ML18320A073

OIG-13-A-16-Status of Recommendations: Audit of Nrc'S Safeguards Information Local Area Network and Electronic Safe Dated November 16, 2018
ML18320A073
Person / Time
Issue date: 11/16/2018
From: Baker B
NRC/OIG/AIGA
To: Margaret Doane
NRC/EDO
References
OIG-13-A-16


Text

UNITED STATES NUCLEAR REGULATORY COMMISSION
WASHINGTON, D.C. 20555-0001
OFFICE OF THE INSPECTOR GENERAL

November 16, 2018

MEMORANDUM TO: Margaret M. Doane
Executive Director for Operations

FROM: Dr. Brett M. Baker /RA/
Assistant Inspector General for Audits

SUBJECT: STATUS OF RECOMMENDATIONS: AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE (OIG-13-A-16)

REFERENCE: CHIEF INFORMATION OFFICER MEMORANDUM DATED OCTOBER 24, 2018

Attached is the Office of the Inspector General's (OIG) analysis and status of recommendations 3 and 7 as discussed in the agency's response dated October 24, 2018.

Based on this response, recommendations 3 and 7 remain in resolved status.

Recommendations 1, 2, 4, 5 and 6 were closed previously. Please provide an updated status of the resolved recommendations by October 31, 2019.

If you have any questions or concerns, please call me at (301) 415-5915 or Eric Rivera, Team Leader, at (301) 415-7032.

Attachment: As stated

cc: R. Lewis, OEDO
H. Rasouli, OEDO
J. Jolicoeur, OEDO
J. Bowen, OEDO
EDO_ACS Distribution

Audit Report
AUDIT OF NRC'S SAFEGUARDS INFORMATION LOCAL AREA NETWORK AND ELECTRONIC SAFE
OIG-13-A-16
Status of Recommendations

Recommendation 3: Evaluate and update the current folder structure to meet user needs.

Agency Response Dated October 24, 2018: The Safeguards Information Local Area Network and Electronic Safe (SLES) team has recently completed the modernization of the SLES system, which has been well received. This included an upgrade of the virtual desktop interface and all applications used by SLES staff, as well as upgrading to new and more robust thin clients. OCIO has reached out to the Office of Nuclear Security and Incident Response (NSIR) to transfer the lead for Recommendations 3 and 7 to NSIR as the primary Subject Matter Experts (SMEs). As the SMEs, NSIR will lead the folder structure evaluation, with OCIO providing technical support and advice on how this will impact Documentum and folder security.

Due to the complexity of Documentum and the underlying database for SLES, changes to the folder structure will have to take place in a careful and methodical manner since the folder structure is used to provide document access and Safeguards Information (SGI) to users. Once NSIR has outlined a new folder structure in accordance with Documentum best practices, OCIO will implement this in the test environment. OCIO will ensure that the folder security has not been impacted and that users are still granted least privilege to SGI. Once the structure is validated in the test environment, the new folder structure and database will need to be deployed to the production and failover environments. The development and deployment of this solution thus will occur in three environments.

Target Completion Date: September 30, 2019

OIG Analysis: The proposed action meets the intent of the recommendation.

This recommendation will be closed when OIG is provided with documentation verifying that the current folder structure has been evaluated and updated to meet user needs.

Status: Resolved.


Recommendation 7: Develop a structured access process that is consistent with the SGI need-to-know requirement and least privilege principle.

This should include:

- Establishing folder owners within SLES and providing the owners the authority to approve the need-to-know authorization (as opposed to branch chiefs).
- Conducting periodic reviews of user access to folders.
- Developing a standard process to grant user access.

Agency Response Dated October 24, 2018: The OCIO and the Office of Nuclear Security and Incident Response are currently developing a process for structured access to the SGI documents in SLES that is consistent with the SGI need-to-know requirement and least privilege principle.

The OCIO is also evaluating a proposition for managing document security at the document level in addition to folder-level security.

Completion of Recommendation 7 is dependent upon implementation of the new folder structure. Both NSIR and OCIO propose that the completion of Recommendation 7 be deferred until the new folder structure is completely implemented. This will enable NSIR and OCIO to determine the new folder structure most suitable to the user community and ensure that the folder structure provides least privilege access to SGI. In the interim, the NSIR SGI Program Manager has assumed ownership of the existing folders and makes a need-to-know determination on a case-by-case basis for expanded access to folders. Upon implementation of the new folder structure, and possibly identification of new folder owners, NSIR and OCIO will address the three sub-bullets in a more detailed manner that is consistent with the intent of the recommendation.

Target Completion Date: September 30, 2020

Recommendation 7 (cont.):

OIG Analysis: The proposed action meets the intent of the recommendation.

This recommendation will be closed when OIG evaluates the structured access process and determines (1) it is consistent with the SGI need-to-know requirement and least privilege principle, and (2) it addresses the three sub-bullets noted in the recommendation.

Status: Resolved.
