State of Connecticut Office of the State Comptroller MEMORANDUM NO. 99-7

The Seal of the Office of the State Comptroller

MEMORANDUM NO. 99-7

March 5, 1999

TO THE HEADS OF ALL STATE AGENCIES

ATTENTION:	Commissioners, Chief Financial Officers, Business Managers and Payroll Officers

SUBJECT:	Comptroller's Financial Systems Security

PURPOSE

The purpose of this memo is to advise all State Agencies of the importance of having appropriate internal controls over and within automated systems to ensure that transactions are properly authenticated and authorized. A key security issue in an automated system is unauthorized transaction processing. Guarding against unauthorized or inappropriate transaction processing is critical because of the integration of automated systems. An automated system concentrates accounting records and transaction processing capabilities in one system. Unrestricted access to automated systems compromises the controls provided by segregating duties and other safeguards that are usually part of manually operated systems.

CONTROL ACTIVITIES

Security in automated systems is imperative so that only those individuals authorized have access to on-line transaction processing capabilities. The initial request for user access to systems is done via Form CO-1057, Agency On-Line Security Form. Each agency has the responsibility of requesting the deletion of an employee's user identification code/password immediately upon notice of his or her termination, retirement or transfer to another agency. Each agency must monitor the following to ensure that identification codes and passwords are properly effective:

User-ID codes and passwords are maintained confidentially - user-ID's and passwords are not shared for convenience between personnel.
User-ID codes and passwords should not be attached to terminals, desk tops, or located where accessible to unauthorized personnel.
Access should be altered (via Form CO-1057) when an employee has a change in responsibility within an agency.
Passwords should be changed immediately if the employee suspects that the security of his or her password has been breached.
Review each user's access and restrict that access where the access is incompatible with the user's job description.

GUIDELINES AND PROCEDURES

In Memorandum No. 95-66, the Office of the State Comptroller requested that each agency head designate a single contact person and backup for the Comptroller's Financial Systems (Central Accounting System, Payroll System, and Retirement Data Base System). A list of designated agency contact individuals is on file with the Comptroller's Information Technology Division. If an agency has not designated a contact person, they must complete the attached form and list the person(s) that should be contacted regarding User Identification and Password access to the Comptroller's Financial Systems. This form must be completed and sent to the Comptroller's Office. When an agency needs to submit an Agency On-Line Security Form (CO-1057), the designated agency liaison should fax or mail the CO-1057 to:

Office of the State Comptroller
Information Technology Division
55 Elm Street
Hartford, CT 06106
Attn: Diane Campbell

or Fax No. (860) 702-3699

The agency liaison will be contacted by the Comptroller's Information Technology Division when the Agency On-Line Security Form (CO-1057) has been approved and the identification code/password has been assigned. The liaison must then give this information to the designated user.

In the event of a password problem, the designated user should inform the agency liaison, who should then contact the Comptroller's Office. The request to delete a user should be made in the following manner. Agency management makes a request to the designated agency liaison to delete the user. The liaison sends a memo addressed to:

Office of the State Comptroller
Information Technology Division
55 Elm Street
Hartford, CT 06106
Attn: Diane Campbell

or Fax No. (860) 702-3699

The memo should state the name of the employee, employee number and the reason for the deletion.

GENERAL

Questions may be directed as follows:

On-Line Security:	Office of the State Comptroller
	Information Technology Division

	Diane Campbell	(860) 702-3613
	Nayda Flores	(860) 702-3614

Memorandum Interpretation:	Policy Services Division	(860) 702-3434

NANCY WYMAN
STATE COMPTROLLER

Attachment

COMPTROLLER'S FINANCIAL SYSTEMS
AGENCY CONTACT PERSON FOR AGENCY ON-LINE SECURITY

In the space that follows, please list the person(s) that should be contacted regarding Agency

On-Line Security for the Comptroller's Financial Systems (Central Accounting System, Payroll System and Retirement System). Payroll System add Level (2). Accounting System add agency number. Attach copies, if necessary, to provide for additional liaisons. One sheet per system.

Primary Contact		Backup Contact


Name	__________________________	Name	__________________________

Title	__________________________	Title	__________________________

Agency	__________________________	Agency	__________________________

Address	__________________________	Address	__________________________
			__________________________

Level(2)/Agency No.	_______________	Level(2)/Agency No.	_______________


Phone	_________________________	Phone	_________________________
Fax	_________________________	Fax	_________________________

Please check applicable system:


Accounting	___________	Payroll	____________	Retirement	____________

Authorized Agency Signature ________________________________________________

Mail or fax the form to: Diane Campbell
Information Technology Division
Office of the State Comptroller
55 Elm Street
Hartford, Connecticut 06106

Fax No. (860)-702-3699. Thank you for your cooperation and assistance.

NW:CH

Back to Comptroller's Home Page
Back to Index of Comptroller's Memoranda