Review Security Access Reports
Insurance Security Officers must view security access reports at least quarterly to ensure that users’ access is commensurate with their job responsibilities. Insurance Security Officers must also ensure at least quarterly that users’ accounts are assigned the least privileged access required to complete their job functions, and that users’ accesses enforce separation of duties. If separation of duties cannot be enforced, for example, due to limited staffing, Insurance Security Officers should ensure that compensating controls, such as reports to monitor user activity, are in place.
If Insurance Security Officers determine, after reviewing these reports, that access changes are required, they are responsible for taking the necessary action to request modification of the security access and for keeping accurate records of those changes (report distribution e-mails, security access request e-mails, etc.) as proof that the necessary access changes were made as a result of the report review.
If there are problems with a Security Access report after it has been delivered, the Agency Security Officer should contact the Security Systems Administration branch (SSAB) at SSAB@nfc.usda.gov.
Request Security Access Reports
Insurance Security Officers (ASO) may need to request security access reports outside of the normal distribution schedule. ASOs may also require reports on user activity, such as the dates that a user logged in, a user’s after-hours login times, etc.
Requests for Security Access Reports are submitted by Insurance Security Officers via ServiceNow Employee Self Service (ESS). Requests will be acknowledged upon receipt, and a follow-up response will be provided within five days by the ITS, Security Systems Administration Branch (SSAB). If SSAB cannot process a request, the requester will be informed that the request is being transferred to the appropriate department or staff. The individual to whom the request is being transferred and their contact information will also be provided.