||STATE OF CONNECTICUT
THE STATE COMPTROLLER
55 ELM STREET
MEMORANDUM NO. 2014-19
September 22, 2014
TO THE HEADS OF ALL STATE AGENCIES
||Chief Administrative and Fiscal Officers,
Business Managers, and Payroll and Human Resources Officers
||Comptroller's Core-CT Systems Security for
- I. PURPOSE
- This memo replaces memoranda
2011-23. The purpose of this memo
is to advise all state agencies of the importance of having appropriate internal
controls over and within the Core-CT Financial and Human Resource Management
System (HRMS) to ensure that all transactions are properly authenticated and
authorized. Guarding against unauthorized and inappropriate access to the
Core-CT system is critical because of the integration of the Financial and HRMS
Systems. Unrestricted access to the Core-CT system compromises the controls
provided by segregation of duties and other safeguards that are part of manually
- II. CONTROL ACTIVITIES
- Security in the Core-CT system is imperative and must be restricted to only
those individuals authorized to have access. The initial request for user access
to Core-CT is done via the Financial and HRMS Forms CO-1092, Agency Application
Security Request Form, which has been automated in Core-CT.
- Each agency has the responsibility to assign a Core-CT Security Liaison to be
the primary contact with the Statewide Core-CT Applications Security
Administrator. The Security Liaison is responsible for monitoring all authorized
access to the Core-CT Financials/HRMS application, and acting as point of
contact for the Core-CT Applications Security Administrator. Each agency is
responsible for developing internal security procedures for Financial, HRMS and
- III. RESPONSIBILITIES
- A. Liaison Is Responsible To:
- Work with the unit supervisor or manager to assure the proper role is
assigned and the user access is appropriate. Depending on the agency's
organizational structure, employees may have one or more roles. In addition,
more than one employee may perform the same role within an agency.
- Assure, along with the unit supervisor or manager, that there is
segregation of duties for the roles assigned.
- Submit all new, change, or delete requests using the on-line CO-1092,
Agency Application Security Request Form.
- Request new access for system users and changes to existing access.
- Maintain confidentiality of userids and passwords.
- Reset user passwords when necessary and ensure system profiles are set
up and include valid email accounts. Update user email addresses if
incorrect or missing.
- Enforce users to set up their system profile in order to utilize the
password reset feature.
- Delete access immediately upon the notice of an employee's termination,
retirement or transfer to another department/agency. When an employee
transfers from one agency to another, the employee's ID is reusable but
Core-CT access has to be re-defined by the new agency.
- Contact Core-CT Application Security Administrator with any questions
regarding userids, passwords or access.
- Audit users' access and roles. Notify the supervisor or manager of any
- Review all related on-line Security Job Aids and complete a one-day
Security Training class, as follows:
Liaison Training, Course Code SEC101 (Register through your Agency Training
- Liaison may share these responsibilities and tasks only with other authorized
liaisons within the agency. Core-CT Security Administration will not
communicate security information to unauthorized agency personnel.
- B. Each Agency Is Responsible To:
- Review each user's access and restrict that access where the access is
incompatible with the user's job description and/or does not provide proper
segregation of duties. Approve only the employee's roles and user access
required to perform the business functions.
- Enforce that userids and passwords are not shared for convenience
Enforce that userids and passwords are not attached to terminals,
desktops, or located where accessible to unauthorized personnel.
- Enforce that passwords are changed immediately if the employee suspects
that the security of his/her password has been breached.
- Correct user access when an employee has a change in responsibility within
- Agency's human resources office must provide notification to the security
liaison of an employee's termination, retirement or transfer to another
department/agency and the request for deletion of access on the date of
separation will be made by the liaison.
- Verify that the security liaison has submitted the CO-1092 to lock out
user account access immediately upon the notice of an employee's
termination, retirement, or transfer to another department/agency.
- Perform quarterly audits of agency users to identify terminated employees
who still have active userids.
