SDLC SOP 1051 - Security Administration

From OpenSDLC


SOP 1051: Security Administration

Objective:

The objective of this Standard Operating Procedure (SOP) is to provide an overview of the security control activities in the SDLC Business environment.

Scope:

This procedure establishes the responsibilities of the Senior Security Administrator. This individual is charged with identifying, communicating, monitoring and addressing issues and concerns that pose threats to computer and intellectual assets.

Owner:

Operations


Definitions

Security Administration provides an overview of the areas of security control activities within the SDLC business environment. The Sr. Security Administrator is the individual charged with identifying, communicating, monitoring and addressing issues and concerns that pose threats to computer and intellectual assets. Threats are defined as any form of intentional or unintentional access to confidential or sensitive materials by an unauthorized individual.

The Sr. Security Administrator oversees and maintains system access profiles. System access requests are compared to pre-approved profiles as part of the request approval process. Approved access is logged whenever it is considered an exception. On a quarterly basis, the exception log is analyzed and recommendations for improvement are presented to management. A periodic review of profiles is performed.

The Sr. Security Administration addresses the disposal of paper and electronic media, any of which may include confidential data. In addition, it addresses third party requests for information and the process to authorize the release of materials.

The Sr. Security Administration procedure defines the rules under which documents are to be annotated to show that they are the property of SDLC. All materials are to be consistently treated as though they contain confidential or sensitive information.


Process Flow Diagrams

Security Administration Overview

File:SOP1051-01.gif


File:SOP1051-02.gif


File:SOP1051-03.gif


File:SOP1051-04.gif


Roles and Responsibilities

Role Responsibility
Senior Security Administrator

The Sr. Security Administrator is charged with identifying, communicating, monitoring and addressing issues and concerns that pose threats to computer and intellectual assets. This person oversees and maintains systems access and performs periodic reviews of profiles. In addition, the Sr. Security Administrator prepares quarterly reports and makes recommendations for improvement to management.


Metrics

Metric Description
Cycle Time

The amount of time required to complete all steps in the creation/maintenance of a user ID from the time a request reaches the Security Administrator through delivery of the executed maintenance to the individual.

Advisories

A list of security advisories published each month, along with the source of each and the time consumed in preparation and distribution.

Special Events

The number of occurrences and amount of time spent on security events/investigations each month. Each event will have a management report on file.

Change Agents

Individuals who analyze a process and recommend ways to improve it, regardless of whether or not the recommendation is implemented. The person’s name will be reported to Engineering Department management and will receive recognition for their effort to compress cycle times and/or improve quality.



Procedure Activities

General Security Activities

Gate/Activity Description
Security Profiles

Access to SDLC system environments is a “Right” that permits an individual to perform the duties associated with a particular job. Users are given access rights based on their job responsibilities and the training or knowledge they possess. Knowledge and skills are to be evaluated after each major enhancement to ensure they are current. The Sr. Security Administrator is responsible for verifying individual skill sets with appropriate management.

Review Database Logs

The Sr. Security Administrator reviews database access logs monthly to determine when exception access, unusual access or other events occurred which warrant additional review. The Sr. Security Administrator performs the necessary review and promotes findings to the Manager of Operations at the time of discovery or as part of the quarterly report depending on severity.

Temporary Access

The Security Administrator is responsible for ensuring that temporary access permissions are disabled at the end of the authorized period. The default period is one business day.

User Access

The Security Administrator has the responsibility to disable access to any individual when that individual's actions create a perceived threat to the systems environment. This responsibility will be executed without regard to the individual’s title. Due diligence will be undertaken prior to taking this escalation avenue. In the event that the reason for the individual's action cannot be determined and Operations Management is unavailable for counsel, the Security Administrator will disable the user's account. Determination of the event and a report will be generated by the Security Administrator and distributed to both the Manager of Operations and the Senior Manager of the Engineering Department.

Situational Access

Situational access is subject to audit review. Situational access requires that actions performed be documented and communicated to the appropriate areas within the Engineering Department. The manager who authorized access is responsible for ensuring that documentation and communication is completed and distributed in a timely fashion.

Quarterly Report

(a) The Security Administrator analyses the exception log to determine trends and reasons for requests. These findings are used to prepare a quarterly report. The report includes recommendations for root cause remediation, changes to standard profiles, process improvement, etc.

(b) The Manager of Operations reviews the Security Administrator’s recommendations:

  • Approved recommendations initiate the following process:
    • Procedure updated following Document Governance Procedure (SOP 1001)
    • Recommendation directed to the appropriate Unit Management for consideration
    • Manager of Operations or Security Administrator champions the change in process


Manager of Operations requests for additional analysis and/or additional detail are handled by the Security Administrator in an appropriate and timely manner.


SDLC Staff: Protection of Intellectual Assets

The Employee Handbook used by SDLC addresses the protection of intellectual assets in the “Corporate Code of Ethics and Conduct Policy” section; specifically sub-sections:
  • Protection of Assets of SDLC
  • Confidential Information
  • Conflict of Interest
  • Sanctions for Breach of Ethical Standards

Each employee must sign a non-disclosure agreement at the time of hire. The terms and conditions of that agreement will be enforced.

