Welcome to the Security Officers Briefing

1
Welcome to the Security Officers Briefing

• Tuesday, July 17th, 2007
• 1000-1200
• One Ashburton Place 21st floor

2
Agenda

• Introduction
• Security Officer Responsibilities
• Security Policy Changes and Guidance
• Signature Authorization
• Q A
• Password Reset Tutorial

3
Security Officers Briefing

• New member of security team Dan Frisoli
• Annual Dept Head review / approval of security
• Ask before you act
• KPMG - review of security centrally

4
Security Officers Briefing

• Mary Maloney
• Bureau Director, Department Assistance Bureau
• Security Officer Responsibilities
• Security Policy Changes and Guidance
• Signature Authorization
• Q A

5
Security Officer Responsibilities

• Process security requests
• Perform Password Resets for agency staff
• Review department internal controls that relate
  to MMARS security with management

6
Security Officer Responsibilities

• Assist with the Annual Department Head
  ratification process
• Review MMARS Staff Security reports quarterly
• Review and document Signature Authorizations with
  the Department Head

7
Security Officer Responsibilities

• Become familiar with all MMARS Security Policies
• Monitor organization changes
• Request immediate de-activation of security in
  situations where level of risk is elevated
• CTR Security will deactivate a UAID with a phone
  call from Primary DSO or Department Head

8
Department Head Changes

• Reminders
• New Department Head - Certification Required
• Certification form is mailed from CTR Executive
  Bureau
• Review current MMARS Security for all staff with
  Department Head
• Ratification due within 30 Days of appointment
• Designation of Security Officer Backup Security
  Officer
• Designation Forms

9
MMARS Security Policy Changes

• Annual MMARS Security review and Department Head
  approval
• New Department Heads, who were appointed within
  the 3rd Quarter (Jan-March) and have already
  approved MMARS Security, will not need to submit
  annual approval evidence.

10
MMARS Security Policy Changes

• Quarterly MMARS Security Review by Primary
  Security Officer
• Acknowledgement evidence (email) from Primary
  Security Officer will be due every quarter within
  30 days of receiving the Staff security reports

11
MMARS Security Policy Changes

• Guidance on selecting high-level security roles
• Use information about MMARS Security roles and
  what processing abilities are available to all
  agency staff to help make decisions
• Department Fiscal Administrator Role is very
  powerful
• Other combinations of roles can be too high level

12
Segregation of Duties

• Caution if a user can
• Add a vendor
• Set up an encumbrance
• Make a payment
• Process an adjustment
• Receive cash
• Reconcile cash

13
Signature Authorization MMARS Security

• MMARS Security is Role-based
• By functional area
• Department Security Officers choose roles based
  on Department Head defined Signature
  Authorization
• Administrator Role High Level (Can Submit
  Documents - may or may not have DHSA)
• User Role Lower Level (Cannot Submit)

14
Segregation of Duties Sample Model
Roles
15
MMARS Processing

• Over 90 of all transactions
• are delegated to Departments

16
MMARS Security Policy Changes

• Will include guidance on adding narrative and
  approval evidence that supports decisions made by
  the Department Head in your agency to your
  Internal Control Plan

17
Signature Authorization MMARS Security

• MMARS Security Form - User Setup Decisions
• Signature Authorization flags
• Roles

18
Signature Authorization MMARS Security
19
Signature Authorization MMARS Security
20
MMARS UAID REQUIREDEVEN IF NOT USED

• Any authorized signatory must obtain a UAID with
  Authorized Signatory flag (DHSA) in business
  function area of approval in order to be recorded
  as an official authorized signatory, even if the
  user will never touch MMARS.

21
Signature Authorization MMARS Security
22
Signature Authorization Limitations
23
MMARS is The Official Record of Fiscal Activities

• What appears in the MMARS system will be
  considered the official record or record copy
  of fiscal activities
• supersedes paper or other formats of the same
  information.

24
MMARS is The Official Record of Fiscal Activities

• Compliance responsibility remains at all times
  with the department that processes documents to
  final status.
• All MMARS entries tied to UAID (Universal Access
  ID User ID)
• MMARS tracks transaction approval
• MMARS connects fiscal transaction (through DOC
  ID) underlying paperwork and approval authority.

25
DHSA Must Support Business Needs

• Signature Authorization should be structured to
  ensure that
• there are sufficient staff authorized to approve
  contracts, transactions, payroll and other
  critical business needs during staff vacations,
  maternity leave, sick leave or other leave or
  unavailability,
• AND
• there are sufficient controls and segregation of
  duties to prevent risk of fraud and preserve
  fiscal integrity and accountability.

26
What does electronic signature of a MMARS
document mean?

• that the document they are processing and any
  supporting documentation have been approved by an
  authorized signatory of the Department head,
  secretariat and any other required prior
  approval, AND
• a copy of these approvals are available at the
  Department referencing the MMARS document number
  (DOC ID).

27

Signature Authorization MMARS Security

• Security Officer Senior Managers should meet
  regularly
• Review staff security and Signature Authorization
  status
• Submit Changes using MMARS Security Form
• Deletes are critical
• Call or e-mail with your questions
• Do you need guidance?

28
Questions
29
Security Officers Briefing

• Daniel Frisoli
• Security Technician
• Password Tutorial