Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details
---|---|---|---|---
1-1 | Yes | $0 | $0 | The IPA recommended that Departmental Offices (DO) management review DO-910 and FARS SSP password setting requirements to determine if they apply to all layers of system technologies (e.g., application, database, and operating system). If necessary, consider specifying distinct password setting requirements for the different layers.
1-2 | Yes | $0 | $0 | The IPA recommended that DO management implement password authentication controls at the FARS database in accordance with the minimum requirements set by DO-910 and the FARS SSP, to include the number of failed login attempts allowed.
2-1 | Yes | $0 | $0 | The IPA recommended that DO management develop policies and procedures for performing the quarterly review and reauthorization of privileged OS access, which specify: how to document the review of user access for continued appropriateness and the resulting determinations; assignment of individual(s) responsible for performing the review(s) across the various privileged OS domains/groups/accounts, who are independent of the access they review and are of the appropriate authority; and identification/inventory of the privileged OS domains/groups/accounts that are subject to review, to include any privileged OS service groups/accounts.
2-2 | Yes | $0 | $0 | The IPA recommended that DO management disseminate said policies and procedures to control performers and re-perform a review and reauthorization of privileged OS access that enforces independence from an individual reviewing their own access, includes OS service groups/accounts, and is documented/retained, in accordance with the established policies and procedures.