ACES - SAFEGUARDING

Plan for Safeguarding against Waste, Fraud, and Abuse for ACES Task Orders

OVERVIEW

Digital Signature Trust Co. ("DST") shall vigorously endeavor to avoid waste, fraud and abuse in the implementation of Task Order awards issued under the ACES contract. DST's plan includes controls to reasonably ensure that:

  Laws and regulations are followed
  Time and expenses are accurately reported and accounted for in accordance with applicable standards
  Employees and agents use company and government assets and equipment with the utmost care and only for authorized purposes
  Resources are used consistent with Task Order and agency mission
  The Waste, Fraud, and Abuse Plan is implemented in accordance with OMB-123
  Any detection of unauthorized intrusions or evidence of waste, fraud, or abuse is immediately reported to the PCO and GSA ACO
  Employees, agents, and subcontractors adhere to all rules, policies, and procedures outlined in the DST Employee Handbook, the DST SSP, the DST Privacy Policy, the DST Incident Response Guide, and other corporate policies and procedures

DEFINITIONS

The term:
  1. "adequate security" means security commensurate with the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of information. This includes assuring that systems and applications used operate effectively and provide appropriate confidentiality, integrity, and availability, through the use of cost-effective management, personnel, operational, and technical controls.
  2. means the use of information resources (information and information technology) to satisfy a specific set of user requirements.
  3. "general support system" or "system" means an interconnected set of information resources under the same direct management control which shares common functionality. A system normally includes hardware, software, information, data, applications, communications, and people. A system can be, for example, a local area network (LAN) including smart terminals that supports a branch office, an agency-wide backbone, a communications network, a departmental data processing center including its operating system and utilities, a tactical radio network, or a shared information processing service organization (IPSO).
  4. "major application" means an application that requires special attention to security due to the risk and magnitude of the harm resulting from the loss, misuse, or unauthorized access to or modification of the information in the application. Note: All Federal applications require some level of protection. Certain applications, because of the information in them, however, require special management oversight and should be treated as major. Adequate security for other applications should be provided by security of the systems in which they operate.

SPECIFIC CONTROLS

1. Management Controls
As a subsidiary of Zions Bank ("Zions"), DST has implemented and complies with all of the bank's and bank holding company's corporate directives. This overarching set of policies combines to meet DST's obligation to detect and prevent waste, fraud, and abuse. DST's policies pertaining to security and prevention of waste, fraud, and abuse are integrated into all aspects of the company's operations and are reflected in various DST and Zions Bank documents, including its employee handbooks, its SSP, its Privacy Policy, its Response Guide, the ACES contract, and the DST CPS. Upon award of a Task Order to DST, a Task Order specific organization meeting shall occur wherein a Task Manager will be appointed. The Task Manager shall establish an appropriate organizational structure to effectively carry out program responsibilities in accordance with applicable laws, regulations, and policies. The Task Manager of each Task Order shall:
  a. Have primary responsibility for managing TO information resources
  b. Ensure that the information policies, principles, standards, guidelines, rules, and regulations prescribed by this Plan are implemented appropriately
  c. Develop internal TO information policies and procedures and oversee, evaluate, and otherwise periodically review TO information resources management activities for conformity with the policies set forth in this Plan
  d. Develop TO policies and procedures that provide for timely acquisition of required information technology
  e. Implement and enforce applicable records management policies and procedures, including requirements for archiving information maintained in electronic format, particularly in the planning, design and operation of information systems
  f. Identify statutory, regulatory, and other impediments to efficient management of TO information resources and recommend legislation, policies, procedures, and other guidance to improve such management

2. Automated Information Security Programs
Task Managers shall implement and maintain a program to assure that adequate security is provided for all agency information collected, processed, transmitted, stored, or disseminated in general support systems and major applications.

Each Task Manager's program shall implement the policies, standards, and procedures which are consistent with DST rules and policies and this Plan, as well as the government-wide policies, standards, and procedures issued by the Office of Management and Budget, the Department of Commerce, the General Services Administration, the Office of Personnel Management (OPM), and the specific agency involved. At a minimum, Task Managers' programs shall include the following controls in their general support systems and major applications:

Controls for general support systems.
  1. Assign Responsibility for Security. Assign responsibility for security in each system to an individual knowledgeable in the information technology used in the system and in providing security for such technology.
  2. Comply with the System Security Plan. Plan for adequate security of each general support system as part of the organization's information resources management (IRM) planning process.
  3. Review of Security Controls. Review the security controls in each system when significant modifications are made to the system, but at least every six months. The scope and frequency of the review should be commensurate with the acceptable level of risk for the system.
  4. Authorize Processing. Ensure that a management official authorizes in writing the use of each general support system based on implementation of its security plan before beginning or significantly changing processing in the system. Use of the system shall be re-authorized at least every year.

Controls for Major Applications.
  1. Assign Responsibility for Security. Assign responsibility for security of each major application to a management official knowledgeable in the nature of the information and process supported by the application and in the management, personnel, operational, and technical controls used to protect it. This official shall assure that effective security products and techniques are appropriately used in the application and shall be contacted when a security incident occurs concerning the application.
  2. Comply with the Security Plan. Plan for the adequate security of each major application, taking into account the security of all systems in which the application will operate. The plan shall be consistent with guidance issued by this Plan and NIST. Advice and comment on the plan shall be solicited from the official responsible for security in the primary system in which the application will operate prior to the plan's implementation.
  3. Review of Application Controls. Perform an independent review or audit of the security controls in each application at least every six months.
  4. Authorize Processing. Ensure that a management official authorizes in writing use of the application by confirming that its security plan as implemented adequately secures the application. Results of the most recent review or audit of controls shall be a factor in management authorizations. The application must be authorized prior to operating and re-authorized at least every year thereafter. Management authorization implies accepting the risk of each system used by the application.

3. Segregation of Duties
Key duties and responsibilities in authorizing, processing, recording, and reviewing transactions shall be divided among separate individuals to provide a system of checks and balances. Management shall exercise oversight to ensure individuals do not exceed or abuse their assigned authorities.

4. Access to Resources
Access to resources, records, and equipment shall be limited to authorized individuals for authorized purposes. A system of accountability, recording and custody shall be assigned and maintained. Management shall exercise oversight to ensure proper accounting and maintenance.

5. Record Keeping
Transactions, expenses, and time shall be promptly recorded, properly classified and accounted for by all individuals. Such records shall be forwarded to management who shall prepare timely accounts and maintain reliable financial and other reports. Supporting documentation for all transactions, management controls, and significant events shall be clear and readily available for examination.

6. Resolution of Deficiencies
All individuals are encouraged to report any indications of waste, fraud, abuse, or mismanagement to a member of the management team. The management team shall promptly investigate and evaluate all claims and shall create a report of all findings. Management shall determine proper actions in response to deficiencies discovered through investigation of claims or through regular oversight and audit reports. Management shall complete all actions that correct or otherwise resolve the matters brought to its attention in a timely fashion. Management's responsive action may include suspension or termination of employees or agents, suspension or termination of subcontracts, or other disciplinary action.

© 2008 IdenTrust Inc. All Rights Reserved