COMPTROLLER'S SEAL STATE OF CONNECTICUT
STATE OF CONNECTICUT
OFFICE OF THE STATE COMPTROLLER
Kevin Lembo
State Comptroller
55 ELM STREET
HARTFORD, CONNECTICUT
06106-1775
Martha Carlson
Deputy Comptroller

MEMORANDUM NO. 2014-19

September 22, 2014

TO THE HEADS OF ALL STATE AGENCIES

Attention:   Chief Administrative and Fiscal Officers, Business Managers, and Payroll and Human Resources Officers
Subject:   Comptroller's Core-CT Systems Security for State Employees
I. PURPOSE
 
This memo replaces memoranda 2010-34 and 2011-23. The purpose of this memo is to advise all state agencies of the importance of having appropriate internal controls over and within the Core-CT Financial and Human Resource Management System (HRMS) to ensure that all transactions are properly authenticated and authorized. Guarding against unauthorized and inappropriate access to the Core-CT system is critical because of the integration of the Financial and HRMS Systems. Unrestricted access to the Core-CT system compromises the controls provided by segregation of duties and other safeguards that are part of manually operated systems.
 
II. CONTROL ACTIVITIES
 
Security in the Core-CT system is imperative and must be restricted to only those individuals authorized to have access. The initial request for user access to Core-CT is done via the Financial and HRMS Forms CO-1092, Agency Application Security Request Form, which has been automated in Core-CT.
 
Each agency has the responsibility to assign a Core-CT Security Liaison to be the primary contact with the Statewide Core-CT Applications Security Administrator. The Security Liaison is responsible for monitoring all authorized access to the Core-CT Financials/HRMS application, and acting as point of contact for the Core-CT Applications Security Administrator. Each agency is responsible for developing internal security procedures for Financial, HRMS and EPM users.
 
III. RESPONSIBILITIES
 
A. Liaison Is Responsible To:
Liaison may share these responsibilities and tasks only with other authorized liaisons within the agency. Core-CT Security Administration will not communicate security information to unauthorized agency personnel.
 
B. Each Agency Is Responsible To:
IV. PROCEDURES
 
The following are the procedures for submitting the on-line CO-1092 security application requests.
 
1. The supervisor or manager of the unit initiates the request, and forwards it to the agency security liaison. Agencies will develop a procedure for requesting roles and user access as part of their security procedures.
 
2. The liaison reviews the request and verifies that the requested roles and user access assigned are appropriate. Then the liaison enters the request into Core-CT's electronic CO-1092. The liaison clicks on the submit button to route the CO-1092 triggering a workflow process that sends the request to the designated approving manager or supervisor for review and approval.
 
3. Once the CO-1092 has been submitted, the supervisor or manager will receive a request to approve the CO-1092. The supervisor or manager reviews the CO-1092 for accuracy and, if it is correct, approves it. The CO-1092 is then automatically sent for the appropriate Central Authorization before the request is processed. If there is segregation of duties, the request is approved. If not, it is denied. Under no circumstances will the submitted CO-1092 be altered by any of the Central Authorization staff or the Core-CT Security Team. If there is information missing on the appendix page, agencies will be allowed to submit a new appendix page.
 
NOTE: Policy for Financial Roles - If an agency submits a security request for a new employee or changes to an existing employee's role for “Final Approver” in encumbrance or expenditure, they must submit an updated Claims Authorization Form (CO-512) to the Office of the State Comptroller, Accounts Payable Division before the security request can be approved.
 
4. Core-CT Security Administration will process the request and communicate the completion to the agency security liaison and communicate with the security liaison a userid and password, if applicable.
 
5. Retention period for the CO-1092's is two years from the date that an employee separates from the agency. Original copy is retained by the submitting agency. Destruction can occur after minimum retention period and submission to the State Library for approval of form RC-100.
 
6. An on-going audit of agency HRMS and financial roles is conducted by the State Comptroller's Administrative Services Division's Statewide Fiscal Policy Unit, Accounts Payable Division, Budget & Financial Analysis Division, Payroll Services Division and Core-CT staff of both the State Comptroller and Department of Administrative Services for compliance with segregation of duties and standards of access.
 
V. PASSWORD SECURITY POLICIES
 
Authorized agency security liaisons are responsible for resetting passwords for users in their agencies. The automated password reset feature is on the Core-CT logon page.

The following password security policies are in effect:
Distribution of the userids and passwords should be hand delivered or emailed by the agency security liaison. The security liaison should inform agency personnel of the password guidelines and policies, procedures for password and access problems, and who to contact.
 
Any problems associated with userids or passwords must be communicated through the agency security liaison. Agency personnel are not to contact the Core-CT Security Administration directly.
 
VI. QUESTIONS
 
Questions may be directed to the State Comptroller's Office as follows:
Memorandum Interpretation and Security Procedures and Internal Controls

Administrative Services Division's Statewide Fiscal Policy Unit, (860) 702-3440
Central Review (Segregation of Duties)

Administrative Services Division's Statewide Fiscal Policy Unit, (860) 702-3440
Accounts Payable Division, (860) 702-3391 or 702-3393
 
On-Line CO-1092 Process and Assistance
Agency's Security Liaisons: http://www.core-ct.state.ct.us/security

KEVIN LEMBO
STATE COMPTROLLER

KL:ED

Return to Index of 2014 Comptroller's Memoranda
Return to Comptroller's Home Page