This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.
VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent
auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.
Back to TOCClick
VALIC
.com 44
Operating System passwords are required, must meet current policy and standards which include a minimum of
eight characters in length and must be changed every 90 days
(13.5)
.
Access is granted to appropriate personnel, based on job responsibilities, and is approved by a manager
(13.11)
Privileged Access to RS domains is approved in a Privileged Access Request (PAR) form and submitted via Service-
Now to the Security team or submitted via a Service-Now request to CTO for Rl-Core servers. SailPoint is an
automated third-party recertification tool used to recertify Unix andWindows server users. Users with privileged
access to the operating system are reviewed on an annual basis for appropriateness. Exceptions are researched
and resolved
(13.16)
. Upon termination, access to the network domain is revoked timely
(13.12)
. Network domain
accounts that have been inactive for more than 90 days are flagged and disabled on a monthly basis
(13.6)
.
Unix ID terminations are performed through a two-step process. The first step is an automated process where the
names of the users and the servers they have access to are extracted and a set of scripts is run against HR data to
delete access automatically. Users with privileged access to the operating system and database level are reviewed
on an annual basis for appropriateness. Recertification items (including modification or deletion of access) that
require further review are addressed by management in a timely manner
(13.16)
.
User Access Administration – SAP
SAP application access is controlled through internal SAP Security and administered by the SAP Solutions
Center. Each user has a unique user ID and password that must be entered to access SAP. Passwords must
be a minimum of eight characters in length, user IDs will be locked if an incorrect password is entered five
times, and must be changed every 90 days. Requests to add or change access to SAP must be documented
and approved by an appropriate authority
(13.10)
. User access rights in security roles within SAP are disabled
when notified that a user has been terminated
(13.14)
. User access to SAP is reviewed annually and recertified
by an appropriate authority to confirm that the access is aligned with the user's current job functions. Changes
to user access discovered during the recertification are acted upon by an appropriate authority
(13.18)
.
SAP resides on Unix operating system. Unix passwords are required, must include a minimum of eight characters
in length and expire within 90 days.
Upon termination, access to the network domain is revoked timely.
(13.12)
.
Program Execution Controls
Job Scheduling for V-System
VALIC uses CTO for control of production processing and job scheduling. Production processing is routine
and is under the control of Computer Associates’ CA-7 automated submission scheduling system and restart
management system. CA-7 is utilized to run and monitor production batch processing for mainframe jobs.
Nightly processing begins for V-System as soon as the unit value uploads are complete. The majority of production
batch jobs run overnight, with limited production batch processing during the day.
III. Description of the VALIC Defined Contribution Plan Administration System