PrevPrev Go to previous topic
NextNext Go to next topic
Last Post 06/10/2014 9:33 AM by  Leonard Courchaine
Lawson Admin Segregation of Duties
 3 Replies
Sort:
You are not authorized to post a reply.
Author Messages
Leonard Courchaine
Private
Private
Veteran Member
(128 points)
Veteran Member
Posts:50


Send Message:

--
06/03/2014 1:28 PM
    We're being pressured by auditors about breaking up into two the Lawson Admin who puts something (mod/CTP/Env Patch) into our Test environment and the Admin who puts it into Production.

    Our practice has been:
    1. Dick puts quarterly patches into test; Harry puts environment patches into test.
    (user testing occurs)
    2. Dick then puts quarterly patches into prod; Harry puts environment patches into prod.
    (All Lawson Admins have keys to test and prod e.g. the lawson password.)

    Auditors would like it if PersonA puts something into test and PersonB then puts it into production with Person A not having the ability to access production. Same with new custom mods that we put in.

    We'd **LOVE** to know how others are dealing with this type of auditor request around segregation/separation of duties with limited resources.
    Thanks so much,
    Lenny

    0
    Kwane McNeal
    Private
    Private
    Veteran Member
    (1197 points)
    Veteran Member
    Posts:399


    Send Message:

    --
    06/04/2014 10:43 AM
    Lenny,
    If you have one or two, and no more than two admins, typically I have seen clients do some variation to the following:
    1) Document an audit exception, because the point of having two admins is one is a backup to the other. If you segregate one from PROD completely, you lose some of the benefit to fall back.
    2) Setup a system to audit access to both the 'root'/'administrator' and 'lawson' accounts, by using 'su' (for UNIX), or some type of OTP (for Windows). Direct 'root'/'administrator' and 'lawson' access is forbidden, and the logs are sent to some other server the admins don't have access to.

    Kwane
    0
    Tim Cochrane
    Private
    Private
    Veteran Member
    (450 points)
    Veteran Member
    Posts:154


    Send Message:

    --
    06/06/2014 9:55 AM
    Agreeing with Kwane - we've got a team of 5-7 System Admins: 5 on-site; 2 off-shore. ALL are expected to be able to handle ALL environments...otherwise they are worthless They typically work in pairs; one to make the changes and the other to validate.

    We're a large health care organization, so we've have to follow the same SOX requirements that you do. I don't know if our LSAs have to report anything to IA...never heard of them doing that...but our IA is comfortable with the process. Our Lawson Security group DOES have to make periodic reports to IA, so that might include any LSA activitiy, but i think the Security report is more around role/classes/user changes in LS.

    Kwane's worked with us before, he's seen how our system works.
    Tim Cochrane - Principal LM/IPA Consultant
    0
    Leonard Courchaine
    Private
    Private
    Veteran Member
    (128 points)
    Veteran Member
    Posts:50


    Send Message:

    --
    06/10/2014 9:33 AM
    Guys,
    Thanks ***very*** much for your input. I'll pass it along. Seems very reasonable.
    Lenny
    0
    You are not authorized to post a reply.