Commonwealth of Massachusetts Office of the Comptroller Information Technology Division PowerPoint PPT Presentation



1
Commonwealth of Massachusetts Office of the
Comptroller Information Technology Division
Security Officers Briefing
  • April 23, 2009

2
Agenda
  • Introduction
  • Annual Security Approval
  • MMARS - preview new security transaction
  • PartnerNet Security
  • CIW Security Update
  • Intempo Upgrade
  • Information Security / Sensitive data
  • Q&A

3
  • Martin Benison
  • Comptroller

4
  • Department Head Security Review and Approval
  • Due by June 30th

5
Audit Findings - Security
  • Access to Systems
  • Password maintenance
  • Data Security

6
Internal Controls
  • Should reflect security
  • Must be updated annually

7
Security Review and Approval
  • Semi Annual Certification
  • Department Heads Close / Open no later than June
    30th
  • DSO Calendar Year end no later than December 31st

8
  • Dan Frisoli
  • Security Administrator
  • Office of the Comptroller

9
UDOC and UDOCPR
  • MMARS User Security Management

10
What can be done with UDOC?
  • Create a New User
  • Add security roles
  • Add DHSA
  • Update an Existing User
  • Add and/or remove security roles
  • Add and/or remove DHSA
  • Inactivate an Existing User
  • User is locked out and flagged as INACTIVE

11
Who has access to UDOC?
  • Only Department Security Officers (DSOs) will
    have access to view, edit and submit UDOC.

12
Where is UDOC?
  • UDOC is located in the MMARS Financial
    application
  • UDOC transactions will appear in the same Doc
    Catalog as other financial transactions such as
    CTs and PRCs

13
How to Create a New User
14
Enter User Data
15
Enter Password and DHSA
16
Select Security Roles
17
Workgroup
  • All users must be assigned workgroup 27
  • Workgroup 27 provides all of the business
    function links that one would see at the top of
    the screen in MMARS and LCM.

18
MMARS Business Function links
19
LCM Business Function links
20
Add Workgroup
21
Validate and Submit UDOC
22
ALL UDOCS will go to workflow
  • When a UDOC is submitted it will go to workflow
    to be reviewed by CTR Security Administration
  • If a UDOC is determined to be incorrect it will
    be rejected
  • An email will be sent to the DSO explaining what
    needs to be corrected

23
QUESTIONS?
24
How to Update a User
  • Change last name, phone number, email
  • Add and/or remove DHSA
  • Add and/or remove Security Roles

25
1. Enter UAID
2. Select Populate from Existing User link
26
User's data is pulled into the UDOC
27
  • Add security role
  • Validate and Submit
28
Questions?
29
How to inactivate a User
  • Users can be INACTIVATED in MMARS but their
    records will remain in the system.
  • Security Reports will reflect INACTIVATED users.

30
  • Enter UAID to be INACTIVATED
  • Select Populate from Existing User
31
  • Select INACTIVE
  • Select LOCKED OUT
32
The User is now marked as INACTIVE on SCUSER and
will not be able to access MMARS
33
Questions?
34
UDOCPR
  • UDOCPR is used ONLY for Password Resets
  • The UDOCPR does not go to workflow

35
Who has access to UDOCPR?
  • All DSOs will have access to UDOCPR
  • A separate role called HELPDESK can be assigned
    to Help Desk Representatives. This role will
    provide access to UDOCPR but NOT UDOC

36
How to Unlock a User and Reset their Password
37
  • Enter the UAID
  • Select Populate from Existing User
38
  • Reset the Bad Logins Count to 0
  • Uncheck the Locked Out check box
  • Enter a temporary Password
39
Validate and Submit the UDOCPR
40
Inform the user
  • The DSO or Help desk representative should inform
    the user of the new password.

41
Questions?
42
  • Mary Maloney
  • Department Assistance Bureau
  • Office of the Comptroller

43
Security Information Available
  • Security Policies
  • Security Forms

44
Security Review and Approval
  • Enterprise Security Reports
  • SECMMARS
  • SECHRCMS
  • SECCIW
  • SECINTEM

45
Security Review
  • Broad system access involves risks that must
    be managed
  • Segregation of duties and post-audit review
    of work performed

46
Security Practices
  • Review of systems security is key to assuring
    that access reflects current responsibilities and
    changes in personnel

47
PartnerNet Security
  • PartnerNet - status
  • New Applications
  • Internal Control Questionnaire
  • Financial Reporting
  • GAAP
  • Statutory Receivables
  • Fixed Assets
  • Component Unit reporting / Higher Ed

48
PartnerNet Maintenance
  • DSO can
  • add new users
  • enter/modify e-mail addresses (supports user
    self-service)
  • reset passwords
  • request additional access

49
PartnerNet Security
  • New Form add form in

50
  • Maureen Robbie
  • CIW Customer Support Manager
  • Information Technology Division

51

Changes to CIW Security
  • UMass new security role
  • SW need CIW board approval
  • Departmental UMass users
  • PCRS PARIS no longer available
  • (data will not be in New Warehouse)

52

Changes to CIW Security
  • Classic MMARS
  • Org level no longer available
  • Affected users moved to Departmental access as of
    4/6/2009
  • Departmental security officers were notified by
    Comptroller's Office

