A vendor that provides IT solutions and/or services to end users and organizations.
What is a service provider?
Provides guidance to Federal Managers on improving the accountability and effectiveness of Federal programs and operations by identifying and managing risks and by establishing requirements to assess, correct, and report on the effectiveness of internal controls.
What is the A-123 Assessment?
A control objective where activities and monitoring of third-party providers and customers are developed.
What is security monitoring?
The act or process of remedying deficiencies.
What is remediation?
The program office responsible for partnering with OCIO to establish data analysis and system solutions, to effectively administer HR data, information, programs, and services.
Who is Systems, Analytics and Information Division (SAID)?
The Office of Personnel Management (OPM)-certified Human Resources (HR) Shared Service Center (SSC) provider for WebTA, EmpowHR, and NFC, PPS.
What is USDA, National Finance Center?
Systems that require additional management accountability to ensure effective internal controls exist over financial reporting.
What are CFO Designated Systems?
A control objective where system identifications are unique to each user and in compliance with DHS 4300A (Sensitive Systems Handbook, Section 5.1).
What is access control?
A plan that describes remedial activities for ITGC deficiencies.
What is a remediation work plan?
The vendor/service provider that FEMA OCCHCO contracts with directly for the FedHR Navigator system.
What is Econsys?
A formal document in which Components state their commitment to improving the state of their IT controls environments.
What is an IT Commitment Letter?
A control objective where accounts are deactivated or removed for terminated individuals when notification is received that the individual has been reassigned or terminated.
What is account management?
A document in the security authorization package used for continuous monitoring of control activities that is often confused with a remediation plan.
What is a POA&M?
A report on controls at a service organization relevant to User Entities' internal control over financial reporting (ICFR).
What is a SOC 1 report?
Information systems that are outside of the authorization boundary for which organizations typically have no direct supervision and authority over the application of required security controls or the assessment of control effectiveness.
What are external information systems?
Control objectives where account approval and authorization consider level of access (i.e., roles, permissions being assigned), principle of least privilege, and segregation of duties.
What is access control and account management?
January-March.
What is the timeframe for remediation before the next audit cycle begins?
The process for reviewing the SOC 1 report in order to monitor the external service organization and/or applicable systems.
What is service provider monitoring?
WebTA, NFC, PPS, and EmpowHR.
What are the third-party external information systems at FEMA OCCHCO?
A control objective where incompatible roles, permissions, activities and transactions are identified for the system.
What is segregation of duties?
A finding that was identified in the previous independent audit for which a corrective action has not been completed as planned.
What is a repeat finding?