DPAS SCR: 01818



  • SCR Number
    01818
  • Title
    Retroactive User Activity
  • DPAS Module
    Enterprise
  • Reporting Organization
    Leidos
  • State
    Done
  • History
    Submitted 09/22/2022
  • Description
    Description:
    Control activity 2.7 states “DLA Information Operations conducts an annual review of individuals with privileged operating system and database access and DPAS application security and admin user type access. The results of these annual reviews are documented, retained, and inappropriate access is removed. User Account Activity Logs are reviewed for accounts found to have inappropriate access, which is addressed in CA 2.10.”
    • DPAS management does not retain evidence that demonstrates that the data used in the performance of the annual review of security and admin users is complete and accurate (i.e., screenshots of the parameters/query used to produce the listing in its entirety prior to execution within the query tool itself, screenshots of the row count within the query tool prior to extraction to demonstrate data wasn't lost or modified in transfer, etc.). Therefore, EY was unable to determine whether the data that was used in the performance of the annual access review of security and admin user types was complete and accurate. DPAS management is also not properly monitoring that all security and admin type users are properly reviewed. For users identified as requiring access to be removed during the annual review of privileged operating system and database access, as well as DPAS application security and admin user type access, DPAS management has not established a process to:
    • Identify the length of time users had access but did not require it commensurate with their job responsibilities; and
    • Analyze the activity for these users for that length of time, depending on the nature and risk of the roles held by the users (privileged, elevated-risk roles as identified by management).
     
    Control activity 2.8 states: “DPAS PMO requires all IO/AIOs to submit an annual user review report. DPAS PMO performs user account maintenance based on this report. If no report is received by DPAS PMO by the designated due date, all accounts associated with the IO/AIO are deactivated.”
    • DPAS management is not properly monitoring the user entity-performed access reviews. Specifically, management is not verifying the completeness and accuracy of the user listings that are used in the performance of the reviews. Also, DPAS management does not perform a comprehensive retroactive review of activity for users identified with inappropriate access during each application user access review performed by management or the user entity. Further, in their access reviews, management has not established a process to:
    • Identify the length of time users had access but did not require it commensurate with their job responsibilities; and
    • Analyze the activity for these users for that length of time, depending on the nature and risk of the roles held by the users (privileged, elevated-risk roles as identified by management).
    • DPAS management also does not have a process in place to properly monitor that the user entities are ensuring that all users that have access are properly reviewed.

    Recommended:
    Develop a stored procedure that can be used by DBAs to support retroactive user activity requests from IO/AIOs.
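    The following is an added illustration of what such a stored procedure could look like; it is not DPAS or Leidos code. The table and column names (user_role_hist, user_activity_log), the PostgreSQL/PL dialect, and the sample user ID and role name in the usage query are all assumptions, to be replaced with the real DPAS schema and DBMS. Given a user and a role, it computes the window during which the access was held but not required (from the date the IO/AIO says the access stopped being required, or from the grant date if that is unknown, until revocation or the review date), reports the length of that window in days, and returns every activity-log row that falls inside it. Intervals with no activity are still returned as a single row with empty log columns, since "no activity" is itself a finding the reviewer needs to record.

```sql
-- Added example, not DPAS code. Assumed hypothetical schema:
--   user_role_hist(user_id, role_name, granted_dt, revoked_dt)   -- revoked_dt IS NULL while still held
--   user_activity_log(log_id, user_id, event_ts, event_type, object_ref, detail)
-- Dialect: PostgreSQL (assumption); adapt to the DPAS DBMS.

CREATE OR REPLACE FUNCTION retro_user_activity(
    p_user_id           bigint,
    p_role_name         text,
    p_not_required_from timestamptz DEFAULT NULL,   -- when the access stopped being required (if known)
    p_review_dt         timestamptz DEFAULT now()   -- date the reviewer flagged the access
)
RETURNS TABLE (
    user_id      bigint,
    role_name    text,
    window_start timestamptz,
    window_end   timestamptz,
    days_held    integer,
    log_id       bigint,
    event_ts     timestamptz,
    event_type   text,
    object_ref   text,
    detail       text
)
LANGUAGE sql STABLE AS $$
    WITH win AS (
        -- One row per grant interval: a role may have been granted and revoked more than once.
        -- If the IO/AIO cannot say when the access stopped being required, the whole
        -- interval is in scope (worst case), which is the conservative reading for the audit.
        SELECT h.user_id,
               h.role_name,
               GREATEST(h.granted_dt, COALESCE(p_not_required_from, h.granted_dt)) AS window_start,
               COALESCE(h.revoked_dt, p_review_dt)                                  AS window_end
          FROM user_role_hist h
         WHERE h.user_id   = p_user_id
           AND h.role_name = p_role_name
    )
    SELECT w.user_id,
           w.role_name,
           w.window_start,
           w.window_end,
           GREATEST(0, w.window_end::date - w.window_start::date) AS days_held,
           l.log_id, l.event_ts, l.event_type, l.object_ref, l.detail
      FROM win w
      LEFT JOIN user_activity_log l            -- LEFT JOIN keeps intervals with zero activity
        ON l.user_id  = w.user_id
       AND l.event_ts >= w.window_start
       AND l.event_ts <  w.window_end
     ORDER BY w.window_start, l.event_ts;
$$;

-- Completeness/accuracy evidence for the retained extract (addresses the audit
-- point about row counts captured before extraction). Run this in the query tool
-- before exporting, and retain the parameters, the row count and the digest with
-- the review package; re-computing both over the delivered file must match.
-- User ID 1042 and role SECURITY_ADMIN are constructed sample values.
SELECT count(*)                                                AS row_count,
       md5(string_agg(r::text, E'\n' ORDER BY r.event_ts, r.log_id)) AS extract_digest
  FROM retro_user_activity(1042, 'SECURITY_ADMIN', NULL, TIMESTAMPTZ '2022-09-01') AS r;
```

Because the function is STABLE and parameterised, the DBA can hand the IO/AIO the exact call used (parameters included) alongside the count and digest, which is the evidence the finding says was missing. The digest is computed over the ordered rows, so a re-run on the same data and parameters reproduces it, while any row lost or altered in transfer changes it.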
     
    Mission Critical:
    Mandated - This SCR is required to resolve an NFR in the FY22 SSAE audit.
     
    Benefits:
    Passing the next SSAE audit.  
     
    Users:
    This process will be used mainly by the DBAs to support IO/AIO requests.
     
     

    Completed – Release 2022.2.2 – 23 September 2022