This report is intended for use by the management of the Variable Annuity Life Insurance Company ("VALIC") and its subsidiaries.

VALIC Retirement Services Company ("VRSCO") and VALIC Financial Advisors, Inc. ("VFA"), its user entities, and the independent

auditors of its user entities, and is not intended and should not be used by anyone other than these specified parties.

Back to TOC

Click

VALIC

.com 44

Operating System passwords are required, must meet current policy and standards which include a minimum of

eight characters in length and must be changed every 90 days

(13.5)

.

Access is granted to appropriate personnel, based on job responsibilities, and is approved by a manager

(13.11)

Privileged Access to RS domains is approved in a Privileged Access Request (PAR) form and submitted via Service-

Now to the Security team or submitted via a Service-Now request to CTO for Rl-Core servers. SailPoint is an

automated third-party recertification tool used to recertify Unix andWindows server users. Users with privileged

access to the operating system are reviewed on an annual basis for appropriateness. Exceptions are researched

and resolved

(13.16)

. Upon termination, access to the network domain is revoked timely

(13.12)

. Network domain

accounts that have been inactive for more than 90 days are flagged and disabled on a monthly basis

(13.6)

.

Unix ID terminations are performed through a two-step process. The first step is an automated process where the

names of the users and the servers they have access to are extracted and a set of scripts is run against HR data to

delete access automatically. Users with privileged access to the operating system and database level are reviewed

on an annual basis for appropriateness. Recertification items (including modification or deletion of access) that

require further review are addressed by management in a timely manner

(13.16)

.

User Access Administration – SAP

SAP application access is controlled through internal SAP Security and administered by the SAP Solutions

Center. Each user has a unique user ID and password that must be entered to access SAP. Passwords must

be a minimum of eight characters in length, user IDs will be locked if an incorrect password is entered five

times, and must be changed every 90 days. Requests to add or change access to SAP must be documented

and approved by an appropriate authority

(13.10)

. User access rights in security roles within SAP are disabled

when notified that a user has been terminated

(13.14)

. User access to SAP is reviewed annually and recertified

by an appropriate authority to confirm that the access is aligned with the user's current job functions. Changes

to user access discovered during the recertification are acted upon by an appropriate authority

(13.18)

.

SAP resides on Unix operating system. Unix passwords are required, must include a minimum of eight characters

in length and expire within 90 days.

Upon termination, access to the network domain is revoked timely.

(13.12)

.

Program Execution Controls

Job Scheduling for V-System

VALIC uses CTO for control of production processing and job scheduling. Production processing is routine

and is under the control of Computer Associates’ CA-7 automated submission scheduling system and restart

management system. CA-7 is utilized to run and monitor production batch processing for mainframe jobs.

Nightly processing begins for V-System as soon as the unit value uploads are complete. The majority of production

batch jobs run overnight, with limited production batch processing during the day.

III. Description of the VALIC Defined Contribution Plan Administration System