| Gate/Activity | Description |
|---|---|
| Security Profiles | Access to SDLC system environments is a "Right" that permits an individual to perform the duties associated with a particular job. Users are given access rights based on their job responsibilities and the training or knowledge they possess. Knowledge and skills are to be evaluated after each major enhancement to ensure they are current. The Sr. Security Administrator is responsible for verifying individual skill sets with appropriate management. |
| Review Database Logs | The Sr. Security Administrator reviews database access logs monthly to determine when exception access, unusual access or other events occurred which warrant additional review. The Sr. Security Administrator performs the necessary review and promotes findings to the Manager of Operations at the time of discovery or as part of the quarterly report, depending on severity. |
| Temporary Access | The Security Administrator is responsible for ensuring that temporary access permissions are disabled at the end of the authorized period. The default period is one business day. |
| User Access | The Security Administrator has the responsibility to disable access for any individual when that individual's actions create a perceived threat to the systems environment. This responsibility will be executed without regard to the individual's title. Due diligence will be undertaken prior to taking this escalation avenue. In the event that the reason for the individual's action cannot be determined and Operations Management is unavailable for counsel, the Security Administrator will disable the user's account. A determination of the event and a report will be generated by the Security Administrator and distributed to both the Manager of Operations and the Senior Manager of the Engineering Department. |
| Situational Access | Situational access is subject to audit review. Situational access requires that actions performed be documented and communicated to the appropriate areas within the Engineering Department. The manager who authorized access is responsible for ensuring that documentation and communication are completed and distributed in a timely fashion. |
| Quarterly Report | (a) The Security Administrator analyses the exception log to determine trends and reasons for requests. These findings are used to prepare a quarterly report. The report includes recommendations for root cause remediation, changes to standard profiles, process improvement, etc. (b) The Manager of Operations reviews the Security Administrator's recommendations; Manager of Operations requests for additional analysis and/or additional detail are handled by the Security Administrator in an appropriate and timely manner. |
| SDLC Staff: Protection of Intellectual Assets | The Employee Handbook used by SDLC addresses the protection of intellectual assets in the "Corporate Code of Ethics and Conduct Policy" section; specifically sub-sections: Each employee must sign a non-disclosure agreement at the time of hire. The terms and conditions of that agreement will be enforced. |
| SDLC Staff: Document Notices | Each employee creating documents for internal use with confidential information or containing intellectual asset descriptions or definitions shall include a footer throughout the entire document stating "Confidential - Property of SDLC." This applies to all documents that contain naming conventions used in coding and network configuration. Materials created for clients are to have "Copyright, SDLC MM/YYYY" (Month and Year) on each page. |
| SDLC Staff: Client/Partner Request for Information | Any request for information from a client or partner that extends beyond what an employee considers regularly provided information will be honored only after authorization by Department Management. Authorization means: Materials designated sensitive that will be released to clients or partners will have a cover document stating that the materials are "Intellectual Property of SDLC." All provided materials will have a footer on each page as stated under the Document Notices section above. The individual authorizing the release of materials will maintain a description of the materials released, with their specific source. |
| Security Administrator: Input to Development and Configuration Standards | The Security Administrator is responsible for maintaining a dialog with Development, Operations and Configuration Functions within the Engineering Department and Content Staff in the Product Department. The Security Administrator will generate an advisory announcement each time a potential threat is discovered. Compliance with these advisories is the responsibility of staff in Development, Operations and Configuration Functions within the Engineering Department and Content Staff in the Product Department. An individual performing peer review and/or validating application/content has responsibility for ensuring adherence to advisories. (a) Never encode sensitive information in a client-side script such as JavaScript. (b) HTML should use "Post" versus "Get" methods, when possible. |
| SDLC Staff: Paper Disposal | Documents generated through the normal course of performing job-related duties must be considered to contain confidential information. As such, each employee is expected to consider this when disposing of paper. |
| SDLC Staff: Paper Disposal | Any electronic media disposed of must be rendered unusable. This requires that storage media be physically destroyed, passed through a magnetic field to erase content, or reformatted using a utility that writes a constant stream of values to the disk surface. |
| Operations: Off-Site Storage of Backup Materials | Any materials stored off-site will be placed in a locked container. When backup materials represent a systems environment, storage media will contain all necessary instructions to restore the environment, including passwords and current disaster/business recovery instructions. Operations will maintain a log of all off-site materials. |
| Gate/Activity | Description |
|---|---|
| Initiate Change Request | Requesting Department Management completes and authorizes the Security Change Request Form (Appendix A). In cases where exceptions are being requested, documentation supporting the request must be provided, as well as the duration of the requested access privilege. |
| Evaluate Request | The request is forwarded to the Security Administrator for comparison to the approved profile (Appendix B). (Requests will normally be processed within four (4) business day hours.) |
| Request Approved | Deliver approval to the Manager of Operations when: (a) the request is within approved profile definitions; or (b) the request is outside approved profiles, but has supporting documentation. |
| Request Denied | Return to the Requestor or Requesting Department Management with an explanation. Requesting Department Management may appeal the rejected request by reviewing the reason with the Manager of Operations. Should acceptable resolution not be achieved, the Senior Manager of the Engineering Department will arbitrate. That decision will be final. |
| Implement Request | (a) Is the request for Temporary Access? (b) Is a Master ID involved in the request (outside standard profile)? (c) The Sr. Security Administrator meets with the Requestor to confirm that access privileges are now available. The Requestor signs the Security Change Request form acknowledging receipt. |