Testimony given by John R. Dyer, Executive Director to the Deputy Commissioner and Chief Information Officer, on the "Status of Computer Security at Federal Departments and Agencies"
September 11, 2000
Hearing held before the Government Reform Committee, Subcommittee on Government Management, Information, and Technology
Mr. Chairman and Members of the Subcommittee:
Thank you for inviting me here today to discuss computer security at the Social Security Administration (SSA). We appreciate this subcommittee's interest in systems security and agree that system security is critical in today's environment.
At the outset, let me emphasize that SSA has always taken its responsibility to protect the privacy of personal information in Agency files very seriously. The Social Security Board's first regulation, published in 1937, dealt with the confidentiality of SSA records. For 65 years, SSA has honored its commitment to the American people to maintain the confidentiality of the records in our possession. We understand that, in order to address privacy concerns, we need a strong computer security program in place.
Modern computer security requires the implementation of sophisticated software and control of access to the system. SSA uses state-of-the-art software that carefully restricts any user access to data except for its intended use. Using this software, only persons with a "need to know" to perform a particular job function are approved and granted access. Our systems controls not only register and record access, but also determine what functions a person can do once access is authorized. SSA security personnel assign a computer-generated personal identification number and an initial password to persons who are approved for access (the person must change the password every 30 days). This allows SSA to audit and monitor the actions individual employees take when using the system. These same systems provide a means to investigate allegations of misuse and have been crucial in prosecuting employees who misuse their authority.
Today, I would like to discuss where we are with computer security and what improvements we are making. SSA approaches computer security on an entity-wide basis. By doing so, we address all aspects of the SSA enterprise.
Overall, the Chief Information Officer (CIO), who reports directly to the Commissioner and the Deputy Commissioner, is responsible for information system security. In my role as CIO, I assure that our initiatives are enterprise-wide in scope. At the Deputy Commissioner level, SSA's Chief Financial Officer assures that all new systems have the required financial controls to maintain sound stewardship over the monies entrusted to our care. We also have placed our systems security policy function with this Deputy Commissioner.
In order to meet the challenges of data security in today's highly technological environment, the Agency has adopted an enterprise-wide approach to systems security, financial information, data integrity, and prevention of fraud, waste, and abuse. We have full-time staff devoted to systems security stationed throughout the Agency, in all regions and in central office. We have established centers for security and integrity in each SSA region. They provide day-to-day oversight and control over our computer software. In addition, we have a Deputy Commissioner-level Office of Systems which supports the operating system, develops new software and the related controls and, in general, assures that SSA is taking advantage of the latest in effective systems technology.
SSA has been certifying its sensitive systems since the original OMB requirement was published in 1991. Our process requires Deputy Commissioners responsible for those systems to accredit them. SSA's planning and certification activity is now in full compliance with NIST 800-18 guidance.
SSA's sensitive systems include all programmatic systems needed to support programs administered by the Agency as well as critical personnel functions. They also include the network and the system used to monitor SSA's data center operations.
As an independent agency, we have our own Inspector General (IG) who can focus his efforts on the agency's needs and concerns. The IG is also very active in working with other Federal, State and local law enforcement agencies to assure all avenues for investigation and prosecution are being pursued--especially for systems security-related issues.
In summary, we have in place the right authorities, the right personnel, and the right software controls to prevent penetration of our systems and to address systems security issues as they surface.
Information Systems Security Plan
As I mentioned, SSA has maintained an information system security program for many years. Its key components, such as deploying new security technology, integrating security into the business process, and performing self assessments of our security infrastructure, to name a few, describe goals and objectives that will touch every SSA employee.
Of particular importance this year are the activities related to the Presidential Decision Directive (PDD-63) on infrastructure protection and continuity of operations. We have recently completed an evaluation of all critical SSA assets. I'm pleased to note that SSA was one of the first Agencies to do so.
Originally, SSA was not one of the Tier I agencies. But given the importance of ongoing monthly payments, we have been elevated to that level by the Critical Infrastructure Assurance Office.
As part of this effort we have completed an inventory of all critical assets and implemented an incident response process for computer incidents. We have also revised our physical security plans to assure our facilities are properly secured. Recently, we were one of the key agencies that evaluated the CIO Council's "maturity" model. This will help us compare where we are with industry standards overall.
Ongoing Monitoring and Assessment
Our independent auditor, PricewaterhouseCoopers, has evaluated our security program in each of the last 4 years. They have given us many recommendations to strengthen our security program, and we have implemented 77 percent of their recommendations. We are addressing the remainder at this time. The remaining recommendations involve longer timeframes to implement. They will be completed on a flow basis; we anticipate all will be completed by the end of the next fiscal year.
