Department of Management Services People First

State of Florida People First Security Guidelines Manual

Department of Management Services Secretary, Linda H. South State of Florida Department of Management Services

State of Florida People First Security Guidelines Manual March 2006

Section  Topic
1  Overview
2  Key Definitions
3  Department of Management Services and Agency Responsibilities
4  People First User Role Code Assignment
Exhibit 1  People First User Roles
5  Employee Responsibilities to Access and Protect People First Employee Data
6  Employee Background Checks
7  Audit of People First User Role Assignments
8  Audit of People First Employee Background Checks
9  Audit of People First Employee Security Disclosure Statements
10  Audit of SOF Employees Access to People First Data
11  Audit of Employee Access to Key State of Florida Employees
12  Audit of Convergys Employees Access to People First Data
13  Responsibility to Maintain a Comprehensive People First Security Plan

Page 2 of 29 Updated: March 2009 State of Florida Department of Management Services


Section 1 Overview

This document provides the guidelines that state agencies should employ to maintain the security and confidentiality of data within the People First system, including but not limited to data security procedures, background reviews and privacy disclosure statements. Agencies should use this manual in conjunction with the standards established in Rule Chapter 60DD-2, F.A.C., the Florida Information Resource Security Policies and Standards.

Employee data is a valuable asset and must be protected from unauthorized access, modification, destruction, or disclosure, whether accidental or intentional. All prudent business measures, with respect to the creation and maintenance of information, will be taken to ensure against the unauthorized access, modification, destruction, or disclosure of information.

Consistent with industry security standards, information access shall be limited to People First users as prescribed by the user role assignment guideline. When necessary, data security awareness and training will be used to emphasize and enforce security at all levels of management, as required by Rule 60 DD-2.002(2)(a) F.A.C.

Violations of these guidelines may result in disciplinary action up to and including dismissal and/or possible legal action, as appropriately defined.


Section 2 Key Definitions

Listed below are key terms and definitions used throughout this manual. The definitions are in accordance with Rule Chapter 60DD-2.001 F.A.C., the Florida Information Resource Security Policies and Standards.

Custodian of an Information Resource: Guardian or caretaker; the holder of data; the agent charged with the resource owner’s requirements for processing, communications, protection controls, access controls, and output distribution for the resource; a person responsible for implementing owner-defined controls and access to an information source. The custodian is normally a provider of services.

Data: A representation of facts or concepts in an organized manner that may be stored, communicated, interpreted, or processed by people or automated means.

Guideline: A recommended process that is intended to provide uniformity to the implementation of policies, procedures, and standards.

Security Standard: A set of practices and rules that specify or regulate how a system or organization provides security services to protect critical system resources.

User Role Code: A defined code established by the People First team that is used to determine the type of access a user has to the People First system.


Section 3 Department of Management Services and SOF Agency Responsibilities

The DMS will assist all agencies in managing and overseeing the necessary controls to maintain the security of the data within the People First system. In addition to the DMS responsibilities, it is also the responsibility of SOF agencies to protect and safeguard the data within the People First system. To this end, this manual has been created to document the minimum controls necessary to effectively manage the security of data within the People First system. Stated below are the responsibilities of the DMS and the SOF agencies:

DMS People First Project Team
• Define a guideline that provides direction on how People First user role codes will be assigned.
• Define a guideline that provides direction on employee responsibilities to access and protect People First employee data.
• Define a guideline that provides direction on when an employee background check is necessary.
• Define a guideline that describes the DMS’ responsibility to maintain a comprehensive People First Security Plan.
• Review how SOF agencies administer the assignment of People First user role codes guideline.
• Review how SOF agencies administer the People First employee background check guideline.
• Review how SOF agencies administer the People First employee security disclosure statement guideline.
• Assist the agencies in performing an audit of SOF employees who have accessed People First data on randomly selected SOF employees.
• Assist the agencies in performing an audit of SOF employees assigned A, G, H and S user roles.
• Assist the agencies in performing an audit of SOF employees who have accessed key SOF employees.
• Assist the agencies in performing an audit of Convergys employees who have accessed People First data.

SOF Agency Personnel Offices
• Implement and administer the guideline on how People First user role codes are assigned.
• Implement and administer the guideline on employee security disclosure statements.
• Implement and administer the guideline on employee background checks.
• Assist the DMS with the audit of People First user role code assignments.
• Assist the DMS with the audit of SOF employees who have accessed SOF employee data.
• Assist the agencies in performing an audit of SOF employees assigned A, G, H and S user roles.
• Assist the DMS with the audit of Convergys employees who have accessed SOF employee data.


Section 4 People First User Role Code Assignment

The following procedures and guidelines should be used when assigning People First user role codes. It is the intent of this manual that this guideline be followed by all SOF Agencies. Agencies considering alternative arrangements should make a formal request from their Secretary to the DMS Secretary. When making the request, agencies should discuss the number of employees within their agency, the decentralized nature of the Human Resource office, the organizational unit of the employee(s) for the exception, and any other issue that may be germane to the request.

Design of User Role Codes

There are 19 State User Roles within the People First system. These User Roles are designed to limit access to data within the People First system based on the employee’s work responsibilities. Section 2.3 of the Convergys contract states that Convergys agrees to “[p]rovide a restricted access authentication process by user profile to employee records. The user profile should define the levels of access by employee, agency, department or organizational unit and the User’s ability to have query or transactional update capabilities.” The current SOF user roles are listed in Exhibit 1.

Policy for the Assignment of User Role Codes

The assignment of People First user role codes is critical to maintain proper data security and segregation of duties. When assigning user roles, agencies should review the employee’s position description and assign the user roles based on the stated job responsibilities. Concurrently with this process, the agency should record on the employee’s position description the assigned user role.

In addition to the employee’s job responsibilities, the following guidelines should be used to assign People First user role codes.

“A” role code – This code is assigned only to professional personnel staff. Employees requesting an “A” user role should make a formal request from their Personnel Officer to the DMS People First Administrator. When making the request, agencies should discuss the job functions of the employee(s), the decentralized nature of the Human Resource office, the organizational unit of the employee(s) for the exception and any other issue that may be germane to the request.

“B” role code – This code is assigned to a “personnel liaison.” Generally speaking, a “personnel liaison” assists with filing job requisitions and approving timesheets. There is no limit on the number of “B” user role codes that can be assigned; however, the employee receiving this code must have a defined business requirement that requires the assignment of this code.

“C” role code – This code is assigned to staff in the Compliance and Inspector General offices. There is no limit on the number of “C” user role codes that can be assigned; however, the employee receiving this code must have a defined business requirement that requires the assignment of this code.

“D” role code – This code is assigned to staff in the agency budget or accounting office. There is no limit on the number of “D” user role codes that can be assigned; however, the employee receiving this code must have a defined business requirement that requires the assignment of this code.

“E” role code – This code is the default employee user role. It provides access to all Employee Self Service functions.

“F” role code – This code can only be assigned to staff in the Bureau of State Payrolls or DMS People First team.

“G” role code – This code is assigned to staff in the Inspector General and General Counsel offices. There is no limit on the number of “G” user role codes that can be assigned; however, the employee receiving this code must have a defined business requirement that requires the assignment of this code.

“H” role code – This code is assigned to personnel and payroll staff. The employee receiving this code must have a defined business requirement that requires the assignment of this code.

“L” role code – This code is assigned to lower level managers that have direct reports; however, they do not have a need to create Personnel Action Requests. There is no limit on the number of “L” user role codes; however, all positions receiving this code must have a defined business requirement that requires the assignment of this code and must be classified supervisory.


“M” role code – This code is assigned to managers that have direct reports and are responsible for processing Personnel Action Requests. There is no limit on the number of “M” user role codes that can be assigned; however, the employee receiving this code must have a defined business requirement that requires the assignment of this code and must be classified supervisory.

“R” role code – This code is assigned to employees who are responsible for the management of the advertised positions. There is no limit on the number of “R” user role codes that can be assigned; however, the employee receiving this code must have a defined business requirement that requires the assignment of this code.

“S” role code – This code can only be assigned by the Department of Management Services Division of Human Resource Management.

“T” role code – This code is assigned to employees who assist other employees with their timesheets. It is generally used by business units who have large numbers of employees with limited access to a computer. There is no limit on the number of “T” user role codes that can be assigned; however, the employee receiving this code must have a defined business requirement that requires the assignment of this code.

“V” role code – This code is assigned to contractors responsible to assist with processing miscellaneous deductions. There is no limit on the number of “V” user role codes that can be assigned; however, the person receiving this code must have a defined business requirement as established by the assigning agency.

“W” role code – This code is assigned to staff in the Division of Risk Management and can only be assigned by the Department of Management Services Division of Human Resource Management.

“Z” role code – This code is assigned to staff in the Division of Retirement and can only be assigned by the Department of Management Services Division of Human Resource Management.


Exhibit 1

Security Role / Description

A – Agency HR w/ Profiler Access
• Will have maintenance access to all employees in their agency.
• Will have access to the Training module.
• Will have view access to the Performance Management module.
• Can perform all employee actions for the agency.
• Can maintain organizational and position structures for agency.
• Will have access to staffing for agency requisitions.
• Does not have access to employee EFT data.
• Will have view only access to all other agencies’ employees, to limited data.
• Will not see exempt data (FS119) for other agencies.
• Can perform the same maintenance functions as a Manager (“M” role code), but for the entire agency.
• Will perform all security roles for the agency.
• Can create and act upon PARs for anyone in their agency.
• Can view limited employee data such as pay and benefits for any agency.

B – Both Time Administrator and Requisition Manager
See Descriptions of Roles “R” and “T”.
• Can only create and act upon PARs for their direct reports (only if Manager has “M” Role).

C – Agency Compliance Access & Applicant Profiler
• Can view all employees in their agencies.
• Does not have access to employee EFT data.
• Does not have access to employee exempt data (F.S.119).
• Will have view access to the Training module.
• Will have view access to the Performance Management module.
• Will have view access to the Organizational Management module.
• Will have view access to the Staffing module.
• Will have Manager access (as described above) only for employees who report to them.
• Will have view access to all other agency employees for only Applicant profiler fields.
• Can view all employee data for the agency except SSN, home address and telephone, and dependent data.
• Can review training requests and attendance.
• Can view Performance Management reviews.
• Can view Organizational Units, Classes, Broadbands, and Position data.
• Can monitor staffing functions.
• Will be able to perform Manager functions for just their direct reports.
• This security profile can be used for employees that have statewide access but no direct reports.
• Can create and act upon PARs for their direct reports.

D – Accounting/Payroll
• Can create and act upon PARs for their direct reports.
• Will have access to Organizational Management.

E – Employee Self Service Only
• Can perform ESS functions.
• Can maintain home address, EEO, W4, EFT type personal data.
• Can view pay and work details (e.g. work schedule, deductions, etc.).
• Can request leave, view leave balances.
• Can enter working times, and request schedule changes.
• Can request training classes, & sign-up for online classes (9/1).
• Can participate in Performance Appraisals.
• Can maintain some voluntary deductions.
• Can search for and apply for jobs.
• Can maintain Dependent info, and enroll in benefits (later 2003).

F – BOSP
• Will have Statewide view access to employees.
• Can see employee’s EFT data.
• Can view employee pay and time data.
• Will have access to all pay related data for all state employees, to include Salary, hourly rate, additives, deductions, etc.
• Can view all employees’ EFT and W4/W5 information.
• Can view all position information for payroll purposes, e.g. Overtime indicators, funding, etc.
• Can create and act upon PARs for their direct reports.

G – Inspector General (Compliance + Applicant Profiler + Chapter 119 Information)
• Can view all employees in all Agencies.
• Does not have access to employee EFT data.
• Has access to employee exempt data (FS119).
• Will have view only access to the Training module.
• Will have view only access to the Performance Management module.
• Will have view only access to the Organizational Management module.
• Will have view only access to the Staffing module.
• Will have Manager access for only the employees who report to them.
• Will have view access to all other agencies’ employees for only applicant profiler fields (does not include SSN).
• Can view all employee data for the agency including SSN, home address and telephone, and dependent data.
• Can review training requests, and attendance.
• Can view performance management reviews.
• Can view Organizational Units, Classes, Broadbands, and Position data.
• Will be able to perform Manager functions for their direct reports.
• Can create and act upon PARs for their direct reports.

H – Agency HR w/o Profile Access
• Will have maintenance access to all employees in their agency.
• Does not have access to employee EFT data.
• Will have access to the Training module.
• Will have access to the Performance Management module.
• Can perform all employee actions for agency.
• Can maintain organizational structure for agency.
• Will have access to the staffing module for agency requisitions.
• Can maintain Position Security information.
• Will not see exempt data (FS119) for other agencies.
• Can do all the same maintenance functions as a Manager, but for the entire agency.
• Can perform all maintenance functions for Organizational Units, Classes, and Broadbands that affect their agency. Can also maintain Position data including user role maintenance.
• Can create and act upon PARs for anyone in their agency.
• Cannot view employees’ data from other agencies.

Note: DOH can only view/maintain information for employees within their subagency.

L – Supervisor
• Will have access to all employees that report to them.
• Will not have access to employee EFT data.
• Will not have access to employee’s pay and deductions & additives.
• Can view the Organizational Maintenance module.
• Will have access to the Training module.
• Will have access to the Performance Management module.
• Will have access to the Staffing module.
• Can approve time and leave requests.
• Can approve training requests.
• Can perform all performance management functions.
• Can maintain employee data if an employee is unable to.
• Cannot maintain DROP and retirement information.
• Cannot initiate PARs.

M – Manager
• Will have access to all employees that report to them based on the organizational structure.
• Will not have access to employee EFT data.
• Will have access to the Training module.
• Will have access to the Performance Management module.
• Can perform employee Actions (Appointment, Separation, etc.) for direct reports.
• Will have access to Staffing for their specific requisitions.
• Cannot maintain Position Security information.
• Can maintain employee data if an employee is unable to.
• Can approve time and leave requests.
• Can approve training requests.
• Can perform all performance management functions.
• Can open & close requisitions, and perform all staffing functions.
• Can perform employee actions like appointment, promotion, demotion, separation, leave of absence, etc.
• Cannot maintain DROP and retirement information.
• Can create and act upon PARs for their direct reports.

O – Bureau of Accounting
• We are recommending that this code be eliminated.

P – Profiler Access
• We are recommending that this code be eliminated.

R – Requisition Manager
• Can view the Organization Management module.
• Does not have access to employee EFT data.
• Does not have access to the Training Module.
• Does not have access to the Performance Management module.
• Can maintain vacancy information on Positions. Requisition Managers will be assigned to look after all positions in a set of organizational units.
• Can open and close requisitions.
• Can perform all staffing functions, search for applicants, etc.
• Can create and act upon PARs for their direct reports (only if Manager has M Role).

S – Statewide Access
• Can view all employees regardless of the agency.
• Does not have access to employee EFT data.
• Does have access to employee exempt data (F.S.119).
• Will have view access to the Training module.
• Will have view access to the Performance Management module.
• Will have view access to the Organizational Management module.
• Will have view access to the Staffing module.
• Will have Manager access (as described above) for only employees that report to them.
• Can view all employee data for all agencies including SSN, home address and telephone, and dependent data.
• Can review training requests and attendance.
• Can view Performance Management reviews.
• Can view and maintain Organizational Units, Classes, Broadbands, and Position data.
• Can monitor staffing functions.
• Will be able to perform Manager functions for only their direct reports.
• This security profile can be used for employees that have statewide access but no direct reports.
• Can create and act upon PARs for their direct reports.

T – Time Administrator
• Will have access to all employees in a defined set of organizational units.
• Will have access to all time entry and time approval functions.
• Does not have access to employee EFT data.
• Does not have access to most employee pay and personal information.
• Does not have access to the Training module.
• Does not have access to the Performance Management module.
• Cannot perform employee actions (Appointment, etc.).
• Will not have access to the Organizational Maintenance module.
• Will not have access to the Staffing module.
• Time Administrator will be assigned to all employees in the assigned set of organizational units.
• Can enter and approve work times.
• Can enter and approve leave requests.
• Can maintain employee work schedules.
• Can create and act upon PARs for their direct reports (only if Manager has “M” Role).

V – 3rd Party Vendor (Provider)
• Will have access to employee deduction data (one-time and reoccurring deductions).

W – Risk Management/Worker’s Compensation
• Will have access to all employees for purposes of managing Worker’s Compensation and Risk Management.
• Can create and act upon PARs for their direct reports.

Z – Retirement
• Will have access to all employees for purposes of managing Division of Retirement functions.
• Can create and act upon PARs for their direct reports.


Section 5 Employee Responsibilities to Access and Protect People First Employee Data

The following guideline should be used to ensure employees are aware of their responsibility to protect data within the People First system. It is recommended that employees who can view other employees’ data within the People First system sign this acknowledgement form (or similar form). In many cases, an agency may have an existing data security policy and acknowledgement form and in those cases, the agency should ensure their policy references the People First system. In addition, agencies should develop applicable policies and procedures to ensure this acknowledgement form is maintained in the employee’s personnel file.


Example Policy Letter to Applicable Employees

Employee Responsibilities when Accessing and Protecting People First Employee Data

The People First system enables you to record time, attendance, leave and other historical information for most employees, in all disciplines, at all levels of government. Agency personnel who have access to this information, in the course of their daily duties, are responsible for ensuring that they only access employee data for a legitimate business purpose, and that they maintain the integrity of any confidential information accessed. For purposes of this policy, "confidential information, records or data" means that information specifically exempted from disclosure as a public record as provided in Chapter 119, Florida Statutes. Accordingly, confidential records will include, but not necessarily be limited to: employee or former employee personal information (including certain addresses, all bank account information and telephone numbers for certain individuals), financial, legal and any medical information. Confidential records may also consist of “physical” papers, software data, email, or facsimile. Disclosures or unauthorized access, whether intentional or inadvertent, may work to harm your agency’s reputation as well as that of the State.

Employees should only view information or data that they are authorized to view and for which they have a legitimate business reason in the course of the performance of their duties. The “casual viewing” of employee data, even employee data that is not confidential or otherwise exempt from disclosure as a public record, constitutes misuse of access, is not acceptable, and will not be tolerated. Database queries are performed on a regular basis to identify misuse of the People First system. Any violations of this policy will be subject to disciplinary action, up to and including termination and possible further legal action.

Any documents or records no longer needed must be properly destroyed by shredding, or by placing the document in a locked proprietary bin for destruction. The State of Florida retention guidelines, as published in Department of State Schedule GSI-S and Rule Chapter 60-DD-2, should be consulted before disposing of any document, hardware, or electronic media or device.

To assist you in ensuring that all employees and OPS personnel will be familiar with this policy, we are attaching a suggested acknowledgement form, to be signed and returned to your manager. Each manager is responsible for ensuring a copy of this signed form is included in the employee’s personnel file.

Please consult your manager if there are any questions about what constitutes the unauthorized use of employee information or data. Your agency is responsible for employee compliance. Questions should be directed to (insert Agency Representative).


Acknowledgement of Policy Concerning Employee Responsibilities when Accessing and Protecting People First Employee Data

I have received, read and understand the letter that addresses “Employee Responsibilities when Accessing and Protecting People First Employee Data”

Signature of Employee or OPS:______

Date: ______

Supervisor’s Signature:______

Date:______

Note: A completed and signed copy of this form must be included in the employee’s personnel file.


Section 6 Employee Background Checks

The following guideline describes the agency’s responsibilities to conduct employee background checks, with regard to employees who access the state’s personnel system (People First system). It is the intent of this manual that this guideline be followed by all SOF agencies. Agencies considering alternative arrangements should make a formal request to the DMS Secretary.


PURPOSE

The purpose of this procedure is to provide a guideline of when an employee background investigation is required for employees who are assigned specific People First user role codes. It is not meant to supersede the provisions established in 110.1127 F.S., 282.318 F.S., and 435.04(1) F.S., and rule 60DD-2.008, F.A.C. (Personnel Security and Security Awareness).

SCOPE

Certain positions in the Career Service, Other Personal Services, Selected Exempt Service and Senior Management Service are designated as positions of special trust, due to their access capability to the state’s personnel system. As a result of this special trust, these employees are subject to a security background check, including fingerprinting, as a condition of employment. Additionally, designated contract employees, volunteers and interns in positions or job functions designated as positions of special trust are subject to security background checks in accordance with law.

At a minimum, all employees (state and OPS) who are assigned an “A”, “C”, “D”, “G”, “H”, “S”, “V”, “W”, and “Z” user role code in People First and who have access to the People First data warehouse should have a level one Florida Crime Information Center (FCIC) background check.
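The role-code assignment rules in Section 4 and the minimum background-check scope above can be checked mechanically when auditing role assignments. The following Python example is added here and is not part of the manual or of the People First system; the record fields, finding names and sample rows are hypothetical, and it assumes that either a listed role code or data warehouse access triggers the level one check and that a Level 2 check also satisfies it.

```python
from dataclasses import dataclass

# Rule sets transcribed from the manual's role-code list and background-check scope.
EXHIBIT_1_CODES = set("ABCDEFGHLMOPRSTVWZ")   # codes described in Exhibit 1
RECOMMENDED_FOR_ELIMINATION = set("OP")       # Exhibit 1 recommends eliminating these
NEEDS_BUSINESS_REQUIREMENT = set("BCDGHLMRTV")
MUST_BE_SUPERVISORY = set("LM")
DMS_HRM_ONLY = set("SWZ")                     # assignable only by DMS Division of HRM
NEEDS_LEVEL_ONE_CHECK = set("ACDGHSVWZ")
F_ALLOWED_UNITS = {"Bureau of State Payrolls", "DMS People First team"}
DMS_HRM = "DMS Division of Human Resource Management"


@dataclass
class Assignment:
    """One user-role assignment. Field names are hypothetical, not People First's."""
    user_id: str
    role: str
    unit: str
    assigned_by: str
    supervisory: bool = False
    business_requirement: str = ""      # documented justification, empty if none
    background_check_level: int = 0     # 0 = none, 1 = statewide, 2 = national
    warehouse_access: bool = False


def audit(assignments):
    """Return (user_id, finding) tuples for assignments that break a stated rule."""
    findings = []
    for a in assignments:
        if a.role not in EXHIBIT_1_CODES:
            findings.append((a.user_id, "ROLE_NOT_IN_EXHIBIT_1"))
            continue
        if a.role in RECOMMENDED_FOR_ELIMINATION:
            findings.append((a.user_id, "ROLE_RECOMMENDED_FOR_ELIMINATION"))
        if a.role in NEEDS_BUSINESS_REQUIREMENT and not a.business_requirement.strip():
            findings.append((a.user_id, "NO_BUSINESS_REQUIREMENT"))
        if a.role in MUST_BE_SUPERVISORY and not a.supervisory:
            findings.append((a.user_id, "NOT_SUPERVISORY"))
        if a.role in DMS_HRM_ONLY and a.assigned_by != DMS_HRM:
            findings.append((a.user_id, "ASSIGNER_NOT_DMS_HRM"))
        if a.role == "F" and a.unit not in F_ALLOWED_UNITS:
            findings.append((a.user_id, "F_OUTSIDE_ALLOWED_UNITS"))
        # Assumption: a listed role code or warehouse access is enough to require
        # the check, and any level >= 1 satisfies the level one minimum.
        needs_check = a.role in NEEDS_LEVEL_ONE_CHECK or a.warehouse_access
        if needs_check and a.background_check_level < 1:
            findings.append((a.user_id, "NO_LEVEL_ONE_CHECK"))
    return findings


# Constructed sample rows for illustration only.
SAMPLE_ASSIGNMENTS = [
    Assignment("u1001", "E", "Field Office", "Agency Personnel Office"),
    Assignment("u1002", "M", "Field Office", "Agency Personnel Office"),
    Assignment("u1003", "S", "Agency HR", "Agency Personnel Office"),
    Assignment("u1004", "F", "Agency Budget Office", "Agency Personnel Office"),
    Assignment("u1005", "H", "Agency HR", "Agency Personnel Office",
               business_requirement="Processes payroll actions",
               background_check_level=2),
    Assignment("u1006", "P", "Agency HR", "Agency Personnel Office"),
    Assignment("u1007", "T", "Field Office", "Agency Personnel Office",
               business_requirement="Enters time for field crews",
               warehouse_access=True),
    Assignment("u1008", "Q", "Field Office", "Agency Personnel Office"),
]

if __name__ == "__main__":
    for user_id, finding in audit(SAMPLE_ASSIGNMENTS):
        print(f"{user_id}: {finding}")
```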

AUTHORITY

1. Section 110.1127, F.S., Employee Security Checks.
2. Section 282.318, F.S., Security of Data and Information Technology Resources.
3. Section 435.04(1), F.S., Employment Screening.

DEFINITIONS

1. Employee. Any person who has been hired, works for the state, and receives a warrant from the state for services rendered.
2. Contractor Employee. An individual or entity that contracts directly or indirectly through another contracting entity, with the state to perform a service for a fee.
3. Intern. A student or a graduate of an educational institution with a cooperative agreement with the Department that allows students or graduates to perform duties and receive training.
4. Volunteer. Any person who, of his or her own free will, provides goods or services, or conveys an interest in or otherwise consents to the use of real property to the department with no monetary or material compensation.
5. Vendor. A person or organization that provides a service or a product to the state including a person or organization that provides software or firmware or documentation to a user for a fee or in exchange for services.
6. Special Trust or Position of Trust. A position in which an individual can view or alter confidential information, or is depended upon for continuity of information resource imperative to the operations of the agency and its mission.
7. Florida Criminal History Check (FCIC). An inquiry to identify violation(s) of law resulting from arrests and charges by law enforcement officers in the State of Florida.
8. National Criminal History Records Check (NCIC). An inquiry using fingerprints to check national criminal records of the Federal Bureau of Investigation to identify violation(s) of law resulting from arrests and charges made by law enforcement officials in the United States.
9. Convicted/Conviction. An adjudication of guilt by a court of competent jurisdiction; a plea of guilty or nolo contendere; a verdict of guilty when adjudication is withheld; or entering into a pretrial intervention program.
10. Provider. Third party such as contractor, vendor, or private organization providing products, services or support.

PROCEDURES

1. The Secretary (or designee) of the agency may designate positions of special trust regarding access to the People First system subject to a security background check, including fingerprinting, as a condition of employment or contract award.
2. The appropriate office will assign in People First all special trust positions either a security check Level 1 (state-wide background) or Level 2 (national background including fingerprint investigation) and maintain a listing of all special trust positions in the Department.
3. As prescribed by the agency, supervisors of employees or contractor employees in positions of special trust shall coordinate with the appropriate office in their agency the background screening process of current employees, contractor employees and all new hires. All job announcements for positions of special trust will advise job seekers that a background investigation and fingerprinting are a condition of employment. Solicitations for services that involve positions of special trust will advise vendors that a background investigation and fingerprinting will be required of contractor employees.
4. As prescribed by the agency, supervisors shall review the State of Florida employment application prior to an offer of employment to determine whether any potential criminal conviction may disqualify an applicant from employment in a position of special trust. If any criminal convictions are disclosed on the application, the supervisor shall consult with the appropriate office.
5. Upon employment or award of a contract that involves positions of special trust, the supervisor or contract manager shall ensure that, within 30 working days, new employees or contractor employees are scheduled for an appointment with the appropriate office to complete necessary forms to initiate the background investigation or fingerprinting process based upon the level of screening established for the position of special trust.
6. Any person who is required to undergo a security background investigation and who refuses to cooperate in such investigation or refuses to submit fingerprints shall be disqualified from working in a position of special trust or, if employed, shall be dismissed.


OFFICE OF INSPECTOR GENERAL (or APPROPRIATE OFFICE)

1. It is the responsibility of each agency to identify a custodian who will be responsible for maintaining employee background checks.
2. Background investigations or fingerprinting of employees in positions of special trust shall be in accordance with established procedures of the agency and Sections 110.1127 and 435.04, Florida Statutes.
3. Background investigations or fingerprinting of state employees shall be conducted at the expense of the agency. The background investigations or fingerprinting of contractor employees shall be paid by the vendor.
4. Background screening records are confidential and not part of an employee’s personnel file. Section 110.1127(2)(d), F.S., does not allow the release of background records for purposes other than screening for employment.
5. The appropriate agency office will conduct reviews of employees identified as having a criminal record. Information will be shared with the applicable Senior Manager, Bureau of Personnel Management Services and the Office of the General Counsel for consideration of appropriate action.

DISQUALIFYING INFORMATION AND GRANTING OF EXEMPTIONS

1. When background screening indicates criminal history, the agency designee or Contract Manager in consultation with the appropriate office shall determine whether the convictions would prohibit the employee from working in a position of special trust.
2. Exemptions may be granted by the Department in accordance with the provisions of Chapter 435, Florida Statutes.
3. Employees or contractor employees with disqualifying criminal records not granted an exemption shall be removed from a position of special trust in accordance with Statute or the personnel rules.
4. Challenges to disqualification or requests for exemption from disqualification shall be conducted in accordance with the requirements of Chapter 435, Florida Statutes.


Section 7 Audit of People First User Role Assignments

The following guideline has been developed in order to audit the assignment of People First User Role codes to the SOF employees. When necessary, agency Personnel Offices will be contacted to assist with the audit.

Policy

The DMS People First Project Team in conjunction with each agency Personnel Office will conduct a quarterly review of how the People First User Role codes are assigned to SOF employees. This review will include a sample of SOF employees who have been assigned an “A”, “B”, “C”, “G”, “H”, “D”, “L”, “M”, “R”, “S”, “T”, “V”, “W” and “Z” user role code.

The focus of the review will be to ensure these codes were assigned according to the guidelines established in the People First Security Guidelines Manual.


Section 8 Audit of Employee Background Checks

The following guideline has been developed in order to audit how SOF agencies administer the People First employee background check policy. When necessary, Agency Personnel Offices will be contacted to assist with the audit.

Policy

The DMS People First Project Team, in conjunction with each agency Personnel Office, will conduct a review of how SOF agencies administer the People First employee background check policy.

The focus of the review will be to ensure that background checks were performed on the appropriate employees.


Section 9 Audit of Employee Security Disclosure Statements

The following guideline has been developed in order to audit how SOF agencies administer the People First employee security disclosure statement policy. When necessary, Agency Personnel Offices will be contacted to assist with the audit.

Policy

The DMS People First Project Team, in conjunction with each agency Personnel Office, will conduct a review of how SOF agencies administer the People First employee security disclosure statement policy.

The focus of the review will be to ensure that security disclosure statements are on file for the appropriate employees.


Section 10 Audit of SOF Employees Access to People First Data

The following guideline has been developed in order to audit SOF employees who have accessed other employee data within the People First data. When necessary, Agency Personnel Offices will be contacted to assist with the audit.

Policy

The DMS People First Project Team, in conjunction with each agency Personnel Office, will review, on a quarterly basis, the access audit reports generated by the People First system. These audit reports will describe the SAP information types (info types) accessed by the SOF employees.

The reports will be generated based on three criteria:

Report 1: This report will be a sample of the total number of SOF employees, excluding those assigned an “A”, “G”, “H” or “S” user role. This report will list the SOF and Convergys employees who have accessed data on the randomly selected employees. If unusual access patterns are discovered, the People First Project Team shall consult with the appropriate agency office.

Report 2: This report will list SOF employees who have accessed data on select Senior Management. The employees on this list will be reviewed to determine if the data they viewed was consistent with the People First Security Guidelines Manual. If unusual access patterns are discovered, the People First Project Team shall consult with the appropriate agency office.

Report 3: This report will list all employees accessed by employees assigned an “A”, “G”, “H” or “S” user role. This report will be reviewed to determine if the data viewed and/or updated in the People First system was consistent with the People First Security Guidelines Manual. If unusual access patterns are discovered, the People First Project Team shall consult with the appropriate agency office.


Section 11 Audit of SOF Employee Access to Key State of Florida Employees

The following guideline has been developed in order to audit employees who access data on key State of Florida employees. When necessary, Agency Personnel Offices will be contacted to assist with the audit.

Policy

The DMS People First Project Team, in conjunction with the applicable agency Personnel Office, will review, on a quarterly basis, an access audit report generated by the People First system. This audit report will describe the SAP information types (info types) accessed by Convergys and SOF employees.

Report 1: This report will list SOF and Convergys employees who have accessed data on key State of Florida employees such as Governor, Lieutenant Governor, Chief Financial Officer, Attorney General, and Commissioner of Agriculture, and others. The employees on this list will be reviewed to determine if the data accessed was for business use. If unusual access patterns are discovered, the People First Project Team shall consult with the appropriate agency office.


Section 12 Audit of Convergys Employees Access to People First Data

The following procedure has been developed in order to audit Convergys’ employees’ access to People First data. When necessary, Agency Personnel Offices will be contacted to assist with the audit.

Policy

The DMS People First Project Team, in conjunction with each agency Personnel Office, will review, on a quarterly basis, the access audit reports generated by the People First system. These audit reports will describe the SAP information types (info types) accessed by Convergys employees.

Report 1: This report will be a sample of the Convergys employees who have accessed data on SOF employees. The employees on this list will be reviewed to determine if the data accessed was for business use. If unusual access patterns are discovered, the People First Project Team shall consult with the appropriate agency office.


Section 13 Responsibility to Maintain a Comprehensive People First Security Plan

The following procedure has been developed in order to ensure that a comprehensive policy on People First data security is maintained.

Policy

The DMS will establish a team responsible for reviewing the People First Security Guidelines Manual. Members of the team will include at a minimum representation from the DMS People First Project Team, Enterprise Information Technology Services (EITS), and Convergys. This team will meet at least quarterly to ensure the People First Security Guidelines Manual and the Convergys Security Plan are up to date and to ensure the actions taken during a data security breach are consistent with the requirements in the Convergys/State of Florida Security Manual.
