107.4 - Statewide Accounting Policy - NCAS and CMCS Security

Policy Area: Accounting and Financial Reporting
Policy Sub Area: Uniform NC Accounting System and Cash Management Control System
Authority:  GS 143B-426.39 and GS 132
Effective Date: 7/1/1995
Last Revision Date: 2/20/2018
Policy Owner/Division: Statewide Accounting

Policy

General Policy for Access to NCAS and CMCS

The provisions set forth in this “General” section apply to all means of access to any information or application designated as a functionality or component of the North Carolina Accounting System (NCAS) or Cash Management Control System (CMCS), under the management and operation of the Office of the State Controller (OSC) or any State agency assigned these responsibilities.

While OSC, as systems administrator, has the responsibility for maintaining the NCAS and CMCS systems and securely retaining the data entered therein, it is the responsibility of the using agency to specify employee access to NCAS and CMCS functionality and the corresponding data. While OSC may provide some suggested user profiles for the various user roles within an agency, the agency determines the actual security access for each of its users.

Each agency will formally designate their security administrator(s) to OSC using the Agency Security Administrator Authorization form. OSC will accept agency NCAS and CMCS security assignments only from the agency’s designated security administrator(s).
Help Desk services, including data entry of the agency user access requests, will be provided by OSC Support Services.

The OSC reserves the right, in its discretion, to limit or terminate access to NCAS and CMCS due to security violations, performance issues and/or scheduled maintenance.

Information Protection Policy for NCAS

1. User IDs

Each individual accessing the NCAS application and information must first gain access to CICS via a unique user ID (RACF ID). Once successfully entered into CICS, the user must be identified with a unique NCAS user ID. Only the individual with whom a user ID is uniquely associated will use the user ID. Shared or generic user IDs are prohibited. Shared or generic user IDs will be subject to termination of the user’s access to NCAS.

A user’s RACF ID and the NCAS user ID remain on file until removed by a system administrator. However, the NCAS Id will be rendered inactive if not used for more than 90 days, and the RACF will become inactive if not used for 60 or 90 days, depending on the agency policy.

2. Passwords

In addition to the user ID, the NCAS system is protected by passwords, both for CICS (RACF password) and for NCAS. Passwords shall not be revealed by users to anyone, including co-workers, supervisors or OSC Support Services personnel.

A user’s RACF ID password must be changed at least every 60 or 90 days, depending on the limit set by the agency. If the password is not changed in a timely manner, the ID will become inactive, and the user will have to contact the agency RACF administrator for a password reset.

A user’s NCAS password must be changed at least every 90 days. If the password is not changed in a timely manner, the NCAS will reject it and ask the user to establish a new password.

3. Confidential Data

As specified in the NC Public Records Act (N.C.G.S.Chapter 132), most financial data is considered public information. However, there may be some information in NCAS, such as social security numbers, patient data, tax data, legal data, etc. that is legally considered confidential.

It is the policy of the OSC to disclose public records, as defined in G.S. 132, but to redact any confidential information. It is the responsibility of the agencies that use the NCAS system to notify the OSC if that agency has entered any confidential data into NCAS, and to indicate how that sensitive data may be redacted from public information requests.

Before sending out any data from NCAS to fulfill a public information request, the OSC will first send the data to the agency for review. It is the agency’s responsibility to redact any confidential data from that data.

Information Protection Policy for CMCS

1. User IDs

Each individual accessing the CMCS application and information must gain access to IMS via a unique user ID (RACF ID). Only the individual with whom a user ID is uniquely associated will use the user ID. Shared or generic user IDs are prohibited. Shared or generic user IDs will be subject to termination of the user’s access to CMCS.

A user’s RACF ID remains on file until removed by a system administrator. However, the RACF ID will become inactive if not used for 60 or 90 days, depending on the agency policy.

2. Passwords A user’s RACF ID password must be changed at least every 60 or 90 days, depending on the limit set by the agency. If the password is not changed in a timely manner, the ID will become inactive, and the user will have to contact the agency RACF administrator for a password reset.

Procedures

N/A

Accounting Guidance

N/A

Related Documents (Memos/Forms)

Agency Security Administrator Authorization Form and Instructions

Revision History

  • 2/1/2014 - Added section 3. “Confidential Data” to clarify responsibility for redacting confidential NCAS data prior to dissemination.
  • 5/31/2017 - Updated links; minor edits
  • 2/20/2018 - Added policy for CMCS Security.  Updated links.