State of Connecticut Office of the State Comptroller MEMORANDUM NO. 2010-34

STATE OF CONNECTICUT

NANCY WYMAN
COMPTROLLER
OFFICE OF THE STATE COMPTROLLER
55 ELM STREET
HARTFORD, CONNECTICUT 06106-1775
MARK OJAKIAN
DEPUTY COMPTROLLER

MEMORANDUM 2010-34

December 16, 2010

TO THE HEADS OF ALL STATE AGENCIES

Attention:   Chief Administrative and Fiscal Officers, Business Managers, and Payroll and Personnel Officers
Subject:   Comptroller's Core-CT Systems Security for State Employees

I. PURPOSE

The purpose of this memo is to advise all state agencies of the importance of having appropriate internal controls over and within the Core-CT Financial and Human Resource Management System (HRMS) to ensure that all transactions are properly authenticated and authorized. Guarding against unauthorized and inappropriate access to the Core-CT system is critical because of the integration of the Financial and HRMS Systems. Unrestricted access to the Core-CT system compromises the controls provided by segregation of duties and other safeguards that are part of manually operated systems.

II. CONTROL ACTIVITIES

Security in the Core-CT system is imperative, and access must be restricted to only those individuals authorized to have it. The initial request for user access to Core-CT is made via the Financial and HRMS Forms CO-1092, Agency Application Security Request Form.

Each agency has the responsibility to assign a Core-CT Security Liaison to be the primary contact with the Statewide Core-CT Applications Security Administrator. The Security Liaison is responsible for monitoring all authorized access to the Core-CT Financials/HRMS application granted to their agency's personnel, and for acting as the point of contact for the Core-CT Applications Security Administrator. Each agency should develop internal security procedures for Financial, HRMS and EPM users.

The liaison's tasks include:

It is each agency's responsibility to monitor the following:

III. GUIDELINES AND PROCEDURES

The following are the guidelines and procedures for submitting security application requests. The Core-CT Application Security Request Forms (CO-1092) are available at: http://www.core-ct.state.ct.us/security/xls/hrform.xls and http://www.core-ct.state.ct.us/security/xls/finform.xls 

  1. The supervisor of the unit initiates and authorizes the request, completes the CO-1092 and forwards it to the agency security liaison.
  2. The liaison reviews the form for completeness, verifies the authorized signature, and signs off on the form.
  3. The liaison must fax the request to the Core-CT Security Administrator at (860) 622-2611 and retain the original at the agency for auditing purposes.
  4. Core-CT will obtain the appropriate Central Authorization before the request is processed. In addition, an on-going review of agency HRMS and financial roles is conducted by the State Comptroller's Fiscal Policy Division, Accounts Payable Division, Budget & Financial Analysis Division, Payroll Services Division and Core-CT staff of both the State Comptroller and Department of Administrative Services for compliance with segregation of duties and standards of access.
  5. Core-CT Security Administration will process the request and communicate the completion to the Agency Security Liaison with the User-ID and password, if applicable.
  6. The retention period for CO-1092 forms is two years from the date that an employee separates from the agency. The original copy is retained by the submitting agency. Destruction can occur after the minimum retention period and submission to the State Library for approval of form RC-108: http://www.cslib.org/publicrecords/Forms/RC108rev2010_01.doc

NOTE: Policy for Financial Roles - If an agency submits a security request for a new employee or changes to an existing employee's role for "Approver" in encumbrance or expenditure, it must submit an updated Claims Authorization Form (CO-512) to the Office of the State Comptroller, Accounts Payable Division before the security request can be approved.

IV. PASSWORD SECURITY POLICIES

The following password security policies are in effect:

User-IDs and passwords should be hand delivered or emailed by the agency security liaison. Agency personnel should be informed of the password guidelines and policies, the procedures for password and access problems, and who to contact. Any problems associated with User-IDs or passwords must be communicated through the Agency Security Liaison. Agency personnel are not to contact the Core-CT Security Administration directly.

V. QUESTIONS

Questions may be directed to the State Comptroller's Office as follows:

Memorandum Interpretation
Fiscal Policy Division, (860) 702-3440
 
Central Review (Segregation of Duties)
Accounts Payable Division, (860) 702-3391 or 702-3393
 
Security Guidelines and Procedures
Agency's Security Liaison: http://www.core-ct.state.ct.us/security/xls/scrty_liaisons.xls


NANCY WYMAN
STATE COMPTROLLER

NW:SJ
