Chapter 4

ROLES AND RESPONSIBILITIES

4.1 Departmental Security Access Control Officer (SACO)

The SACO is the Department's lead, authorized by senior management to provide security signing and/or administrative authorities on behalf of their organization for user access to Public works and government services Canada (PWGSC) mainframe applications such as the Pay System.

The SACO acts as the interface between the Enterprise Security Administration(ESA) or the appropriate PWGSC regional office (see Section 39) and the staff in their organization in the provision of access to system resources and information. The SACO designation is made using the "Security Access Control Officer (SACO) Application" form (PWGSC-TPSGC 146) . The ESA or the appropriate PWGSC regional office must be advised as soon as possible should a SACO no longer require signing authority. This and/or any other changes can be made using the same form.

The (PWGSC-TPSGC 146) only appoints or removes an employee as a SACO. In order for the SACO to obtain access to the compensation system he will be required to also submit the "Common Architecture Security Request" form (PWGSC-TPSGC 8882-4) .

The SACO s are responsible for ensuring that all security request forms (PWGSC-TPSGC 8882-4) are completed properly and forwarded to ESA or to the appropriate PWGSC regional office (see section 39) for processing. They are also responsible for obtaining the user's signature establishing that the user agrees to be bound by the Computer and Information Access Control Rules found on page 2 of the (PWGSC-TPSGC 8882-4) form. The form for each user must be maintained on file. The SACO s will need to be familiar with naming conventions of user IDs, Top Secret Security (TSS) department names and profile names. This information can be obtained by contacting the ESA or the appropriate PWGSC regional office (see section 39).

The SACO s are responsible for verifying that all user IDs belong to the correct individuals and that the assigned access rights are still required. Any discrepancies that are found must be corrected immediately. The SACO designation is only valid for one year. A SACO renewal reminder is forwarded to the SACO by ESA or to the appropriate PWGSC regional office 30 days prior to the expiration of the designation. Upon the SACO's annual renewal, the individual must confirm the completion of this review by signing the front of the (PWGSC-TPSGC 146) form in field number 7.

4.2 Departmental Manager

The responsibility for segregation of duties lies with departments and agencies. The requirements related to this activity are explained below. Departments and agencies must establish policies and procedures to ensure that an adequate level of control exists related to pay transaction delegated authorities, and that persons with delegated authorities understand their responsibilities. It is the also the responsibility of departments and agencies to ensure that all designated SACO s receive the necessary training to perform their functions.

Client departments who wish to learn more about the delegation of authorities should consult the Directive on Delegation of Financial Authorities for Disbursements at the following address: Directive on Delegation of Financial Authorities for Disbursements

4.3 Enterprise Security Administration (ESA)

The Service Management and Delivery (SM&D) ESA group administers access to a variety of systems and services managed by the organization. These include access to mainframe, secure remote access for PWGSC , Electronic Authorization and Authentication (EAA) on behalf of financial applications and access to the Internet. The group also manages the administration of specialty services such as Standard Payment System (SPS) priority print and secure electronic transfer for Human Resources and Skills Development Canada (HRSDC).

These services are administered with the assistance of a large network of SACO s who identify specific client requirements and act as the interface between the clients and PWGSC in the provision of access to resources and information.

New SACO s are identified by forwarding the completed (PWGSC-TPSGC 146) form to the ESA or to the responsible PWGSC regional office (see Section 39). The SACO 's manager or director must sign and date the form.

The ESA will contact new SACO s to provide any relevant information required for communication and interaction in regards to the creation and maintenance of user IDs for access to the Pay System.

The following are topics that will be discussed:  

• user ID naming convention as well as TSS department name. The TSS department name allows PWGSC to catalogue client access and is independent from the client departmental name.
• Password rules: Passwords expire after 90 days. After five unsuccessful password attempts, the user ID is suspended. After 180 days of inactivity, user IDs are automatically suspended.
• Password format:
  1. Must begin with a letter (A-Z, no accented characters)
  2. Must contain at least one number
  3. May contain national characters (@#$)
  4. Must be at least six characters long
  5. May be up to eight characters long
  6. Case insensitive (all letters will be treated as upper case)
• Inactive Accounts: Any mainframe user ID which has remained inactive for a minimum of one year is subject to deletion without notice by the ESA .
• Determine access requirements for SACO s and ensure that forms have been submitted.
• In order for SACO s to obtain access to the Pay System they will be required to submit a ( PWGSC-TPSGC 8882-4 ) form
• The SACO designation is only valid for one year. A SACO renewal reminder is forwarded to the SACO by the ESA or the appropriate PWGSC regional office 30 days prior to expiration of the SACO designation.
• ESA , or the appropriate PWGSC regional office, must be advised as soon as possible should a SACO no longer require signing authority, or of any other changes.
• The SACO s are responsible for verifying that all user IDs under their responsibility belong to the correct individual and that the assigned access rights are still required. Any found discrepancies must be righted immediately. The ESA can assist by providing the SACO s with user reports upon request.
• Any problems with existing user IDs and/or system access should be reported to the PWGSC Operations Service Desk at 613 738 7782.
• Effective April 1, 2010, training for a security officer with PDSEC access must be taken before becoming a SACO . Training for officers who were SACO s before that date will not be mandatory. It is however recommended that all SACO S who have not completed the training to register for the course. The available course is called "On-line Departmental Security Application" (PA09). For contact information and course calendar, please refer to the following links of the Compensation Sector Web site (below) and select your appropriate region.
  
  Welcome to Compensation Training

4.4 PWGSC - Compensation Sector

The Compensation Sector assists users in departments and agencies to use the Compensation Systems and tools when encountering problems. In addition to providing various pay support related functions, PWGSC is responsible for the creation of a new department and paylists. In the context of RPS access and security management, there are two Directorates involved:

Compensation System Management and Development Directorate (CSMDD)

• Provides advice and guidance in support of the security management for the Compensation Systems. Integrates system changes into the Compensation Systems as they relate to security management, and solves system-related problems.

Pay Policies and Training Services Directorate (PPTSD)

• Administers policies, legislation and operational requests related to management of security pertaining to the pay systems, develops documentation and communicates accurate information in relation to security management.
• Develops and delivers adequate training courses for security officers.

Document SACO 4. - ROLES AND RESPONSIBILITIES Navigation

• Chapter 3
• Table of Contents
• Chapter 5