United States Department of Agriculture, Office of the Chief Financial Officer, National Finance Center
The National Finance Center: IT Security
IT Security
The Information Systems Policy and Control Staff (ISPCS) is responsible for IT Security. ISPCS is divided into two offices – the Information Systems Quality Assurance Office (ISQAO) and the Information Systems Security Office (ISSO).
ISQAO is responsible for the migration life cycle of applications. This office ensures that major application changes migrate from a testing environment to a quality assurance environment, and that user acceptance testing is performed before they are migrated to a production environment.
ISSO is responsible for developing security controls, administering security access to user accounts, reporting and auditing of security activity, and performing security test and evaluation of production applications. ISSO is the office that works directly with the Agency Security Officers (ASOs) for the agencies we service.
ISSO is divided into three sections to handle the multitude of IT Security functions.
• SSDMG – The Security Software Development and Maintenance Group is responsible for the implementation and maintenance of all security software, the development and maintenance of security controls, and the security test and evaluation of production applications.
• SAAG – The Security Access Administration Group is responsible for the administration of security access, resolution of security help desk issues, and providing hands-on security training classes for Agency Security Officers.
• MARS – The Monitoring And Reporting Section is responsible for auditing and reporting of the NFC security infrastructure.
SAAG Wears Many Hats
• Initial Setup of Agency – Work with Agency Security Officers to define application roles and agency accounts.
• Security Access – Work with Agency Security Officers to define, modify, and revoke access to user accounts.
• Help Desk – Work with Agency Security Officers to resolve any access issues.
• Training – Provide multiple Agency Security Officer training classes each year.
• Audit Responses – Provide auditors with the information necessary to complete audits.
Security Access Request Process
ASO Submits Request – The ASO submits the request to SAAG using one of the following:
• Clear text e-mail
• E-mail with encrypted zip file (instructions are attached at the end of this presentation)
• E-mail with password-protected Word document
• Secure fax
Security Access Request Process (continued)
SAAG Reviews & Logs Request –
• Ensure the request is from an authorized ASO
• Ensure the request is complete and accurate:
  • Name
  • SSN
  • Userid
  • Application and appropriate parameters
• Log the request into the SAAG database for tracking
  • Assign a unique log number
  • Respond to the ASO with the log number assigned
Security Access Request Process (continued)
Request Assigned to Administrator – The SAAG Supervisor assigns the request to a Security Access Administrator for processing. ("Bobby, this one's for you…")
Security Access Request Process (continued)
Administrator Processes Request –
• The access request is reviewed again:
  • Name
  • SSN
  • Userid
  • Application and appropriate parameters
• The requested access is administered across multiple computing platforms according to the request.
• The SAAG tracking database is updated.
Security Access Request Process (continued)
ASO Notified –
• The Administrator notifies the ASO via e-mail that the request has been completed.
• The request is sent to be filed electronically.
Statistics
The Numbers
• Security File Size
  • Over 130 agencies
  • 31,000 users
  • 16,000 profiles
• Work Handled in 2006
  • 80,000 userid changes
  • 20,000 profile changes
  • 80,000 database changes
The Staff
• 12 Security Administrators
• Process changes for over 1,500 userids per week
Turn Around Time
• Usually 3 - 5 days
• As of 7/6/07 – average 1.6 days
ASO Responsibilities
• Ensure a backup ASO is assigned
  • Define one or more alternates
  • An ASO cannot request access for themselves.
• Keep NFC informed of ASO changes
  • NFC will only accept requests from the designated ASO.
• Conduct periodic review – cleanup
  • Access creep: removing access is just as important as granting access.
  • Delete userids for separated employees; OIG considers this a high vulnerability.
ASO Responsibilities (continued)
• Ensure accuracy of the request
  • Check for complete and accurate information: userid, name, SSN, application criteria, scope of access
• Use secure practices
  • Encrypted zip file, password-protected files
• Be conscious of your agency's security policies
  • Think audits, OIG, SAS 70
• Attend training regularly
  • Review processes and procedures
  • Learn what's new
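As an added example (not from the presentation or from NFC), here is a small Python model of the intake checks described in the Security Access Request Process slides and the ASO Responsibilities slides: the designated-ASO check, the completeness and SSN-format check, the rule that an ASO cannot request access for themselves, unique log number assignment, and tracking updates for supervisor assignment and completion. The agency names, userids, the tracking-log fields and the choice to keep only the last four SSN digits in the log are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed roster of designated ASO userids per agency (hypothetical, not NFC data).
DESIGNATED_ASOS = {"AGENCY-A": {"ASOALPHA", "ASOALT01"}, "AGENCY-B": {"ASOBETA"}}
REQUIRED_FIELDS = ("name", "ssn", "userid", "application", "parameters")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


@dataclass
class SaagLog:
    """Stand-in for the SAAG tracking database: one entry per accepted request."""
    next_number: int = 1
    entries: dict = field(default_factory=dict)

    def record(self, request, sender_userid):
        number = f"SAAG-{self.next_number:06d}"   # unique log number returned to the ASO
        self.next_number += 1
        self.entries[number] = {
            "aso": sender_userid,
            "userid": request["userid"],
            "ssn_last4": request["ssn"][-4:],   # assumption: full SSN is not kept in the log
            "application": request["application"],
            "status": "logged",
        }
        return number

    def update(self, number, status, administrator=None):
        """Supervisor assignment and administrator completion both go through here."""
        entry = self.entries[number]
        entry["status"] = status
        if administrator:
            entry["administrator"] = administrator
        return entry


def review_request(request, sender_userid, agency, log):
    """Run the intake checks; return (log_number, []) or (None, problems)."""
    problems = []
    if sender_userid not in DESIGNATED_ASOS.get(agency, set()):
        problems.append(f"{sender_userid} is not a designated ASO for {agency}")
    missing = [f for f in REQUIRED_FIELDS if not str(request.get(f, "")).strip()]
    if missing:
        problems.append("incomplete request, missing: " + ", ".join(missing))
    if "ssn" not in missing and not SSN_RE.match(request["ssn"]):
        problems.append("SSN must be in NNN-NN-NNNN form")
    if str(request.get("userid", "")).upper() == sender_userid.upper():
        problems.append("an ASO cannot request access for themselves")
    if problems:
        return None, problems
    return log.record(request, sender_userid), []
```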
Future Plans
Web Applications – Reporting Center and Others
• Password resets
• Reporting Center testing is targeted to begin pilot in August 2007
• Available to agencies in January 2008
• Reporting
• Currently testing
• Provide capability of ASO panels
Future Plans (continued)
Automate Security Administration
• CA Identity Access Management
  • Contract awarded
  • Pilot to begin in September 2007
  • Implement internally in 2008
  • Begin implementing agencies in 2009
• Role-based access is key
Web-Based Training and Certification
• Annual online training
• Issue certificate upon successful completion
Contact Information
NFC Security Office: nfc.securityofc@usda.gov
Louis Collins, (504) 426-0434, louis.collins@usda.gov
Mike Zeringue, (504) 426-0408, mike.zeringue@usda.gov
Instructions to encrypt using WinZip
• Using Windows Explorer or My Computer, locate the file to be encrypted.
• Right-click on the file. This will bring up a menu.
• Move the cursor down to WinZip. A new menu will be displayed.
• On this menu, left-click on "Add to Zip File". A new window, Add, will appear.
• In the Options section, left-click "Encrypt added files". A check mark will be placed in the box.
• Left-click the "Add" button on the top right of the screen.
• A WinZip Caution screen is displayed. Left-click OK.
• Enter the password.
• Re-enter the password for confirmation.
• In the Encryption method section, left-click "128-Bit AES encryption".
• Left-click OK.
• Exit out of the WinZip screen.
• Press F5 within your Windows Explorer or My Computer screen.
• The zip file is now displayed. This is the file to send to NFC.
United States Department of Agriculture Office of the Chief Financial Officer National Finance Center Questions