State of Connecticut Office of the State Comptroller MEMORANDUM NO. 2014-19


	STATE OF CONNECTICUT
	OFFICE OF THE STATE COMPTROLLER
Kevin Lembo State Comptroller	55 ELM STREET HARTFORD, CONNECTICUT 06106-1775	Martha Carlson Deputy Comptroller

MEMORANDUM NO. 2014-19

September 22, 2014

TO THE HEADS OF ALL STATE AGENCIES

Attention:	Chief Administrative and Fiscal Officers, Business Managers, and Payroll and Human Resources Officers
Subject:	Comptroller's Core-CT Systems Security for State Employees

I. PURPOSE: This memo replaces memoranda 2010-34 and 2011-23. The purpose of this memo is to advise all state agencies of the importance of having appropriate internal controls over and within the Core-CT Financial and Human Resource Management System (HRMS) to ensure that all transactions are properly authenticated and authorized. Guarding against unauthorized and inappropriate access to the Core-CT system is critical because of the integration of the Financial and HRMS Systems. Unrestricted access to the Core-CT system compromises the controls provided by segregation of duties and other safeguards that are part of manually operated systems.

II. CONTROL ACTIVITIES: Security in the Core-CT system is imperative and must be restricted to only those individuals authorized to have access. The initial request for user access to Core-CT is done via the Financial and HRMS Forms CO-1092, Agency Application Security Request Form, which has been automated in Core-CT.
: Each agency has the responsibility to assign a Core-CT Security Liaison to be the primary contact with the Statewide Core-CT Applications Security Administrator. The Security Liaison is responsible for monitoring all authorized access to the Core-CT Financials/HRMS application, and acting as point of contact for the Core-CT Applications Security Administrator. Each agency is responsible for developing internal security procedures for Financial, HRMS and EPM users.

III. RESPONSIBILITIES
A. Liaison Is Responsible To:

Work with the unit supervisor or manager to assure the proper role is assigned and the user access is appropriate. Depending on the agency's organizational structure, employees may have one or more roles. In addition, more than one employee may perform the same role within an agency.
Assure, along with the unit supervisor or manager, that there is segregation of duties for the roles assigned.
Submit all new, change, or delete requests using the on-line CO-1092, Agency Application Security Request Form.
Request new access for system users and changes to existing access.
Maintain confidentiality of userids and passwords.
Reset user passwords when necessary and ensure system profiles are set up and include valid email accounts. Update user email addresses if incorrect or missing.
Enforce users to set up their system profile in order to utilize the automated password reset feature.
Delete access immediately upon the notice of an employee's termination, retirement or transfer to another department/agency. When an employee transfers from one agency to another, the employee's ID is reusable but Core-CT access has to be re-defined by the new agency.
Contact Core-CT Application Security Administrator with any questions regarding userids, passwords or access.
Audit users' access and roles. Notify the supervisor or manager of any issues.
Review all related on-line Security Job Aids and complete a one-day Security Training class, as follows:
http://www.core-ct.state.ct.us/security/proc_updates.html Security Liaison Training, Course Code SEC101 (Register through your Agency Training Registration Contact)

Liaison may share these responsibilities and tasks only with other authorized liaisons within the agency. Core-CT Security Administration will not communicate security information to unauthorized agency personnel.

B. Each Agency Is Responsible To:

Review each user's access and restrict that access where the access is incompatible with the user's job description and/or does not provide proper segregation of duties. Approve only the employee's roles and user access required to perform the business functions.
Enforce that userids and passwords are not shared for convenience
between personnel.
Enforce that passwords are changed immediately if the employee suspects that the security of his/her password has been breached.
Correct user access when an employee has a change in responsibility within the agency.
Agency's human resources office must provide notification to the security liaison of an employee's termination, retirement or transfer to another department/agency and the request for deletion of access on the date of separation will be made by the liaison.
Verify that the security liaison has submitted the CO-1092 to lock out user account access immediately upon the notice of an employee's termination, retirement, or transfer to another department/agency.
Perform quarterly audits of agency users to identify terminated employees who still have active userids.

