To: Security Officers and Chief Fiscal Officers
From: Martin J. Benison, Comptroller
Paul Dietl, Chief Human Resource Officer
Anne Margulies, Assistant Secretary for IT and CIO
Date: May 20, 2009
Re: Department Head Annual Approval - Statewide Enterprise Systems Security
Comptroller Memo
Approval of transactions to "Final" status in the state financial systems serves as an affidavit from the Department Head to the Comptroller that the transactions comply with State Finance Law; that the documents are accurate and complete; that the expenditure or other obligation is supported by sufficient legislatively authorized funds and is made in accordance with the Department's legislative mandates and funding authority; and that it complies with all applicable laws, regulations, policies and procedures. Annually, Department Heads are asked to review and confirm the employees they have authorized to access, process and approve transactions in enterprise systems on their behalf. Department Heads have legal spending authority for their appropriations and are responsible for assuring that employees' access to automated systems reflects their job duties and is not broader than necessary.
The Enterprise Security Policy requires Department Heads to certify security access to enterprise systems annually in conjunction with Closing and Opening. The policy also requires Department Security Officers to certify security access at the end of the calendar year, thus a formal review is performed every six months. This review includes all enterprise systems:
- CIW: The Commonwealth Information Warehouse provides access to financial, labor cost management, time and attendance, human resources, and payroll data for MMARS, LCM, UMASS, and HR/CMS, as well as a variety of historical databases: Classic MMARS, PMIS and CAPS. CIW contains confidential data that is protected by both federal and state privacy laws. While employees should have access to data needed to do their job, no employee should have access to personally sensitive information unless it is necessary to perform job duties.
- HR/CMS: The Human Resource/Compensation Management System supports time and attendance, human resources, and payroll. HR/CMS contains confidential data that is protected by both federal and state privacy laws. While employees should have access to data needed to do their job, no employee should have access to personally sensitive information unless it is necessary to perform job duties.
- Intempo: The on-line security system through which your Department Security Officer and Security Administrators request access to these enterprise systems through the Information Technology Division.
- MMARS/LCM: The Massachusetts Management Accounting and Reporting System, including the Labor Cost Management sub-system, supports the financial functions performed by Commonwealth agencies. MMARS contains confidential data that is protected by both federal and state privacy laws. While employees should have access to data needed to do their job, no employee should have access to personally sensitive information unless it is necessary to perform job duties.
NOTE: As you are reviewing security, please be aware that enterprise systems may also include the ability to download specific data elements to spreadsheets or databases. Special care should be taken to limit employees who can run queries containing personal data fields or combinations of data fields that create a risk of identity theft under M.G.L. c. 93H. In addition, to ensure against security breaches, spreadsheets or databases with sensitive data should be treated with the highest-level security and not be saved to generally accessible folders. Hard copy printouts should not be left in non-secured locations or thrown away in the regular trash or recycle bins without being shredded. Once the spreadsheet or database is no longer needed, departments must ensure that these files and printouts are properly destroyed in accordance with the requirements of M.G.L. c. 93I.
Certification must come directly from the Department Head, either as an e-mail from their account or as a hard copy with the Department Head's signature. The preferred method is on the Department Head Annual Approval of Statewide Enterprise Systems Security Form and e-mailed to firstname.lastname@example.org no later than June 5, 2009. This date will assure that needed changes are completed prior to the June 30 year end report used by the auditors. The latest enterprise security reports are available via Doc Direct as of May 1, 2009.
The Comptroller's Office is available to answer any questions and assist you with MMARS issues [Dan Frisoli at (617) 973-2614 or Mary Maloney at (617) 973-2695]. ITD is available to answer any questions and assist you with security for CIW, HR/CMS and Intempo. Contact CommonHelp at (866) 888-2808.
Thank you for your prompt attention to this task.