SDLC Staff: Document Notices

Each employee creating documents for internal use with confidential information or containing intellectual asset descriptions or definitions shall include a footer throughout the entire document stating “Confidential - Property of SDLC.” This applies to all documents that contain naming conventions used in coding and network configuration.

Materials created for clients are to have “Copyright, SDLC MM/YYYY” (Month and Year) on each page.

SDLC Staff: Client/Partner Request for Information

Any request for information from a client or partner that extends beyond what an employee considers regularly provided information will be honored only after authorization by Department Management. Authorization means:
  • Approval to compile the information within a defined scope approved by management.
  • Review and approval of materials prior to release.

Materials designated sensitive that will be released to clients or partners will have a cover document stating that the materials are “Intellectual Property of SDLC.” All provided materials will have a footer on each page as stated under the Document Notices section above. The individual authorizing the release of materials will maintain a description of the materials released, with their specific source.

Security Administrator: Input to Development and Configuration Standards

The Security Administrator is responsible for maintaining a dialog with Development, Operations and Configuration Functions within the Engineering Department and Content Staff in the Product Department. The Security Administrator will generate an advisory announcement each time a potential threat is discovered. Compliance with these advisories is the responsibility of staff in Development, Operations and Configuration Functions within the Engineering Department and Content Staff in the Product Department. An individual performing peer review and/or validating application/content has responsibility for ensuring the adherence to advisories.

  • Never encode sensitive information in a client-side script such as JavaScript.
  • HTML should use “Post” versus “Get” methods, when possible.


SDLC Staff: Paper Disposal

Documents generated through the normal course of performing job-related duties must be considered to contain confidential information. As such, each employee is expected to consider this when disposing of paper.

SDLC Staff: Paper Disposal

Any electronic media disposed of must be rendered unusable. This requires that storage media be physically destroyed or passed through a magnetic field to erase content or be reformatted using a utility that writes a constant stream of values to the disk surface.


Operations:

Off Site Storage of Backup Materials

Any materials stored off-site will be placed in a locked container. When backup materials represent a systems environment, storage media will contain all necessary instruction to restore the environment, including passwords and current disaster/business recovery instructions. Operations will maintain a log of all off site materials.


Password Control and Oversight

User IDs and passwords will be unique and assigned to one individual. Group logon IDs will be prohibited. This not only increases accountability, but also provides the means to audit activities.

The process flow diagram provides a high-level view of the Security Administration procedure for Password Control and Oversight. Access to systems is defined first by the role of the unit to which an individual is hired or contracted. Each unit has a profile defining the privileges associated with the roles and responsibilities of the normal work requirements for that unit. These profiles are defined above. Deviations from a unit profile require a compelling reason for permanent access. Temporary access may be granted based on circumstances and the approval of appropriate management.

The Security Administrator has primary responsibility for establishing, modifying and removing access as approved by the Manager of Operations. Department Managers (and Human Resources) are responsible for timely notification to the Security Administrator of termination, promotions, transfers and new hires. The Security Administrator will immediately disable the terminated individual's access.

Due consideration must be given prior to the granting of access rights to a consultant. The unit manager is responsible for performing a knowledge assessment and an education process regarding SDLC’s standards and technology environment, prior to allowing the individual access to the SDLC systems. Access rights should be limited to the consultant’s engagement scope. Each request for a security change is routed sequentially through the following steps:


Gate/Activity Description

File:SOP1051-05.gif


Initiate Change Request

Requesting Department Management completes and authorizes the Security Change Request Form (Appendix A). In cases where exceptions are being requested, documentation supporting the request must be provided, as well as the duration of the requested access privilege.
Evaluate Request

Request is forwarded to the Security Administrator for comparison to approved profile (Appendix B). (Requests will normally be processed within four (4) business day hours.)


Request Approved

Deliver approval to Manager of Operations:
  • Request is within approved profile definitions
  • Request is outside approved profiles, but has supporting documentation.

Request Denied

Return to Requestor or Requesting Department Management with explanation.
  • Request is outside approved profiles and does not have supporting documentation

Requesting Department Management may appeal the rejected request by reviewing the reason with the Manager of Operations. Should acceptable resolution not be achieved, the Senior Manager of the Engineering Department will arbitrate. That decision will be final.

Implement Request

(a) Is the request for Temporary Access?

  • Yes – the Sr. Security Administrator sets password expiration in the system or schedules follow-up in 24 hours (next business day) and proceeds to step (b)
  • No – executes step (b)

(b) Is a Master ID involved in the request (outside standard profile)?

  • Yes – Sr. Security Administrator logs the request and reason in an exception log and proceeds to step (c)
  • No – executes and files the request; proceeds to step (c)

(c) The Sr. Security Administrator meets with the Requestor to confirm that access privileges are now available. The Requestor signs the Security Change Request form acknowledging receipt.


File:SOP1051-06.gif



Forms

Form Description

Security Change Request Form

See Appendix A


Security Profiles

See Appendix B



Exceptions

None at this time

Tools/Software/Technology Used

Tool Description

MS Word

Word Processing


MS Excel

Spreadsheet



Attachments


Related Standard Operating Procedures:

