Maine State Government

Dept. of Administrative & Financial Services

Office of Information Technology

 

 

Procedure for Secure ID Cards and Maintenance of the RSA Database

 

I. Statement

State agencies will comply with this standard when acquiring Secure ID cards.  Security Coordinators will comply with this standard for maintaining accountability for Secure ID cards.

II. Purpose

The purpose of this standard operating procedure (SOP) is to govern the accountability and procedures for Secure ID cards. 

III. Guidelines

A. Secure ID Program Administrator

1. Will maintain the overall supervision of this program and keep all procedures current and up to date.

2. Ensure that an adequate number of Secure ID cards are available to fulfill requests.

3. Maintain the Security Coordinator list and distribute it to the Call Center Specialist.

4. Ensure that this list is verified semi-annually with the agencies.

5. On a monthly basis, provide the Secure ID card holders list to each of the Security Coordinators for their respective agencies.

6. Generate a monthly inactivity report for Contractor card holders inactive for greater than 120 days. Provide this list to the Security Coordinators and inform them that these cards will be disabled. Disable all Contractor card users inactive for 120 days or greater.

B. Security Coordinator

1. The Security Coordinator will provide the Call Center with a request for the Secure ID card via an electronic form on http://inet.state.me.us/rsa/Login.asp (if you have not been set up for this web site and would like to be, call 624-7700 and one of the Call Center staff can set you up with a user name and password) or put a ticket in via the Footprints portal: https://footprints.som.w2k.state.me.us/MRcgi/MRlogin.pl

2. Review the end-of-month report to determine whether a Secure ID card is needed for expiring cards and to confirm that all users are valid.

3. Upon notification from users that have been disabled, verify their status and contact the Call Center for placement into active status.

4. Notify Secure ID Program Administrator of any changes to Security Coordinator assignments.

5. If a contractor leaves the State, ensure that the agency completes a Delete User form, which is under the User Request project within Footprints.

C. Call Center Specialist

1. When the Call Center receives a Secure ID request, the request is to be completed according to the instructions located on the P: drive at oit-desktop on oit-teaqfsemc01/oit/sop/secureidsection.doc.

2. For users calling in that are unable to log in and have verified that they have been disabled for inactivity due to multiple logon attempts, re-enable their login. If they have not logged into the system for 120 days or more, have those users contact their Security Coordinator for re-activation of their card.

3. Disable accounts for those contractors that are no longer working for the State, as directed by the Agency.

IV. Applicability

This procedure is intended to manage the acquisition of, and accountability for, Secure ID cards for Employees and Contractors of Agencies within the Executive Branch and semi-autonomous State Agencies.

V. Responsibilities

A. Agency Supervisor(s) or their designees will be responsible for approving the request for a Secure ID card and the cost of that card.

B. Security Coordinators, working with the Agency Supervisors, will request Secure ID cards online for Contractors and all State Employees.

C. The Secure ID Program Administrator will ensure that all aspects of the Secure ID card program are followed in accordance with this policy.

VI. Definitions

A. Secure ID card: To access resources protected by the RSA SecurID system, users simply combine their secret Personal Identification Number (PIN) (something they alone know) with the token codes generated by their authenticators (something they have). The result is a unique, one-time-use passcode that is used to positively identify, or authenticate, the user, with “two-factor” authentication. If the code is validated by the RSA SecurID system, the user is granted access to the protected resource. If it is not recognized, the user is denied access. NOTE: The acronym RSA stands for Rivest, Shamir, Adleman, the inventors of this encryption technique.

B. RSA Database: RSA Access Manager software is designed to enable organizations to manage large numbers of users while enforcing a centralized security policy that ensures compliance, protects enterprise resources from unauthorized access, and makes it easier for legitimate users to do their jobs.

C. Agency Supervisor(s): A Supervisor or Manager within the Agency who can grant authorization for the purchase of a Secure ID card and can grant an Employee use of a Secure ID card.

D. Semi-autonomous State Agency: An Agency created by an act of the Legislative Branch that is not a part of the Executive Branch. This term does not include the Legislative and Judicial Branches, Offices of the Attorney General, Secretary of State, State Treasurer, and Audit Department.

E. Security Coordinator: The person designated by the Agency to manage the ordering of new and expired Secure ID cards through a report sent to them each month from the Secure ID Program Administrator.

F. Call Center Specialist: The person at the Call Center who fulfills the requests submitted by the Security Coordinator or designated person.

G. Secure ID Program Administrator: The person at the Call Center who administers the RSA database, and assures that all policies and procedures are followed according to the Secure ID Card SOP and processes.

VII. Document Information

A. Document Reference Number: 39

B. Category:  Internet, Network and Transport

C. Adoption Date: 05/01/2009

D. Effective Date: 05/01/2009

E. Review Date: 05/01/2010

F. Point of Contact: Customer Support Center – 624-7700

G. Approved By: Greg McNeal, Chief Technology Officer

H. Position Title(s) or Agency Responsible for Enforcement: Greg McNeal, Chief Technology Officer

I. Legal Citation: 5 M.R.S.A. Chapter 163 § 1973. Responsibilities of the Chief Information Officer, paragraph 1B: “Set policies and standards for the implementation and use of information and telecommunications technologies, including privacy and security standards…”