Security Management Principles: Beyond the Fundamentals
Brad Flick, Associate Commissioner, Office of Information Security
All statements of fact, opinion, or analysis expressed are those of the author and do not reflect the official positions or views of the Social Security Administration (SSA) or any other U.S. Government Agency. Nothing in the contents should be construed as asserting or implying U.S. government authentication of information or SSA's endorsement of the author's views.
Basic Fundamentals
• Confidentiality
• Integrity
• Availability
• Threats
• Vulnerabilities
• Defense
• Policy
• Patch Management
• Auditing
Social Security Administration: FY 2011
• $770 billion in benefits paid to over 60 million people
• 152 million transactions (average daily volume)
• $1.5 billion in annual IT investment
Social Security Administration: Annual Workloads
• 17.2 million Social Security cards
• 1 billion Social Security Number verifications
• 147 million Social Security Statements
• 270 million earnings items posted
• 3.9 million retirement, survivor, and Medicare applications
• 2.5 million disability applications
Social Security Administration: Network Overview
• Approx. 100,000 system users
• Over 1,300 offices worldwide
• Over 200,000 network devices
• Over 21 petabytes of data
Beyond the Fundamentals: 10 Principles
Your Reputation Precedes You
• Security needs to be part of the culture
• Privacy of SSA records was the subject of the first regulation the agency adopted, in 1937
• Regulation No. 1: "It being found by the Social Security Board (hereinafter referred to as the Board) that the public interest and the efficient administration of the functions with which the Board is charged under the Social Security Act require that the confidential nature of all wage records and other records or information in possession of the Board, pertaining to any person, be preserved."
Policy and Standards
• Should be like a good rental agreement
• Must be enforced
Communication
• If you can't communicate, you will struggle to be successful
• Everyone must understand the message
Training and Awareness
• Vital! Do not underestimate it.
• The big issues of 2011 were phishing attacks:
  • RSA
  • Gmail compromise of senior U.S. government officials
  • Federally funded research facilities
Security Has to be Usable
• If it is too difficult, it will be bypassed
Build It In, Don't Retrofit
• Obvious, but there is no magic solution
• Security is often 'last minute'
• Developers and sponsors are resistant to changes
• Can be cultural
• Must build awareness of the value of 'building in'
Build Alert Mechanisms
• Most folks focus on access control and the audit trail.
• Dashboards: are they being watched?
• Audit trails: are they being reviewed?
• Build tolerances (thresholds) that alert on suspicious activity, so that detection does not depend on someone happening to read the log.
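The "build tolerances" point can be made concrete. What follows is an added example, not code from the deck or from SSA: it reads a constructed audit trail of record lookups, keeps a rolling 60-minute count per user, raises one alert when a user crosses an assumed per-role tolerance, and flags any lookup outside an assumed business-hours window. The log layout, the roles, the tolerance values, the hours and every user name are assumptions chosen for illustration.

```python
"""Tolerance-based alerting over an audit trail.

Added example (not from the original deck). Log layout, roles,
tolerance values and the business-hours window are assumptions.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, time

# Assumed per-role tolerance: max record lookups by one user in any rolling
# 60-minute window. Roles not listed fall back to DEFAULT_TOLERANCE.
LOOKUP_TOLERANCE = {"claims_rep": 30, "contractor": 10}
DEFAULT_TOLERANCE = 20
WINDOW_SECONDS = 3600
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # assumed local hours


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    record: str


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    ts: datetime
    detail: str


def parse_line(line: str) -> Event:
    """Parse one audit line in the assumed layout: ISO-timestamp|user|role|action|record-id."""
    ts, user, role, action, record = line.strip().split("|")
    return Event(datetime.fromisoformat(ts), user, role, action, record)


def detect(lines):
    """Return alerts for lookup volume over tolerance and for off-hours lookups."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    recent = defaultdict(deque)   # user -> timestamps of lookups inside the window
    over = set()                  # users currently above tolerance (alert once per excursion)
    alerts = []
    for ev in events:
        if ev.action != "LOOKUP":
            continue              # logins etc. are not counted toward lookup volume
        if not (BUSINESS_START <= ev.ts.time() < BUSINESS_END):
            alerts.append(Alert("OFF_HOURS", ev.user, ev.ts,
                                f"lookup of {ev.record} at {ev.ts.time()}"))
        q = recent[ev.user]
        q.append(ev.ts)
        while (ev.ts - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()           # drop lookups older than the rolling window
        tolerance = LOOKUP_TOLERANCE.get(ev.role, DEFAULT_TOLERANCE)
        if len(q) > tolerance:
            if ev.user not in over:
                over.add(ev.user)
                alerts.append(Alert("VOLUME", ev.user, ev.ts,
                                    f"{len(q)} lookups in 60 min, tolerance {tolerance}"))
        else:
            over.discard(ev.user)  # back under tolerance: re-arm the alert


    return alerts


def build_sample_audit():
    """Constructed sample audit trail (not real data)."""
    lines = ["2011-09-12T08:55:00|jdoe|claims_rep|LOGIN|-"]
    # Three claims reps: one lookup every 30 minutes from 09:00 to 14:30.
    for i in range(12):
        for user in ("jdoe", "asmith", "bwong"):
            lines.append(f"2011-09-12T{9 + i // 2:02d}:{(i % 2) * 30:02d}:00"
                         f"|{user}|claims_rep|LOOKUP|R-{1000 + i}")
    # A contractor pulling 25 records in 25 minutes: well over a tolerance of 10.
    for m in range(25):
        lines.append(f"2011-09-12T10:{m:02d}:00|tvendor|contractor|LOOKUP|R-{2000 + m}")
    # One lookup at 02:15, outside the assumed business-hours window.
    lines.append("2011-09-12T02:15:00|jdoe|claims_rep|LOOKUP|R-3001")
    return lines


def summarize(alerts):
    """Count alerts per (rule, user) in a shape a dashboard or pager can consume."""
    counts = defaultdict(int)
    for a in alerts:
        counts[(a.rule, a.user)] += 1
    return dict(counts)


if __name__ == "__main__":
    for a in detect(build_sample_audit()):
        print(f"{a.ts:%H:%M} {a.rule:<9} {a.user:<8} {a.detail}")
```

Two design points follow the slide's own warnings. The alert fires once when a user crosses the tolerance and re-arms only after the count drops back, so a single burst produces one page rather than a flood that trains people to ignore the dashboard. The fixed per-role numbers are placeholders: in practice the tolerance is set from observed baseline volumes for each role, and the output of `summarize` has to be routed to someone who is on the hook to act on it, otherwise it is just another unreviewed audit trail.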
Take Time to Plan
• Firefighting vs. fire-prevention planning
Regular Reality Checks are Necessary
• Is there governance and compliance?
• Are the rules relevant to the business process, understandable, reflective of reality, and current?
• Are they enforceable, or at least not ignored?
• Don't assume the business owner will do the right thing. They will roll the dice every time.