Testimony given by John R. Dyer, Executive Director to the Deputy
Commissioner and Chief Information Officer, on the "Status of Computer
Security at Federal Departments and Agencies"
September 11, 2000
Hearing held before the Government Reform Committee, Subcommittee on
Government, Management, Information, and Technology
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting me here today to discuss computer security at
the Social Security Administration (SSA). We appreciate this
subcommittee's interest in systems security and agree that system security
is critical in today's environment.
At the outset, let me emphasize that SSA has always taken its
responsibility to protect the privacy of personal information in Agency
files very seriously. The Social Security Board's first regulation,
published in 1937, dealt with the confidentiality of SSA records. For 65
years, SSA has honored its commitment to the American people to maintain
the confidentiality of the records in our possession. We understand in
order to address privacy concerns we need a strong computer security
program in place.
Modern computer security requires the implementation of sophisticated
software and control of access to the system. SSA uses state of the art
software that carefully restricts any user access to data except for its
intended use. Using this software, only persons with a "need to know" to
perform a particular job function are approved and granted access. Our
systems controls not only register and record access, but also determine
what functions a person can do once access is authorized. SSA security
personnel assign a computer-generated personal identification number and
an initial password to persons who are approved for access (the person
must change the password every 30 days). This allows SSA to audit and
monitor the actions individual employees take when using the system. These
same systems provide a means to investigate allegations of misuse and have
been crucial in prosecuting employees who misuse their authority.
Today, I would like to discuss where we are with computer security and
what improvements we are making. SSA approaches computer security on an
entity wide basis. By doing so, we address all aspects of the SSA
enterprise.
Enterprise-wide Security
Overall, the Chief Information Officer (CIO), who reports directly to
the Commissioner and the Deputy Commissioner, is responsible for
information system security. In my role as CIO, I assure that our
initiatives are enterprise wide in scope. At the Deputy Commissioner
level, SSA's Chief Financial Officer assures that all new systems have
the required financial controls to maintain sound stewardship over the
monies entrusted to our care. We also have placed our systems security
policy function with this Deputy Commissioner.
In order to meet the challenges of data security in today's highly
technological environment, the Agency has adopted an enterprise-wide
approach to systems security, financial information, data integrity, and
prevention of fraud, waste, and abuse. We have full-time staff devoted to
systems security stationed throughout the Agency, in all regions and in
central office. We have established centers for security and integrity in
each SSA region. They provide day to day oversight and control over our
computer software. In addition, we have a Deputy Commissioner-level Office
of Systems which supports the operating system, develops new software and
the related controls and, in general, assures that SSA is taking advantage
of the latest in effective systems technology.
SSA has been certifying its sensitive systems since the original OMB
requirement was published in 1991. Our process requires Deputy
Commissioners responsible for those systems to accredit them. SSA's
planning and certification activity is now in full compliance with NIST
800-18 guidance.
SSA's sensitive systems include all programmatic systems needed to
support programs administered by the Agency as well as critical personnel
functions. They also include the network and the system used to monitor
SSA's data center operations.
As an independent agency, we have our own Inspector General (IG) who
can focus his efforts on the agency's needs and concerns. The IG is also
very active in working with other Federal, State and local law enforcement
agencies to assure all avenues for investigation and prosecution are being
pursued, especially for systems security-related issues.
In summary, we have in place the right authorities, the right
personnel, and the right software controls to prevent penetration of our
systems and to address systems security issues as they surface.
Information Systems Security Plan
As I mentioned, SSA has maintained an information system security
program for many years. Its key components, such as deploying new security
technology, integrating security into the business process, and performing
self assessments of our security infrastructure, to name a few, describe
goals and objectives that will touch every SSA employee.
Of particular importance this year are the activities related to the
Presidential Decision Directives (PDD-63) on infrastructure protection and
continuity of operations. We have recently completed an evaluation of all
critical SSA assets. I'm pleased to note that SSA was one of the first
Agencies to do so.
Originally, SSA was not one of the Tier I agencies. But given the
importance of ongoing monthly payments we have been elevated to that level
by the critical infrastructure assurance office.
As part of this effort we have completed an inventory of all critical
assets and implemented an incident response process for computer
incidents. We have also revised our physical security plans to assure our
facilities are properly secured. Recently, we were one of the key agencies
that evaluated the CIO Council's "maturity" model. This will help us
compare where we are with industry standards overall.
Ongoing Monitoring and Assessment
Our independent auditor, Pricewaterhouse Coopers, has evaluated our
security program each of the last 4 years. They have given us many
recommendations to strengthen our security program and we have implemented
77 percent of their recommendations. We are addressing the remainder at
this time. The remaining recommendations involve longer timeframes to
implement. They will be completed on a flow basis; we anticipate all will
be completed by the end of the next fiscal year.
