NIST Administrative Manual, Subchapter 8.14
Transmittal Date - 9/26/01

SECURITY REVIEW AND AUTHORIZATION OF MAJOR
ACCOUNTING APPLICATIONS

Sections

8.14.01  Purpose

8.14.02  Scope

8.14.03  Policy

8.14.04  Definitions

8.14.05  Requirements

8.14.06  Responsibilities

8.14.07  References
 

8.14.01
PURPOSE
This subchapter discusses the periodic reviews of the security controls and the authorization for use of NIST’s major accounting applications.
 

8.14.02
SCOPE
This subchapter applies to NIST-Gaithersburg and NIST-Boulder.
 

8.14.03
POLICY
A security review of NIST’s major accounting applications will be performed and the major accounting applications will be authorized for use based on the results of the security review.
 

8.14.04
DEFINITIONS
a. Major Accounting Application – A financial application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application.

b. General Support System - An interconnected set of information resources under the same direct management control, which shares common functionality.  A system normally includes hardware, software, information, data, applications, communications, and people.
 

8.14.05
REQUIREMENTS
a. Review of the Security Controls – After any significant change or on an annual basis, a review of the security controls for each major accounting application must be performed.  Because of the risk involved, the review should be conducted independent of the manager responsible for the application.  The review should verify that responsibility for the security of the application has been assigned, that a viable security plan for the application is in place, and that the appropriate management official has authorized the processing of the application based on the results of the most recent review of the security controls.

b. Authorization for processing – At the conclusion of the review of the security controls, the major accounting application should be authorized, in writing, for processing by the management official responsible for the function supported by the application.  The authorization should confirm, based on the results of the most recent review of the security controls for the application, that the security plan for an application adequately secures the application.  It should also take into account the risks associated with the general support systems used by the application.  The authorization of the application implies management’s understanding and acceptance of the risk involved in operating the application.
 

8.14.06
RESPONSIBILITIES
a. Deputy Chief Financial Officer - The Deputy Chief Financial Officer will authorize the major accounting application(s) for processing based on the results of the review of the security controls performed by the NIST Computer Security Officer and the recommendation of the Financial Policy Division.

b. NIST Information Technology Security Officer – The NIST Information Technology Security Officer will perform an independent review of the security controls for the major accounting application(s) operated by the divisions within the NIST Director for Administration and Chief Financial Officer (DA/CFO).

c. Financial Management Systems Division - The Financial Management Systems Division will:

(1) Appoint a DA/CFO Computer Security Officer;

(2) Develop and maintain the documentation necessary to perform the required reviews of the security controls and the authorization; and

(3) Perform a computer security self-assessment and document the results.

d. Financial Policy Division – The Financial Policy Division will:

(1) Assist the DA/CFO Computer Security Officer with their responsibilities;

(2) Recommend to the Deputy Chief Financial Officer to authorize the accounting application for processing based on the most recent independent review of the security controls in accordance with Appendix III to OMB Circular No. A-130, Security of Federal Automated Information Resources, Section B.b.4; and

(3) Develop and implement corrective action plans to address any deficiencies detected in the review of the security controls.
 

8.14.07
REFERENCES
a. OMB Circular A-130, Security of Federal Automated Information Resources, Appendix III, Part A, Section 3, Paragraph b, Subparagraphs 3 and 4.

b. GAO Federal Information System Controls Audit Manual (FISCAM, GAO/AIMD-12.19.6), Chapter 3.1, SP-5.

c. NIST Special Publication 800-12, An Introduction to Computer Security:  The NIST Handbook.

d. NIST Special Publication 800-14, Generally Accepted Principles and Practices for Securing Information Technology Systems.

e. NIST Special Publication 800-18, Guide for Developing Security Plans for Information Technology Systems, Chapter 4.5.

f. NIST Special Publication 800-26, Security Self-Assessment Guide for IT Systems.

g. NIST Special Publication 800-30, Risk Management Guide.

h. Public Law 106-398, Government Information Security Reform Act (GISRA), Title X, Subtitle G of the 2001 Defense Authorization Act.


National Institute of Standards and Technology,
Office of the Director - Management and Organization Division
Questions concerning context, contact darla.yonder@nist.gov
Problems/Suggestions, contact gwenda.roberson@nist.gov
5/2008