Each year, all organizations that use the SWIFT and SEMA4 systems must evaluate the security roles assigned to each of their staff and certify those role assignments to be appropriate, pursuant to MMB Statewide Operating Policy 1101-07, Security and Access. This exercise provides each organization with an excellent opportunity to re-evaluate and improve internal controls.

Management must achieve two critical objectives when assigning security roles. First, employees must be granted the access to systems, programs, and data needed to perform their specific job functions. Failure to provide sufficient access could result in business disruption or inability to deliver critical services. Second, management must maintain adequate separation between incompatible duties. Providing incompatible access to employees increases financial risk, since these employees have the ability to create and conceal fraud, misstatements, or errors in the course of their normal job duties.

Ideal segregation of duties exists when agency management separates the following functional responsibilities between business units, or at least between different individuals within a unit:

1. Authorization or approval to execute transactions
2. Recording transactions in accounting records
3. Custody of assets involved in the transactions
4. Periodic reconciliation of existing assets to recorded amounts

The following links provide guidance and assistance for system managers to make appropriate security role decisions.

• MMB Statewide Operating Policy 1107, Security and Access (PDF) (Word)
  
• MMB Statewide Procedure 1101-07.01, Agency Security Administrators (PDF) (Word)
  
• MMB Statewide Procedure 1101-07.02, Compensating Controls (PDF) (Word)
  
• Department of Administration Information Policy Analysis Division - Not Public Data
• Office of Enterprise Technology Security Policies
  
• SWIFT Security
• SEMA4 Security