COLORADO DEPARTMENT OF LABOR AND EMPLOYMENT Arapahoe Street Denver, CO

Transcription

1 STANDARD PROCEDURE COLORADO DEPARTMENT OF LABOR AND EMPLOYMENT 1515 Arapahoe Street Denver, CO Number... Effective Date...12/13/90 Supersedes... Revision Date... Executive Director's SP-71 Approval... Under Revision... Document Title: SP-71 Computer Systems Access and Security Clearance Document Category: Automation Technology Subject Matter: Computer Management Originator: Number of Pages: 11 Contact: Contact Phone: Body: I. PURPOSE This procedure is administered by the Investigations and Criminal Enforcement Section (ICE) and is effective on the date shown in the heading. The purpose of this procedure is to minimize the potential for a USER to obtain transaction level access to CDLE Computer Systems or other NON-CDLE Computer Systems presenting opportunities for financial gain by illegal means or with fraudulent intentions. Transaction level access is that condition which allows one to create, modify or delete any data element in any record or file of any application program or any operating system within Computer Systems. This document establishes procedures for: A. Authorizing USERs to obtain transaction level access to such CDLE Computer Systems. B. Authorizing CDLE Employees to obtain access to such NON-CDLE Computer Systems. C. Conducting an ADP Security Clearance. The DEPARTMENT has the obligation to protect the taxpayers' investment in the assets and information used to conduct necessary government operations. This responsibility is made more complicated by the need for computer systems and the enormous impact these systems have on the way business obligations are satisfied. Since computer systems can be surreptitiously subverted for illegal purposes, possibly causing severe financial losses to Colorado taxpayers or possibly disrupting the Department's ability to serve Colorado citizens, the following criteria are established: 1. Any USER requiring transaction level access to any CDLE computer system in which opportunities exist for illicit financial gain, must comply with the procedures described herein. This does not include current USERs who have transaction level access or new users needing "inquiry or read only" access to such CDLE computer systems. The two CDLE applications currently identified as having potential opportunities for illicit financial gain are CUBS and CATS. These applications are designated as security-sensitive applications. 2. Any CDLE employee requiring access to such NON-CDLE Computer Systems must comply with the procedures described herein. This may include USERs currently having any level of

2 transaction access and will include all new CDLE USERs requiring transaction access to NON-CDLE Computer Systems. NON-CDLE USERs (i.e., local partners and community based organizations) seeking access to NON-CDLE Computer Systems must request such authorization directly from the NON-CDLE Computer System Owner. USER, as defined herein, is anyone requiring access to the CDLE or NON-CDLE Computer Systems in order to perform an authorized function or series of functions 3. The security clearance procedures defined herein will be implemented to determine whether any USER requesting transaction level access or requesting that any transaction level access be added to his/her existing access should be given that privilege. If it is deemed that access should not be granted, access will be denied and the user requesting access may be subject to other appropriate administrative action based on the grounds for denial. II. POLICY This procedure supplements the USER security and access authorization elements set forth in the CDLE ADP Security Policy (transmitted under DL (OIS) ) and the ADP security procedures manual that is restricted to Local Security Coordinators. III. OBTAINING ACCESS TO CDLE COMPUTER SYSTEMS CDLE Cost Center Managers are responsible for approving all CDLE employees access to CDLE Computer Systems. Only Cost Center Manager signatures will be accepted by OIS for the processing of documents and forms requesting such access. Requests for access to CDLE Computer Systems by other than CDLE employees must be approved by the appropriate "CDLE contracting authority" as defined in section B of this procedure. The following describes the procedures for obtaining access to CDLE Computer Systems: A. CDLE USER/EMPLOYEE 1. The Cost Center Manager will: a. Inform the USER of all stipulations and restrictions relative to his/her use of CDLE Computer Systems as outlined in the CDLE ADP Security Policy. b. Obtain a completed and signed "Statement of Personal Compliance" form from the USER (sample attached). This form will be forwarded to the CDLE Personnel Unit for inclusion in the individual's file and made available during periods of compliance review. Copies may be retained by Cost Center Managers if they so desire. c. Obtain a completed and signed "Computer Access: Authorization to Conduct Security Clearance" form (sample attached). This form is required IF the USER is authorized for first-time transaction level access or is being authorized for additional transaction level access to a security-sensitive application(s) and has not had a security clearance performed within the last twelve calendar months. Send the signed form to Investigations and Criminal Enforcement Section (ICE). IF the USER declines to authorize an ADP security clearance: 1) The Cost Center Manager will cease all activity related to authorizing CDLE Computer System transaction access to security-sensitive applications for the USER. 2) The USER must check the "declination box", sign the form and provide a written explanation of

