L&I, Office of Information Technology Policy SEC-007

(PDF)

1. Purpose

This policy documents the requirements and the process that will be used to secure user credentials for contracted resources, in use at the Department of Labor & Industry (L&I). This policy also fulfills the requirements of Internal Revenue Service (IRS) Publication 1075 safeguards and requirements defined by the Social Security Administration (SSA). This policy is in addition to OA ITP-SEC009. This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls: AC-1, 2, 3, MA-5, PS-3, 4, 7, 8, TA-1, 2, 3, & 4 Per SP 800-53 R4.

2. Background

This policy, which has been integrated with the Office of Administration’s (OA) Human Resources, defines the process that will be used to onboard contracted resources. The OA has stated that it will only process business partner/contractor assignment forms from specified agency contacts. Per agreement with the OA, only the OIT Enterprise Security and Compliance Section (ESC) “LI, Contractor Requests“(RA-LICONTRACTOR-REQS@pa.gov), can submit contractor creation requests.

Background checks are required for access to federal tax information (FTI) and help ensure the protection, security, and privacy of commonwealth employees, customers, information systems, and data.

3. Scope

This policy applies to all employees within all bureaus, divisions, boards, commissions, and councils within L&I. This includes any contracted employees in the service of L&I (hereinafter referred to collectively as “L&I Users”).

This policy also applies to all contracts issued by L&I through which employees of an IT Provider, or of its subcontractors, have on-site or remote computer access to Commonwealth facilities (hereinafter referred as “Contractors”).

4. Policy

1. Background checks:
   
   All contractors in the service of L&I shall provide a pre-employment background check at the contractor’s expense.
   
   All criminal records shall be checked for the previous five (5) years. Background checks received more than thirty (30) days from the date the check was completed shall not be accepted.
   
   All contractors retained by L&I for more than one (1) year, shall provide a criminal record check annually within thirty (30) days of their anniversary date.
   
   All contractors who have resided outside the commonwealth during the past five (5) years shall provide an equivalent background check from the states or nations of residence to L&I.
   
   Any criminal background check that indicates criminal history in the contractor’s past shall be reviewed per procedure. L&I has the discretion to hire a contractor with criminal history. At any point the hiring supervisor/division chief, L&I Chief Information Security Officer (CISO), and the DCIO/CIO may engage chief counsel.
   
   All contractors shall complete the mandatory security awareness training within 30 days of account assignment.
   
   
2. Contractor Account Creation:
   
   All requests for the creation of contractor accounts require the completion of the “Business Partner/Contractor Assignment Form,” Computer Resources User Agreement Non-Commonwealth Employees (L&I OIT-6) form, and Pennsylvania State Police (PSP) criminal background check. The PSP criminal background check shall, at a minimum, include the requestor’s full name, the PSP control number, and the date the background check was requested in an un-redacted state. Unreadable documents shall not be accepted.
   
   All contractors with elevated privileges to any device, application, system, or service shall complete the Acceptable Use Policy Agreement for System/Infrastructure/Database/Application Administrators (OIT-8). All contractors retained by L&I for more than one (1) year, shall annually sign both agreements.
   
   Contractors who will access only the L&I mainframe environment shall produce evidence of a criminal background check to L&I before Resource Access Control Facility (RACF) account creation.
   
   Requests for the creation of contractor accounts that are submitted incompletely or are missing documentation for more than 30 days will be cancelled. If contractor accounts are created outside of this document policy and process, the account will be locked until all documentation is completed in compliance with this policy.
   
   
3. Contractor Account Terminations/Separations:
   
   Contract terminations or contractor separations require the removal of contractor accounts. Hiring managers shall immediately submit the “Business Partner/Contractor Separation Form” found on the LION to the “LI, Contractor Requests” resource account (RA-LICONTRACTOR-REQS@pa.gov) for processing.

5. Responsibilities

1. L&I User responsibilities:
   
   • Comply with all L&I policies, management directives, and laws; and
   • Report any violations of policies promptly to the L&I CISO at LI, OIT-DLICISO.
2. L&I management responsibilities:
   
   • Comply with all L&I policies and ensure L&I users comply with the policies;
   • Ensure that submissions to the resource account are complete, including criminal background checks in the timeframes described in this policy and procedure; and
   • Adhere to this policy and any published procedures regarding contractor accounts.
3. Contractor responsibilities:
   
   • Comply with all L&I policies, management directives, and laws;
   • Sign the OIT-6 form annually;
   • Sign the OIT-8 annually if granted elevated privileges; and
   • Report any violations of policies promptly to the L&I CISO at LI, OIT-DLICISO.

6. References

L&I Policy Definitions Document

SEC-010 - Access Control for Non-Commonwealth Users

ITP-SEC-009 Minimum Contractor Background Checks Policy

MD 205.34 - Commonwealth of Pennsylvania IT Acceptable Use Policy

MD 210.5 Records Management

7. Version Control