Review Security Access Reports                                 

Agency Security Officers must view security access reports at least quarterly to ensure that users’ accesses are commensurate with their job responsibilities. Agency Security Officers must also ensure at least quarterly that users’ accounts are assigned the least privileged access required to complete their job functions, and that users’ accesses enforce separation of duties. If separation of duties cannot be enforced, for example, due to limited staffing, Agency Security Officers should ensure that compensating controls, such as reports to monitor user activity, are in place.

If Agency Security Officers determine that access changes are required as a result of reviewing these reports, it is the Agency Security Officers’ responsibility to take the necessary action to request modification of the security access and keep accurate records of those changes (report distribution e-mails, security access request e-mails, etc.) as proof that as a result of the report review, the necessary access changes were made.

Several application access reports and inactive accounts reports can be found on the NFC Reporting Center. NFC is in the process of placing all Application Access Reports on the NFC Reporting Center. Application Access reports currently available include: IRIS, TINQ, PINQ, and PMSO