Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock (
) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
|---|---|---|---|---|---|
| 3 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM implement processes to associate software and hardware assets to system boundaries. | |||||
| 7 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM establish a means of developing a complete and accurate listing of users with Significant Information System Responsibilities that are required to complete role-based training. | |||||
| 9 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM perform a comprehensive periodic review of the appropriateness of personnel with access to systems. | |||||
| 12 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM document access rights to systems to include roles, role descriptions, and privileges or activities associated with each role or activity assignments that may cause a segregation of duties conflict. | |||||
| 13 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM ensure policies and procedures governing the provisioning and de-provisioning of access to information systems are followed in a timely manner and documentation of completion of these processes is maintained. | |||||
| 14 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM review audit logs on a pre-defined periodic basis for violations or suspicious activity and identify individuals responsible for follow up or elevation of issues to the appropriate team members for review. The review of audit logs should be documented for record retention purposes. | |||||
| 15 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM establish a means of documenting all users who have access to system. | |||||
| 17 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM establish a methodology to systematically track all configuration items that are migrated to production and be able to produce a complete and accurate listing of all configuration items for both internal and external audit purposes, which will in turn support closer monitoring and management of the configuration management process. | |||||
| 18 | No | $0 | $0 | ||
| Grant Thornton recommends that OPM enforce existing policy developed by OPM, vendors or federal agencies requiring mandatory security configuration settings and implement a process to periodically validate that the settings are appropriate. | |||||
