Testimony of Deputy Commissioner Lockhart Before the House Committee on Government Reform, Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations on
"Computer Security: How the Agencies Rate"
November 19, 2002
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting me here today in my first appearance before this subcommittee to discuss computer security at the Social Security Administration (SSA). Commissioner Barnhart and I appreciate your interest in systems security, which is a critical issue. She has made service and stewardship key elements of our strategy to effectively administer our programs; systems security is a key stewardship element and it requires continuous improvement, a "24 x 7" mentality.
SSA has always recognized the importance of protecting the privacy of the people we serve and ensuring the integrity and accuracy of the records we keep and the payments we make. The Social Security Board's first regulation, published in 1937, dealt with the confidentiality of SSA records. For more than 65 years, SSA has honored its commitment to the American people to maintain the confidentiality of our records. A natural outgrowth of our emphasis on privacy is a strong commitment to computer security.
We at SSA clearly recognize that the information technology environment is one of constant change due to rapid progress in systems technology and systems security issues that are generated as a result. We continue to be proactive and forward looking in meeting the challenges of this ever-changing environment. We routinely interface with other government agencies and with private and public information technology specialists, to ensure that we stay ahead of developments in this rapidly expanding field.
Building on this strong foundation, I believe we have made significant strides this year in putting in place additional safeguards that will strengthen the security of the information SSA processes and maintains. Today I would like to discuss those safeguards.
Security is a Management Function, Not a Technical Issue
We recognize that creating an effective security program is a management function, and not simply an issue of technical implementation. It demands the attention of our top management. During the course of the last year, Commissioner Barnhart has taken steps to ensure that information security is receiving this level of attention in order to emphasize the importance of making this a priority for every Agency employee. Information security has been made a routine agenda item for the executive staff and has been incorporated into other processes that routinely receive executive-level attention.
Most importantly, information security responsibilities have been realigned to bring the Chief Security Officer under the auspices of SSA's Chief Information Officer (CIO). The Chief Security Officer is responsible for setting Agency policy for information security and for leading and coordinating information technology (IT) physical security policy. The IT budget has also been moved directly under the CIO.
Earlier this month, Commissioner Barnhart announced the appointment of Thomas Hughes as the new CIO for the Agency. Mr. Hughes has an extensive background as a business technology executive and has worked in both the public and private sector, including PricewaterhouseCoopers and General Dynamics. I am sure he will be a valuable addition to our security team and an excellent CIO.
The Deputy Commissioner of Systems, who also directly reports to us, has 3,000 employees with a total budget of $280 million as well as outside contractor support funded by SSA's IT budget. Another important group, the Office of the Deputy Commissioner for Finance, Assessment and Management, oversees physical and operational systems security.
Information technology is intrinsic to our business. The systems challenges at Social Security are large, as we represent a quarter of the federal budget and pay benefits to over 50 million Americans. In a typical workday we interact with almost 500,000 people through our field offices, telephone network and Internet service.
The computing environment at SSA is considerable. SSA relies primarily on seven mainframe processors located in our headquarters-based National Computer Center and a combination of 100,000-plus Microsoft Windows NT desktops and UNIX computers for its core information processing. These computers process over 35 million transactions per day and have access to over eleven terabytes of electronic storage. The Agency maintains a global network of communications services that electronically exchanges client information between more than 1,500 remote locations and the SSA central processing site.
Externally, the telecommunications environment interfaces with other Government agencies, United States embassies, and State agencies. In addition, SSA has a connection to the Internet to service both internal and external clients.
Improved Security is an Ongoing Process
Systems security is not a new issue to Social Security. We have been safeguarding our records since we began, long before the advent of computers and the technology age. The Agency's policies and procedures have had security integrated into the systems development lifecycle for more than 15 years. However, in the last year SSA has begun implementation of a number of improvements and performance measures in this area to ensure that the security program remains responsive to evolving technologies, conditions, and vulnerabilities.
Our development of systems security is a process geared towards continuous improvements in each facet of the program. We begin by planning for the security needed for each new system and determining how to implement the process. We test the new program thoroughly to determine if it is functioning effectively and providing the required security. We analyze these test results and, if adjustments are needed, make refinements until the system functions as planned. We repeat these steps as our systems are changed and refined.
To make sure that our safeguards are adequate, SSA uses a variety of proactive measures plus independent testing and evaluation of security controls to detect attempted intrusions and prevent them from being successful. We conduct a number of continuous monitoring activities, and I am confident you will understand my reluctance to discuss our specific processes in a public forum. However, we do undergo rigorous evaluation of these processes.
SSA contracts annually to have independent security evaluations completed. In FY 2002, the telecommunications and network infrastructure, all sensitive systems applications, and SSA's web systems received testing in addition to the annual network and systems testing and evaluation performed by SSA's Inspector General with the support from outside experts.
Modern computer security requires the implementation of sophisticated software and control of access to the system. SSA uses state-of-the-art software that carefully restricts any user access to data. Using this software, only persons with a "need to know" to perform a particular job function are approved and granted access to specific kinds of data. Our systems controls not only register and record access, but also determine what functions a person can do once access is authorized. SSA security personnel assign a computer-generated personal identification number and an initial password to persons who are approved for access (the person must change the password every 30 days). This allows SSA to audit and monitor the actions individual employees take when using the system. These same systems provide a means to investigate allegations of misuse and have been crucial in prosecuting employees who misuse their authority.
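The paragraph above describes three controls working together: a need-to-know rule that decides which data a job function may touch and which operations it may perform, a password that must be changed every 30 days, and an audit record of every access so that an individual employee's actions can be reviewed later. The following is an added illustration, written for this page and not SSA's software or the product named in the testimony; the job functions, data kinds, PINs and dates are constructed for the example, and the 30-day limit is the only value taken from the text.

```python
from dataclasses import dataclass, field
from datetime import date

# Maximum password age, from the testimony ("must change the password every 30 days").
MAX_PASSWORD_AGE_DAYS = 30

# Hypothetical need-to-know matrix: job function -> data kind -> permitted operations.
# Anything not listed is denied, so the default is least privilege.
NEED_TO_KNOW = {
    "claims_rep": {
        "earnings_record": {"read"},
        "benefit_payment": {"read", "update"},
    },
    "auditor": {
        "earnings_record": {"read"},
        "benefit_payment": {"read"},
        "audit_log": {"read"},
    },
}


@dataclass
class User:
    pin: str                 # computer-generated personal identification number
    job_function: str        # the role the person was approved for
    password_changed: date   # when the current password was set


@dataclass
class AccessControl:
    """Decides each access request and records the decision, allowed or not."""
    audit_log: list = field(default_factory=list)

    def check(self, user: User, data_kind: str, operation: str, today: date) -> bool:
        """Return True if the access is permitted; every attempt is logged."""
        password_age = (today - user.password_changed).days
        if password_age > MAX_PASSWORD_AGE_DAYS:
            decision, reason = "DENY", "password_expired"
        else:
            permitted = NEED_TO_KNOW.get(user.job_function, {}).get(data_kind, set())
            if operation in permitted:
                decision, reason = "ALLOW", "need_to_know"
            else:
                decision, reason = "DENY", "no_need_to_know"
        # Register and record the access attempt before returning the decision,
        # so denied attempts are just as visible to later review as granted ones.
        self.audit_log.append({
            "date": today.isoformat(),
            "pin": user.pin,
            "job_function": user.job_function,
            "data_kind": data_kind,
            "operation": operation,
            "decision": decision,
            "reason": reason,
        })
        return decision == "ALLOW"

    def actions_by(self, pin: str) -> list:
        """Everything one PIN attempted: the basis for monitoring or a misuse inquiry."""
        return [entry for entry in self.audit_log if entry["pin"] == pin]


def run_demo() -> dict:
    """Constructed scenario: one current claims rep and one auditor with a stale password."""
    ac = AccessControl()
    today = date(2002, 11, 19)
    rep = User(pin="10001", job_function="claims_rep", password_changed=date(2002, 11, 1))
    stale_auditor = User(pin="10002", job_function="auditor", password_changed=date(2002, 9, 1))
    results = {
        "rep_update_payment": ac.check(rep, "benefit_payment", "update", today),
        "rep_update_earnings": ac.check(rep, "earnings_record", "update", today),
        "stale_auditor_read": ac.check(stale_auditor, "earnings_record", "read", today),
    }
    results["log"] = ac.audit_log
    results["auditor_trail"] = ac.actions_by("10002")
    return results


if __name__ == "__main__":
    for entry in run_demo()["log"]:
        print(entry)
```

Two design points are worth noting. The decision and the audit entry are produced in the same call, so there is no code path that grants access without leaving a record. And the need-to-know table is a whitelist of operations per data kind rather than a list of exclusions, which is what makes "only persons with a need to know" the default rather than an exception.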
Additionally, we have implemented processes to scan, at least once a month, every SSA workstation (over 100,000), every telephone, and every systems platform for compliance with Agency standards. I believe that the scope of this program cannot be matched, and our track record in preventing intrusions demonstrates our success in implementing an Enterprise-wide security program that is second to none.
SSA's approach to system security must be forward-looking even as we focus on day-to-day continuous improvement. As an example, four years ago, our auditor listed 4 reportable conditions. Last year we were down to one. In our just-completed FY 2002 audit, the auditor indicated that SSA had made notable progress in strengthening its security controls by implementing an effective entity-wide security framework supported by policies and procedures. As recommended, we will continue to implement standard security configurations on our automated platforms and monitor those settings for compliance, using automated techniques where possible. We plan to emphasize our monitoring and reporting program in the coming year. The auditor also noted that contingency planning could be better coordinated among various SSA components; we will improve the level of coordination in the coming year. Over the past several years, SSA has made significant progress in strengthening its security program and will continue to do so. The Agency's Executive Internal Control Committee will monitor progress until all elements of the reportable condition have been addressed and will ensure that resources are made available to support the improvement efforts.
Nurturing a Security Conscious Culture
Of course, SSA's commitment to information security does not stop with top management. While we nurture a security-conscious culture through executive-level attention, we have networks of full-time staff devoted to systems security stationed throughout the Agency. These front-line employees provide day-to-day oversight and control over our computer software in headquarters and centers for security and integrity in each SSA region.
SSA provides information and reminders to all employees to contact the agency-wide help desk hot line immediately when a virus or intrusion is suspected. This help desk has procedures for quickly contacting the "First Response Group." This group has senior management members on call in addition to specially trained technical members of the Systems Response team. The Chief Security Officer and a representative of the Office of the Deputy Commissioner for Communications are members of the First Response Group and provide the ability to rapidly mobilize the appropriate resources.
We have tried to put in place the authorities, the personnel, and the software controls to prevent penetration of our systems and to address systems security issues as they surface.
Developing and Implementing Performance Measures
The CIO is required to report to the Commissioner and executive level staff annually on the state of security in SSA, but in reality it is a regular agenda item at executive staff meetings and the Executive Internal Control Committee, which I chair. And the way we measure the effectiveness of our security is through performance measures that provide quantitative feedback. These measures allow us to identify and focus on areas that most need attention. For example, the CIO performance measure for FY 03 is that no more than 200 workstations, out of over 100,000 workstations, would be adversely affected by any security incident, such as a virus. In FY 04, the measure is for no more than 100 workstations affected.
In addition, we have made President Bush's Management Agenda initiatives, including e-government, performance measures in the Performance Plan for all members of the Senior Executive Service. We also have a specific measure to: "Safeguard[s] the workforce, infrastructure, and workplace to prepare for and mitigate negative consequences."
SSA has established specific measures of performance to ensure that program officials have assessed the risk to operations and assets, assigned the appropriate level of security to protect such operations, and maintain up-to-date security plans. To ensure this happens, all sensitive systems are reviewed and recertified on an annual basis by the System Managers and an inter-component Sensitive System Review Board. We have established other performance measures to ensure that security controls and techniques are tested and evaluated, and monitor whether the performance measures have been met.
Deputy Commissioners are responsible for ensuring that each sensitive system has an up-to-date security certification. A risk analysis and recertification that each sensitive system has adequate safeguards is required annually.
Critical Infrastructure Protection Process
Mr. Chairman, the tragic events of last September 11 stand as an unforgettable reminder that we need to be prepared for catastrophic events that may threaten not only our systems security but our physical security and our ability to conduct our business with the public.
SSA has in place a strong management control program to assure Agency business processes function as intended. The Critical Infrastructure Protection Process (CIP) creates a comprehensive Agency-wide approach addressing physical security, continuity of operations, and information systems security. The CIP process systematically identifies critical functions and the assets that support those functions.
The program includes recurring reviews, audits, risk assessments, remediation plans, related training and awareness, and other checks and balances designed to protect SSA's normal business processes in even the most extraordinary circumstances. Using Project Matrix, Step 1 reviews have been completed for 7 of 8 critical assets. By the end of this year we expect to complete the remaining Step 1 review and half of the Step 2 reviews.
Congress Has Helped
Congress has helped to raise the level of awareness of the importance of information security with the enactment of the Computer Security Act of 1987, which directed all Federal agencies to establish a designated Agency-level security official and laid the framework for development of formal security programs.
The Government Information Security Reform Act of 2000 (GISRA) furthered the agenda of systems security by providing for an assessment and reporting mechanism that ensures that security programs continue to improve.
SSA completed its annual security self-assessment for FY 2002, as required by GISRA, this September. We also engaged a major technology consulting firm to conduct interviews and documentation reviews and independently determine the validity of our assessment. I am pleased to report that they concurred with the self-rating of SSA staff and were impressed with the administrative quality, organizational integration, and technical strength of SSA's security program. Also, SSA's Inspector General reviews the annual security self-assessment using our external auditing firm. Their report stated that we met the GISRA requirements, and made improvements since last year. However, as they stated, and as external consultants have said, there are always areas for improvement.
Finally, I would like to thank you, Mr. Chairman for your work over the years in improving awareness of the importance of not only systems security but also a wide range of program stewardship issues such as financial accounting and reporting, debt collection, and Y2K. Your work and the work of all the members of the subcommittee helps assure the American people that they can continue to rely on SSA's stewardship of our programs and that our systems maintain the privacy of the information we hold.
In conclusion, Mr. Chairman, Commissioner Barnhart and I, and all other employees of the Social Security Administration, recognize that systems security is not a one-time task to be accomplished, but an ongoing mission. It is a critical component of providing service and stewardship to the American people. We know we cannot rest on past practice, but must be vigilant in every way we can to assure that these personal records remain secure, taxpayer dollars are protected, and public confidence in Social Security is maintained.
I can assure you that we will continue to work with the Subcommittee to assure the American people that we are doing all we can to maintain the security of our computer operations. I will be happy to answer any questions you may have.