FISCAL ADMINISTRATORS MEETING
March 26, 2008
Please note: Meetings are scheduled from 10:00AM - Noon. Please plan to attend the entire meeting.
Opening Comments – Steve Kimata
- Internal Controls Questionnaires are due by April 18th. Any questions, contact Del Kolberg or Rick Seaman.
- 211 were sent out and so far 49 have come back to us. Thank you for responding so quickly!
- People want to know how to print off a copy of the completed questionnaire – once you submit it you will receive an email that has a link to the completed questionnaire you can print off.
Office of the Vice President/CIO
Brian Davis
Link to SSN Initiative Short Overview (slides Brian used as talking points)
Social Security Number Initiative – Part of a larger strategy for sensitive data handling
Goal is to phase out the use of Social Security Numbers wherever possible around the University. A few departments will still need to use them (Human Resources, Student Financial Services, etc.) to comply with Federal requirements. Access to any remaining SSN data will be highly restricted, and the data must be highly secured.
A few changes have already taken place:
- New University ID Numbers were issued to all Faculty, Staff and Students – Although University ID numbers are not, strictly speaking, confidential, they should not be handled casually, and, particularly when used or stored in large quantities, should be well-protected.
- New University ID cards (beginning Aug. 07) no longer contain SSNs (either on the front or embedded in the magnetic strip on the back).
- University ID numbers may be used for ISIS Online log-ins and for searching by green screen users.
- Integrated System has University ID numbers.
- The new SSP will have University ID numbers.
Implementation
The Administrative Data Access Policy is being broken into 3 parts – SSN Policy is one part
- Puts restrictions on how SSNs are collected, used and reported.
- SSNs have been classified as highly sensitive data, and are now treated in the same manner as FERPA and protected health information.
- SSNs should only be requested when essential, and will only be provided when essential.
- Requires secure storage for all SSN data, whether electronic or paper.
SSN Policy
- Issued late December – departments will now need to get approval before using SSNs in any new way.
- By July 1, 2008 every unit will need to have identified all records and records systems in their area that use SSNs and have developed a remediation plan.
- By July 1, 2009 every unit will be expected to have implemented their plan.
- Legislation was passed that states by October 1, 2008 our plans must be reported to Richmond and they must be implemented by July 1, 2009.
* Every unit has to do this!
More information is available at http://www.virginia.edu/ssninitiative/.
If you have any questions or concerns, please contact Brian Davis, or write to SSN-INITIATIVE.
Questions
Q. ITC still wants an SSN and Date of Birth for new user accounts and new digital certificates. Can’t they just use University ID numbers instead?
A. The current system is not set up to use the new ID numbers. The Pass-Phrase card that was issued with the new University ID cards was part of a process to set up “secret questions” that will eventually be used in place of SSNs and Date of Birth for validating online identity. We are working on it.
Q. I have heard about free Spider software that can scan your computer for SSNs. Should we use it?
A. The free software has advantages and disadvantages. We have purchased some commercial software called Identity Finder that scans for SSNs and Credit Card numbers. It will be available via our website next week. Everyone should scan their computer.
Q. Are we going to have to go through all of our paper documents and mark out SSNs?
A. We need to work on reducing the usage of SSNs, but we are realistic. Large electronic data stores are the highest priorities. For paper, we need to focus on securing what must be kept. There is a records retention policy in place we have to follow, so mainly focus on making sure the paper records are identified/inventoried and secured until they can be destroyed.
Q. What about scanned documents?
A. Need to make sure anything scanned that contains sensitive data is behind a firewall and access is restricted. We are trying to reduce the unnecessary collection of sensitive information, so there should be less SSN data in scans in the future.
Q. What about scanning and then emailing a PDF document with sensitive information?
A. It is not really much safer than a plain text email. Don’t send SSNs or any other sensitive information over email unless encrypted!
Steve Kimata – If you have not scanned your computer, it is important that you do. People lose their laptops or have them stolen. You want to have as little sensitive information on it as possible.
Shirley Payne
Record Retention
- The Process Simplification Team looked at record management and the ways technology could help simplify the process.
- Found the University needs improved efficiency of the record management, policy, processes and solutions.
- Not all storage solutions were secure
- Concerns about compliance issues and lack of awareness about the policy – it covers retention, retrieval, and destruction of records.
- The study team recommended that an enhanced University records management program supported by dedicated staff is needed. Archival of records takes place in the Library, but the study pointed out that retention and destruction of the records conflicts with the Library’s mission. Executive management, therefore, considered several alternative reporting options and has made a recent decision to place this function in the IT Security and Policy Office within the Office of the Vice President and CIO. The change makes sense given the continuing transition of paper records to electronic form. The function of preserving archival (presidential, historical) University records will continue to be managed by the University Library.
- Between now and July 1st go to the Library for guidance – Mark McDonald in the Library will be taking questions. See the Library’s Records Management website for contact information.
- The IT Security and Policy Office is currently working to recruit for and select an experienced Records Management Officer by July 1st. Once that person is in place, planning for a new comprehensive records management program can begin, which will include development of a records management education initiative for the university community and a new website.
- Although concrete plans have not yet been made, we anticipate the need to hire a medical records specialist in Fiscal Year 2008-09, and possibly also an electronic records specialist later in the fiscal year.
- The study identified several potential solutions for future records storage, retrieval, and destruction, including use of outsourcing contracts to replace current individual department solutions. A centralized solution would significantly improve the University’s ability to keep track of location, age and security of records. All potential solutions will be considered once the Records Management Officer is hired and the program planning is subsequently developed.
Mike Glasgow – Document Retention
OSP just finished having the biggest audit for as long as I have been here.
