Review of Personal Property Management System and Practices for Calendar Year 2017
Develop and implement controls to ensure that the data entered into PMS and IFS is accurate and consistent with CPSC policies and procedures.
Develop procedures to review applicable regulations and laws on an annual basis in order to ensure the property management policies and procedures remain accurate and complete.
Perform and document a formal analysis on the PMS operating environment and system mission to determine the appropriate system categorization for PMS.
Upon a justifiable determination of the PMS system categorization, design, implement, and assess the PMS security controls and formally authorize PMS to operate in accordance with CPSC organizational security policies and procedures as well as other applicable government standards.
Establish and implement POA&M management procedures to ensure that all identified security weaknesses, including PMS application-specific and inherited control weaknesses, are fully documented and tracked.
Establish and implement POA&M management procedures to ensure that changes to estimated completion dates are documented and reflected in the POA&M tracker.
Estimated completion dates should be documented and reflected in the POA&M tracker.
Perform and document a formal analysis of PMS’s operating environment and system mission to determine the appropriate risk level categorization for PMS.
Upon a justifiable determination of PMS’s system categorization, design and implement standard procedures for requesting and approving user access to roles and resources in PMS.
Develop, approve, and implement procedures to ensure that standard users and administrators are included in the periodic review of PMS user access and that the custodian user access is validated appropriately when performing the review.
Update the PMS Internal Control Document, or equivalent documentation, to reflect PMS’s updated process.
Complete and document the periodic review for all PMS users in accordance with PMS’s updated procedures.
Perform and document a risk analysis to identify SoD conflicts that may exist between PMS and other CPSC systems.
Upon completion of the risk analysis, develop and implement procedures to ensure that CPSC users do not have unmonitored conflicting access across multiple systems.
Perform and document a risk analysis to identify potential SoD conflicts within PMS.
Upon the completion of the risk analysis noted above, management should develop and implement procedures that ensure PMS users do not have sufficient access to allow the unmonitored execution of incompatible transactions.
Update and implement configuration change management procedures that include requirements to perform and document quality control reviews.
Develop and implement procedures to log, track, and maintain a list of changes made to the PMS application.