FINANCE and HR Systems Access Guidance Document DRAFT September 2011

Transcription

1 D R A F T FINANCE and HR Systems Access Guidance Document DRAFT September 2011 Access requests for Finance, HR and CIW Systems are controlled at the campus level by the Campus Security Coordinators. The Campus Security Coordinator must verify that an access request is appropriate and that all requirements for access have been fulfilled in accordance with the guidelines presented in this document, then pass the signed request form along to the Access Management Provisioning team, a division of University Information Systems (UIS). Once requests are approved at the campus level, the Access Management Provisioning team (AMPS) with University Information Systems (UIS) reviews and grants the requested access and maintains documentation related to those requests. FIN and HRMS Campus Security Coordinator contact information can be found in Exhibit I of this document; a quick link is below: AMPS also maintains a website containing access guidance information, links to access request forms, and current lists of Campus Security Coordinators. The AMPS website is located at: AMPS will maintain records of operator information, including any subsequent changes in user access, and will generate reports as set forth in these guidelines, or at the request of the campus security coordinators, for purposes of periodic system access review. As a general rule, these access reviews will be initiated and conducted by the Campus Security Coordinators. I. STANDARD SYSTEM ACCESS PROCESS A. Access Request Forms General Information AMPS maintains links to all access request forms (with the exception of some HR forms administered through Payroll & Benefit Services) on their website. Most forms are electronic and use electronic signature and routing applications, allowing for prompt delivery through . Currently, forms may also be faxed to AMPS or scanned and sent as attachments. Access requests may also be submitted through SupportWorks (with a scanned copy of the signed access request form). Requestors complete the required system access request form, obtain supervisor approval and send the completed and signed forms to the appropriate Campus Security Coordinator.* Forms are available on the AMPS website at: Forms include: FIN Access Request FIN Specialized Access Request Developer Account Request* HRMS System Access Request HRMS Specialized Access HRMS Compensating Controls Certification HRMS Tree Change Request CIW Access Request Discontinue Access Request * Developer Access Request forms are administered through AMPS, but require additional approvals. FIN Developer Access Requests require approval from the Director of Financial Reporting Systems and the Director of Application Development. HRMS Developer Access Request Forms must also be approved by the Director of Application Development. DRAFT - 1

2 B. Access Request Review Process As noted earlier, requests for access to FIN, HRMS and/or CIW systems are initiated by the individual operator and his/her supervisor. Both the operator and his/her supervisor must sign the request form and forward that to the appropriate Campus Security Coordinator. Campus Security Coordinators review requests and complete the following steps: 1) Check for existing PeopleSoft Operator ID (OPID) - Does the individual requesting access already have a PeopleSoft Operator ID (in FIN, HRMS or ISIS)? In most cases, a new ID will not be necessary. OPIDs attached to one individual should never be reused for another individual. In some cases, multiple OPIDs for a single individual may exist in FIN or HRMS. Clarification may be needed from the operator/supervisor as to which of these IDs should be used for the access request submitted. Instructions for checking existing PeopleSoft Operator IDs are contained in Exhibit II of this document. 2) Verify training completion - Training is required before access to PeopleSoft systems can be granted. In all cases, the general IT Security training (Course # U Information Security and Privacy, available through SkillSoft) must be completed before access can be granted. A more detailed listing of training required for specific FIN and HR roles is included in Exhibits III and IV. Training requirements for specific roles are also noted on the FIN and HR access request forms. Campus Security Coordinators must verify that all required on-line and classroom training has been completed and that a passing grade (70% or better) has been achieved, where applicable.* If all training is not completed, but FIN access is required immediately, please refer to section I-C (below) for provisions for granting temporary access in FIN. Please note that all required training must be completed in order to receive HRMS Access; there are no provisions for temporary access in HRMS. * Not all SkillSoft courses are graded; in some cases, course completion is all that is recorded. Instructions for verifying training can be found in Exhibit II of this document. Instructions for verifying training completion in HRMS are contained in Exhibit V of this document. 3) After training has been verified, review and qualify the request: Are special approvals required (see Section IA)? If so, have they been obtained? Is Incompatible Access being requested (check new roles requested against existing roles, if applicable)? If so, review Section II below for guidance. Is the access requested appropriate for the user? For example, does the person need to see personal information as part of his or her job duties? Does the person need to see information from all campuses? Can the user get what he or she needs from CIW without opening access to critical financial tables? Does the person have the appropriate row level security to be given access to certain HRMS roles? Does the user have multiple PeopleSoft IDs? If so, please ensure that appropriate justification is provided for the new ID request. In most cases, multiple IDs are necessary only for those with PeopleSoft administration responsibilities (e.g., UIS employees). DRAFT - 2

