Begin Main Content Area

L&I, Office of Information Technology Policy SEC-002


Name: Annuitant Account Security
Effective Date: July 2017
Category: Security
Version: 1.2

1. Purpose

This policy establishes standards by which all Department of Labor & Industry (L&I) Commonwealth of Pennsylvania (CWOPA) user credentials issued to annuitants will be secured by the Office of Information Technology (OIT). In order to minimize the costs of security breaches, this policy defines the necessary protection against temporarily unused CWOPA credentials, adds support for password reset, and ensures a streamlined process for reactivation of a user’s account upon an annuitant’s return. This policy will help protect information, including Federal Tax Information (FTI), from unauthorized access and improper disclosure in compliance with safeguards and requirements defined by the Internal Revenue Service (IRS) and the Social Security Administration (SSA).  This policy documents the implementation of the National Institute of Standards and Technology (NIST) Security Controls:  AC-1, 2, 3, AU-1, 2, & PL-4 Per SP 800-53 R4.

2. Background

This policy is published under the general authority of the ITPs published by the Office of Administration / Office of Information Technology (OA/OIT), in that it identifies key roles and responsibilities in support of ITPs. This policy is in addition to the Office of Administration (OA) policy ITP-SEC007.

L&I employs annuitants to augment staff and assist with work. Since annuitants are limited to a defined number of work days in a calendar year and their schedules are significantly more flexible than the traditional workforce, annuitant credentials can be inactive for substantial periods of time. This presents both security vulnerability and process issues. Annuitants who reach the full number of days they may work during a calendar year are not removed from the complement; however, their accounts will be locked by OIT. If the annuitant is approved to return the following calendar year, their account will be unlocked following the Annuitant Account Procedure. If the annuitant does not return the following calendar year, L&I Bureau of Human Resources (BHR) will separate the annuitant as appropriate.

3. Scope

This policy applies to all employees within all bureaus, divisions, boards, commissions, and councils within L&I. This includes any contracted employees in the service of L&I (hereinafter referred to collectively as “L&I Users”). 

4. Policy

BHR shall report, on a bi-weekly basis, to OIT the number of days annuitants have worked during that period and the total number of days worked during the current calendar year.

OIT shall flag annuitant accounts that have no (0) days worked in the period.

OIT shall lock the annuitant account after two consecutive pay periods (four weeks) without days worked.

OIT shall lock annuitant accounts that have reached the full number of days they may work during a calendar year.

Annuitants with locked accounts shall call the help desk to submit an account unlock request.

The L&I Help Desk shall process the account unlock request by creating an incident and routing it to OIT, who will unlock the annuitant account.

5. Responsibilities

  1. L&I User responsibilities:
    • Comply with all L&I policies, management directives, and laws; and
    • Report any violations of policies promptly to the L&I information security officer at LI, OIT-DLICISO.

  2. L&I management responsibilities:
    • Comply with all L&I policies and ensure L&I Users comply with the policies; and
    • Adhere to this policy and any published procedures regarding annuitant account security.

6. References

L&I Policy and Procedure Definitions

Annuitant Account Procedure

ITP-SEC007 - Minimum Standards for User IDs and Passwords

MD 210.5 - The Commonwealth of Pennsylvania State Records Management Program

7. Version Control

Version: Date: Purpose:
1.0 11/2014 Base document
1.1 07/2016 Format and content revision
1.2 07/2017 Annual review & content revision