July 12, 2004
The CORE Security Team is seeing several violations of the State and OSF Security Policy. Below are some points from both the policy and the CORE OSF 301 Form provided as a reminder to your end users.
The Office of State Finance will adhere to all Security Policies for all applications in which they provide service, including all the PeopleSoft applications which are currently or planned to be installed. There will not be any tolerance of a policy breach and any breach will be handled in accordance with the published Security Policies.
The overriding premise is that all information hosted or created by a State Agency is property of the State. As such, this information will be used solely for performance of position related duties. Any transfers or disclosures are governed by this rule.
The confidentiality of all information created or hosted by a State Agency is the responsibility of all State Agencies. Disclosure is governed by legislation, regulatory protections, rules as well as policies and procedures of the State and of the owning State Agency. The highest of ethical standards are required to prevent the inappropriate transfer of sensitive or confidential information.
Release of information is strictly for job related functions. Confidentiality is compromised when, knowingly or inadvertently, information crosses the boundaries of job related activities.
Users must be required to follow good security practices in the selection and use of passwords. Passwords provide a means of validating a user’s identity and thereby establish access rights to information processing facilities or services. All agency staff must be advised to:
The State Agency Director whose Agency collects and maintains (owns) the information is responsible for interpreting all confidentiality restrictions imposed by laws and statutes as well as establishing information classification and approving information access. The hosting State Agency will staff a Security Administration function whose responsibility will be operational control and timely implementation of access privileges.
System limitations may prevent all of the following procedures from being implemented; however, when possible, these rules apply:
The State Agencies that access the systems have the responsibility to protect the confidentiality of information which they use in the course of their assigned duties.
Password resets are the responsibility of the hosting state agency’s help desk function. Identities of requestors will be verified by the help desk, logged and confirmed back to the user at the respective State Agency.
It is the responsibility of the requestor from all State Agencies, in requesting a password reset, to confirm their identity. This may be accomplished by:
The responsibility of the host agency’s Help Desk is to:
"Users are responsible for protecting their access authorization and must take steps to prevent others from using their User ID. Users will construct good passwords and manage them securely, keeping their passwords secret and not sharing them with others. If a user has reason to believe that others have learned his/her password, the user will change the password and notify the Help Desk of the situation. Users will not attempt to use the logons and passwords of others."
"If a user finds that they have access to data they believe they are not authorized to view, they will exit from that data and report the problem to OSF Security."
If you have any questions concerning the policy or OSF Form 301, please call the OSF Help Desk at (405) 521-2444.