The Information Assurance Office (IAO) is primarily responsible for User Account Management (UAM) services for external clients, internal users of the Oracle Federal Financials (OFF) major application, and also the internet Quarters Management Information System (iQMIS). The Security Point of Contact (SPOC) team manages user access and responsibility/role changes.
The IAO collaborates across IBC organizational boundaries to include the Department of the Interior’s Office of the Chief Information Officer (OCIO). Close collaboration and communication is essential to ensure pertinent system security documentation is reviewed, updated and maintained in DOI’s security documentation repository. IAO and the Information System Security Officers (ISSOs) annually participate in OCIO-led working sessions for annual security assessments and the resultant Security Assessment Report (SAR).
IAO responds to and prepares artifacts for Provided By Client (PBC) list items identified in the annual Statement on Standards for Attestation Engagements No. 18 (SSAE-18) audit engagements as pertains to OFF internal controls over application security. As needed, IAO also supports OCIO-led Federal Information Security Modernization Act of 2014 (FISMA) audit engagements. All other external audit engagements and Internal Control Reviews (ICRs), led by the IBC Audit Liaison Office (ALO), are supported as needed where requests pertain to application security.
IAO conducts and performs various continuous monitoring reviews, including quarterly user access reviews in collaboration with external client data custodians and internal FMD managers. This validates users in the system are current and responsibilities assigned are accurate and commensurate with their job duties. When the IAO User Management support staff receives a request to add new or additional user responsibilities the UM support person reviews the Segregation of Duties (SOD) matrix to determine that granting the requested roles will not result in and SOD violation. On a weekly basis, the IAO generates a report using ConfigSnapShot software to validate (a detective internal control) that no SOD violations that have occurred. The IAO also collaborates with functional staff to stay informed of any changes to responsibilities in the system. The SOD Matrix is shared with other Financial Management Directorate managers for internal use and business support upon request.
In summary, the IAO, in close collaboration with key stakeholders, is dedicated to ensure system user access controls are configured and in compliance with Federal Information Security Modernization Act of 2014 (FISMA) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 standards. Lastly, IAO stays informed of current DOI organization-defined security standards, in particular those pertinent to access controls, via participation in monthly DOI-wide IT Security policy working group meetings.