3 Campus Specific Qualification Guidelines (UCCS): Ensure that UCCS departments are not requesting Cash Transfer Journal Entry or Cash Transfer Approval roles as well as Budget Journal Approval. Personnel in the Resource Management Division are the only personnel who may have these roles. Campus Specific Qualification Guidelines (UCD): Ensure that UCD departments are not requesting Journal Entry (JE) Approval roles for their employees (JE Actuals Approval and JE Cash Transfer Approval). These JE Approval roles cannot be granted to anyone outside of the Finance and Grants and Contracts area. 4) Submitting the Request Access request forms are designed to logically move from one approver to the next, using electronic routing. If the form has been sent to AMPS out of sequence, i.e. before the operator s supervisor and/or Campus Security Coordinator have signed, the form will be returned to the individual who submitted it, along with an explanation of proper routing procedures. Once the Campus Security Coordinator has reviewed and approved the request, it can be submitted electronically by clicking the routing button on the form. If a hard copy or scanned copy of a request form is used, a scanned copy of the signed request form can be submitted to AMPS as an attachment by sending it to PSAccess@cu.edu, or it can be attached to a Supportworks access request ticket. Hardcopy forms can also be faxed to AMPS at Request Flow Operator Signature Supervisor Signature Security Coordinator Signature* AMPS * Depending on the access requested, additional signatures may be required before or after the access coordinator s signature (e.g., Incompatible Access requests require an Incompatible Access reviewer signature before routing to the Security Coordinator; University Controller signature for All Funds access requests, and director signature(s) for developer access requests are required prior to routing to AMPS). DRAFT - 3

4 5) Processing the Request AMPS Upon receipt of the access request form, AMPS will check signatures, then send an acknowledgement to the user, supervisor and Campus Security Coordinator confirming that the request has been received. AMPS will then grant the access requested, make the appropriate entries in the PeopleSoft systems, and maintain a copy of the entire Access Request Form (including the Compensating Controls page and any other documentation accompanying the Access Request Form) per the Administrative Policy Statement Retention of University Records. When processing is complete, AMPS will send an to the operator, supervisor, and Campus Security Coordinator notifying them that the operator s access request has been finalized, and advising the operator as to when access will be available. C. Temporary Access Because classroom-based training is required for some FIN roles, and because that training is not always readily available, it may be necessary to grant operator access on a temporary basis, until all classroom training can be completed. If all required online training courses have been completed with a passing grade (70% or better), Campus Security Coordinators and AMPS may, at their discretion, grant temporary (90-day) FIN access to an operator. Temporary access will not be granted for HRMS roles. Campus Security Coordinators should note on the FIN access request form that access is Temporary. Campus Security Coordinators should maintain records of these temporary access situations and follow-up as outlined below: 1) Campus Security Coordinators will track all FIN temporary access requests to ensure that all required training is completed within 90 days. Reminder s should be sent to the user and his/her supervisor at 30 and 60 days, with a final notice at 90 days. 2) If the required training is not completed, the Campus Security Coordinators will notify AMPS and request that the operator s FIN access be terminated no later than three days after the final notice is sent. If the Campus Security Coordinator determines that there are extenuating circumstances that may justify continuation of access for another 60 days (e.g., required training has not been offered, personal hardship, etc.), Campus Security Coordinators must document those circumstances and maintain those records. 3) Campus Security Coordinators must send an notification to the user and the Supervisor/Sponsor notifying them when FIN access is discontinued. II. INCOMPATIBLE ACCESS A. Definition Incompatible Access (IA) occurs when employees have roles that allow them access that bypasses the normal segregation of duties (e.g., both create and approve roles for journal entries, purchase orders, etc.). Ideally, granting this type of access should be limited or avoided altogether, if possible; however, in some cases, incompatible access roles may be necessary to conduct business (e.g., departments with a limited number of personnel). Currently the following role-pairs constitute Incompatible Access in FIN: JE Budget + Approve Budget Journals JE Actual + Approve Journals JE Transfer + Approve Journals DRAFT - 4

