Testimony of Deputy Commissioner Lockhart Before the
House Committee on Government Reform, Subcommittee on Government
Efficiency, Financial Management and Intergovernmental Relations on
"Computer Security: How the Agencies Rate"
November 19, 2002
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting me here today in my first appearance before this
subcommittee to discuss computer security at the Social Security
Administration (SSA). Commissioner Barnhart and I appreciate your interest
in systems security, which is a critical issue. She has made service and
stewardship key elements of our strategy to effectively administer our
programs; systems security is a key stewardship element and it requires
continuous improvement, a "24 x 7" mentality.
SSA has always recognized the importance of protecting the privacy of
the people we serve and ensuring the integrity and accuracy of the records
we keep and the payments we make. The Social Security Board's first
regulation, published in 1937, dealt with the confidentiality of SSA
records. For more than 65 years, SSA has honored its commitment to the
American people to maintain the confidentiality of our records. A natural
outgrowth of our emphasis on privacy is a strong commitment to computer
security.
We at SSA clearly recognize that the information technology environment
is one of constant change due to rapid progress in systems technology and
systems security issues that are generated as a result. We continue to be
proactive and forward looking in meeting the challenges of this
ever-changing environment. We routinely interface with other government
agencies and with private and public information technology specialists,
to ensure that we stay ahead of developments in this rapidly expanding
field.
Building on this strong foundation, I believe we have made significant
strides this year in putting in place additional safeguards that will
strengthen the security of the information SSA processes and maintains.
Today I would like to discuss those safeguards.
Security is a Management Function, Not a Technical Issue
We recognize that creating an effective security program is a
management function, and not simply an issue of technical implementation.
It demands the attention of our top management. During the course of the
last year, Commissioner Barnhart has taken steps to ensure that
information security is receiving this level of attention in order to
emphasize the importance of making this a priority for every Agency
employee. Information security has been made a routine agenda item for the
executive staff and has been incorporated into other processes that
routinely receive executive-level attention.
Most importantly, information security responsibilities have been
realigned to bring the Chief Security Officer under the auspices of SSA's
Chief Information Officer (CIO). The Chief Security Officer is responsible
for setting Agency policy for information security and for leading and
coordinating information technology (IT) physical security policy. The IT
budget has also been moved directly under the CIO.
Earlier this month, Commissioner Barnhart announced the appointment of
Thomas Hughes as the new CIO for the Agency. Mr. Hughes has an extensive
background as a business technology executive and has worked in both the
public and private sector, including PricewaterhouseCoopers and General
Dynamics. I am sure he will be a valuable addition to our security team
and an excellent CIO.
The Deputy Commissioner of Systems, who also directly reports to us,
has 3,000 employees with a total budget of $280 million as well as outside
contractor support funded by SSA's IT budget. Another important group, the
Office of the Deputy Commissioner for Finance, Assessment and Management,
oversees physical and operational systems security.
Systems Challenges
Information technology is intrinsic to our business. The systems
challenges at Social Security are large, as we represent a quarter of the
federal budget and pay benefits to over 50 million Americans. In a typical
workday we interact with almost 500,000 people through our field offices,
telephone network and Internet service.
The computing environment at SSA is considerable. SSA relies primarily
on seven mainframe processors located in our headquarters-based National
Computer Center and a combination of 100,000 plus Microsoft Windows NT
desktops and UNIX computers for its core information processing. These
computers process over 35 million transactions per day and have access to
over eleven terabytes of electronic storage. The Agency maintains a global
network of communications services that electronically exchanges client
information between more than 1500 remote locations and the SSA central
processing site.
Externally, the telecommunications environment interfaces with other
Government agencies, United States embassies, and State agencies. In
addition, SSA has a connection to the Internet to service both internal
and external clients.
Improved Security is an Ongoing Process
Systems security is not a new issue to Social Security. We have been
safeguarding our records since we began, long before the advent of
computers and the technology age. The Agency's policies and procedures
have had security integrated into the systems development lifecycle for
more than 15 years. However, in the last year SSA has begun implementation
of a number of improvements and performance measures in this area to
ensure that the security program remains responsive to evolving
technologies, conditions, and vulnerabilities.
Our development of systems security is a process geared towards
continuous improvements in each facet of the program. We begin by planning
for the security needed for each new system and determining how to
implement the process. We test the new program thoroughly to determine if
it is functioning effectively and providing the required security. We
analyze these test results and, if adjustments are needed, make
refinements until the system functions as planned. We repeat these steps
as our systems are changed and refined.
To make sure that our safeguards are adequate, SSA uses a variety of
proactive measures plus independent testing and evaluation of security
controls to detect attempted intrusions and prevent them from being
successful. We conduct a number of continuous monitoring activities, and I
am confident you will understand my reluctance to discuss our specific
processes in a public forum. However, we do undergo rigorous evaluation of
these processes.
SSA contracts annually to have independent security evaluations
completed. In FY 2002, the telecommunications and network infrastructure,
all sensitive systems applications, and SSA's web systems received testing
in addition to the annual network and systems testing and evaluation
performed by SSA's Inspector General with the support from outside
experts.
Modern computer security requires the implementation of sophisticated
software and control of access to the system. SSA uses state-of-the-art
software that carefully restricts any user access to data. Using this
software, only persons with a "need to know" to perform a particular job
function are approved and granted access to specific kinds of data. Our
systems controls not only register and record access, but also determine
what functions a person can do once access is authorized. SSA security
personnel assign a computer-generated personal identification number and
an initial password to persons who are approved for access (the person
must change the password every 30 days). This allows SSA to audit and
monitor the actions individual employees take when using the system. These
same systems provide a means to investigate allegations of misuse and have
been crucial in prosecuting employees who misuse their authority.
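The paragraph above describes a control set rather than a mechanism: access limited to the data a job function needs, every access registered and recorded, and the record used afterward to investigate misuse. The following is an added illustrative example, written for this edition and not SSA code; the roles, record types, user identifiers and timestamps are hypothetical and constructed inline. It applies a need-to-know check per role and action, refuses accounts whose password is older than the 30-day interval the testimony cites, logs denials as well as grants, and exposes the log as a per-employee query, which is the investigative use the testimony mentions. (The 30-day rotation reflects 2002 practice; current NIST SP 800-63B guidance no longer recommends periodic rotation absent evidence of compromise.)

```python
"""Need-to-know access control with an audit trail.

Added illustrative example, not SSA code. The roles, record types, users
and timestamps below are hypothetical and constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

PASSWORD_MAX_AGE = timedelta(days=30)  # rotation interval stated in the testimony

# Hypothetical job functions -> record type -> permitted actions.
ROLE_PERMISSIONS = {
    "claims_rep": {"earnings": {"read"}, "benefit": {"read", "update"}},
    "auditor":    {"earnings": {"read"}, "benefit": {"read"}, "audit_log": {"read"}},
}


@dataclass
class User:
    uid: str                    # system-assigned identifier (the "PIN" in the testimony)
    role: str
    password_changed: datetime  # timezone-aware


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    uid: str
    record_type: str
    record_id: str
    action: str
    allowed: bool
    reason: str


@dataclass
class AccessController:
    audit_log: list = field(default_factory=list)

    def authorize(self, user, record_type, record_id, action, now=None):
        """Decide one access request and record the decision."""
        now = now or datetime.now(timezone.utc)
        allowed, reason = self._decide(user, record_type, action, now)
        # Record the outcome whether or not access was granted: denials are
        # as useful to an investigator as successful accesses.
        self.audit_log.append(
            AuditEvent(now, user.uid, record_type, record_id, action, allowed, reason)
        )
        return allowed

    def _decide(self, user, record_type, action, now):
        # Stale credential: refuse before any data check is made.
        if now - user.password_changed > PASSWORD_MAX_AGE:
            return False, "password expired"
        # Need to know: the role must list this action on this record type.
        perms = ROLE_PERMISSIONS.get(user.role, {})
        if action not in perms.get(record_type, set()):
            return False, "no need to know"
        return True, "role permits"

    def accesses_by(self, uid):
        """Reconstruct what one employee did: the investigative use of the log."""
        return [e for e in self.audit_log if e.uid == uid]


if __name__ == "__main__":
    now = datetime(2002, 11, 19, tzinfo=timezone.utc)
    ctl = AccessController()
    rep = User("u1001", "claims_rep", datetime(2002, 11, 1, tzinfo=timezone.utc))
    ctl.authorize(rep, "earnings", "rec-42", "read", now)    # granted
    ctl.authorize(rep, "earnings", "rec-42", "update", now)  # denied: no need to know
    for e in ctl.accesses_by("u1001"):
        print(e.when.date(), e.uid, e.action, e.record_type, e.record_id, e.allowed, e.reason)
```

The point of routing every decision through one function is that the audit record is produced by the same code path that enforces the rule, so there is no access that is granted but not logged.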
Additionally, we have implemented processes to scan, at least once a
month, every SSA workstation (over 100,000), every telephone, and every
systems platform for compliance with Agency standards. I believe that the
scope of this program cannot be matched, and our track record in
preventing intrusions demonstrates our success in implementing an
Enterprise-wide security program that is second to none.
SSA's approach to system security must be forward-looking even as we
focus on day-to-day continuous improvement. As an example, four years ago,
our auditor listed 4 reportable conditions. Last year we were down to one.
In our just-completed FY 2002 audit, the auditor indicated that SSA had
made notable progress in strengthening its security controls by
implementing an effective entity-wide security framework supported by
policies and procedures. As recommended, we will continue to implement
standard security configurations on our automated platforms and monitor
those settings for compliance, using automated techniques where possible.
We plan to emphasize our monitoring and reporting program in the coming
year. The auditor also noted that contingency planning could be better
coordinated among various SSA components; we will improve the level of
coordination in the coming year. Over the past several years, SSA has made
significant progress in strengthening its security program and will
continue to do so. The Agency's Executive Internal Control Committee will
monitor progress until all elements of the reportable condition have been
addressed and will ensure that resources are made available to support the
improvement efforts.
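Two passages above describe the same automated check: the monthly scan of every workstation and platform for compliance with Agency standards, and the auditor's recommendation to implement standard security configurations and monitor those settings for compliance using automated techniques. The following is an added illustrative example, written for this edition and not SSA code; the baseline settings, host names and observed values are hypothetical and constructed inline. It compares each host's inventory against a baseline of rules, treats a setting that is missing from the inventory as non-compliant rather than assuming it is fine, and reports per-host findings together with the fleet compliance rate that a monitoring and reporting program would track.

```python
"""Configuration-compliance scan against a standard baseline.

Added illustrative example, not SSA code. The baseline, host names and
observed settings below are hypothetical and constructed for the example.
"""
from dataclasses import dataclass

# Hypothetical standard configuration. Each rule is (operator, expected value).
BASELINE = {
    "password_max_age_days": ("<=", 30),
    "min_password_length":   (">=", 8),
    "guest_account_enabled": ("==", False),
    "screen_lock_minutes":   ("<=", 15),
    "audit_logon_events":    ("==", True),
}


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    observed: object   # None when the setting was absent from the inventory
    expected: object
    rule: str


def _satisfies(op, observed, expected):
    if op == "==":
        return observed == expected
    if op == "<=":
        return observed <= expected
    if op == ">=":
        return observed >= expected
    raise ValueError(f"unknown operator {op!r}")


def scan_host(host, settings, baseline=BASELINE):
    """Return the findings for one host.

    A setting absent from the inventory is a finding too: unknown state is
    reported as non-compliant, never silently assumed compliant."""
    findings = []
    for name, (op, expected) in baseline.items():
        if name not in settings:
            findings.append(Finding(host, name, None, expected, f"missing, expected {op} {expected}"))
        elif not _satisfies(op, settings[name], expected):
            findings.append(Finding(host, name, settings[name], expected, f"{op} {expected}"))
    return findings


def scan_fleet(inventory, baseline=BASELINE):
    """inventory: {hostname: {setting: value}}. Returns (findings, compliant_hosts)."""
    findings, compliant = [], []
    for host, settings in sorted(inventory.items()):
        host_findings = scan_host(host, settings, baseline)
        findings.extend(host_findings)
        if not host_findings:
            compliant.append(host)
    return findings, compliant


def compliance_rate(inventory, baseline=BASELINE):
    """Fraction of hosts with no findings; the figure a monthly report would track."""
    _, compliant = scan_fleet(inventory, baseline)
    return len(compliant) / len(inventory) if inventory else 0.0


# Constructed sample inventory: three hypothetical workstations.
SAMPLE_INVENTORY = {
    "ws-001": {"password_max_age_days": 30, "min_password_length": 8,
               "guest_account_enabled": False, "screen_lock_minutes": 10,
               "audit_logon_events": True},
    "ws-002": {"password_max_age_days": 90, "min_password_length": 8,
               "guest_account_enabled": True, "screen_lock_minutes": 10,
               "audit_logon_events": True},
    "ws-003": {"password_max_age_days": 30, "min_password_length": 6,
               "guest_account_enabled": False, "screen_lock_minutes": 10},
}

if __name__ == "__main__":
    findings, compliant = scan_fleet(SAMPLE_INVENTORY)
    for f in findings:
        print(f"{f.host}: {f.setting} = {f.observed!r}, expected {f.rule}")
    print(f"compliant hosts: {compliant}; rate {compliance_rate(SAMPLE_INVENTORY):.0%}")
```

In the constructed inventory ws-002 fails two rules, ws-003 fails one rule and is missing the logon-audit setting entirely, and only ws-001 is compliant, so the fleet rate is one in three.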
Nurturing a Security Conscious Culture
Of course, SSA's commitment to information security does not stop with
top management. While we nurture a security-conscious culture through
executive-level attention, we have networks of full-time staff devoted to
systems security stationed throughout the Agency. These front-line
employees provide day-to-day oversight and control over our computer
software in headquarters and in centers for security and integrity in each
SSA region.
SSA provides information and reminders to all employees to contact the
agency-wide help desk hot line immediately when a virus or intrusion is
suspected. This help desk has procedures for quickly contacting the "First
Response Group." This group has senior management members on call in
addition to specially trained technical members of the Systems Response
team. The Chief Security Officer and a representative of the Office of the
Deputy Commissioner for Communications are members of the First Response
Group and provide the ability to rapidly mobilize the appropriate
resources.
We have tried to put in place the authorities, the personnel, and the
software controls to prevent penetration of our systems and to address
systems security issues as they surface.
Developing and Implementing Performance Measures
The CIO is required to report to the Commissioner and executive level
staff annually on the state of security in SSA, but in reality it is a
regular agenda item at executive staff meetings and the Executive Internal
Control Committee, which I chair. And the way we measure the effectiveness
of our security is through performance measures that provide quantitative
feedback. These measures allow us to identify and focus on areas that most
need attention. For example, the CIO performance measure for FY 03 is that
no more than 200 workstations, out of over 100,000 workstations would be
adversely affected by any security incident, such as a virus. In FY 04,
the measure is for no more than 100 workstations affected.
In addition, we have made President Bush's Management Agenda
initiatives, including e-government, performance measures in the
Performance Plan for all members of the Senior Executive Service. We also
have a specific measure to: "Safeguard[s] the workforce, infrastructure,
and workplace to prepare for and mitigate negative consequences."
SSA has established specific measures of performance to ensure that
program officials have assessed the risk to operations and assets,
assigned the appropriate level of security to protect such operations, and
maintain up-to-date security plans. To ensure this happens, all sensitive
systems are reviewed and recertified on an annual basis by the System
Managers and an inter-component Sensitive System Review Board. We have
established other performance measures to ensure that security controls
and techniques are tested and evaluated, and monitor whether the
performance measures have been met.
Deputy Commissioners are responsible for ensuring that each sensitive
system has an up-to-date security certification. A risk analysis and
recertification that each sensitive system has adequate safeguards is
required annually.
Critical Infrastructure Protection Process
Mr. Chairman, the tragic events of last September 11 stand as an
unforgettable reminder that we need to be prepared for catastrophic events
that may threaten not only our systems security but our physical security
and our ability to conduct our business with the public.
SSA has in place a strong management control program to assure Agency
business processes function as intended. The Critical Infrastructure
Protection Process (CIP) creates a comprehensive Agency-wide approach
addressing physical security, continuity of operations, and information
systems security. The CIP process systematically identifies critical
functions and the assets that support those functions.
The program includes recurring reviews, audits, risk assessments,
remediation plans, related training and awareness, and other checks and
balances designed to protect SSA's normal business processes in even the
most extraordinary circumstances. Using Project Matrix, Step 1 reviews
have been completed for 7 of 8 critical assets. By the end of this year we
expect to complete the remaining Step 1 review and half of the Step 2
reviews.
Congress Has Helped
Congress has helped to raise the level of awareness of the importance
of information security with the enactment of the Computer Security Act of
1987, which directed all Federal agencies to establish a designated
Agency-level security official and laid the framework for development of
formal security programs.
The Government Information Security Reform Act of 2000 (GISRA)
furthered the agenda of systems security by providing for an assessment
and reporting mechanism that ensures that security programs continue to
improve.
SSA completed its annual security self-assessment for FY 2002, as
required by GISRA, this September. We also engaged a major technology
consulting firm to conduct interviews and documentation reviews and
independently determine the validity of our assessment. I am pleased to
report that they concurred with the self-rating of SSA staff and were
impressed with the administrative quality, organizational integration, and
technical strength of SSA's security program. Also, SSA's Inspector
General reviews the annual security self-assessment using our external
auditing firm. Their report stated that we met the GISRA requirements, and
made improvements since last year. However, as they stated, and as
external consultants have said, there are always areas for
improvement.
Finally, I would like to thank you, Mr. Chairman for your work over the
years in improving awareness of the importance of not only systems
security but also a wide range of program stewardship issues such as
financial accounting and reporting, debt collection, and Y2K. Your work
and the work of all the members of the subcommittee helps assure the
American people that they can continue to rely on SSA's stewardship of our
programs and that our systems maintain the privacy of the information we
hold.
Conclusion
In conclusion, Mr. Chairman, Commissioner Barnhart and I, and all other
employees of the Social Security Administration, recognize that systems
security is not a one-time task to be accomplished, but an ongoing
mission. It is a critical component of providing service and stewardship
to the American people. We know we cannot rest on past practice, but must
be vigilant in every way we can to assure that these personal records
remain secure, taxpayer dollars are protected, and public confidence in
Social Security is maintained.
I can assure you that we will continue to work with the Subcommittee to
assure the American people that we are doing all we can to maintain the
security of our computer operations. I will be happy to answer any
questions you may have.