IVO Date Completed: 10/2021
Department of State IVO users, system administrators, database administrators and the
security administrator have access to data in the system based on their prescribed roles
and duties approved by the supervisor.
IVO users: Department of State IVO users consist of DoS post users and IVO
headquarters management. These users facilitate, adjudicate, and process visa requests
for immigrants applying for visas to come to the United States.
Security administrators: The Security Administrators are responsible for managing
the security features of IVO, including their proper activation, maintenance, and
use on the system.
System administrators: System Administrators are responsible for all daily
maintenance.
Database administrators: Database Administrators (DBAs) are responsible for
updating reference tables within the application. Responsibilities include daily
maintenance, upgrades, patches/hotfixes, and database configuration.
(c) Describe the procedures established to limit system and data access to only those
individuals who have an “official” need to access the information in their work
capacity.
Separation of duties and least privilege access are employed; users have access to only
the data that the supervisor and local Information System Security Officers (ISSOs)
approve to perform official duties. Access is role-based, and the user is granted only the
role(s) required to perform officially assigned duties.
Least privilege means the restrictive rights, privileges, or access that users need to
perform specified tasks. The Department of State ensures through least-privilege principles
that users who must access records containing PII only have access to the minimum
amount of PII, along with only those privileges (e.g., read, write, execute) necessary to
perform their job duties. Users are uniquely identified and authenticated before accessing
PII.
(d) How is access to data in the system determined for each role identified above?
Access to data for the user roles listed in 8(b) is based on the position, role, and need to
perform officially assigned duties as described. Supervisors and the local ISSO must
approve access to IVO based on the specific role and level of security of information and
personnel. Once personnel leave the project, their access to IVO is terminated.
(e) What monitoring, recording, auditing safeguards, and other controls are in place to
prevent the misuse of the information?
The CA System Manager and CA ISSO, in conjunction with the CA Security team, periodically
scan and monitor information systems for compliance with Department of State Security