- IV. PROCEDURES
- The following are the procedures for submitting the on-line CO-1092 security
- 1. The supervisor or manager of the unit initiates the request, and forwards
it to the agency security liaison. Agencies will develop a procedure for
requesting roles and user access as part of their security procedures.
- 2. The liaison reviews the request and verifies that the requested roles and
user access assigned are appropriate. Then the liaison enters the request into
Core-CT's electronic CO-1092. The liaison clicks on the submit button to route
the CO-1092 triggering a workflow process that sends the request to the
designated approving manager or supervisor for review and approval.
- 3. Once the CO-1092 has been submitted, the supervisor or manager will
receive a request to approve the CO-1092. The supervisor or manager reviews the
CO-1092 for accuracy and, if it is correct, approves it. The CO-1092 is then
automatically sent for the appropriate Central Authorization before the request
is processed. If there is segregation of duties, the request is approved. If
not, it is denied. Under no circumstances will the submitted CO-1092 be altered
by any of the Central Authorization staff or the Core-CT Security Team. If there
is information missing on the appendix page, agencies will be allowed to submit
a new appendix page.
- NOTE: Policy for Financial Roles - If an agency submits a security request
for a new employee or changes to an existing employee's role for “Final
Approver” in encumbrance or expenditure, they must submit an updated Claims
Authorization Form (CO-512) to the Office of the State Comptroller, Accounts
Payable Division before the security request can be approved.
- 4. Core-CT Security Administration will process the request and communicate
the completion to the agency security liaison and communicate with the security
liaison a userid and password, if applicable.
- 5. Retention period for the CO-1092's is two years from the date that an
employee separates from the agency. Original copy is retained by the submitting
agency. Destruction can occur after minimum retention period and submission to
the State Library for approval of form RC-100.
- 6. An on-going audit of agency HRMS and financial roles is conducted by the
State Comptroller's Administrative Services Division's Statewide Fiscal Policy
Unit, Accounts Payable Division, Budget & Financial Analysis Division, Payroll
Services Division and Core-CT staff of both the State Comptroller and Department
of Administrative Services for compliance with segregation of duties and
standards of access.
- V. PASSWORD SECURITY POLICIES
- Authorized agency security liaisons are responsible for resetting passwords for
users in their agencies. The automated password reset feature is on the Core-CT
The following password security policies are in effect:
- All passwords expire in ninety (90) days.
- Users will be warned for fifteen (15) days prior to the password expiration.
- Five (5) logon attempts are allowed before the account is locked out.
- The password cannot match the userid.
- The password must be at least eight (8) characters in length, three (3) of
which must be digits. Six (6) passwords are retained in the system.
- Both alphabetic and numerical characters are allowed.
- Passwords should be obscure rather than obvious.
- All users with valid email addresses must set up their user profile in
Core-CT to be able to use the password reset feature in Core-CT.
- Only authorized agency security liaisons can request password resets.
- Distribution of the userids and passwords should be hand delivered or emailed
by the agency security liaison. The security liaison should inform agency
personnel of the password guidelines and policies, procedures for password and
access problems, and who to contact.
- Any problems associated with userids or passwords must be communicated
through the agency security liaison. Agency personnel are not to contact the
Core-CT Security Administration directly.
- VI. QUESTIONS
- Questions may be directed to the State Comptroller's Office as follows:
- Memorandum Interpretation and Security Procedures and Internal Controls
Administrative Services Division's Statewide Fiscal Policy Unit, (860) 702-3440
- Central Review (Segregation of Duties)
Administrative Services Division's Statewide Fiscal Policy Unit, (860) 702-3440
Accounts Payable Division, (860) 702-3391 or 702-3393
- On-Line CO-1092 Process and Assistance
Agency's Security Liaisons:
Return to Index of 2014 Comptroller's Memoranda
Return to Comptroller's Home Page