| Text of Recommendation | Review and consider updating IT-930-02, Security Control Manual, to:
a. Require control, AC-5 Segregation of Duties, for all moderate systems. Further, Smithsonian management should expand their current implementation of AC-5 to address both administrative and non-administrative accounts.
b. Require control, AC-6 Least Privilege, for all moderate and high systems. Further, Smithsonian management should expand their current implementation of AC-6 to address both administrative and non-administrative accounts.
c. Include control, AU-2 Auditable Events, for all low, moderate, and high systems. |
|---|---|
| Recommendation Number | OIG-A-22-05-01 |
| Recommendation Status | Closed |
| Significant Recommendation | Yes |
| Recommendation Questioned Costs | $0 |
| Recommendation Funds for Better Use | $0 |
| Submitting OIG | |
|---|---|
| Linked Report |