SDLC
*DOWNLOAD NOW $199.95
SOP
1051:
Security
Administration
|
Objective: |
|
The objective of this Standard Operating Procedure (SOP) is to provide and overview of the security control activities in the SDLC Business environment.
|
|
Scope: |
|
This
procedure establishes the responsibilities of the Senior Security
Administrator. This individual is charged with identifying, communicating,
monitoring and addressing issues and concerns that pose threats to
computer and intellectual assets. |
| Owner: |
| Operations |
|
Sections:
Related
Standard
Operating
Procedures:
|
SOP 1051 - Security Administration Definitions
Security Administration provides an overview to the areas of security control activities within the SDLC business environment. The Sr. Security Administrator is the individual charged with identifying, communicating, monitoring and addressing issues and concerns that pose threats to computer and intellectual assets. An unauthorized individual defines threats as any form of intentional or unintentional access to confidential or sensitive materials.
The
Sr. Security Administrator oversees and maintains system access profiles. System
access requests are compared to pre-approved profiles as part of the request
approval process. Approved access is logged whenever it is considered an
exception. On a quarterly basis, the exception log is analyzed and
recommendations for improvement are presented to management. A periodic review
of profiles is performed.
The
Sr. Security Administration addresses the disposal of paper and electronic
media, any of which may include confidential data. In addition, it addresses
third party requests for information and the process to authorize the release of
materials.
The Sr. Security Administration procedure defines the rules under which documents are to be annotated to show that they are the property of SDLC. All materials are to be consistently treated as though they contain confidential or sensitive information.
1.
Process
Flow Diagrams
Security
Administration Overview
Click Image to Enlarge
Click Image to Enlarge
Click Image to Enlarge
Click Image to Enlarge
2.
Roles and Responsibilities
|
Role |
Responsibility |
|
Senior
Security Administrator
|
The
Sr. Security Administrator is charged with identifying, communicating,
monitoring and addressing issues and concerns that pose threats to
computer and intellectual assets. This person oversees and maintains
systems access and performs periodic reviews of profiles. In addition,
the Sr. Security Administrator prepares quarterly reports and makes
recommendations for improvement to management.
|
3.
Metrics
|
Metric |
Description |
|
Cycle
Time
|
The
amount of time required to complete all steps in the
creation/maintenance of a user ID from the time a request reaches the
Security Administrator through delivery of the executed maintenance to
the individual.
|
|
Advisories
|
A
list of security advisories published each month along with its source
and the time consumed in preparation and distribution.
|
|
Special
Events
|
The
number of occurrences and amount of time spent on security
events/investigations each month. Each event will have a management
report on file.
|
|
Change
Agents
|
Individuals
who analyze a process and recommend ways to improve it, regardless of
whether or not the recommendation is implemented. The person’s name
will be reported to Engineering Department management and will receive
recognition for their effort to compress cycle times and/or improve
quality.
|
4.
Procedure
Activities
General
Security Activities
|
Gate/Activity |
Description |
|
Security
Profiles
|
Access to SDLC system environments is a “Right” that permits an individual to perform the duties associated with a particular job. Users are given access rights based on their job responsibilities and the training or knowledge they possess. Knowledge and skills are to be evaluated after each major enhancement to ensure they are current. The Sr. Security Administrator is responsible for verifying individual skill sets with appropriate management.
|
|
Review
Database Logs
|
The
Sr. Security Administrator reviews database access logs monthly to
determine when exception access, unusual access or other events occurred
which warrant additional review. The Sr. Security Administrator performs
the necessary review and promotes findings to the Manager of Operations
at the time of discovery or as part of the quarterly report depending on
severity.
|
|
Temporary
Access
|
The
Security Administrator is responsible for ensuring that temporary access
permissions are disabled at the end of the authorized period. The
default period is one business day.
|
|
User
Access
|
The
Security Administrator has the responsibility to disable access to any
individual when that individual's actions create a perceived threat to
the systems environment. This responsibility will be executed without
regard to the individual’s title. Due diligence will be undertaken
prior to taking this escalation avenue. In the event that the reason for
the individual's action can not be determined and Operations Management
is unavailable for council, the Security Administrator will disable the
users account. Determination of the event and a report will be generated
by the Security Administrator and distributed to both the Manager of
Operations and the Senior Manager of the Engineering Department.
|
|
Situational
Access
|
Situational
access is subject to audit review. Situational access requires that
actions performed be documented and communicated to the appropriate
areas within the Engineering Department. The manager who authorized
access is responsible for ensuring that documentation and communication
is completed and distributed in a timely fashion.
|
|
Quarterly
Report
|
(a)
The Security Administrator analyses the exception log to determine
trends and reasons for requests. These findings are used to prepare a
quarterly report. The report includes recommendations for root cause
remediation, changes to standard profiles, process improvement, etc.
(b)
The Manager of Operations reviews the Security Administrator’s
recommendations:
Manager of Operations
requests for additional analysis and/or additional detail are handled by
the Security Administrator in an appropriate and timely manner.
|
|
SDLC Staff:
Protection
of Intellectual Assets
|
The Employee Handbook used by SDLC addresses the protection of intellectual assets in the "Corporate Code of Ethics and Conduct Policy” section; specifically sub-sections:
Each
employee must sign a non-disclosure agreement at the time of hire. The
terms and conditions of that agreement will be enforced.
|
|
SDLC Staff:
Document
Notices
|
Each
employee
creating documents for internal use with confidential information or containing intellectual asset descriptions or definitions shall include a footer throughout the entire document stating “Confidential - Property of SDLC.” This applies to all documents that contain naming conventions used in coding and network configuration.
