STATE OF CONNECTICUT
OFFICE OF THE STATE COMPTROLLER
Kevin Lembo, State Comptroller
Martha Carlson, Deputy Comptroller
55 ELM STREET
HARTFORD, CONNECTICUT 06106-1775
MEMORANDUM 2011-23
November 7, 2011
TO THE HEADS OF ALL STATE AGENCIES
Attention: Chief Administrative and Fiscal Officers, Business Managers, and Payroll and Personnel Officers
Subject: Comptroller's Core-CT Systems Security for State Employees
I. PURPOSE
The purpose of this memo is to advise all state agencies of the importance of
having appropriate internal controls over and within the Core-CT Financial and
Human Resource Management System (HRMS) to ensure that all transactions are
properly authenticated and authorized. Guarding against unauthorized and
inappropriate access to the Core-CT system is critical because of the
integration of the Financial and HRMS Systems. Unrestricted access to the
Core-CT system compromises the controls provided by segregation of duties and
other safeguards that are part of manually operated systems.
II. CONTROL ACTIVITIES
Security in the Core-CT system is imperative: access must be restricted to only
those individuals authorized to have it. The initial request for user access
to Core-CT is made via the Financial and HRMS Forms CO-1092, Agency Application
Security Request Form.
Each agency has the responsibility to assign a Core-CT Security Liaison to be
the primary contact with the Statewide Core-CT Applications Security Administrator.
The Security Liaison is responsible for monitoring all authorized access to the
Core-CT Financials/HRMS application by their agency personnel, and for acting as
point of contact for the Core-CT Applications Security Administrator. Each
agency should develop internal security procedures for Financial, HRMS and EPM
users.
The liaison's tasks include:
- Requesting new access for system users and changes to existing access.
- Requesting deletion of access immediately upon the notice of an
employee's termination, retirement or transfer to another department/agency.
When an employee transfers from one agency to another, the employee's ID is
reusable but Core-CT access has to be re-defined by the new agency.
- Maintaining confidentiality of User-ID's and passwords.
- Resetting User passwords when necessary and ensuring system profiles are
set up and include valid email accounts.
- Submitting all new, change, or delete requests on the CO-1092, Agency
Application Security Request Forms.
- The liaison may share these responsibilities and tasks only with other
authorized liaisons within the agency. Core-CT Security Administration
will not communicate security information to unauthorized agency personnel.
- Contacting Core-CT Application Security Administrator with any questions
regarding User-ID's, passwords or access.
It is each agency's responsibility to monitor the following:
- Review each user's access and restrict that access where the access is
incompatible with the user's job description and/or does not provide proper
segregation of duties. Approve only the employees required to perform the
business functions.
- Enforce that User-ID's and passwords are not shared for convenience
between personnel.
- Enforce that User System Profiles are set up to leverage the automated
password reset process and include valid email accounts.
- Enforce that User-ID's and passwords are not attached to terminals,
desktops, or located where accessible to unauthorized personnel.
- Enforce that passwords are changed immediately if the employee suspects
that the security of his/her password has been breached.
- Correct user access when an employee has a change in responsibility
within the agency.
III. GUIDELINES AND PROCEDURES
The following are the guidelines and procedures for submitting security
application requests. The Core-CT Application Security Request Forms (CO-1092)
are available at:
http://www.core-ct.state.ct.us/security/xls/hrform.xls and
http://www.core-ct.state.ct.us/security/xls/finform.xls
- The supervisor of the unit initiates and authorizes the request,
completes the CO-1092 and forwards it to the agency security liaison.
- The liaison reviews the form for completeness, verifies the authorized
signature, and signs off on the form.
- The liaison must fax the request to the Core-CT Security
Administrator at (860) 622-2611 and retain the original at the agency for
auditing purposes.
- Core-CT will obtain the appropriate Central Authorization before the
request is processed. In addition, an on-going review of agency HRMS and
financial roles is conducted by the State Comptroller's Fiscal Policy
Division, Accounts Payable Division, Budget & Financial Analysis Division,
Payroll Services Division and Core-CT staff of both the State Comptroller
and Department of Administrative Services for compliance with segregation of
duties and standards of access.
- Core-CT Security Administration will process the request and communicate
the completion to the Agency Security Liaison with the User-ID and password,
if applicable.
- The retention period for CO-1092 forms is two years from the date that an
employee separates from the agency. The original copy is retained by the
submitting agency. Destruction may occur after the minimum retention period and
after submission of form RC-108 to the State Library for approval:
http://www.cslib.org/publicrecords/Forms/RC108rev201107.doc.
- NOTE: Policy for Financial Roles - If an agency submits a
security request for a new employee or changes to an existing employee's
role for "Approver" in encumbrance or expenditure, they must submit an
updated Claims Authorization Form (CO-512) to the Office of the State
Comptroller, Accounts Payable Division before the security request can be
approved.
IV. PASSWORD SECURITY POLICIES
The following password security policies are in effect:
- All passwords expire in sixty (60) days.
- Users will be warned for fifteen (15) days prior to the password
expiration.
- Five (5) logon attempts are allowed before the account is locked out.
- The password cannot match the User ID.
- The password must be at least eight (8) characters in length, three (3)
of which must be digits. Six (6) passwords are retained in the system.
- Both alphabetic and numerical characters are allowed.
- Passwords should be obscure rather than obvious.
- All users with valid email addresses must set up their user profile in
Core-CT to be able to use the password reset feature in Core-CT. Please use
the following link for instructions on setting up user profile:
http://www.core-ct.state.ct.us/security/pps/pwreset.pps
- Only authorized agency security liaisons can request password resets
from a Core-CT Application Security Administrator, when necessary.
- Effective November 2011, primary Agency Security Liaisons will have the
ability to reset passwords in their agencies.
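As an added illustration (not part of this memorandum and not Core-CT's own code), the password rules in Section IV expressed as a compliance check an agency could run against its own account records. The user ID, the sample passwords and the hashing scheme for the retained-password history are assumptions.

```python
import hashlib

# Core-CT password rules as stated in Section IV of the memo
MIN_LENGTH = 8       # at least eight characters
MIN_DIGITS = 3       # three of which must be digits
HISTORY_DEPTH = 6    # six previous passwords are retained
EXPIRY_DAYS = 60     # passwords expire in sixty days
WARN_DAYS = 15       # users are warned fifteen days before expiry
MAX_ATTEMPTS = 5     # five logon attempts before lockout


def history_entry(user_id, password):
    """Hash a password for the retained-password history.
    Assumption: the history stores hashes, not cleartext; the user ID is used
    as a per-user salt so equal passwords of different users do not collide."""
    return hashlib.sha256((user_id + ":" + password).encode("utf-8")).hexdigest()


def check_password(user_id, candidate, history):
    """Return the list of policy violations for a proposed password.
    An empty list means the password complies with Section IV.
    `history` holds history_entry() values, most recent first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(ch.isdigit() for ch in candidate) < MIN_DIGITS:
        problems.append(f"fewer than {MIN_DIGITS} digits")
    # Assumption: the "cannot match the User ID" rule is applied case-insensitively
    if candidate.lower() == user_id.lower():
        problems.append("matches the User ID")
    if history_entry(user_id, candidate) in history[:HISTORY_DEPTH]:
        problems.append(f"reused one of the last {HISTORY_DEPTH} passwords")
    return problems


def account_status(days_since_change, failed_attempts):
    """Classify an account under the expiry, warning and lockout rules."""
    if failed_attempts >= MAX_ATTEMPTS:
        return "locked"
    if days_since_change >= EXPIRY_DAYS:
        return "expired"
    if days_since_change >= EXPIRY_DAYS - WARN_DAYS:
        return "warn"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: a user "jdoe" proposing a new password
    print(check_password("jdoe", "Elm55Street1", []))   # compliant
    print(check_password("jdoe", "jdoe", []))           # several violations
```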
Distribution of the User-IDs and passwords should be hand delivered or
emailed by the agency security liaison. Agency personnel should be informed of
the password guidelines and policies, procedures for password and access
problems, and who to contact. Any problems associated with User ID's or
passwords must be communicated through the Agency Security Liaison. Agency
personnel are not to contact the Core-CT Security Administration directly.
V. QUESTIONS
Questions may be directed to the State Comptroller's Office as follows:
- Memorandum Interpretation and Policy Procedures:
Budget and Financial Analysis Division, (860) 702-3440
- Central Review (Segregation of Duties):
Accounts Payable Division, (860) 702-3391 or 702-3393
- Security Guidelines and Procedures:
Agency's Security Liaison:
http://www.core-ct.state.ct.us/security/xls/scrty_liaisons.xls
KEVIN LEMBO
STATE COMPTROLLER