5 Purchase Order (PO) + Approve PO (and/or Departmental Purchase Orders) Requisitions + Approve Requisitions (PO, SPO) Vendor Manager + Voucher Entry (AP Manager) epro Requester + epro Approver (CU Marketplace) Currently, the following role-pairs constitute Incompatible Access in HRMS: Time Collection and Time Entry Approval Roles Payroll Personnel Liaison/Time Entry Approval Payroll Personnel Liaison/Job Data Hiring Approval Payroll Personnel Liaison/One-time Payment Approval Campus HR Role Please note that other University systems contain role pairings that may give operators incompatible access, such as MyLeave (supervisors who have the ability to both create & approve employee timesheets and Payroll Personnel Liaisons (PPLs) who can also approve timesheets). While this access is not directly controlled by AMPS or the Campus Security Coordinators, everyone should be mindful of this when reviewing and granting access in PeopleSoft. B. Granting Incompatible Access If someone has requested Incompatible Access, then the Campus Security Coordinator will: 1) Review the request to determine that the justification for the Incompatible Access request is legitimate. 2) Ensure that an appropriate compensating control has been identified on the access request form. 3) Make sure an Incompatible Access Reviewer has been identified, and verify that the Reviewer is an Active Employee. It is strongly recommended that the reviewer is either the supervisor or sponsor of the employee requesting access and is, therefore, in a position to challenge the appropriateness of transactions done using Incompatible Access. Campus Specific Guidelines (UCD): The Campus Security Coordinator must notify the appropriate campus personnel so they are aware of new Incompatible Access requests. If within a department, ensure that the Department Fiscal Manager is approving the request even if he or she is not the Reviewer. The Denver campus is (1) working to reduce the number of Faculty performing the Reviewer function and (2) trying to work with departments to adjust access profiles for the purpose of eliminating IA. 4) Campus Security Coordinator approves and sends request to AMPS. 5) AMPS will grant the access and enter the person into the Incompatible Access panel in FIN with the effective date and the Reviewer s information. HRMS does not have this panel for recording IA users and reviewers, although a method for systematically storing this information is being explored. Accordingly, information on HRMS Incompatible Access operators and reviewers is maintained and monitored by the Campus Security Coordinators. 6) AMPS will maintain the Access Request Form including the Incompatible Access section. HR Campus Security Coordinators maintain the Compensating Control section of the form for HRMS Incompatible Access users. DRAFT - 5

6 C. Incompatible Access Basic Follow-up and Review Security Coordinators monitor users with Incompatible Access by making sure that IA operators and reviewers are logged, either in the Finance System (for FIN IA operators) or in manually maintained spreadsheets (for HRMS IA operators). Security Coordinators for both FIN and HRMS should reconcile their records of IA operators against the monthly Operators with Incompatible Access reports distributed by AMPS. Any variances between the AMPS reports and Security Coordinator records should be investigated and information should be updated as needed. Additionally, campus Security Coordinators should review their IA operator and reviewer population for any changes in employment status (e.g., termination, transfer, position changes), using reports provided by AMPS or the Office of University Controller (OUC). The Transferred Employee Report,* from AMPS, identifies operators with HRMS or FIN system access who have changed positions or transferred to another department or campus. If those operators have Incompatible Access, Campus Security Coordinators must make contact with those employees and/or their supervisors to determine if Incompatible Access is still required. If an Incompatible Access reviewer has changed positions or transferred to another location, Campus Security Coordinators must confirm that any IA operators who were reviewed by this individual have been assigned to a new reviewer. All changes must be documented; if a new Incompatible Access Reviewer is being named or if a new Compensating Control method is being selected, the Campus Security Access Coordinator must obtain and review all required documentation, pass that on to AMPS, and update the IA reviewer information in FIN or in any manually maintained Incompatible Access records. The Campus Security Coordinator is responsible for notifying AMPS when a user s Finance System access profile is changed to remove Incompatible Access roles so that the Incompatible Access table in the Finance System can be updated accordingly. The Terminated Operators on the Finance System Incompatible Access Table and Invalid Reviewers on the Finance System Incompatible Access Table reports are distributed monthly to FIN System Security Coordinators, and are generated and maintained by the OUC based on IA operator and reviewer information stored in the Finance System. Security coordinators should notify AMPS when a FIN Incompatible Access operator has retired or terminated so that the incompatible access Operator ID can be deactivated.* *Note: The checkbox for Incompatible Access in FIN must remain checked, even after an Operator ID has been deactivated. If an Incompatible Access reviewer has retired or terminated, Campus Security Coordinators must confirm that any IA operators who were reviewed by this individual have been assigned to a new reviewer. All changes must be documented; if a new Incompatible Access Reviewer is being named, the Campus Security Coordinator must obtain and review all required documentation, pass that on to AMPS, and update the IA reviewer information in FIN or in any manually maintained Incompatible Access records. D. FIN System Incompatible Access Reviewer Responsibilities Employees who have been designated as reviewers of users with Finance System Incompatible Access must conduct regular reviews of the IA activity of their IA operators. To accommodate this review, reports of FIN Incompatible Access activity are available to designated reviewers in the Cognos reporting system. Review activity should be documented and maintained so as to be readily available for any audit requests. It is DRAFT - 6

