System and Application access capabilities are designed to allow users to log on to a system and/or application to perform functions or tasks necessary for them to do their jobs. There are varying degrees of access that can be granted to users from inquiry only to the ability to update and change system and application programs and data. By not adequately administering and controlling system security and access capabilities, system and application programs and data can be compromised and inappropriate transactions can be processed. System and application owners should develop and implement policies and procedures and adequately train users to ensure that system and application security and access controls are adequate. The following are general guidelines to follow to help in this regard.
1. System users should be trained to secure their access identifications (IDs) and passwords. They should not be written down and left in a location that that is not properly secured. MOST IMPORTANTLY, ACCESS IDS AND PASSWORDS SHOULD NEVER BE SHARED WITH OR USED BY OTHER EMPLOYEES.
2. Individual access IDs and passwords should be unique to the user and should be unusual enough so that others cannot guess what a user's access ID or password may be. For instance do not use your name or the name of a child, telephone extensions, initials, birth dates or other commonly known information. Ideally, access IDs should be at least four digits long and contain both alpha and numeric characters.
3. When users are first granted access to a system or application or when a system or application is upgraded, system administrators may assign users generic passwords.For instance, an administrator may give a new user with the name John C. Doe an ID of JCD1 and will assign them the same password. When the SmartStream Financial Management System was recently upgraded, all users were assigned "password" as their password. Users should change these generic passwords to unique self-assigned passwords immediately.
4. Each user should have only one ID and password. We have noted instances where certain users have two or more IDs and/or passwords.This is redundant and unnecessary and can cause problems with administering and controlling system and application access.
5. When systems or applications are being developed and implemented or upgraded, it is not unusual to provide programmers and consultants with access capabilities that allow them to perform most if not all functions. It is important that the access IDs and passwords for these individuals are terminated prior to putting the system, application or upgrade into production.
6. Throughout the City and the Hartford Public School System (HPSS), employees are regularly being hired, retiring or changing positions and/or responsibilities. It is imperative that, when these employee changes occur, system owners determine the extent of any related changes that are required to access IDs and passwords. When an employee retires or is no longer employed by the City or HPSS all of their access IDs and passwords should be immediately deactivated in all systems and/or applications.In addition, when an employee changes jobs or responsibilities, system owners need to determine if they still need the same access capabilities in their new position and make changes as deemed appropriate. In certain instances, the responsibility for system security administration is shared with the system owner and Metro Hartford Information Services (MHIS). In addition, the Personnel department regularly notifies MHIS of personnel changes including new hires, terminations and moves. It is very important that both MHIS and system owners are notified of any and all employee changes in a timely manner so they can update system security and access accordingly.
7. Many systems and applications have options that provide a certain level of control over access IDs and passwords. These options should be utilized to the greatest extent possible. Some of these options are as follows:
8. Two individuals should be trained to be able to administer system security and access capabilities for each system or application.
To ensure the integrity of the City's/HPSS's systems, applications, programs and data is maintained, it is imperative that system and application owners develop, implement and maintain adequate policies, procedures and controls regarding system security and access.
If you have any questions or concerns regarding security and access controls for any system or application please contact Internal Audit at 543-8568 or MHIS at 695-8411.