Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1-1 | Yes | $0 | $0 | The IPA recommended that Fiscal Service management reinforce policy requirements (through training or other means) for removing logical access of terminated and transferred Fiscal Service employees and contractors within 2 business days of their separation date.
1-2 | Yes | $0 | $0 | The IPA recommended that Fiscal Service management perform ongoing monitoring to hold responsible control performers accountable for timely completion of such control activities.
2-1 | Yes | $0 | $0 | The IPA recommended that Fiscal Service implement policies and controls for performing a user access review and recertification of AS Splunk Administrators supporting CAIA on a quarterly basis.
3-1 | Yes | $0 | $0 | Fiscal Service management implement proper segregation of duties to ensure that an independent review of all users' access is performed as part of the semi-annual PAM Mainframe privileged user access review.
3-2 | Yes | $0 | $0 | Fiscal Service management enforce accountability of individuals performing user access review control responsibilities in accordance with policies and procedures.
4-1 | Yes | $0 | $0 | Fiscal Service finalize policies and procedures to review audit logs of production IBM Database 2 (DB2) servers.
4-2 | Yes | $0 | $0 | Fiscal Service implement an oversight process to ensure that designated Fiscal Service management: (1) reviews the security logs for the UNIX and DB2 servers hosting the PIR, JFICS, and SPS applications on a pre-defined frequency, as indicated in the BLSR; (2) formally documents completion of their reviews and any escalations to the Information System Security Officer (ISSO); and (3) retains the audit logs and documentation of its reviews for 18 months, as required by the BLSR.
4-3 | Yes | $0 | $0 | Fiscal Service periodically review Fiscal Service management's implementation and operation of the review of the security audit logs for the UNIX and DB2 servers hosting the PIR, JFICS, and SPS applications to determine that Fiscal Service management completes the reviews on a pre-defined frequency, documents completion of the reviews and any escalations, and retains such documentation.
4-4 | Yes | $0 | $0 | Fiscal Service establish an effective enforcement process or mechanism to ensure that (1) UNIX and DB2 event logging and monitoring controls are followed, and (2) Fiscal Service management has confidence that reviews for potential unauthorized or inappropriate activity are performed consistently.
5-1 | Yes | $0 | $0 | Fiscal Service develop and implement documentation to assign responsibility for ensuring the adequacy of UNIX and database security and baseline settings.
5-2 | Yes | $0 | $0 | Fiscal Service update existing UNIX and database configuration security baseline documents to ensure that these documents fully incorporate and enforce the components of the DISA STIGs. Management should document any deviations from the STIGs and note the compensating controls that mitigate the security risk to an acceptable level.
5-3 | Yes | $0 | $0 | Fiscal Service develop, document, and implement policies, procedures, and controls to conduct periodic reviews of actual UNIX and database settings against the security configuration baselines.
5-4 | Yes | $0 | $0 | Fiscal Service log and monitor security-related events and retain evidence of the reviews performed.
5-5 | Yes | $0 | $0 | Fiscal Service develop a baseline of essential security settings and specify that baseline as the standard to be observed.
5-6 | Yes | $0 | $0 | Fiscal Service implement corrective actions to address all vulnerabilities associated with baseline enforcement, including removing the three default user accounts on UNIX servers.
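Recommendations 5-2, 5-3 and 5-6 together describe one control: compare the actual settings on each UNIX host against the documented baseline, treat a difference as acceptable only when a documented deviation names a compensating control and the approved value, and flag default accounts that should have been removed. The script below is an added example of that comparison, not Fiscal Service tooling. The baseline values, the deviation record, the three account names and the sample host data are constructed for illustration and are not the actual DISA STIG settings or the accounts the IPA identified.

```python
"""Review actual UNIX settings against a security configuration baseline.

Added illustrative example. BASELINE, DEFAULT_ACCOUNTS, DEVIATIONS and the
sample host data are constructed for the example; they are not the DISA
STIG requirements or Fiscal Service's own baseline.
"""
from dataclasses import dataclass

# Constructed baseline: setting name -> required value (hypothetical).
BASELINE = {
    "PermitRootLogin": "no",
    "PasswordAuthentication": "no",
    "PASS_MAX_DAYS": "60",
    "UMASK": "077",
    "auditd_enabled": "yes",
}

# Constructed stand-in for "the three default user accounts" (5-6); the
# real names are not on the page.
DEFAULT_ACCOUNTS = {"games", "ftp", "uucp"}


@dataclass
class Deviation:
    """A documented deviation from the baseline (recommendation 5-2)."""
    setting: str
    approved_value: str
    compensating_control: str
    risk_accepted_by: str


@dataclass
class Finding:
    host: str
    item: str
    expected: str
    actual: str
    status: str  # "noncompliant" or "deviation_documented"


def parse_kv(text):
    """Parse 'Key value' or 'Key = value' lines; '#' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) == 2:
            settings[parts[0]] = parts[1].strip()
    return settings


def parse_passwd(text):
    """Return account names from passwd-format lines."""
    return [line.split(":")[0] for line in text.splitlines() if line.strip()]


def review_host(host, settings_text, passwd_text, deviations):
    """Compare one host to BASELINE; return the list of findings.

    A mismatch is 'deviation_documented' only when a Deviation exists for
    that setting, its approved value equals the observed value, and a
    compensating control is recorded. Anything else is 'noncompliant'.
    """
    approved = {d.setting: d for d in deviations}
    actual = parse_kv(settings_text)
    findings = []
    for setting, expected in BASELINE.items():
        value = actual.get(setting, "<unset>")
        if value == expected:
            continue
        dev = approved.get(setting)
        documented = (dev is not None and dev.approved_value == value
                      and bool(dev.compensating_control))
        status = "deviation_documented" if documented else "noncompliant"
        findings.append(Finding(host, setting, expected, value, status))
    for account in parse_passwd(passwd_text):
        if account in DEFAULT_ACCOUNTS:
            findings.append(Finding(host, f"account:{account}",
                                    "removed", "present", "noncompliant"))
    return findings


def summarize(findings):
    """Count findings by status, for the retained review evidence (5-4)."""
    counts = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample host data (merged sshd_config / login.defs style).
SAMPLE_SETTINGS = """\
# constructed sample, not a real host
PermitRootLogin no
PasswordAuthentication yes
PASS_MAX_DAYS\t60
UMASK = 022
auditd_enabled yes
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
games:x:12:100:games:/usr/games:/sbin/nologin
appsvc:x:1001:1001::/home/appsvc:/bin/bash
"""
# Constructed deviation: password auth kept on a jump host, MFA at the bastion.
DEVIATIONS = [Deviation("PasswordAuthentication", "yes",
                        "MFA enforced at the bastion", "ISSO")]

if __name__ == "__main__":
    for f in review_host("db2-prod-01", SAMPLE_SETTINGS, SAMPLE_PASSWD, DEVIATIONS):
        print(f"{f.host} {f.item}: expected {f.expected}, got {f.actual} [{f.status}]")
```

Run on the sample host this reports three findings: the password-authentication mismatch is accepted as a documented deviation, the UMASK value and the leftover `games` account are noncompliant. Keeping the deviation register as data, with the approving role recorded, is what lets the periodic review (5-3) distinguish an approved, risk-accepted difference from drift, and the summary is the kind of evidence the review should retain (5-4).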