Finance Security Compliance is a process to verify that individuals with access to administrative data are authorized to have such data. Initial authorization is proven by a defined business need, completion of appropriate security forms, and completion of required training (defined below). Biannual review is conducted thereafter by the Assistant Controller for Compliance. Biannual reviews satisfy ARMICS requirements and support IT policies and initiatives regarding the safeguarding and stewardship of data. Systems included in review are Banner Finance, eVA and Works.
The Associate Vice President for Finance and Controller and the Finance Data Custodians have the obligation to protect University administrative data from unauthorized access or usage in accordance with the following state and University policies:
- Commonwealth of Virginia IT Security Policies and Standards
- UMW IT Data Access Policy
- UMW Policy on Finance Fund/Organization Security
Defined Legitimate Business Need
The institution expressly forbids the disclosure of administrative data or the distribution of such data, except as required by an employee’s job responsibilities and approved in advance by the Data Custodian(s). For ease of clarification, job responsibilities are captured for UMW employees in two categories: Employee Work Profile (EWP) and Non-EWP.
An Employee Work Profile (EWP) is a state form required for all classified employees, and may be required for temporary and wage employees. The form lists job duties and performance measures, is signed by the employee, supervisor and reviewer, and requires annual review. Employees responsible for procurement, budgetary functions, cash collections, payroll and the like have a legitimate need for finance data.
EWP Requirements for Finance
Access to finance systems and data will require finance functions on the EWP or will require an additional Finance Security Addendum Form.
- The EWP must include appropriate finance job responsibilities and objectives as required by the supervisor; or
- Must include the following statement in the Core Responsibility section: “Will be handling the financial responsibilities as indicated on the attached Finance Security Addendum Form.”
- The Finance Security Addendum Form accompanies the EWP with listed finance systems to support job duties. Supervisor and employee signature on the EWP is acknowledgement of finance systems, duties, and measures listed on the form. The form is completed by the finance trainer or data custodian as security and training are provided. The form is maintained within the employee’s official personnel file in Human Resources.
Non-EWP Requirements for Finance
- Wage and Temporary Employees
The Finance Security Addendum Form is used as the document to prove business need for Wage or Temporary employees who do not have an EWP on file. The form will be completed by the trainer or data custodian at the completion of training. The form is maintained within the employee’s official personnel file in Human Resources.
- Administration and Faculty Personnel
Those serving in administration, teaching, administrative faculty and department chair roles have pre-authorization to data and systems based on the function and nature of their respective responsibilities. System access will be granted upon completion of security forms, review of finance-related job responsibilities and training. Please note: buyer tasks should be directed to the appropriate department or VP office manager.
Security forms are required for all finance secured systems. Access to each system will be granted based on the rule of least privilege.
All Banner users must complete the Administrative User Account Form. User and supervisor signature acknowledges University policies on security, privacy, and confidentiality of data. The completed form is sent to the appropriate custodian(s) for class assignment.
Users requesting access to the state eVA procurement system are provided a User Acknowledgement form during training. The requestor’s signature signifies that job responsibilities are consistent with the purpose of eVA.
Users and supervisors requesting access to the small purchase charge card (SPCC) will be required to use the Bank of America’s Works system. This system is an electronic card transaction approval and reporting tool for cardholders and approving supervisors. Forms will require cardholder and supervisor signature supporting state procurement policies and internal guidelines.
Training is required prior to the granting of system access. The type of training required is based upon the needs of the individual as listed within the EWP, the Finance Security Addendum Form, or the pre-authorization for faculty and administration.
Finance Security Removal
Finance securities will be removed when:
- Supervisor or employees notify custodian that access is no longer required
- Employee terminates job position
- Security review confirms system was not being utilized
- State or University policies are not being followed