- DHHS was here for 2 weeks and wanted documentation for everything for one award that lasted from December 2000 to 2005.
- Oracle was a big help – we were able to pull up information we no longer had in our files.
- They not only wanted to look at invoices, but also the policies and procedures that were in place at the time.
- Had to prove we followed policies and procedures that were in place for anything over $5,000.
- We did not have all of the documents we needed. Some we were able to get from other departments.
- Sponsored Program policy on record retention for Grants:
- Must keep files 5 years from the final expenditure report – usually filed 90 days after the close of the Grant
- Federal Regulations:
- Non-Federal:
- 3-5 years after close; looked at on a case to case basis; I would say 5 years, just to be on the safe
- Multiple Awards:
- 5 years after the close of all awards
- Competitive Grants:
- that competitive cycle, plus 5 years
- If there is litigation or an audit, it must be kept until everything is completely resolved.
- Bonds must be kept the length of the bond plus 3 years. If the bond is reissued, it must be kept that plus the amount of time it has been reissued for.
- 5 years after the end of a Grant is the best practice for now! Keep in mind that contracts have their own wording, so make sure you read and are aware!
- We will try to help make it easier for you by letting you know when files can be destroyed.
- Communicate with other departments about what you are retaining – it is good to have a back-up in case something happens to your records, but 5 different departments don’t all need to retain the same records, especially with the storage issues.
- If you receive a document electronically, you can keep it that way. If you scan a document though, make sure you disclose that you have done this, and you still need to retain the original document.
Audit Department & ITC – Barbara Deily & Shirley Payne – Use of Computers
There has been a spike in the amount of inappropriate use, so I just wanted to remind everyone.
- Pornography is the number 1 most common misuse. Do not view or send it! If pornography is found on your computer, you can be FIRED! It cannot be on a State computer.
- Running personal businesses is also inappropriate. Do not use University resources to make money for yourself.
- Downloading and sharing of copyrighted music and movies has also been on the rise. If the RIAA catches you, the University cannot help you.
We don’t monitor computers unless there has been an allegation. Be cautious as to what you write on email though because even if we aren’t viewing your emails specifically, we might be viewing the emails of someone you correspond with.
Office of Sponsored Programs
Sharon Boyd
Want to update everyone on opportunities to increase awareness and education on compliance issues.
OSP Education Outreach Opportunities – Costing Compliance for Lab Personnel
- Have held 2 successful sessions so far for lab personnel – these are the purchasers for the labs.
- We come out and train them on using proper PTAO’s and charging to the correct expenditure types.
- We also come out if too many cross transfers have to be done, or if you would like for us to come out we would be more than happy.
NEW OSP Brown Bag Lunch Series – held every month in Newcomb Hall – there will be a topic and we will gather around and discuss issues and ideas
- First one will be held April 8th to discuss Monthly Expenditure Reviews
- May 13th will discuss new forms???
- June we will discuss Travel
- July we will discuss Charging Computer Peripherals and Software
New Research Administrator Sessions
- For new employees that will be working with sponsored projects to familiarize them with what they are going to be doing, and what they should expect to see.
- Right now we are getting names from the Intro to University Business Administration class rosters.
Contact Sharon Boyd or Gina Corell, if interested.
Mike Glasgow
We are working to expand our outreach. We are here to help, and want to make sure you are able to defend yourself against an audit.
Graduate Health Insurance should see our website. F&A should be burdened. Should use the expenditure type svcs, insurance health grad F&A. See Procedure 8-41.
Accounting Services – Tommye Arnold
Year End Dates
With restructuring, we will not have to shut Oracle down at year end, so just keep in mind the following dates:
- Cost Transfer Cut Off - Must be correct - Wednesday, June 25th at 5:00. They will be reviewed the 26th, and posted on the 27th.
- Cashier Deposits - Thursday, June 26th at 5:00. They will go to the bank on Friday, June 27th.
- GL Journals - Friday, June 27th at 5:00.
- Deposits made on Friday June 27th or Monday June 30th will show in your clearing projects in the ADJ1 period.
Handouts will be available at upcoming meetings.
Procurement Services
John McHugh
New contracts – posted on our website:
- 17 new catering contracts have been established:
- no separate should be signed, no prepayments
- up to $50,000 no approval necessary
- Make sure catering contract vendors send the invoices to Accounts Payable. They should not be giving it to you.
- Landmark Aviation (used to be Piedmont) is now a contract vendor if you need to charter a plane.
- safety and insurance certifications are excellent.
- Rental Vehicles - local and non-local contracts – one is signed, and we are working on another. Will send out an email when they are ready.
- Copiers – Frank Fountain has found it is cheaper to buy a copier and pay for maintenance than to rent one, but there are new contracts for renting if you choose to do this.
- $50,000 PO approval limit with contract vendors – order is going straight to vendor, so make sure the description is good.
Becky Simms introduced – Contract Administrator
Terry Butler
Dell electronic invoices should go live this week
Rose Chisholm wanted to let everyone know the report PO Invoice Distribution Detail will be ready the first week of April – will send out a message
Because of restructuring, there will not be a specific cutoff date for invoices. Invoices received in Accounts Payable by 12:00 noon on June 19 will be entered this fiscal year. AP will continue to enter as many invoices as possible that were received after that date.
Eric Denby
Introduced Jessie McGann from Facilities.
At the ACC Procurement Directors meeting last week, persuaded other schools to agree to add a cooperative clause to contracts so we can use them. This will give us access to many more contracts. We won’t have to do RFP’s for these.
The next Fiscal Administrators Meeting will be on THURSDAY, April 17, 2008 at 10:00 in the South Meeting Room, Newcomb Hall.