3 the reasons for the declination. 3) The Cost Center Manager will forward the signed declination form and written explanation to ICE. d. Complete and sign a "CDLE Employee Request for Access" form. Send the completed form to the Office of Information Systems (OIS) Customer Assistance for processing. e. The OIS Director is responsible for obtaining a signed Notice of Personal Compliance and a signed security clearance form from each individual contracted for overflow ADP services. 2. OIS will: a. Verify the proper completion and authorization of the "CDLE Employee Request for Access" form. IF any documentation elements are incomplete or missing, all documents will be returned to the originating Cost Center Manager for appropriate action and no further action will be taken. b. Process the requested USER access and contact the Cost Center Manager with the access information. c. Notify the CDLE Controller of the appropriate billing code associated with the new USERID. 3. The ICE will: a. Record/log the receipt of all documents and perform all activities related to security clearances or declinations in a timely and trackable manner. b. IF the USER's security clearance report is accepted, the ICE will make the appropriate notation on the form and retain the original form for future reference. It is not required that notification of acceptable security clearance be sent to the USER, appropriate Cost Center Manager or CDLE ADP Security Administrator. c. IF the USER's security clearance is not acceptable, ICE will: 1) Notify the CDLE ADP Security Administrator by telephone to immediately revoke the USER's access to all CDLE and NON-CDLE Computer Systems' security-sensitive applications. A follow-up written notification will be provided and will be signed and dated by the CDLE ADP Security Administrator as verification of USER access revocation and returned to the ICE. 2) Verbally notify the appropriate Appointing Authority, who, in turn, will verbally notify the Cost Center Manager of the revocation of existing transaction access and that the USER is restricted from any further transaction access. Reinstatement of the USER's access will be based upon the decision of the Executive Director. 3) Maintain a USER case file relative to all phases of the security clearance, investigative efforts and the final decision. d. IF the USER declines to authorize a security clearance, ICE will maintain a case file relative to the information gathered and present the findings to the Executive Director for decision. 4. The Executive Director will: a. Review the "reason for declination findings" resulting from investigative efforts presented by ICE, or;

4 b. Review the "reason for unacceptable security clearance findings" resulting from investigative efforts presented by ICE. c. Render a decision as to the USER's CDLE Computer Systems access and employment status in the Department. 1) Normally, the affected USER will be given the option, not a right, to transfer to another position which does not require transaction level access to a security-sensitive application(s), IF such a position is available and IF the USER is otherwise qualified. 2) IF such a position is not available, the Executive Director will then consider further action and the options available under Chapters 8 and 9 of the Colorado State Personnel Rules and Regulations. These options include termination of employment. d. Notify the appropriate Appointing Authority of the decision. The Appointing Authority will coordinate the decision and any required actions with the Personnel Director and/or ICE. B. NON-CDLE USER/EMPLOYEE Only the Executive Director has the authority to negotiate contracts resulting in CDLE Computer Systems access for USERs employed by vendors and their agents, state, federal and foreign agencies. CDLE Cost Center Managers have the authority to negotiate contracts resulting in CDLE Computer Systems access for USERs employed by local agencies/entities (Community Based Organizations, etc. The Executive Director and CDLE Cost Center Managers will be referred to hereafter as the "CDLE Contracting Authority" for the purpose of this procedure. 1. The CDLE Contracting Authority will: a. Coordinate all aspects of "acceptable security clearance" with the contracting agency/entity; specifically: 1) Cease all activities related to requesting transaction level access to security-sensitive applications (e.g. the currently identified CUBS and/or CATS), IF a NON-CDLE USER declines to provide security clearance documentation; otherwise, 2) Obtain an "acceptable security clearance" based upon the "security clearance" criteria set forth in the contract negotiated between CDLE and the agency/entity. The basic elements of this criteria are: a) The criminal record check must be arranged through a legitimate law enforcement agency. b) The criminal record check must fully identify the issuing law enforcement agency and must bear the signature of the issuing law enforcement official. c) The criminal record check must reveal that the NON-CDLE USER has no job-related felony conviction arising from an offense(s) occurring in the five-year period preceding the request for new or additional transaction level access to security-sensitive applications, or such transaction level access will not be granted. d) The NON-CDLE USER or contracting agency/entity must be responsible for all costs of the criminal record check. IF a NON-CDLE USER receives an "unacceptable security clearance", the contracting agency/entity will not submit a request to the CDLE Contracting Authority for CDLE Computer Systems transaction level access for that USER.

5 b. Obtain a completed and signed "Statement of Personal Compliance" form for each NON-CDLE USER requesting access. c. Complete and sign an "Employee Request for Access" form. This form may be the Departments form or another agencies form as long as it contains all information required by CDLE for processing. d. Send the completed and signed "Employee Request for Access" form along with the completed and signed "Statement of Personal Compliance" to OIS. If transaction level (update) access is being requested send the original proof of security clearance document to ICE. 2. The ICE will: a. Verify that the security clearance is acceptable and mark the "Employee Request for Access" form appropriately. b. Retain the original proof of security clearance document for future reference. c. Send the "Employee Request for Access" form to the CDLE ADP Security Administrator for processing. 3. OIS will: a. Verify the proper completion and authorization of the "Employee Request for Access" form. b. Process the requested USER access and notify the CDLE Contracting Authority of all accesses granted. c. Notify the CDLE Controller of the appropriate billing code associated with the new USERID. IV. OBTAINING ACCESS TO NON-CDLE COMPUTER SYSTEMS Access to NON-CDLE Computer Systems will be determined, coordinated and processed in the following manner: A. OIS Customer Assistance will be the primary contact between CDLE and all other NON-CDLE Computer System Security Administrators. B. All requests for access will be coordinated through the OIS in accordance with NON-CDLE Computer Systems security/access policies and procedures. C. Access will be administered by the NON-CDLE Computer System Owner, who has the exclusive right to authorize or revoke access. D. CDLE Cost Center Managers will: 1. Notify the CDLE ADP Security Administrator in writing of all CDLE USERs requiring transaction access to NON-CDLE Computer Systems security-sensitive applications as identified herein (none at present). This notification will include an accurate and detailed description of the information/data needed by the USER. 2. Provide any additional information and perform any procedural elements requested by the CDLE ADP Security Administrator on behalf of the NON-CDLE Security Administrator. 3. NOT become involved with NON-CDLE USER requests for access to other NON-CDLE Computer