In addition, SSA has its own formal program of onsite reviews and corrective action. We also use an independent contractor, Deloitte and Touche, to review our systems and overall management of the program. All of this is tracked at the highest levels through an executive internal control committee which I chair and whose membership includes the Inspector General and key deputies.
Zero Tolerance for Fraud
Finally, I also want to state that we have a zero tolerance at SSA for fraud, waste, and abuse. We believe that our zero tolerance policy has paid off, as evidenced by the fact that almost all of the recommendations made to the Agency by independent auditors in recent years have been of a pre-emptive nature as opposed to a remedy for any actual abuse. Nonetheless, when we have evidence of an abuse of system privileges, addressing the matter is a number one priority of the Agency.
On June 22, 1998, Commissioner Apfel issued a notice to all SSA employees about administrative sanctions to be taken against any SSA employee who abuses his or her systems privileges. The penalties are severe and will lead to termination of employment for any offense that involves selling data. On March 2, 2000 this notice was revised and updated to make it even more relevant to employees.
SSA's IG is committed to the investigation and prosecution of every employee abuse case that is identified. Many of the SSA employee cases turned over to the IG for investigation were first discovered by the Social Security Administration itself. We must keep in mind that overwhelmingly SSA employees are honest, hardworking people.
In order to ensure that our mission-critical systems are up and running, we have a solid contingency plan in place. In August 2000, we completed a successful test of all SSA critical systems. Also, SSA has in place a hot site as backup for its critical operations. These are recommendations that PricewaterhouseCoopers thought it was important for us to complete.
A recent status update by PwC noted substantial progress in this area. No new issues were identified as a result of this year's review. We believe all issues have been resolved, but are awaiting PwC's final report.
Moving Away from Mainframe Systems
I want to come back to the broader concerns. Addressing systems security is, and always will be, first of all, a high priority for SSA. By design, the Agency has used a system architecture that relied almost exclusively on mainframe systems and centralized databases. With this architecture we are able to more tightly control computer security than those Agencies who are faced with large numbers of local and/or distributed systems.
As SSA, in the increasingly technological environment, moves away from the mainframe environment to more distributed systems, we carefully consider, at every step of the process, how to build in security features. We have taken a number of steps to ensure that these new systems are as secure as possible.
We are on constant alert to identify both intrusion detection and denial-of-service type attacks. SSA's firewall team uses various services that list current hacker activity in order to identify the different types of attacks and how to respond and avoid them. SSA uses various filters on our routers to deny these specific attacks.
We have supported and will continue to support the independent audit of our financial statements. We have supported the auditors' detailed testing of SSA's systems. We work with the various oversight bodies, the General Accounting Office and the IG, for example, to review what we are doing and identify any issues they believe we need to address. Only in this way can we be assured SSA is getting all the advice that is available to us, and doing its utmost to maintain the security of our computer systems, and the data they contain.
New Emerging Concerns
We are well aware of the daily stories about new viruses, hackers, and security breaches and have taken both preventive and enforcement actions to protect information in Social Security files from any wrongful use by our own employees and from any unauthorized access by outsiders. Mr. Chairman, SSA takes a very proactive approach to identify hacker activity and adopt the proper defensive posture to prevent interruption to SSA's website services. We use state-of-the-art technology to protect our network. We are on constant alert to identify both intrusion detection and denial-of-service types of attacks. SSA's network is monitored 24 hours a day, not only by SSA technicians but also by contract services.
This is not to say that we are resting on our laurels. We constantly reevaluate and, when necessary, upgrade the security features necessary to maintain the public's confidence that our systems are secure. Computer security is a top management priority.
When Social Security first became independent in 1995, and had its own IG for the first time devoted only to SSA's activities, the Commissioner asked the IG to make employee integrity the number one issue and the IG has done so. SSA has consistently asked for additional resources for the IG and received support from Congress for those requests.
In conclusion, Mr. Chairman, the Social Security Administration has a long-standing tradition of assuring the public that their personal records are secure. Both the Commissioner and the Deputy Commissioner give systems security their highest priority. We all recognize that this is not a one-time task to be accomplished, but rather is an ongoing mission we can never lose sight of. We know we cannot rest on past practice, but must be vigilant in every way we can to assure that these personal records remain secure, and that public confidence in SSA is maintained.
I want to thank the Subcommittee for holding this hearing and focusing on what we all view as a critical issue. We are glad to know that the Congress shares our concerns, and we will work with the Subcommittee to assure the American people that we are doing all we can to maintain the security of our computer operations. I will be happy to answer any questions you may have.