7 primarily the IA reviewer s responsibility to take appropriate corrective actions when there is evidence that incompatible access is being used improperly. *Note - As of March 1, 2011, reports are available only for Incompatible Access journal entry transactions. Reports for Procurement transactions are still under development. In the meantime, review processes for Procurement transactions are detailed in the Compensating Controls section of the FIN System Specialized Access Request Forms. E. HRMS System Incompatible Access Review Responsibilities HRMS Security Coordinators are responsible for providing reporting on the Incompatible Access activity of IA operators to the appropriate reviewers. Coordinators use two PeopleSoft Auditing reports - Personnel Actions Audit and Time Entry Audit - to monitor IA activity in HRMS. When IA operator activity is noted in a reporting period, the HRMS Security Coordinator must deliver ( ) the reports of this activity to the IA operator s reviewer of record if that reviewer does not have access to HRMS to run those reports. This review process is conducted on a monthly basis. Campus Specific Guidelines (UCB): The UCB HRMS security coordinator will run the monthly incompatible access reports for all reviewers of HRMS Incompatible Access. F. Annual Incompatible Access Recertification Process On an annual basis, the Campus Security Coordinators will administer a process to ensure (1) that those who have Incompatible Access still need it and (2) that the Incompatible Access Reviewer information maintained in the Finance System (or manually, in the case of HRMS Security Coordinators) is accurate. The Incompatible Access Certification process for FIN is scheduled by campus and is recorded in the Finance System under Setup Financials/Supply Chain Security Campus Schedule. Campus Security Coordinators should set an annual calendar reminder of the Incompatible Access recertification dates so that timely follow-up can be maintained. HRMS Security Coordinators manually maintain records on Operators with Incompatible Access, and schedule annual reviews for recertification. In FIN, the process involves the following: Coordinators generate notices to operators with Incompatible Access. For FIN IA operators, this notice is automatic and is based on the campus schedule established in the Finance System. HR IA operators receive a manually generated notice, based on an established annual review process. Incompatible Access operators receiving these s must then forward the to their designated reviewers. Reviewers of these IA operators must certify, in an to the appropriate Campus Security Coordinator, that the Incompatible Access roles for the operator in question are still necessary, and that the previously identified Compensating Control is in place and is being used for review purposes. Security Coordinators must follow up for receipt of confirmations from the appropriate reviewers, using information from the most recent Operators with Incompatible Access reports supplied by AMPS (this report is generated on a monthly basis). Security Coordinators must review responses and communicate any necessary changes in Incompatible Access roles, reviewers or review processes to AMPS. DRAFT - 7

