[Cobo] FW: Reminder Security Announcement

[LeFlore, Bobby]

-----Original Message-----
From: owner-core-general at youroklahoma.com
[mailto:owner-core-general at youroklahoma.com]On Behalf Of
jeanie.robards at osf.state.ok.us
Sent: Thursday, July 08, 2004 5:22 PM
To: core-general at youroklahoma.com
Subject: Reminder Security Announcement 






Communication Liaison;

This Security reminder is for Procurement, General Ledger, Accounts Payable
and Human Resources professional CORE end users.

The CORE Security Team is seeing several violations of the State and OSF
Security Policy. Below are some points from both the policy and the CORE
OSF 301 Form provided as a reminder to your end users.

The Office of State Finance will adhere to all Security Policies for all
applications in which they provide service, including all the PeopleSoft
applications which are currently or planned to be installed.  There will
not be any tolerance of a policy breach and any breach will be handled in
accordance with the published Security Policies.

State and OSF Security Policy
2.1   Information Confidentiality

The overriding premise is that all information hosted or created by a State
Agency  is  property  of the State.  As such, this information will be used
solely  for  performance  of  position  related  duties.   Any transfers or
disclosures are governed by this rule.

The  confidentiality of all information created or hosted by a State Agency
is  the  responsibility  of  all State Agencies.  Disclosure is governed by
legislation,   regulatory  protections,  rules  as  well  as  policies  and
procedures  of  the  State  and of the owning State Agency.  The highest of
ethical  standards  are  required  to prevent the inappropriate transfer of
sensitive or confidential information.

Release   of   information   is   strictly   for   job  related  functions.
Confidentiality is compromised when knowingly or inadvertently, information
crosses the boundaries of job related activities.

Users  must  be required to follow good security practices in the selection
and  use  of  passwords.   Passwords provide a means of validating a user’s
identity  and  thereby  establish  access  rights to information processing
facilities or services.  All agency staff must be advised to:
§  keep passwords confidential,
§  avoid keeping a paper record of passwords, unless this can be stored
   securely,
§  change passwords whenever there is any indication of possible system or
   password compromise,
§  select quality passwords with a minimum length of eight characters which
   are:
   §  easy to remember,
   §  not based on anything somebody else could easily guess or obtain
      using person related information, e.g. names, telephone numbers and
      dates of birth etc.,
   §  free of consecutive identical characters or all-numeric or
      all-alphabetical groups,
§  change passwords at regular intervals (passwords for privileged accounts
   should be changed more frequently than normal passwords),
§  avoid reusing or cycling old passwords,
§  change temporary passwords at the first log-on,
§  not include passwords in any automated log-on process, e.g. stored in a
   macro or function key, and
§  not share individual user passwords.

2.4   Information Security
The  State  Agency  Director whose Agency collects and maintains (owns) the
information   is   responsible   for   interpreting   all   confidentiality
restrictions   imposed  by  laws  and  statutes  as  well  as  establishing
information  classification  and approving information access.  The hosting
State   Agency   will   staff  a  Security  Administration  function  whose
responsibility  will  be  operational  control and timely implementation of
access privileges.

System  limitations  may  prevent  all  of  the  following procedures to be
implemented, however, when possible, these rules apply:
§  Passwords will be required to be a minimum of 8 characters long,
   containing at least one (1) numeric character.
§  Passwords will expire in a maximum of 90 days.
§  Passwords will be deactivated if not used for a period of 60 days.
§  Passwords for a given user should not be reused in a 12 month period.

The  State  Agencies  that  access  the  systems have the responsibility to
protect  the confidentiality of information which they use in the course of
their assigned duties.

6.2   Password Resets
Password  resets  are the responsibility of the hosting state agency’s help
desk function.  Identities of requestors will be verified by the help desk,
logged and confirmed back to the user at the respective State Agency.

It  is  the  responsibility  of  the  requestor from all State Agencies, in
requesting  a  password  reset,  to  confirm  their  identity.  This may be
accomplished by:
§  Providing their name.
§  Answering a unique question and answer submitted on sign up, such as:
   place of birth, mother’s maiden name, etc.).
§  Providing additional information as may be requested, such as:
   §  Agency
   §  Phone number

The responsibility of the host agency’s Help Desk is to:
§  Confirm the identity of the requestor.
§  Report all suspicious activity to the security Administrator
   immediately.  Discrepancies in answers, inability to provide the correct
   User ID, frequent requests for changes to the same User ID, or obvious
   password sharing constitute security breaches and will be reported.
§  Reset the password.
§  Log details of the call.
§  Confirm the password reset to the user registered to the User ID via
   email.
§  Report activity monthly to each State Agency involved.

OSF 301 Form Security Section:
"Users are responsible for protecting their access authorization and must
take steps to prevent others from using their User ID.  Users will
construct good passwords and manage them securely, keeping their passwords
secret and not sharing them with others.  If a user has reason to believe
that others have learned his/her password, the user will change the
password and notify the Help Desk of the situation.  Users will not attempt
to use the logons and passwords of others."

"If a user finds that they have access to data they believe they are not
authorized to view, they will exit from that data and report the problem to
OSF Security."


If you have any questions concerning the policy or OSF Form 301, please
call Michael Lovero, Help Desk 521-2444 or Ken Ontko, OSF Security
522-4531.


Jeanie Robards
CORE project
3812 North Sante Fe, Suite 100
Oklahoma City, OK 73118
Phone:      405 962-2420
Fax:  405 521-9983
E-Mail:     Jeanie.Robards at osf.state.ok.us