In addition, SSA has its own formal program of onsite reviews and
corrective action. We also use an independent contractor, Deloitte and
Touche, to review our systems and overall management of the program. All
of this is tracked at the highest levels through an executive internal
control committee which I chair and has membership of the Inspector
General and key deputies.
Zero Tolerance for Fraud
Finally, I also want to state that we have a zero tolerance at SSA for
fraud, waste, and abuse. We believe that our zero tolerance policy has
paid off, as evidenced by the fact that almost all of the recommendations
made to the Agency by independent auditors in recent years have been of a
pre-emptive nature as opposed to a remedy for any actual abuse.
Nonetheless, when we have evidence of an abuse of system privileges,
addressing the matter is a number one priority of the Agency.
On June 22, 1998, Commissioner Apfel issued a notice to all SSA
employees about administrative sanctions to be taken against any SSA
employee who abuses his or her systems privileges. The penalties are
severe and will lead to termination of employment for any offense that
involves selling data. On March 2, 2000 this notice was revised and
updated to make it even more relevant to employees.
SSA's IG is committed to the investigation and prosecution of every
employee abuse case that is identified. Many of the SSA employee cases
turned over to the IG for investigation were first discovered by the
Social Security Administration itself. We must keep in mind that
overwhelmingly SSA employees are honest, hardworking people.
Contingency
In order to ensure that our mission critical systems are up and
running, we have a solid contingency plan in place. In August 2000, we
completed a successful test of all SSA critical systems. Also, SSA has in
place a hotsite as backup for its critical operations. These are
recommendations that Pricewaterhouse Coopers thought it was important for
us to complete.
Recent status by PwC noted substantial progress in this area. No new
issues were identified as a result of this year's review. We believe all
issues have been resolved, but are awaiting PwC's final report.
Moving Away from Mainframe Systems
I want to come back to the broader concerns. Addressing systems
security is, and always will be, first of all, a high priority for SSA. By
design, the Agency has used a system architecture that relied almost
exclusively on mainframe systems and centralized databases. With this
architecture we are able to more tightly control computer security than
those Agencies who are faced with large numbers of local and/or
distributed systems.
As SSA, in the increasingly technological environment, moves away from
the mainframe environment to more distributed systems, we carefully
consider, at every step of the process, how to build in security features.
We have taken a number of steps to ensure that these new systems are as
secure as possible.
We are on constant alert to identify both intrusion detection and
denial-of-service type attacks. SSA's firewall team uses various services
that list current hacker activity in order to identify the different types
of attacks and how to respond and avoid them. SSA uses various filters on
our routers to deny these specific attacks.
We have supported and will continue to support the independent audit of
our financial statements. We have supported the auditors' detailed testing
of SSA's systems. We work with the various oversight bodies, the General
Accounting Office and the IG, for example, to review what we are doing and
identify any issues they believe we need to address. Only in this way can
we be assured SSA is getting all the advice that is available to us, and
doing its utmost to maintain the security of our computer systems, and the
data they contain.
New Emerging Concerns
We are well aware of the daily stories about new viruses, hackers, and
security breaches and have taken both preventive and enforcement actions
to protect information in Social Security files from any wrongful use by
our own employees and from any unauthorized access by outsiders. Mr.
Chairman, SSA takes a very proactive approach to identify hacker activity
and adopt the proper defensive posture to prevent interruption to SSA's
website services. We use state-of-the-art technology to protect our
network. We are on constant alert to identify both intrusion detection and
denial-of-service types of attacks. SSA's network is monitored 24 hours a
day, not only by SSA technicians but also by contract services.
This is not to say that we are resting on our laurels. We constantly
reevaluate and, when necessary, upgrade the security features necessary to
maintain the public's confidence that our systems are secure. Computer
security is a top management priority.
When Social Security first became independent in 1995, and had its own
IG for the first time devoted only to SSA's activities, the Commissioner
asked the IG to make employee integrity the number one issue and the IG
has done so. SSA has consistently asked for additional resources for the
IG and received support from Congress for those requests.
Conclusion
In conclusion, Mr. Chairman, the Social Security Administration has a
long-standing tradition of assuring the public that their personal records
are secure. Both the Commissioner and the Deputy Commissioner give systems
security their highest priority. We all recognize that this is not a
one-time task to be accomplished, but rather is an ongoing mission we can
never lose sight of. We know we cannot rest on past practice, but must be
vigilant in every way we can to assure that these personal records remain
secure, and that public confidence in SSA is maintained.
I want to thank the Subcommittee for holding this hearing and focusing
on what we all view as a critical issue. We are glad to know that the
Congress shares our concerns, and we will work with the Subcommittee to
assure the American people that we are doing all we can to maintain the
security of our computer operations. I will be happy to answer any
questions you may have.