Finance Security Compliance

Overview

Finance Security Compliance is a process to verify that individuals with access to administrative data are authorized to have such data. Initial authorization is proven by a defined business need, completion of appropriate security forms, and completion of required training (defined below). Annual review is conducted thereafter by the Assistant Controller for Compliance and associated Data Custodians/Stewards. Annual reviews satisfy ARMICS requirements and support IT policies and initiatives regarding the safeguarding and stewardship of data. Systems included in review are Banner Finance, eVA and Works.

The Associate Vice President for Finance and Controller and the Finance Data Custodians have the obligation to protect the University administrative data from unauthorized access or usage in accordance with the following state and University policies:

  • Commonwealth of Virginia IT Security Policies and Standards
  • UMW IT Data Access Policy
  • UMW Policy on Finance Fund/Organization Security

Defined Legitimate Business Need
The institution expressly forbids the disclosure of administrative data or the distribution of such data, except as required by an employee’s job responsibilities and approved in advance by the Data Custodian(s). For ease of clarification, job responsibilities are captured for UMW employees in two categories: Employee Work Profile (EWP) and Non-EWP.

EWP
An Employee Work Profile (EWP) is a state form required for all classified employees, and may be required for temporary and wage employees. The form lists job duties and performance measures, is signed by the employee, supervisor and reviewer, and requires annual review. Employees responsible for procurement, budgetary functions, cash collections, payroll and the like have a legitimate need for finance data.

EWP Requirements for Finance
Access to finance systems and data will require finance functions on the EWP or will require an additional Finance Security Addendum Form.

  • The EWP must include appropriate finance job responsibilities and objectives as required by the supervisor; or
  • Must include the following statement in the Core Responsibility section: “Will be handling the financial responsibilities as indicated on the attached Finance Security Addendum Form.”

The Finance Security Addendum Form accompanies the EWP with listed finance systems to support job duties. Supervisor and employee signature on the EWP is acknowledgement of finance systems, duties, and measures listed on the form. The form is completed by the finance trainer or data custodian as security and training are provided. The form is maintained within the employee’s official personnel file in Human Resources.

Non-EWP Requirements for Finance

  • Wage and Temporary Employees
    The Finance Security Addendum Form is used as the document to prove business need for Wage or Temporary employees who do not have an EWP on file.  The form will be completed by the Data Custodian prior to training.  The form is maintained within the employee’s official personnel file in Human Resources.
  • Administration and Faculty Personnel
    Those serving in administration, teaching, administrative faculty and department chair roles have pre-authorization to data and systems based on the function and nature of their respective responsibilities. System access will be granted upon completion of security forms and associated training.

Security Forms
Security forms are required for all finance secured systems. Access to each system will be granted based on the rule of least privilege.

All Banner users must complete the Administrative User Account Form. User and supervisor signature acknowledges University policies on security, privacy, and confidentiality of data.  The completed form is sent to the appropriate Custodian(s) for class assignment.

Users requesting access to the state eVA procurement system are provided a User Acknowledgement form during training. The requestor’s signature signifies that job responsibilities are consistent with the purpose of eVA.

Users and supervisors requesting access to a credit card will be required to use the Bank of America’s Works system. This system is an electronic card transaction approval and reporting tool for cardholders and approving supervisors. Forms will require cardholder and supervisor signature supporting state procurement policies, training, and internal guidelines.

Training Requirements
Training is required prior to the granting of system access. The type of training and requirement need is based upon University requirements, the needs of the individual as listed within the EWP and/or the Finance Security Addendum Form, or the pre-authorization for faculty and administration.  Departments may be asked to supply their finance procedures when performing finance and student finance related tasks.

Encryption Requirements
Based on security requirements, encryption may be required on computers accessing university data. The Help Desk will load the software on selected computers when required to do so.

Finance Security Removal
Finance securities will be removed when:

  • Supervisor or employee notifies custodian that access is no longer required
  • Employee terminates job position
  • Security review confirms system was not being utilized or concept of Least Privilege is not followed
  • Misalignment with State or University policies or procedures