
L&I, Office of Information Technology Procedure

Name: Contractor PROD Access & Tracking Procedure
Effective Date: September 2018
Category: Security
Version: 1.2

1. Scope:

This procedure applies to all Employment Banking and Revenue (EBR) employees and business partners (hereinafter referred to collectively as “EBR Users”). These procedures must be followed for all access to production data, whether in the production environment, or when production data is housed in non-production environments.

2. Procedure:

The procedure is implemented by OIT-ESC Audit.

  1. Procedure to review contractor access to PROD systems or data

    Step Responsibility Action
    1. ESC Audit During the last week of the month, open and sort P:\ESC\_Security Plan Management Team\Audit\Internal Audit\Contractor Server Access.xlsx by expiration date
    2. ESC Audit Assemble a listing of all expirations in the next month from
    3. ESC Audit Send a notification to the documented division chief that the listed accesses will be expiring
    4. ESC Audit Change text to red, continue to follow up if no response is received the next month, initiate revoke procedures


  2. Procedure to Request PROD data or system access

    Step Responsibility Action
    1. Requestor Submits CR and attaches the “Contractor Production Access - ESC Revision 072017.doc”
    2. Requestor Sends PATCH data to LI-OIT-Contractor Requests/LI-OIT-Security

    Evidence that the contractor has signed the OIT-6 & OIT-8, either scanned copy or electronic agreement.
    3. ESC Audit Reviews CR and attachments. Verifies OIT-6/8 signatures and PATCH validity, and updates CR

    Note: If the PATCH cannot be validated the CR will not be approved or processed.
    4. Requestor Submits ECAB attaching the “Contractor Production Access - ESC Revision 072017.doc”. The CR will reflect the approval of Security for PATCH, OIT-6/8 review. CR must include:

    Implementation Date: xx/xx/20xx
    (for xx days)
    Expiration Date: xx/xx/20xx
    Date Last OIT-6 Signed: xx/xx/20xx
    Date Last OIT-8 Signed: xx/xx/20xx
    Date PATCH Renewal: xx/xx/20xx
    Control #: Rxxxxxxxx
    Full Name Used  
    5. User Account Management Processes CR after ECAB approval.

    Note: User-Account management will not proceed without approval information.


  3. Procedure to Renew PROD data or system access

    Step Responsibility Action
    1. Requestor Submits CR attaching “Contractor Production Access - ESC Revision 072017.doc”, and PATCH information (full name used in PATCH, date of PATCH, control number)
    2. ESC Audit Reviews CR and attachments. Verifies OIT-6/8 signatures and PATCH validity, and updates CR

    Note: If the PATCH cannot be validated the CR will not be approved or processed.

    Note: If the OIT-6 & OIT-8 signatures cannot be found the CR will not be approved or processed.
    3. Requestor Submits ECAB attaching the “Contractor Production Access - ESC Revision 072017.doc”. The CR will reflect the approval of Security for PATCH, OIT-6/8 review. CR must include:

    Implementation Date: xx/xx/20xx
    (for xx days)
    Expiration Date: xx/xx/20xx
    Date Last OIT-6 Signed: xx/xx/20xx
    Date Last OIT-8 Signed: xx/xx/20xx
    Date PATCH Renewal: xx/xx/20xx
    Control #: Rxxxxxxxx
    Full Name Used  

    Note: If the PATCH expiration is less than the 6-month window, the requestor has a few options:
    • Let access expire, waiting until a new PATCH is obtained
    • Limit the access through the PATCH expiration
    • Submit a new PATCH
    4. User Account Management Processes CR after ECAB approval

    Note: User-Account management will not proceed without approval information.


  4. Procedure to Revoke PROD data or system access

    Step Responsibility Action
    1. Requestor Submits CR referencing the access CR/ECAB
    OR
    2. ESC Audit Follows the procedure to review contractor access to PROD systems or data
    3. ESC Audit After 10 days with no reply, submits CR referencing the access CR/ECAB and assigns it to User Account Management
    4. User Account Management Processes CR


3. References

L&I Policy Definitions Document
SEC-000 - Security Planning Policy
SEC-007 - Contractor Account Administration
SEC-010 - Access Control for Non-Commonwealth Users Policy
ITP-SEC009 - Minimum Contractor Background Checks Policy
MD205.34 - Commonwealth of Pennsylvania IT Acceptable Use Policy

4. Version Control

Version  Date     Purpose
1.0      01/2006  Base Document
1.1      11/2016  Merged documents, formatted, revised content
1.2      09/2018  Updates to procedures