IV. PROCEDURES
The following are the procedures for submitting the on-line CO-1092 security application requests.: 1. The supervisor or manager of the unit initiates the request, and forwards it to the agency security liaison. Agencies will develop a procedure for requesting roles and user access as part of their security procedures.
: 2. The liaison reviews the request and verifies that the requested roles and user access assigned are appropriate. Then the liaison enters the request into Core-CT's electronic CO-1092. The liaison clicks on the submit button to route the CO-1092 triggering a workflow process that sends the request to the designated approving manager or supervisor for review and approval.
: 3. Once the CO-1092 has been submitted, the supervisor or manager will receive a request to approve the CO-1092. The supervisor or manager reviews the CO-1092 for accuracy and, if it is correct, approves it. The CO-1092 is then automatically sent for the appropriate Central Authorization before the request is processed. If there is segregation of duties, the request is approved. If not, it is denied. Under no circumstances will the submitted CO-1092 be altered by any of the Central Authorization staff or the Core-CT Security Team. If there is information missing on the appendix page, agencies will be allowed to submit a new appendix page.
: NOTE: Policy for Financial Roles - If an agency submits a security request for a new employee or changes to an existing employee's role for ?Final Approver? in encumbrance or expenditure, they must submit an updated Claims Authorization Form (CO-512) to the Office of the State Comptroller, Accounts Payable Division before the security request can be approved.
: 4. Core-CT Security Administration will process the request and communicate the completion to the agency security liaison and communicate with the security liaison a userid and password, if applicable.
: 5. Retention period for the CO-1092's is two years from the date that an employee separates from the agency. Original copy is retained by the submitting agency. Destruction can occur after minimum retention period and submission to the State Library for approval of form RC-100.
: 6. An on-going audit of agency HRMS and financial roles is conducted by the State Comptroller's Administrative Services Division's Statewide Fiscal Policy Unit, Accounts Payable Division, Budget & Financial Analysis Division, Payroll Services Division and Core-CT staff of both the State Comptroller and Department of Administrative Services for compliance with segregation of duties and standards of access.

V. PASSWORD SECURITY POLICIES: Authorized agency security liaisons are responsible for resetting passwords for users in their agencies. The automated password reset feature is on the Core-CT logon page.; The following password security policies are in effect:

All passwords expire in ninety (90) days.
Users will be warned for fifteen (15) days prior to the password expiration.
Five (5) logon attempts are allowed before the account is locked out.
The password cannot match the userid.
The password must be at least eight (8) characters in length, three (3) of which must be digits. Six (6) passwords are retained in the system.
Both alphabetic and numerical characters are allowed.
Passwords should be obscure rather than obvious.
All users with valid email addresses must set up their user profile in
Core-CT to be able to use the password reset feature in Core-CT.
Only authorized agency security liaisons can request password resets.

Distribution of the userids and passwords should be hand delivered or emailed by the agency security liaison. The security liaison should inform agency personnel of the password guidelines and policies, procedures for password and access problems, and who to contact.
: Any problems associated with userids or passwords must be communicated through the agency security liaison. Agency personnel are not to contact the Core-CT Security Administration directly.

VI. QUESTIONS
: Questions may be directed to the State Comptroller's Office as follows:; Memorandum Interpretation and Security Procedures and Internal Controls; Administrative Services Division's Statewide Fiscal Policy Unit, (860) 702-3440; Central Review (Segregation of Duties); Administrative Services Division's Statewide Fiscal Policy Unit, (860) 702-3440
Accounts Payable Division, (860) 702-3391 or 702-3393
: On-Line CO-1092 Process and Assistance
Agency's Security Liaisons: http://www.core-ct.state.ct.us/security

KEVIN LEMBO
STATE COMPTROLLER

KL:ED

Return to Index of 2014 Comptroller's Memoranda
Return to Comptroller's Home Page