6 E. OIS will: Systems. The NON-CDLE USER will be directed to contact the NON-CDLE Computer System Owners. 1. When applicable, request that the Executive Director negotiate a contract or agreement for system access between CDLE and the NON-CDLE Computer System Owners. 2. Insure that all NON-CDLE Computer Systems access and security requirements are satisfied per contract. 3. Process all forms and/or documentation related to security-sensitive application(s) transaction access authorization. 4. Coordinate billing arrangements with the CDLE Controller. 5. Maintain a record of all authorized USERs and coordinate it with CDLE Cost Center Managers based upon the USER's employment status. V. SECURITY CLEARANCE CRITERIA Security clearance for transaction level access to CDLE Computer Systems' security-sensitive applications, by any CDLE or NON-CDLE USER or to NON-CDLE Computer Systems' security-sensitive application(s), by CDLE USERs will be the responsibility of ICE and will be recognized as an ICE priority task. A. SECURITY CLEARANCE CONVICTION CATEGORIES 1. A criminal record check will be performed with respect to job-related felony convictions arising from offenses that occurred during the previous five-year period. 2. Job-related conviction categories include, but are not necessarily limited to, the following: a. Theft b. Robbery c. Burglary d. Fraud e. Forgery f. Embezzlement g. Computer Crime h. Other white-collar or government operations crimes 3. Only actual job-related criminal felony convictions, not arrests, will be considered as a factor relating to the USER's suitability for computer transaction level access to security-sensitive applications. Felony convictions arising out of an offense occurring more than five years prior to the date of ICE review of the USER will not be considered. Felony conviction, as defined herein, is considered to include a plea of nolo contendere or acceptance of a deferred sentence when a felony charge was made. B. THE ICE CHIEF SPECIAL INVESTIGATOR RESPONSIBILITIES 1. Maintain all internal ICE procedures related to this standard procedure and make them available during periods of compliance review. 2. Conduct criminal record background checks of USERs in accordance with United States Department of Justice regulations. While a USER is required to submit a "Computer Access: Authorization to Conduct Security Clearance" form, or proof of acceptable security clearance document, each time new or additional

7 transaction level access to security-sensitive applications is being sought after July 1, 1990, ICE is required to conduct or request only one complete criminal background check on that USER in any twelve-month period. VI. LOCATION OF ALL SECURITY ACCESS FORMS The only forms that will be accepted for the purposes of authorizing access to CDLE Computer Systems are: A. Computer Access: Authorization for Security Clearance Form. (Sample attached) B. Statement of Personal Compliance Form. (Sample attached) C. CDLE Employee Request for Access Form. D. NON-CDLE Employee Request for Access Form. E. Other agencies access Request forms as specified in paragraph III B 1 c, above. * A copy of these forms will be supplied to all Cost Center Managers, Local Security Coordinators and NON-CDLE Security Coordinators by the OIS Customer Assistance for local reproduction. All forms required to access NON-CDLE Computer Systems will be made available by OIS Customer Assistance upon request. VII. QUESTIONS CONCERNING SECURITY CLEARANCE OR COMPUTER ACCESS Questions regarding the security clearance criteria and procedures, or the current status of an ongoing security clearance investigation, should be addressed to: CDLE ICE Chief Special Investigator Investigations and Criminal Enforcement Section 600 Grant Street, Suite 900 Denver, CO Phone: (303) Questions related to the CDLE ADP Security Policy and its supplemental procedures, or the preparation of the above noted forms, should be addressed to: Attachments : CDLE ADP Security Administrator, c/o Customer Assistance Office of Information Systems 251 East 12th Avenue, Room 313 Denver, CO Phone: (303) Statement of Personal Compliance Form. Computer Access: Authorization for Security Clearance Form. CDLE Employee Request for Access Form. NON-CDLE Employee Request for Access Form.

8 Supporting Documents Press the associated DocLink below to view the Supporting Document(s) - Supporting Document (CDOLE Computer Access: Authorization to Conduct Security Clearance) - Supporting Document (Statement of Personal Compliance Relating to the Access and Use of CDOLE Computer Systems)