Commonwealth of Massachusetts Office of the Comptroller Information Technology Division

Provided by: sco58

Transcript and Presenter's Notes


1
Commonwealth of Massachusetts Office of the
Comptroller Information Technology Division
Security Officers Briefing
  • May 21, 2008

2
Agenda
  • MMARS Security
  • Review process
  • Managing changes
  • DocDirect Overview
  • Next Steps
  • Additional Assistance
  • Key Contacts
  • Introduction
  • Statewide Enterprise Security Policy
  • Annual Approval Process
  • New Security Reports
  • ITD
  • CIW and HR/CMS
  • InTempo
  • Access to Sensitive Data

3
  • Martin Benison
  • Comptroller

4
New Enterprise Security Policy
  • Issued jointly CTR / ITD
  • Annual Dept Head Approval

5
Audit Findings - Security
  • Need for formal sign off by Department Head
  • Use discretion with High Level Roles
  • Mitigating Controls

6
Internal Controls
  • Should reflect security
  • Should be updated annually

7
New Policy Overview
  • New reports
  • Annual Review
  • Sensitive Data

8
New Reports
  • SECMMARS
  • SECHRCMS
  • SECCIW
  • SECINTEM

9
New Policy Overview
  • Procedures remain the same
  • MMARS access via CTR
  • CIW, HR/CMS, InTempo via ITD
  • Guidance on Selecting access

10
  • Department Head Responsibility
  • DSO Responsibility
  • CFO Responsibility

11
Security Review
  • Broad system access involves risks that must be
    managed
  • Segregation of duties and review of work
    processed

12
Security Practices
  • Best Practices
  • Review of systems security is key to assuring
    that access reflects current responsibilities and
    changes in personnel

13
  • Executive Office of Administration and Finance
  • Information Technology Division

14
Statewide Enterprise System Security Policy
  • ITD Reports
  • HR/CMS, CIW & InTempo changes

15
ITD Reports: HR/CMS, CIW & InTempo changes
  • Collaboration with CTR & ITD
  • New HR/CMS & CIW Reports
  • InTempo
  • New Report Access Changes
  • Access to Sensitive Data

16
New HR/CMS & CIW Reports
  • Collaboration with CTR - policy issued jointly by
    Comptroller and Chief Information Officer
  • The following reports are available
  • SECHRCMS for HR/CMS application user security
  • SECCIW for Commonwealth Information Warehouse
    user security
  • HR/CMS and CIW Reports are based on security
    roles
  • Reports are run the first of every month and
    posted to document direct

17
New HR/CMS & CIW Reports
  • Access to reports is restricted to primary
    Department Security Officers, CFOs, MMARS
    Liaisons, Department Heads
  • Reports should be reviewed to determine staff
    have the relevant access required for their
    current business role.
  • When granting access to staff
  • Determine relevant business function
  • HR, Payroll, Time and Labor, Financial
  • Level of access required: add, update or display
  • Sensitive nature of the data

18
InTempo Reports
  • New report - SECINTEM
  • Lists users who are authorized to use InTempo to
    submit requests for UAIDs for a department
  • Security Access Changes
  • To change a user's access to HR/CMS and CIW, use
    InTempo to retrieve the current security roles
    and submit the changes as required
  • Only Departmental Security Officers and their
    backups can submit these changes

19
Access to Sensitive Data
  • Security Freeze Breach Notification Law
    (Chapter 93H)
  • Enterprise Information Security Standards Data
    Classification (Enterprise Security Policy)
  • Protection of Sensitive Agency Information (CIO
    Advisory Memorandum - June 5, 2007)

20
MMARS Security Reports
  • Process for Review
  • Coordinate approval process with Department Head
  • New Responsibility for Key Contacts
  • Review staff roles and processing ability with
    Department Head
  • DHSA Designations

21
MMARS Security Reports
  • Mitigate Processing Risks
  • DFISC Authorization
  • Need vs Segregation of Duties
  • DHSA Designation vs DHSA & Processing and Cleanup
  • Encumbrances & Payment Combinations
  • High level role analysis
  • Shared Service Agency -- Department Head Approval
    of Shared Processing

22
MMARS Security Reports
  • Review Current Model
  • Internal Control Plan matched to MMARS Security
  • Remember: MMARS Security is flexible
  • Identify and manage duties by functional area
  • Restriction limitations defined and
    incorporated into ICP

23
MMARS Security Reports
  • Manage Changes to MMARS Security
  • MMARS Security Request Form
  • Form has been updated
  • New Structure with selections
  • New Email
  • Submit the form electronically

24
How to Use Doc Direct
  • Live Doc Direct walkthrough
  • Live MMARS Security Report walkthrough

25
Next Steps
  • Review Reports
  • DSO, CFO, Senior Management
  • Submit changes as appropriate
  • Review next monthly reports
  • Department Head sign off

26
Additional Assistance
  • One-on-one workgroups
  • Discuss Segregation of duties
  • Web Casts

27
Contact Information
  • CommonHelp 866-888-2808
  • CTR Helpdesk 617-973-2468
  • Comptroller's Security mailbox
  • SecurityRequests_at_MassMail.State.MA.US