8 If reviewer information has changed, the Security Coordinator should update the reviewer information in FIN (for FIN users) or in the manual records maintained by the HR Security Coordinators (for HR users). If there is no confirmation after thirty days, campus security coordinators will: Actively investigate any situations where Incompatible Access has not been confirmed. Incompatible Access may be continued for those operators during the course of the investigation. Take actions appropriate to the results of these investigations. If, after 10 more days, there is still no confirmation, campus security coordinators will: Send notification to the IA Operator and his/her reviewer that access will be terminated in three business days unless reviewer confirmation is received. Follow through by requesting that AMPS terminate any incompatible roles for the Operators in question at the end of the three-day waiting period. Security coordinators must maintain a record of follow-up performed for the annual Incompatible Access certification process, including documentation supporting any changes made to IA roles, reviewers or compensating controls. III. PERSON OF INTEREST (POI) A. Definition - POIs are typically individuals who are not directly employed by the University, but are employed by a University affiliate.* These individuals may be performing University-related research or conducting other University business, and may require access to University systems (FIN, HRMS, CIW) in order to fulfill their job duties. POIs may be granted access to University systems under the following conditions: A designated University employee must act as a sponsor for the POI. A copy of the Add a Person** worksheet is properly completed and all required signatures are obtained. The POI must be set up in HRMS as having Type 15 Security Access. (See Exhibit VI for instructions on checking POI access coding, sponsor information, system end dates, etc.). The appropriate access request forms are completed and submitted with all required approvals to the Campus Security Coordinators and AMPS. All required training is completed. * Note: In rare cases, active University employees may be set up as POIs in order to be granted access to systems on another campus (e.g., internal audit personnel). ** Note: An updated Add a Person worksheet is under development as of March 1, Social Security Numbers will no longer be required for POIs, but any other personalidentifying information requested must be completed in full. DRAFT - 8

9 Campus Security Coordinators will verify that: Type 15 Security Access has been requested (based on the information on the POI worksheet and the setup screens in HRMS). The process for verifying POI access is outlined in Exhibit VI. A valid sponsor is listed for the POI on the access request form (must be an active University employee). If the POI is requesting Incompatible Access, he/she must be from an affiliate that has a signed agreement with the University or from an affiliate that has a signed Federal & State Work/Study Agreement in place. These individuals must be coded as a VIP-POI in HRMS. One person on each campus has access to code POIs as VIP-POIs. VIP-POI is indicated by a check in the box Fiscal Relationship. A valid reviewer (must be an active University Employee) is listed. A valid Compensating Control is identified. B. POI Recertification Process Initial Review POIs with access to Finance, HRMS and CIW systems must recertify on a regular basis. An initial process will be conducted in March April 2012 to capture POIs past their end dates in the system. This initial process will be conducted as follows: AMPS will run a report identifying all POIs with FIN, HR or CIW access who have passed or will have their system end dates in April AMPS will send a report listing these POIs and their sponsors (for reference purposes) to the Campus Security Coordinators. AMPS will then issue s to the affected POIs and their sponsors. POIs/sponsors will have 30 days to complete the certification process. The certification process requires both an acknowledgement to UIS from the sponsor, indicating that the POI is still active and system access is still valid, and an acknowledgement that the POI maintenance screen has been updated with a current scheduled end date for the POI. At 20 days past the initial contact, AMPS will send reminder s to all POIs and sponsors who haven t completed the certification. AMPS will send the security coordinators a list of all POIs who received this reminder . At 30 days, AMPS will terminate access for those POIs who have not been certified. AMPS will provide the security coordinators a list of those POIs whose access has been terminated. Unless a security coordinator intervenes (intervention is a temporary stay, not an alternate process), access for POIs who have not certified will be terminated at 35 days. AMPS will supply security coordinators with a final list of all POIs whose access has been terminated. All certifications must be documented and retained by AMPS in accordance with University record retention requirements. DRAFT - 9

10 C. POI Recertification Ongoing Certification Process After the initial POI clean-up is concluded, the ongoing POI certification process will be as follows: AMPS will run a periodic (at least monthly) process identifying POIs with access to FIN, HRMS and/or the CIW whose end dates are days out. AMPS will also identify any POIs whose end dates have passed (to ensure that POI maintenance screens from past certifications have been properly updated). A report listing these POIs will be provided to the security coordinators. s requesting recertification of those POIs will be issued to the POI and sponsor by AMPS. Sponsors will be asked to confirm that the POI in question is still active and still requires access to the FIN, HRMS and/or CIW systems. Sponsors will also be asked to ensure that the POI maintenance screens are updated to reflect an accurate end date. At 20 days past the initial contact, a list of POIs who have not yet been certified will be distributed to the security coordinators. POI access will be terminated as of their scheduled end dates, unless proper certification is made to UIS. IV. TERMINATED/RETIRED OPERATORS On a weekly basis, AMPS will send a list of terminated employees to the Campus Security Coordinators (see contact information in Exhibit I). If the Campus Security Coordinators do not advise otherwise, AMPS will automatically inactivate the system access of the terminated employees after one week. Under no circumstances will an employee ID remain active or be reactivated until the employee s HR status reflects that the employee is active. V. TRANSFERRED EMPLOYEES This process is designed to identify employees who may have new positions within the University and to determine whether their existing system access roles continue to be relevant and appropriate to their new job duties. On a monthly basis, AMPS will run a query searching for active employees with changes in position numbers and/or departments, or HR action codes indicating a recent transfer or position change. AMPS will build a spreadsheet showing the results of this query and forward that spreadsheet to the security coordinators. Security coordinators should contact the employee s current supervisor to request an updated access request form, signed by the new supervisor (Reinstate Access). Security coordinators will be responsible for tracking responses to these s. Security coordinators should request termination of access for all those transferred employees for whom no new documentation has been received. DRAFT - 10

