[Cobo] FW: Reminder Security Announcement
LeFlore, Bobby
bleflore at osrhe.edu
Mon Jul 12 13:08:47 CDT 2004
-----Original Message-----
From: owner-core-general at youroklahoma.com
[mailto:owner-core-general at youroklahoma.com]On Behalf Of
jeanie.robards at osf.state.ok.us
Sent: Thursday, July 08, 2004 5:22 PM
To: core-general at youroklahoma.com
Subject: Reminder Security Announcement
Communication Liaison;
This Security reminder is for Procurement, General Ledger, Accounts Payable
and Human Resources professional CORE end users.
The CORE Security Team is seeing several violations of the State and OSF
Security Policy. Below are some points from both the policy and the CORE
OSF 301 Form provided as a reminder to your end users.
The Office of State Finance will adhere to all Security Policies for all
applications in which they provide service, including all the PeopleSoft
applications which are currently or planned to be installed. There will
not be any tolerance of a policy breach and any breach will be handled in
accordance with the published Security Policies.
State and OSF Security Policy
2.1 Information Confidentiality
The overriding premise is that all information hosted or created by a State
Agency is property of the State. As such, this information will be used
solely for performance of position related duties. Any transfers or
disclosures are governed by this rule.
The confidentiality of all information created or hosted by a State Agency
is the responsibility of all State Agencies. Disclosure is governed by
legislation, regulatory protections, rules as well as policies and
procedures of the State and of the owning State Agency. The highest of
ethical standards are required to prevent the inappropriate transfer of
sensitive or confidential information.
Release of information is strictly for job related functions.
Confidentiality is compromised when, knowingly or inadvertently, information
crosses the boundaries of job related activities.
Users must be required to follow good security practices in the selection
and use of passwords. Passwords provide a means of validating a user’s
identity and thereby establish access rights to information processing
facilities or services. All agency staff must be advised to:
- keep passwords confidential,
- avoid keeping a paper record of passwords, unless this can be stored
  securely,
- change passwords whenever there is any indication of possible system or
  password compromise,
- select quality passwords with a minimum length of eight characters which
  are:
  - easy to remember,
  - not based on anything somebody else could easily guess or obtain
    using person related information, e.g. names, telephone numbers and
    dates of birth etc.,
  - free of consecutive identical characters or all-numeric or
    all-alphabetical groups,
- change passwords at regular intervals (passwords for privileged accounts
  should be changed more frequently than normal passwords),
- avoid reusing or cycling old passwords,
- change temporary passwords at the first log-on,
- not include passwords in any automated log-on process, e.g. stored in a
  macro or function key, and
- not share individual user passwords.
2.4 Information Security
The State Agency Director whose Agency collects and maintains (owns) the
information is responsible for interpreting all confidentiality
restrictions imposed by laws and statutes as well as establishing
information classification and approving information access. The hosting
State Agency will staff a Security Administration function whose
responsibility will be operational control and timely implementation of
access privileges.
System limitations may prevent all of the following procedures from being
implemented; however, when possible, these rules apply:
- Passwords will be required to be a minimum of 8 characters long,
  containing at least one (1) numeric character.
- Passwords will expire in a maximum of 90 days.
- Passwords will be deactivated if not used for a period of 60 days.
- Passwords for a given user should not be reused in a 12 month period.
The State Agencies that access the systems have the responsibility to
protect the confidentiality of information which they use in the course of
their assigned duties.
6.2 Password Resets
Password resets are the responsibility of the hosting state agency’s help
desk function. Identities of requestors will be verified by the help desk,
logged and confirmed back to the user at the respective State Agency.
It is the responsibility of the requestor from all State Agencies, in
requesting a password reset, to confirm their identity. This may be
accomplished by:
- Providing their name.
- Answering a unique question and answer submitted on sign up, such as:
  place of birth, mother’s maiden name, etc.
- Providing additional information as may be requested, such as:
  - Agency
  - Phone number
The responsibility of the host agency’s Help Desk is to:
- Confirm the identity of the requestor.
- Report all suspicious activity to the security Administrator
  immediately. Discrepancies in answers, inability to provide the correct
  User ID, frequent requests for changes to the same User ID, or obvious
  password sharing constitute security breaches and will be reported.
- Reset the password.
- Log details of the call.
- Confirm the password reset to the user registered to the User ID via
  email.
- Report activity monthly to each State Agency involved.
OSF 301 Form Security Section:
"Users are responsible for protecting their access authorization and must
take steps to prevent others from using their User ID. Users will
construct good passwords and manage them securely, keeping their passwords
secret and not sharing them with others. If a user has reason to believe
that others have learned his/her password, the user will change the
password and notify the Help Desk of the situation. Users will not attempt
to use the logons and passwords of others."
"If a user finds that they have access to data they believe they are not
authorized to view, they will exit from that data and report the problem to
OSF Security."
If you have any questions concerning the policy or OSF Form 301, please
call Michael Lovero, Help Desk 521-2444 or Ken Ontko, OSF Security
522-4531.
Jeanie Robards
CORE project
3812 North Sante Fe, Suite 100
Oklahoma City, OK 73118
Phone: 405 962-2420
Fax: 405 521-9983
E-Mail: Jeanie.Robards at osf.state.ok.us