53

Changes to CIW Security
  • PMIS/CAPS: SSN number is the key to views
  • Restrict access to 2 users per department
    (1 personnel staff, 1 payroll staff), to be
    implemented (Governor's Executive Order 504)
54

Changes to CIW Security
  • Intempo form: CIW changes are not reflected on
    the Intempo form
  • ITD's System Security Administration will monitor
55
  • Stephanie Zierten
  • Deputy General Counsel
  • Information Technology Division

56
Executive Order 504 Legal Refresher
Before EO504
  • Commonwealth's Information Technology Division
    (ITD)
  • Commonwealth's Enterprise Security Board (ESB)
  • Cross section of Commonwealth agencies and local
    governments which oversee the Commonwealth's
    security.
  • Created by ITD in 2001 but lacked legal standing
  • Worked together to create policies on
  • Enterprise Information Security Policy
  • Cybercrime and Security Incidents
  • Electronic Messaging
  • Data Classification
  • Remote Access
  • Wireless

57
Executive Order 504 Legal Refresher
What does it change?
  • Doesn't change
  • Any preexisting contractual obligations
  • Any preexisting security or privacy laws
  • Isn't mandated for
  • Non-Executive Agencies
  • Legislature, Trial Courts, Authorities

58
Executive Order 504 Legal Refresher
All Executive Agencies Must
  • Develop a written Information Security Program
    (ISP), including an Electronic Security Plan
  • Personal data and personal information security
    must be addressed by an Electronic Security
    Plan (ESP) (More on these in a few minutes)
  • Manage vendors/contractors
  • Verify all vendors/contractors have acceptable
    security controls to prevent data breaches
  • Follow mandatory ITD standards for verifying
    competence and integrity of contractors and
    subcontractors and
  • Incorporate required certifications into
    contracts.
  • Have Agency Head Certify all Programs, Plans,
    Self-Audits and Reports

59
Executive Order 504 Legal Refresher
All Executive Agencies Must
  • Appoint an Information Security Officer (ISO)
    (really a Security and Privacy Officer) who
  • Reports directly to Agency head
  • Coordinates Agency's compliance with
  • EO504
  • Federal and state laws and regulations (privacy
    and security)
  • ITD enterprise security policies and standards
  • Although not required by EO 504, ISO to
    coordinate compliance with contractual security
    and privacy obligations as well.

60
Executive Order 504 Legal Refresher
  • Basic Requirements -- ISP
  • Adopt and implement the maximum feasible
    measures reasonably needed to ensure the
    security, confidentiality and integrity of
  • Personal Information as defined in the Security
    Freezes and Notification of Data Breaches Statute
    (G.L. 93H)
  • Personal Data as defined under FIPA
  • Personal Information (G.L. 93H)
  • Resident's first name (or initial) and last name
    in combination with
  • Social security number
  • Driver's license (or state issued i.d.) number or
  • Financial account number
  • Personal Data under FIPA
  • Any information which, because of name,
    identifying number, mark or description can be
    readily associated with a particular individual.
  • Except information that is contained within a
    public record (G.L. c. 4, § 7(26)).

61
Executive Order 504 Legal Refresher
  • ISP/ESP
  • Develop and implement written information
    security programs
  • Cover all personal information (not
    restricted to electronic information)
  • Electronic personal data must be
    addressed in a subset of the
    Information Security Program (ISP)
    called an electronic security plan (ESP)

62
Executive Order 504 Legal Refresher
All Executive Agencies (ISOs) must also
  • Submit certified agency ISP and ESP to ITD
  • More on this later
  • Self-audit ISPs and ESPs at least every year
  • assessing the state of their implementation and
    compliance with guidelines, standards, and
    policies issued by ITD, and with all applicable
    federal and state privacy and information
    security laws and regulations
  • Have all employees attend mandatory information
    security training
  • Staff, Supervisors, Managers, and Contractors
  • How to identify, maintain and safeguard records
    and data
  • Fully cooperate with ITD to fulfill ITD
    responsibilities

63

Executive Order 504 Legal Refresher
Compliance
  • How is this enforced?
  • ITD, with the approval of the Executive Office of
    Administration and Finance will determine
    remedial action for agencies in violation of
    EO504 and impose terms and conditions on agency
    IT funding.

64
Executive Order 504 Legal Refresher
ITD must
  • Implement its own ISP and ESP
  • Following Approval by an independent party (Peer
    Review)
  • Issue guidelines on developing and implementing
    ISPs and ESPs (More on this
    in a few minutes)
  • Review all ISP/ESPs and ESP audits
  • Review agencies' compliance

65
EO504 Enterprise Information Security Policy
(Updated)
66
EO504 Enterprise Information Security Policy
(Updated)
  • Assists management in defining a framework that
    establishes a secure environment.
  • Overarching structure provided for achieving
    confidentiality, integrity and availability of
    both information assets and IT Resources
  • Information Security Management Program
  • Risk Assessment
  • Risk Treatment
  • Security Policy, Policy Adoption and
    Documentation Review

67
Next Steps
  • Department Head approval
  • UDOC Implementation schedule
  • Training
  • Job aids
  • New PartnerNet form to be posted
  • Webcast to be posted

68
Contact Information
  • CommonHelp 866-888-2808
  • CTR Helpdesk 617-973-2468
  • Dan Frisoli CTR Security
  • 617-973-2614
  • Comptroller's Security mailbox
  • SecurityRequest@MassMail.State.MA.US