ITS: Workday Security Standard
1. Overview
ÐãÉ«¶ÌÊÓƵ (ÐãÉ«¶ÌÊÓƵ) is migrating to a new Enterprise Resource Planning (ERP) system, Workday. The migration to Workday allows for improved security controls to be implemented and new security standards to be defined and adhered to.
2. Purpose
This standard establishes the security guidelines with which Workday will be configured at the direction of the Chief Information Security Officer (CISO) to minimize the risk of a data breach or other information security incident. The guidelines established herein support the university’s Information Security program, Data Governance program, Risk and Compliance program, as well certain statutes and regulations. Examples of these statutes and regulations include but are not limited to:
- FERPA – Family Educational Rights and Privacy Act
- GDPR – General Data Protection Regulation
- GLBA – Gramm-Leach-Bliley Act
- HIPAA – Health Insurance Portability and Accountability Act
3. Scope
This standard applies to all University of Akron constituents with privileged access to Workday.
4. Definitions
- Data Owner - The individual or group who has accountability and authority to make decisions about a specific set of data. The Data Owner is responsible for the function or functions that collect and use the information, determines the levels of protection for the information, makes decisions on appropriate use of the information, and determines the appropriate classification of the information. This role generally falls to a functional academic or administrative area such as the Registrar, Human Resources, or the offices of the CFO and Provost.
- Data Steward – The person who is identified by the Data Owner to act, and to approve or deny access to data, on behalf of the Data Owner.
- Enterprise Resource Planning (ERP) – An ERP is a type of software system that helps an organization automate and mange core business processes for optimal performance.
- Principle of Least Privilege (PoLP) – The Principle of Least Privilege is a security control that provides a user with the least amount of access that is needed for the user to do their job.
- Privileged Access – Special access or permissions above and beyond that of a standard user.
- Security Group – A collection of users, or a collection of objects that are related to users. Allowing a security group access to a securable item in a security policy grants access to the users associated with the security group.
- Security Policy – A configuration setting that permits access to a process or object in Workday.
- Separation of Duties (SoD) – Separation of duties is the means by which no one person has sole control over the lifespan of a transaction. Ideally, no one person should be able to initiate, record, authorize and reconcile a transaction.
5. Standard
The security configuration in Workday will follow industry best practices, as well as Workday best practices.
- Data Masking
- All Personally Identifiable Information (PII) will be masked to all Workday users except the individual whom the information belongs.
- All financial payment data will be masked to all Workday users who do not require access to it.
- Minimize Customization
- Access to Workday is controlled by Security Groups. Security Groups are applied to Security Policies.
- Workday delivers built-in Security Groups, which are automatically applied to associated Security Policies.
- IT Security Services will not provide customized access or customized groups unless there is a regulatory requirement or legitimate, documented, security need for the requested customization.
- Principle of Least Privilege (PoLP)
- IT Security Services will ensure that users have the access that is required to do their job; however, users will be provided with the least amount of access required.
- Moving to a new ERP will require a lot of change and poor practices from the past will not be replicated in the new system.
- If a discrepancy arises that a user or department feels they need more access than is initially granted, the CISO will work with the associated Data Owner(s) and/or Data Steward(s) to determine if a change should be made.
- Separation of Dutiesv(SoD)
- IT Security Services will configure Workday to adhere to the separation of duties as the baseline.
- Separation of duties may vary depending on department size, structure, and function, but only the associated Data Owner of the transaction may authorize an exception.
- Delegations
- Delegations are covered in the ITS: Workday Delegations and Approvals Policy.
- Proxy
- Proxy access is only available in development tenants.
- Only approved individuals will be permitted to use the Proxy feature.
- The use of Proxy to approve any transactions or configuration changes is strictly prohibited.
- The use of Proxy to view data that would otherwise be inaccessible due to security configurations is strictly prohibited.
- The only approved exception to this is for troubleshooting security permissions.
6. Standard Compliance
- Roles and Responsibilities
- IT Security Services is responsible for reviewing, updating, and publishing this standard.
- IT Security Services will verify compliance with this standard via various methods including but not limited to internal and external audits, system reports, audit logs, and configuration change alerts.
- Departmental staff are responsible for following the guidelines established in this standard.
- Non-Compliance
- Anyone who knowingly violates this standard may be subject to appropriate disciplinary action or sanctions.
- Exceptions
- Exceptions to this Standard shall be subject to the exceptions process defined in the ITS: Data Access Policy.
7. Related Documents
University Rule 3359-11-08: Policies and Procedures for Student Records
University Rule 3359-11-10: Acceptable Use Policy
University Rule 3359-11-10.3: Information Security and System Integrity Policy
University Rule 3359-11-10.4: Customer Information Security Policy
University Rule 3359-11-10.6: Social Security Number Use Policy
University Rule 3359-11-10.8: Identity Theft Detection, Prevention, and Mitigation Policy
University Rule 3359-11-19: Policies and Procedures for Release, Privacy, and Security of Selected Health Information
ITS: Data Classification Standards
ITS: Secure Access and Data Storage Standards
8. Standard History
Approval Authority: Chief Information Officer
Policy Manager: Chief Information Security Officer
Effective Date: 11/30/2022
Prior Effective Dates: NA
Review Date: NA