Hardware Security Module - HSM access

Feb-18

HSM password access for the 11 users (including 5 admins) is underway as of Feb-18. It has passed from Glenn to Alister and is now with John, who is progressing with the 11 users to set up their unique PINs.
-------

Glenn,

I have spoken with Garry and he has confirmed that each user should have their own HSM password with a unique PIN in CSeries. I believe Alister's call sent to your helpdesk contains all the users that require access.

Can you confirm what the process would be for adding new HSM passwords further down the line (for example when a new user starts and requires access)?

2 other questions -

Batch Audit

The batch audit only displays the last instance of each process. For example, if a file is approved by USER1, then unapproved by USER1 and then approved by USER2, the audit will only show that USER2 has approved the file and will not display that it had previously been approved and unapproved by USER1. Is it possible for this to be changed to show all actions on the file?

Emails -

I believe the Directorate will receive email notifications for all files once approved; however, can this be limited so they only receive notifications for the ones that they need to approve (Salaries RTI, Salaries Non RTI and Accounts Payable), as all others will be completed, approved and signed by the Cash Office? Is this a case of setting up a new group?

John  

-------

Jan-21

Hi John,

As suspected, Email is not seen as secure for transferring passwords.

After speaking with others, it looks like the best approach to security would be for a call to be logged in Unidesk containing the user's name, c-series account name and phone number. Apps-Man will then get in touch with Bottomline about getting the accounts updated; Bottomline will remote in and update the account (with Apps-Man controlling access). Then Bottomline can call the user back with their new password (PIN).

With this, no one at the UoE will know anyone else's PIN. The call will be logged through Unidesk and show a record of account creation/change/deletion requests and actions.

There will be no password data held in email or anywhere else within the University.

For the initial password (PIN) setup, I am happy for John to email me the list, as it may require some scheduling/planning on the Bottomline side of things.

Alister.

Hi John/All,

Following on from yesterday's meeting, I have just had a chat with Bottomline support regarding the HSM passwords (PINs) to find out what they would recommend as best practice.

What they say is that each user should have their own HSM password, and they recommend that the best way of doing this is raising a support call with them at Emae-support@bottomline.com for any HSM password creation/removal. The reason for not having the same password for everyone is that if something needs a second signature and all passwords are the same, they are likely just to enter the second signature themselves.

The call should have both the c-series user name and the user's email address. Bottomline will then log in, create a password on our system and email the user.

These passwords do not expire and no one else on the premises would know any other users password.

Please reply to this email if you have a concern about going ahead with doing HSM passwords in this way.

Alister
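Two points in this thread are really the same control-design question: John's batch audit complaint (the audit shows only the last approve/unapprove on a file, so USER1's approve-then-unapprove disappears once USER2 approves) and Alister's note from Bottomline that shared passwords let one person enter both signatures. The following is an added example, not code from CSeries, Bottomline or the project; it sketches how an append-only audit trail keeps every action on a file while still offering the "last instance" view, and how a dual-control check rejects a second signature from the user who gave the first. The file identifier PAY001, the action names and the user names USER1/USER2 are constructed for the example, and the two-signature requirement is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class AuditEvent:
    seq: int       # assigned by the log, strictly increasing
    actor: str     # user name; the values below (USER1, USER2) are constructed
    action: str    # "approve", "unapprove" or "sign" (names assumed for the example)
    file_id: str   # batch/file identifier


class ApprovalLog:
    """Append-only record of every action on every file."""

    def __init__(self) -> None:
        self._events: List[AuditEvent] = []

    def record(self, actor: str, action: str, file_id: str) -> AuditEvent:
        event = AuditEvent(len(self._events) + 1, actor, action, file_id)
        self._events.append(event)   # events are never edited or removed
        return event

    def history(self, file_id: str) -> List[AuditEvent]:
        """Full trail for a file, oldest first: what the audit should be able to show."""
        return [e for e in self._events if e.file_id == file_id]

    def current_approval(self, file_id: str) -> Optional[AuditEvent]:
        """Only the latest approve/unapprove: the 'last instance' view the thread describes."""
        state = [e for e in self.history(file_id) if e.action in ("approve", "unapprove")]
        return state[-1] if state else None

    def signers(self, file_id: str) -> Set[str]:
        return {e.actor for e in self.history(file_id) if e.action == "sign"}


def can_sign(log: ApprovalLog, actor: str, file_id: str) -> bool:
    """Dual control: the file must currently be approved and the actor must not already have signed it."""
    current = log.current_approval(file_id)
    if current is None or current.action != "approve":
        return False
    return actor not in log.signers(file_id)


def sign(log: ApprovalLog, actor: str, file_id: str) -> int:
    """Record a signature, refusing a second one from the same user. Returns the signature count."""
    if not can_sign(log, actor, file_id):
        raise PermissionError(f"{actor} may not sign {file_id}: not approved, or already signed by this user")
    log.record(actor, "sign", file_id)
    return len(log.signers(file_id))


def is_fully_signed(log: ApprovalLog, file_id: str, required: int = 2) -> bool:
    """Assumed policy: a file needs signatures from two distinct users."""
    return len(log.signers(file_id)) >= required


def demo_log() -> ApprovalLog:
    """The scenario from the thread: USER1 approves, USER1 unapproves, USER2 approves."""
    log = ApprovalLog()
    log.record("USER1", "approve", "PAY001")
    log.record("USER1", "unapprove", "PAY001")
    log.record("USER2", "approve", "PAY001")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("last-instance view:", log.current_approval("PAY001"))
    for e in log.history("PAY001"):
        print("full trail:", e)
    sign(log, "USER2", "PAY001")
    print("USER2 signing again allowed?", can_sign(log, "USER2", "PAY001"))
    sign(log, "USER1", "PAY001")
    print("fully signed:", is_fully_signed(log, "PAY001"))
```

The point of keeping `history()` separate from `current_approval()` is that the latter is derived from the former, never the other way round: a system that stores only the current state has already lost the USER1 approve/unapprove pair, and nothing can reconstruct it afterwards. The `can_sign()` check is also only meaningful if each actor name maps to a credential nobody else holds, which is exactly why Bottomline's advice about per-user HSM passwords matters.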

-------

Project Info

Project: ALBACS Replacement
Code: FIN106
Programme: Finance (FIN)
Project Manager: Anne Mathison
Project Sponsor: Elizabeth Welch
Current Stage: Close
Status: Closed
Start Date: 04-May-2015
Planning Date: n/a
Delivery Date: n/a
Close Date: 31-May-2016
Programme Priority: 2
Overall Priority: Normal
Category: Compliance