State of Connecticut Office of the State Comptroller MEMORANDUM NO. 2008-07


	STATE OF CONNECTICUT
NANCY WYMAN COMPTROLLER	OFFICE OF THE STATE COMPTROLLER 55 ELM STREET HARTFORD, CONNECTICUT 06106-1775	MARK OJAKIAN DEPUTY COMPTROLLER

MEMORANDUM 2008 - 07

March 4, 2008

TO THE HEADS OF ALL STATE AGENCIES

Attention:	Chief Administrative and Fiscal Officers, Business Managers, and Payroll and Personnel Officers
Subject:	Comptroller's Core-CT Systems Security

I. PURPOSE

The purpose of this memo is to advise all state agencies of the importance of having appropriate internal controls over and within the Core-CT Financial and Human Resource Management System (HRMS) to ensure that all transactions are properly authenticated and authorized. Guarding against unauthorized and inappropriate access to the Core-CT system is critical due to the integration of the Financial and HRMS Systems. Unrestricted access to the Core-CT system compromises the controls provided by segregation of duties and other safeguards that are part of manually operated systems.

II. CONTROL ACTIVITIES

Security in the Core-CT system is imperative and must be restricted to only those individuals authorized to have access. The establishment or modification of user access to Core-CT is initiated by the agency's security liaison via Form CO-1092, Agency Application Security Request Form. Only permanent state employees and those acting under a Memorandum of Understanding are allowed to have access to the Core-CT production environment.

Each agency designee has the responsibility to assign a Core-CT Security Liaison to be the primary contact with the Statewide Core-CT Applications Security Administrator. The Security Liaison is responsible for monitoring all authorized access to the Core-CT Financials/HRMS application to their agency personnel, and acting as point of contact for the Core-CT Applications Security Administrator. Each agency should develop internal security procedures for Financial, HRMS and EPM users.

The liaison's tasks include:

Requesting new access for system users and changes to existing access.
Submitting all new, change, or delete requests on the CO-1092, Agency Application Security Request Forms.
Contacting the Core-CT Application Security Unit with any questions regarding User-ID's, passwords or access.
Sharing these responsibilities and tasks only with other authorized liaisons within the agency. The Core-CT Security Unit will only communicate security information to authorized agency liaisons.
The agency's human resource office must provide notification to the liaison of an employee's termination, retirement or transfer to another department/agency and the request for deletion of access on the date of separation will be made by the liaison. When an employee transfers from one agency to another, the employee's ID is reusable but Core-CT access has to be re-defined by the new agency.

It is each agency's responsibility to monitor the following:

Review each user's access and restrict that access where the access is incompatible with the user's job description and/or does not provide proper segregation of duties. Approve only the employees required to perform the business functions.
Enforce that User-ID's and passwords are not shared for convenience between personnel.
Enforce that User-ID's and passwords are not attached to computers, desks tops, or located where accessible to unauthorized personnel.
Enforce that passwords are changed immediately if the employee suspects that the security of his/her password has been breached.
Correct user access when an employee has a change in responsibility within the agency.
Notify the agency liaison when an employee terminates, retires or transfers to another agency or another department within the agency.

III. GUIDELINES AND PROCEDURES

The following are the guidelines and procedures for submitting security application requests. The Core-CT Application Security Request Form (CO-1092) is available at http://www.core-ct.state.ct.us/user/xls/core-ct_application_security_request_form.xls .

The supervisor of the unit initiates and authorizes the request, completes the CO-1092 and forwards it to the agency security liaison.
The liaison reviews the form for completeness, verifies the authorized signature, and signs off on the form.
The liaison must fax the request to the Core-CT Security Unit at (860) 622-2611 and retain the original at the agency for auditing purposes.
Core-CT will obtain the appropriate Central Authorization before the request is processed. In addition, an on-going review of agency HRMS and financial roles is conducted by the State Comptrollers, Accounts Payable Division, for segregation of duties.
The Core-CT Security Unit will process the request and communicate the completion to the Agency Security Liaison with the User-ID and password, if applicable.

NOTE: New Policy for Financial Roles - If an agency submits a security request for a new employee or changes an existing employee's role for "Final Approver" in encumbrance or expenditure, they must submit an updated Claims Authorization Form (CO-512) to the Office of the State Comptroller, Accounts Payable Division before the security request can be approved.

IV. PASSWORD SECURITY POLICIES

The following password security policies are in effect:

All passwords expire in sixty (60) days.
Users will be warned for fifteen (15) days prior to the password expiration.
Five (5) logon attempts are allowed before the account is locked out.
The password can not match the User ID.
New password character requirements are in place and users cannot reuse the same password for six (6) changes.
Both alphabetic and numerical characters are required.
Make the password obscure rather than obvious.
Only authorized agency security liaisons can request password resets.

Distribution of the User-ID's and temporary passwords by the agency security liaison, should be by the most expeditious and secure means. Agency personnel should be informed of the password guidelines and policies, procedures for password and access problems, and who to contact. Any problems associated with User ID's or passwords must be communicated through the agency security liaison. Agency personnel are not to contact the Core-CT Security Unit directly.

V. QUESTIONS

Questions may be directed to the State Comptroller's Office as follows:

Memorandum Interpretation

Fiscal Policy Division, (860) 702-3440

Central Review (Segregation of Duties)

Accounts Payable Division, (860) 702-3396 or 702-3391

Security Guidelines and Procedures

Agency's Security Liaison:

Financial - www.core-ct.state.ct.us/fin-golive/xls/security_liaisons_fins.xls

HRMS - www.core-ct.state.ct.us/hr-golive/xls/hrms_security_liaisons.xls

NANCY WYMAN
STATE COMPTROLLER

NW:EH

Return to Index of 2008 Comptroller's Memoranda
Return to Index of Comptroller's Memoranda
Return to Comptroller's Home Page