SSA's systems access policy is built on the principles of least privilege and need-to-know. Controlling and limiting systems access to the Agency's information systems and resources is the first line of defense in assuring the confidentiality, integrity, and availability of the Agency's information technology resources.
In this report, we sought to determine whether:
- Security profiles assigned to disability determination services (DDS) employees provide access to SSA data they do not need;
- terminated DDS employees continue to have access to SSA systems;
- and DDSs have an appropriate process for requiring and approving access to SSA systems.