11 VI. INACTIVE OPERATOR IDS PeopleSoft passwords expire every 90 days and must be reset using a University computer or through authorized VPN access. It is felt that this practice, in conjunction with the monthly review of terminated operators, is sufficient to mitigate any risk associated with inactive ID s. VII. PROCESS FOR CHANGING PERMISSIONS AND ROLES Permission and role changes should always be done using an AMPS Access Request form. As with any access request, Campus Security Coordinators should review the permission and role change requests to determine 1) that they are appropriate, 2) that all required training has been completed, and 3) whether they create an Incompatible Access situation. All requests for Incompatible Access should be handled in accordance with Section II above. VIII. ACCESS DISCONTINUATION Access can be terminated or revoked by submitting the Discontinue Access Request Form, by submitting a SupportWorks ticket, or by sending an authorization. The first two methods are preferable to notifications, but all are accepted by AMPS. AMPS has the responsibility for maintaining a record of these requests. IX. RECORD RETENTION University record retention policy revised as of December 2007 called for a retention period of three years for access authorizations. AMPS currently maintains those records. In situations where temporary access pending completion of required training is being requested, Campus Security coordinators should maintain these requests and follow until training is completed and permanent access has been granted. DRAFT - 11

12 EXHIBIT I Link to all Campus Security Coordinator contact info: HRMS Coordinator Group s: hrmsaccess@ucdenver.edu (UCD); hraccess@colorado.edu (UCB); hrms@uccs.edu (UCCS); systemshrms@cusys.edu (System). FIN Coordinator Group s: finance.access@ucdenver.edu (UCD); finance.access@colorado.edu (UCB); controller@cusys.edu (System); UCCS uses a personal address (see Security Coordinator link above). DRAFT - 12

13 Exhibit II Search for existing Operator IDs and roles in FIN and/or HRMS using the following navigation: NAVIGATION: People Tools > Security > User Profiles Do a basic search by OPID (PeopleSoft User ID) or an advanced search by description (user s last name, first name - case sensitive). Each OPID begins with a descriptive letter (Alpha Code) followed by a 5-digit ID. The following is an explanation of those alphabetical codes: OPID Alpha Codes* B- Boulder C- Colorado Springs D- Denver H- Denver L- UIS (Migrators) M- Development users R- System U- Denver Q- UIS(Security or production services users) Campus Security Coordinators may also use the reports generated by AMPS (Operator Access FIN Systems and Operator Access HR Systems) to check for existing Operator IDs in FIN, HRMS or ISIS. Click the Roles tab to view existing roles in FIN and HRMS DRAFT - 13

14 EXHIBIT III HRMS System Security and Related Training Requirements Below is a summary of the types of HR System access and the corresponding required training courses. These courses must be completed with passing grades in order to obtain permanent security to the HRMS system. If requesting HRMS Inquiry only: Course Title Course Number Type of Course HRMS-Fundamentals A00029 SkillSoft HRMS-Inquire/Reporting A00030 SkillSoft Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft If requesting HRMS Time Collection Entry: Course Title Course Number Type of Course HRMS-Fundamentals A00029 SkillSoft HRMS-Inquire/Reporting A00030 SkillSoft HRMS-Time Collection A00031 SkillSoft Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft If requesting HRMS PET Entry only: Course Title Course Number Type of Course HRMS-Fundamentals A00029 SkillSoft HRMS-Inquire/Reporting A00030 SkillSoft Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft If requesting HRMS Payroll Personnel Liaison: Course Title Course Number Type of Course HRMS-Fundamentals A00029 SkillSoft HRMS-Inquire/Reporting A00030 SkillSoft HRMS-Time Collection A00031 SkillSoft HRMS Functional Training Instructor Led Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft DRAFT - 14

