Access Requirements for Comptroller Systems

Overview

Applicable to

State agencies and institutions of higher education (agencies) accessing Comptroller systems or databases.

Policy

Agencies must have an appointed agency security coordinator (ASC). See How To Appoint an ASC and ASC Responsibilities in this document.

Before accessing Comptroller systems, agencies must ensure employees and contractors have either signed the paper form or have electronically acknowledged the Confidential Treatment of Information Acknowledgment (CTIA) terms and conditions, and have reviewed the Comptroller’s Public Information Summary Disclosure Manual for Employees and Contractors.

How To Appoint an ASC

The chief fiscal officer for your agency or that person’s designee must email the Comptroller’s Statewide Fiscal Systems SSA security team at ssa.security@cpa.texas.gov to appoint or replace an ASC. Each agency is authorized to appoint two or more ASCs.

Requirements

The appointed ASCs must:

• Be directly employed by your agency as a full-time employee (FTE) — NOT as a contractor.
• Attend the Security Coordinator Administration webinar within the first 60 days of being appointed.

The following information must be included for the appointee(s):

• Employee’s name
• Employee’s job title
• Physical location of position (city, state)
• Comptroller-assigned user ID (or submit a request to create a new user ID)
• Telephone number
• Email address
• Name of the ASC being replaced, if applicable
• A complete list of all active ASCs for your agency, updated to include the changes you are submitting

NOTE: A security request must also be submitted via the Security Request System to identify additional access that may be required. Access Management uses this security request to establish the user’s RACF account.

ASC Responsibilities

ASCs must:

• Become familiar with the data privacy and safeguard rules and security rules contained in the Texas Administrative Code.
• Ensure internal agency policy mandates users acknowledge the Confidential Treatment of Information Acknowledgment (CTIA) before accessing any Comptroller systems or databases.
• Ensure the agency maintains access to valid methods and evidence of acknowledgment for the length of the users’ employment or contract, plus five years, which includes:
  • Paper or electronic copy of CTIA form
    –OR–
  • CTIA system (online)
• Obtain management approval prior to submitting an access request.
• Provide agency-level security support according to the Security Coordinator Reference Guide (login required), including but not limited to:
  • Submit requests to authorize or change access.
  • Reactivate User ID and passwords for appropriate users.
  • Reset passwords as necessary.
  • Ensure that no user has payment release/approval capabilities in USAS, USPS or SPRS unless:
    • The individual is properly authorized.
    • The individual is listed on a voucher signature card.
      –AND–
    • The Comptroller’s office has been properly notified about the authorization.
  • Certify that agency records and access are up to date through a semiannual security verification.
  • Immediately report any actual or suspected breach of security to the Comptroller’s Information Technology Help Desk at (512) 463-4357.
  • Serve as the point of contact when a security incident occurs.
  • Keep the ASC’s own user ID active.
  • Submit request for removal/deactivation of access no later than the user’s last day of performing their duties, when a user terminates employment or no longer requires access.

Note: The CAPPS termination process allows employees (not contractors) the ability to access the CAPPS system for basic inquiry of individual profile attributes for two years after termination. An agency may elect to disable this feature agency-wide.

Confidential Treatment of Information Acknowledgment

Methods and Evidence of Acknowledgment

There are two acceptable methods for acknowledgment. Either of two methods for acknowledgment is acceptable. Agencies must ensure acknowledgment occurs before accessing any Comptroller systems or databases.

• Confidential Treatment of Information Acknowledgment (CTIA) (Form 70-223) – Paper or electronic copy of signed CTIA form to record user acknowledgment.
• Comptroller’s CTIA System – Online acknowledgment may be registered using the CTIA system. By providing their state email address, the user receives a link to review CTIA language and enter their acknowledgment electronically.

Note: The CTIA function on the CAPPS login screen will no longer be available; however, existing records will be retained. Acknowledgments previously recorded through CAPPS remain valid.

ONLY the CTIA system provides an online acknowledgment feature. There is no mechanism for forcing a sequence if the user is given access to multiple systems.

For example: if an agency chooses online acknowledgment as their primary method, and a new Comptroller system user logs in to USAS prior to acknowledging in the CTIA system, then the agency is noncompliant and subject to an audit finding.

Agency Security Coordinators may generate reports for all online acknowledgments made through the CTIA system.

Both acknowledgment methods apply to all Comptroller systems and databases and serve as valid methods to record user acknowledgment, effective as of the date of signature or date of online acknowledgment via the CTIA system.

Acknowledgment does not grant role-based user access.

Note: At least one valid acknowledgment method must occur prior to first accessing any Comptroller systems or databases.

Agencies with CAPPS Central Access

The CAPPS hiring process in HR/Payroll grants basic Employee Self Service (ESS) access to all newly hired employees and contractors, and basic Manager Self Service (MSS) access to individuals identified as managers.

Users must acknowledge the Comptroller’s CTIA before accessing these functions.

If additional CAPPS role-based access is required, the ASC may submit a security request.

Agency Internal Acknowledgments

Acknowledgments and advisories made through an agency’s internal network do not apply to the Comptroller systems or databases. Only the CTIA form or the CTIA system electronic acknowledgment suffice.

CTIA Acknowledgment Retention

The following retention policies apply:

• CTIA form – Agencies must maintain signed CTIA forms (paper or electronic) for the length of the users’ employment or contract, plus five years.
• CTIA system electronic acknowledgment – The Comptroller will maintain acknowledgment records for the length of the users’ employment or contract, plus five years.