University of Oregon

 

Summary of Banner security policies and procedures

The Banner Coordinating Group (BCG) oversees the administration of Banner, including setting policy, scheduling upgrades, monitoring modifications to ensure integration between the modules, setting standards, and doing short- and long-range planning for administrative computing at the University of Oregon. Members include representatives from the offices of the Registrar, Admissions, Financial Aid, Business Affairs, Human Resources, Resource Management, Research Services and Administration, and the Computing Center.

Access to Banner

Access is generally restricted to faculty and staff. However, a student is eligible to be an employee if they are enrolled in the term of employment for a minimum of 8 credits as an undergraduate (6 hours as a graduate). 

An employee, whose job requires they have access to Banner, must submit a Banner Access form (BAF) to the Banner accounting clerk. It includes a "Code of Responsibility for Security and Confidentiality of Records and Files" policy that the employee must have dated and signed, acknowledging they have read and understood the policy, and that they will comply with it. The form must also be signed by the appropriate director or department head.

The Banner accounting clerk will initiate access to Banner but it will not be activated until the person has completed user training for the module(s) for which they have requested access. Training includes instruction on the appropriate use of Banner data and the purpose of the "Code of Responsibility for Security and Confidentiality of Records and Files." Upon successful completion of training, the security officer for the module will grant them access for only those parts of Banner for which they need access to do their job.

Annual reminder

The director of Human Resources sends out a reminder to faculty and staff annually, reminding them of the "Code of Responsibility for Security and Confidentiality for Records and Files" policy.

Termination of access

1. An audit job runs weekly that locks BANNER accounts, terminates certain DuckWeb roles, and terminates all data warehouse access if:

-         the employee record was terminated in previous week and no BAF received, or

-         an OUS employee record was terminated in previous week and no BAF received, or

-         temporary or student employees have not been paid in 38 days and no BAF received.

2. If the person submits a new BAF to the Computing Center, the appropriate security officer(s) are notified. They then review the userr's access, modify it if their current job status warrants it, and notify the Computing Center if the account should be unlocked.

3. Student employees lose their BANNER access unless they submit a new BAF to the Computing Center by the second Monday of each new term.

4. Employees that change jobs at the UO lose their BANNER access unless the hiring department submits new BAF to the Computing Center. The hiring department must submit a FIS/HRIS hiring for to the BAO if FIS or HRIS access is needed.

5. FIS, HRIS, FIS and Accounts Receivable access is audited by the Registrar and the BAO annually.  A memo is sent to each department and access is removed unless the memo is returned indicating that access is still required.

Remote Access Policy

With the implementation of SCT Internet Native Banner (INB), employee and student data is more vulnerable to unauthorized access by the outside world. To address security and privacy risks, the Banner Coordinating Group (BCG) will support remote access to Banner data via DuckWeb only. Banner users needing remote access to information that is currently not readily available via DuckWeb should contact the appropriate core office to discuss modifications to existing forms or development of new forms to provide the information. The full Banner application will only be available within the Campus Intranet.

Recommendations for securing desktops

See http://ccadmin/banner/banner_sec_recommendations.doc

Security officers

The Registrars Office, the Admissions Office, Financial Aid Office, and Business Affairs each designate one or two individuals as security officers. The security officer's role is to determine what constitutes legitimate access for each user according to his or her job responsibilities. The security officers grant and remove user access to Banner forms and reports as they deem appropriate. The data base administrator oversees the training and work of the security officers.