How SSA sets security agenda

Strong central control keeps SSA focused on computer security, Arthur Mayhle says.

J. Adam Fenster

The Social Security Administration has ranked among the top federal agencies on the IT computer security report card issued by the House Government Reform Committee for the last two years.

How has the agency gotten such good grades?

SSA has long had the cooperation of top management in its security efforts, and a crackerjack IT staff to implement them, said Arthur Mayhle, Social Security's chief security officer in the CIO's office. Plus, it frequently updates its systems security.

Security isn't something the agency's IT officials began paying attention to after the Sept. 11, 2001, terrorist attacks. 'We have had strong executive-level support over the last eight to 10 years,' Mayhle said.

SSA relies on seven mainframe systems at its headquarters' National Computer Center in Baltimore and a combination of 100,000 Microsoft Windows NT desktop systems and workstations running Unix.

Security is a routine agenda item for executives and has been incorporated into other processes that typically receive top-level attention, Mayhle said. An executive internal control board, chaired by an assistant commissioner, monitors how the agency deals with security concerns. A critical infrastructure working group that evaluates how agency assets are protected reports to the executive board.

Permeates the enterprise

Since the 1980s, security has been integrated not only in SSA's business processes through the executive staff but also in the entire process of developing new applications, Mayhle said.

Strong central control helps keep SSA focused on computer security. 'We are fairly homogeneous. SSA has a centralized function and policy area,' he said. Other federal agencies have many operating divisions.

In addition to mandatory performance accountability measures, SSA established a specific measure for its IT officers. 'If we do have an incident, say a virus comes in, my performance goal is that it doesn't affect any more than 200 workstations' out of the 100,000, Mayhle said. In 2004, the goal is no more than 100 workstations.

Software systems controls register and record access and determine what functions employees are authorized to perform. IT security personnel assign a computer-generated personal identification number and an initial password to approved users, who must change the password monthly. At least once a month, SSA scans all computers, telephones and platforms for compliance with agency standards.

SSA gives basic security awareness training to its general employees and those from federal and state agencies it works with, and training is reviewed annually. Security professionals and project managers are encouraged to take risk analysis courses two or three times a year, Mayhle said.

High-level security staff receive training from the CIO and systems security operations management offices.

Every major office in SSA has a security officer who serves as consultant for managers and project officers and works with the computer security chief.

SSA also integrates IT security in its capital planning process, Mayhle said.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.
