Urbana USC Project Team Recommends Adjustments to Training and Support

The USC Best Practices and SecApp Resources project team, in partnership with the Business IT Collaboration, has been working to identify the needs of over 300 UIUC Unit Security Contacts (USCs) to assist them in fulfilling their USC responsibilities. USCs are responsible for granting Enterprise Systems access to critical systems spanning Finance, Human Resources, Students, and Reporting for hundreds of staff, faculty, and students. The USC role requires adequate time for training and for completing USC tasks. It is critical that USCs provide employees with the appropriate security permissions to perform their duties to help minimize the risk of malicious actions.

As a result of the survey, the USC Best Practices and SecApp Resources project team has developed recommendations for USC responsibilities, identification, and auditing of Unit USCs, which are detailed below.

USC Survey Results

During the Fall 2022 semester, the project team surveyed 364 UIUC Unit Security Contacts to better understand the needs of this role.

Key Takeaways

  • 41% of USCs estimate they can grant access to over 100 employees
  • 70% of the time, USCs are just duplicating a previous employee’s permissions
  • 68% of USCs spend more than an hour a month granting permissions

Response rates

  • Responses received from 25% of 364 UIUC USCs surveyed

Managing permissions

  • Manage permissions for 5,186 UIUC Civil Service employees

Estimated average number of employees whose permissions they control

  • 61% grant access to 50+ employees
  • 41% grant access to 100+ employees

Monthly time spent granting permissions

  • 32% spend less than an hour a month
  • 68% spend more than one hour per month
  • 61% spend 1-10 hours a month

How are permissions granted

  • 32% query profile with SecApp
  • 32% ask another USC
  • 70% duplicate permissions from a previous employee

Areas UIUC USCs assign permissions for in SecApp

  • Students: 62%
  • HR: 79%
  • Finance: 97%

What is a Unit Security Contact?

One who has been authorized to act on behalf of the Department Head to submit Enterprise Systems access requests via the Security Application (SecApp).

Responsibilities

  • Submit access requests via the SecApp
  • Verify that users have completed the Information Security Compliance Form (ISCF)
  • Verify that users have completed relevant training or certifications
    • FERPA, JV certification, ethics statement for Contracts+, etc.
  • Complete the Mandatory Access Review (annual access audit)
    • Review all accesses and confirm their necessity
  • Unit Heads designate the primary USC for their department
    • Unit Heads are responsible for the security of their unit
    • Primary USCs can designate backup USCs
      • Note: Backup USCs receive all privileges and assume the same responsibilities as a primary USC

Current Requirements

  • No qualifications or prerequisite training currently exist

Who should be a Unit Security Contact?

  • USCs should display a willingness to perform the associated functions
  • USCs should be willing to assume accountability for the accesses being granted 
  • Ideal USC candidates should possess:
    • Knowledge of the accesses being granted
    • Familiarity with the associated applications and tasks
    • Familiarity with the user gaining access and the associated unit 
  • USCs, especially those lacking knowledge of or familiarity with the access being granted, should agree to exercise due diligence when granting access
    • Due diligence could include:
      • Conferring with the employee’s supervisor, business office, subject matter experts (SMEs), etc.
      • Ensuring requested accesses are compatible
      • Ensuring that requested accesses are necessary and appropriate

Audit of Unit USCs

  • Should be performed by the Primary USC in collaboration with the Unit Department Head
  • Gauge willingness to continue performing the role of USC
  • Gauge willingness to continue assuming the responsibility entailed
  • Assess whether each USC should continue in the role
    • Factors that reduce risk:
      • Limiting the number of USCs per unit
      • Ensuring USCs understand access
      • Ensuring willing, responsible USCs are in place