webview. Who has Supervisor rights, who has view-only rights and for which sections, who has rights to delete, etc.

Hopefully that will help!

Karen

Christine Cooke

@Lauren Fardella I have the security configured by levels of access and named that way and so I just give them a screenshot of the configuration security that shows the categories of access and the user names. Then a screenshot of each level with the names that are included. It has been sufficient

Faith Murray

@Lauren Fardella
I certainly wouldn't share passwords themselves. Even auditors don't need to know that information. If you have a Policies and Procedures guide that states something like “passwords must be 12 characters long, changed every 90 days, and utilize 2-factor authentication” that should satisfy any security needs on that count.

Our auditors have never asked for a record of security configurations (I doubt they would know enough about Raiser's Edge to understand how each setting functions anyhow). But they have asked for policy clarifications. Specifically, they like to know that the person opening the mail and creating first documentation doesn't also have gift entry/edit rights in RE, and that the person transferring to our Finance System also has siloed access. They just want to make sure that one person can't launder money and then access the gift records and finance journals to cover it up. If you can provide them with P&P information covering those elements, you should be covered I would think!

Leah Ross

@Lauren Fardella
Our internal auditors requested a system generated user list last year. We had to work with our IT team to write a custom SQL server query to get the information. It isn't pretty, but it shows the list of all users, the security groups they have access to, and which users have Supervisor rights. We have to review our user list quarterly to ensure the correct access is assigned.

Austen Brown

@Lauren Fardella - You can generate a report from security for each user group that will show the user accounts that are apart of it along with all the permissions enabled/disabled for the group. Within Admin > Security (in DBV), highlight the user group you want to export, then go to File > Preview: From here you can choose to export or print the document.