The Information Assurance staff is responsible for User Account Management (UAM) services for external clients and internal users of the Oracle Federal Financials (OFF) and the internet Quarters Management Information System (iQMIS).
The Security Point of Contact (SPOC) team manages user access and responsibility/role changes.
They collaborate across IBC organizational boundaries to include the Department of the Interior’s Office of the Chief Information Officer (OCIO). Close collaboration and communication are essential to ensure pertinent system security documentation is reviewed, updated and maintained in DOI’s security documentation repository. The Information Assurance staff and the Information System Security Officers (ISSOs) participate in OCIO-led working sessions for annual security assessments and the resultant Security Assessment Report (SAR).
The Information Assurance staff responds to and prepares artifacts for Provided By Client (PBC) list items identified in the annual Statement on Standards for Attestation Engagements No. 18 (SSAE-18) audit engagements as they pertain to OFF internal controls over application security. As needed, they also support OCIO-led Federal Information Security Modernization Act of 2014 (FISMA) audit engagements. All other external audit engagements and Internal Control Reviews (ICRs), led by the IBC Audit Liaison team, are supported as needed where requests pertain to application security.
The Information Assurance staff performs various continuous monitoring reviews, including quarterly user access reviews in collaboration with external client data custodians and internal Financial Management Directorate managers. These reviews validate that users in the system are current and that the responsibilities assigned are accurate and commensurate with their job duties. When the User Management support team receives a request to add new or additional user responsibilities, the UM support person reviews the Segregation of Duties (SOD) matrix to determine that granting the requested roles will not result in an SOD violation. On a weekly basis, the Information Assurance staff generates a report using ConfigSnapShot software to validate, as a detective internal control, that no SOD violations have occurred. The IAO also collaborates with functional staff to stay informed of any changes to responsibilities in the system. The SOD Matrix is shared with other FMD managers for internal use and business support upon request.
In summary, the Information Assurance staff, in close collaboration with key stakeholders, is dedicated to ensuring system user access controls are configured and in compliance with Federal Information Security Modernization Act of 2014 (FISMA) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 standards. Lastly, the Information Assurance staff stays informed of current DOI organization-defined security standards, in particular those pertinent to access controls, via participation in monthly DOI-wide IT Security policy working group meetings.