Materials created for clients are to have “Copyright, SDLC MM/YYYY” (Month and Year) on each page.
|
|
SDLC Staff:
Client/Partner
Request for Information
|
Any
request for information from a client or partner that extends beyond
what an employee considers regularly provided information will be
honored only after authorization by Department Management.
Authorization
means:
Materials designated sensitive that will be released to clients or partners will have a cover document stating that the materials are “Intellectual Property of SDLC.” All provided materials will have a footer on each page as stated under the Document Notices section above. The individual authorizing the release of materials will
maintain a description of the materials released, with their specific
source.
|
|
Security
Administrator:
Input
to Development and Configuration Standards
|
The Security Administrator
is responsible for maintaining a dialog with Development, Operations and
Configuration Functions within the Engineering Department and Content
Staff in the Product Department. The Security Administrator will
generate an advisory announcement each time a potential threat is
discovered. Compliance with these advisories is the responsibility of
staff in Development, Operations and Configuration Functions within the
Engineering Department and Content Staff in the Product Department. An
individual performing peer review and/or validating application/content
has responsibility for ensuring the adherence to advisories.
-
Never
encode sensitive information in a client-side script such as
JavaScript.
-
HTML
should use “Post” versus “Get” methods, when possible.
|
|
SDLC Staff:
Paper
Disposal
|
Documents generated through
the normal course of performing job-related duties must be considered to
contain confidential information. As such, each employee is expected to
consider this when disposing of paper.
|
|
SDLC Staff:
Paper
Disposal
|
Any electronic media
disposed of must be rendered unusable. This requires that storage media
be physically destroyed or passed through a magnetic field to erase
content or be reformatted using a utility that writes a constant stream
of values to the disk surface.
|
|
Operations:
Off
Site Storage of Backup Materials
|
Any materials stored
off-site will be placed in a locked container. When backup materials
represent a systems environment, storage media will contain all
necessary instruction to restore the environment, including passwords
and current disaster/business recovery instructions. Operations will
maintain a log of all off site materials.
|
Password
Control and Oversight
User
IDs and passwords will be unique and assigned to one individual. Group logon IDs
will be prohibited. This not only increases accountability, but also provides
the means to audit activities.
The
process flow diagram provides a high level view of the Security Administration
procedure for Password Control and Oversight. Access to systems is defined first
by the role of the unit to which an individual is hired or contracted. Each unit
has a profile defining the privileges associated with the roles and
responsibilities of the normal work requirements for that unit. These profiles
are defined above. Deviations from a unit profile require a compelling reason
for permanent access. Temporary access may be granted based on circumstances and
the approval of appropriate management.
The
Security Administrator has primary responsibility for establishing, modifying
and removing access as approved by the Manager of Operations. Department
Managers (and Human Resources) are responsible for timely notification to the
Security Administrator of termination, promotions, transfers and new hires. The
Security Administrator will immediately disable the terminated individuals
access.
Due consideration must be given prior to the granting of access rights to a consultant. The unit manager is responsible for performing a knowledge assessment and an education process regarding SDLC’s standards and technology environment, prior to allowing the individual access to the SDLC systems. Access rights should be limited to the consultant’s engagement scope. Each request for a security change is routed sequentially through the following steps.
|
Gate/Activity |
Description |
|
Click Image to Enlarge
|
|
Initiate
Change Request
|
Requesting
Department Management completes and authorizes the Security Change
Request Form (Appendix A). In cases where exceptions are being
requested, documentation supporting the request must be provided, as
well as the duration of the requested access privilege.
|
|
Evaluate
Request
|
Request is forwarded to the
Security Administrator for comparison to approved profile (Appendix B).
(Requests will normally be processes within four (4) business day
hours.)
|
|
Request
Approved
|
Deliver approval to Manager
of Operations:
-
Request is within approved
profile definitions
-
Request is outside approved
profiles, but has supporting documentation.
|
|
Request
Denied
|
Return to Requestor or
Requesting Department Management with explanation.
Requesting
Department Management may appeal the rejected request by reviewing the
reason with the Manager of Operations. Should acceptable resolution not
be achieved, the Senior Manager of the Engineering Department will
arbitrate. That decision will be final.
|
|
Implement
Request
|
(a)
Is the request for Temporary Access?
(b)
Is a Master ID involved in the request (outside standard profile)?
(c)) The Sr. Security
Administrator meets with the Requestor that access privileges are now
available. The Requestor signs the Security Change Request form
acknowledging receipt.
|
|
Click Image to Enlarge
|
5.
Forms
|
Form |
Description |
|
Security
Change Request Form
|
See
Appendix A
|
|
Security
Profiles
|
See
Appendix B
|
6.
Exceptions
7.
Tools/Software/Technology
Used
|
Tool |
Description |
|
MS Word
|
Word
Processing
|
|
MS Excel
|
Spreadsheet
|
8.
Attachments
(INTERNAL USE ONLY)
|
|