15 If requesting HRMS Approval: Course Title Course Number Type of Course HRMS-Fundamentals A00029 SkillSoft HRMS-Inquire/Reporting A00030 SkillSoft HRMS-Time Collection A00031 SkillSoft HRMS Functional Training Instructor Led Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft DRAFT - 15

16 EXHIBIT IV Finance System Security and Related Training Requirements Below is a summary of the types of Finance System access and the corresponding required training courses. These courses must be completed with passing grades in order to obtain permanent security to the financial system. If requesting Financial Inquiry only: Required Course Title Course Number Type of Course Financial Inquiry * A SkillSoft Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft Optional (encouraged but not required) In person Financial Inquiry Training * The Financial-Inquiry training requirement may be waived for employees needing access to FIN primarily for user maintenance purposes (e.g., UIS personnel). If requesting Financial Journal Entry capability: Required Course Title Course Number Type of Course Financial Inquiry A SkillSoft Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft Financial General Ledger A SkillSoft Financial Inquiry A00101 In Person Financial General Ledger A00102 In Person Gift Management Training* F00004 PowerPoint OUC website *Required for anyone holding a fiscal role on Gift Fund SpeedTypes (Fund 34). If requesting CU Marketplace Access (e-procurement ):within the Financial system: * Required Course Title Course Number Type of Course Fiscal Code of Ethics Training F SkillSoft Information Security and Privacy U00063 SkillSoft Procurement Purchasing and Contract Management A SkillSoft DRAFT - 16

17 *Depending on the CU Marketplace role requested, users may be required to take one of the following courses: Course Title Course Number Type of Course CU Marketplace Requester A00146 In person ** CU Marketplace Approver A00147 In person ** CU Marketplace - Approver - Web U00081 SkillSoft ** CU marketplace went live on August 1, In person training will be available for a short period, after which these classes will be replaced by web-based training. DRAFT - 17

18 Exhibit V Training Verification Training can be verified in HRMS as follows: NAVIGATION: Enterprise Learning > Result Tracking > Review Training Summary 1) Enter the individual s EMPLID or name. 2) Click Search A listing of completed course codes and titles will appear, along with grades (if applicable) see below: DRAFT - 18

19 EXHIBIT VI POI Information Screens POIs are not employees of the University and do not have job records or position information recorded in HRMS. However, biographical information and job assignment information can be located under Personal Information in HRMS. To look up POI, log into HRMS and navigate as follows: 1) Workforce Administration > Personal Information > Organizational Relationship > Maintain a Person s POI Reltn. 2) Under the Maintain POI Types screen, enter your search criteria (name or POI ID #). DRAFT - 19

20 3) Upon entering the info, you will see a screen that looks like this (below); please note that an employee may be set up with more than one type: 4) Click on any of the links on the results page to see more information on this POI (sponsor info, end date, etc.). When in production mode, changes can be made on this screen to update POI information. DRAFT - 20

21 5) If you have difficulty identifying a POI by number or name, you can search using the Search for Matching Persons function, or Modify a Person. To use Search for Matching Persons, navigate as follows: Workforce Administration > Personal Information > Search for Matching Persons. Please note that this screen is case sensitive first last and middle names must be capitalized. Once search criteria is entered, click on the Search button at the top right of the screen; hitting enter will not produce any search results. Example Search for Matching Person 6) To search for a POI using Modify a Person, navigate as follows: Workforce Administration > Personal Information > Modify a Person DRAFT - 21

22 Example Modify a Person 7) Search results using either of these functions will return the ID number for the POI in question. DRAFT - 22

23 Exhibit VII Reporting The following reports will be produced by AMPS to aid in the monitoring of Fin, HRMS, and CIW users: 1) FIN8 Access Info by Campus (lists all FIN operators by campus) Source of Data: FIN8 Tables referenced: PSOPRDEFN PS_OPR_DEF_TBL_FS PS_EMPL_DATA_CU PSROLEUSER Data Elements Displayed: Operator ID (PSOPRDEFN) Name (PS_EMPL_DATA_CU) Emplid (PSOPRDEFN) Deptid (PS_EMPL_DATA_CU) Rolename (PSROLEUSER) Source (PS_OPR_DEF_TBL_FS) Account Lock (PSOPRDEFN) 2) FIN8 Incompatible Access Source of Data: FIN8 Tables Referenced: PSOPRDEFN PSROLEUSER Data Elements Displayed: OPERATOR ID NAME EMPLOYEE ID DEPARTMENT ID JE BUDGET AND APPROVE BUDGET JOURNALS JE BUDGET INIT AND APPROVE BUDGET JOURNALS JE ENCUMBRANCE AND APPROVE ENCUMBRANCE JE ACTUAL AND APPROVE JOURNALS JE TRANSFER AND APPROVE TRANSFER APPROVE PO AND POS REQUISITIONS AND APPROVE REQUISITIONS 3) HR89 Access Info by Campus Source of Data: HR89 Tables Referenced: PSROLEUSER PS_RTE_CNTRL_RUSER PS_SCRTY_TBL_DEPT PSOPRDEFN Data Elements Displayed: OPRID (PSOPRDEFN) NAME (PS_PERSONAL_DATA) (PSOPRDEFN) EMPLID (PSOPRDEFN) DRAFT - 23

24 DEPTID (PS_SCRTY_TBL_DEPT) ROLENAME (PSROLEUSER) ROWSECCLASS (PSOPRDEFN) ACCTLOCK (PSOPRDEFN) 4) HR89 Incompatible Access Source of Data: HR89 Tables Referenced: PSROLEUSER PS_RTE_CNTRL_RUSER PS_SCRTY_TBL_DEPT PSOPRDEFN PS_PERSONAL_DATA Data Elements Displayed: OPERATOR ID NAME EMPLOYEE ID HOME DEPARTMENT TIME COLLECTION AND TIME ENTRY APPROVAL TIME ENTRY APPROVAL AND PPL PPL AND JOB DATA APPROVAL PPL AND ONE TIME PAYMENT APPROVAL JOB DATA APPROVAL AND PET CAMPUS HR 5) HR and FIN Terminated and Retired Operators Source of Data: SIRS (Suggest that we change to a similar report to the one Dorene has created for ISIS and combine them). Tables Referenced: OPERATOR PERSON GROUP MEMBERSHIP Data Elements Displayed: OPERATOR ID NAME EMPLOYEE ID TERMINATION DATE GROUP NAME POI YES OR NO 6) POI Report Source of Data: HR, FIN, CIW, DARS, CS Tables Referenced: HR: PS_PER_POI_TRANS PSOPRDEFN PS_PERSONAL_DATA PS_PER_POI_TYPE PS_ _ADDRESSES PS_ _ADDRESSES FIN: PSOPRDEFN CIW: WHSE_USER_DEMOGRAPHICS_BASE DARS: dars.adv_master@dars DARWIN: DARS.SECURE_MASTER@dars ISIS: PSOPRDEFN DRAFT - 24

25 Data Elements Displayed: System Affected (values are HR Access, FIN Access or CIW Access) Name Oprid Last Signon Date and Time Home Department Sponsor Emplid Sponsor 7) Transferred Departments HR, FIN, CIW, DARS, DARWIN, and ISIS Source of Data: HR, FIN, CIW, DARS, CS Tables Referenced: HR: FIN: CIW: DARS: DARWIN: ISIS: PSOPRDEFN PS_PERSONAL_DATA PS_JOB PSOPRDEFN WHSE_USER_DEMOGRAPHICS_BASE PS_CU_D_EXT_SYSTEM PSOPRDEFN Data Elements Displayed: CAMPUS NAME SYSTEM OPERATOR ID EMPLOYEE ID HRMS JOB NUMBER HRMS CURRENT EFFECTIVE DATE HRMS CURRENT DEPARTMENT HRMS CURRENT JOB CODE HRMS JOB DESCRIPTION HRMS PREVIOUS DEPARTMENT EFFECTIVE DATE HRMS PREVIOUS DEPARTMENT HRMS PREVIOUS JOB CODE CONTRACT BEGIN DATE CONTRACT END DATE CONTRACT TYPE DRAFT - 25